The gMan nixWiki

Because the mind is made of Teflon...



HTB: Legacy

IP: 10.10.10.4 Me: 10.10.14.25

Scan

Note: masscan found a udp port that nmap did not. Remember to scan UDP!

  • I later ran nmap to scan UDP (-sU) and found it (it just takes forever).
  • Syntax: nmap -sU -p137 10.10.10.4

masscan

Scan Syntax:

masscan 10.10.10.4 -p1-65535,U:1-65535 --rate=1000 -e tun0
# -p1-65535,U:1-65535 # scan all TCP/UDP ports
# --rate=1000         # scan rate = 1000 packets per second
# -e tun0             # listen on the VPN network interface for responses

Results:

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-20 23:05:00 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.4
Discovered open port 137/udp on 10.10.10.4
Discovered open port 139/tcp on 10.10.10.4
rate:  0.00-kpps, 100.00% done, waiting -308-secs, found=2
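To carry the "remember to scan UDP" lesson into the follow-up nmap run, here is an added example (not part of the original wiki page) that parses masscan's "Discovered open port" lines and turns them into nmap's T:/U: port syntax, adding -sU only when a UDP port was actually seen. The sample text is constructed to mirror the masscan output above; the -sS/-sU/-sV flags are standard nmap options.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the masscan output above (not a fresh capture).
SAMPLE_MASSCAN_OUTPUT = """\
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-20 23:05:00 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.4
Discovered open port 137/udp on 10.10.10.4
Discovered open port 139/tcp on 10.10.10.4
rate:  0.00-kpps, 100.00% done, waiting -308-secs, found=2
"""

# masscan prints one of these lines per open port; everything else is status noise.
DISCOVERED = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)$"
)

def parse_masscan(text):
    """Return {host: {"tcp": set(ports), "udp": set(ports)}} from masscan's stdout."""
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        m = DISCOVERED.match(line.strip())
        if m:
            hosts[m["host"]][m["proto"]].add(int(m["port"]))
    return dict(hosts)

def nmap_port_spec(ports):
    """Build nmap's -p argument, e.g. 'T:139,445,U:137', from one host's port sets."""
    parts = []
    if ports["tcp"]:
        parts.append("T:" + ",".join(str(p) for p in sorted(ports["tcp"])))
    if ports["udp"]:
        parts.append("U:" + ",".join(str(p) for p in sorted(ports["udp"])))
    return ",".join(parts)

def nmap_followup(text):
    """One targeted nmap command per host; -sU is added only if masscan saw UDP."""
    cmds = {}
    for host, ports in parse_masscan(text).items():
        scan_types = "-sS" + (" -sU" if ports["udp"] else "")
        cmds[host] = f"nmap {scan_types} -sV -p {nmap_port_spec(ports)} {host}"
    return cmds

if __name__ == "__main__":
    for cmd in nmap_followup(SAMPLE_MASSCAN_OUTPUT).values():
        print(cmd)
```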

nmap

First:

root@kali:~# nmap -T4 -p- 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 17:51 CDT
Nmap scan report for 10.10.10.4
Host is up (0.037s latency).
Not shown: 65532 filtered ports

PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Second:

root@kali:~# nmap -T4 -A -p139,445,3389 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 17:54 CDT
Nmap scan report for 10.10.10.4
Host is up (0.037s latency).

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|2008 (92%), General Dynamics embedded (87%)
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 (92%), Microsoft Windows XP SP2 or Windows Small Business Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%), Microsoft Windows 2000 Server (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h27m04s, deviation: 2h07m16s, median: -5h57m04s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:6c:76 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-09-20T22:57:48+03:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   36.83 ms 10.10.14.1
2   37.15 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.96 seconds

MetaSploit

This took forever but I let it run anyway…

Enumerate

Exploit

Post-Ex Enum

hack_htb_legacy.1604707971.txt.gz · Last modified: by gman