Retired Machine Legacy (Solved)

Good afternoon all, I am kinda new here and I joined VIP today so I could practice on retired machines. I have gone through the forums and read all the similar posts, which have not helped me to fix my problem. I am currently doing the Legacy machine and could use a little help. Here is my Nmap scan:

nmap -sC -sV -oA Legacy 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 14:15 EDT
Nmap scan report for 10.10.10.4
Host is up (0.048s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h23m27s, deviation: 2h07m16s, median: -5h53m27s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:3c:37 (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-10-05T18:22:39+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

So, I see port 445 is open, so I go to Metasploit to use the ms08-067 exploit. I change RHOSTS to 10.10.10.4 and LHOST to mine (10.10.14.25) and set the target to 6, which is windows server svcpk3. When I run the exploit I get the following error.

Started reverse TCP handler on 10.10.14.25:4444
[-] 10.10.10.4:445 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (10.10.10.4:445)

I have tried running both exploits with no success, any helpful nudges would be greatly appreciated.
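A small triage helper, added here as an example and not something posted in the thread: it parses the port table and the smb-security-mode block out of nmap normal output like the scans above and says whether a connection timeout on 445 is explained by the port state (filtered means the host is not answering at all; open means the scan itself is not the problem), and it flags SMB signing being disabled. The sample scan text is constructed from the thread's output and the finding wording is the example's own.

```python
import re

# Constructed sample: the two scans quoted in the thread, trimmed to the
# lines this parser reads (port table and the smb-security-mode script block).
SCAN_BEFORE_RESET = """\
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""
SCAN_ALL_FILTERED = """\
PORT STATE SERVICE
80/tcp filtered http
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
8080/tcp filtered http-proxy
"""

# One port-table line: "<port>/<proto> <state> <service> [version...]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")

def parse_ports(scan_text):
    """Map port number -> state for every port-table line in nmap normal output."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(3)
    return ports

def smb_signing_disabled(scan_text):
    """True when the smb-security-mode script reports message_signing: disabled."""
    m = re.search(r"message_signing:\s*(\w+)", scan_text)
    return bool(m) and m.group(1).lower() == "disabled"

def triage(scan_text, rport=445):
    """Return (state of rport, findings) that explain a connection timeout on rport."""
    state = parse_ports(scan_text).get(rport, "unscanned")
    findings = []
    if state == "open":
        findings.append(f"{rport}/tcp open: timeout is not a port-state issue, check VPN route, LHOST/LPORT, VM uptime")
    elif state == "filtered":
        findings.append(f"{rport}/tcp filtered: host not answering, timeout expected; reset target or VPN first")
    else:
        findings.append(f"{rport}/tcp {state}: nothing to connect to on that port")
    if smb_signing_disabled(scan_text):
        findings.append("SMB signing disabled: enable it on any host you administer")
    return state, findings
```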

@initDr said:

Started reverse TCP handler on 10.10.14.25:4444
[-] 10.10.10.4:445 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (10.10.10.4:445)

This implies Metasploit can't see the remote system, which doesn't really make sense as nmap obviously saw it.

Is your issue the same as the one here: linux - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out(remote host ip) - Information Security Stack Exchange ?

If so, I’d start with trying a different port from 4444.

Yeah, very similar to that article. I've tried restarting my VM with no luck. What listening port would you recommend using, TazWake?

@initDr said:

Yeah, very similar to that article. I've tried restarting my VM with no luck. What listening port would you recommend using, TazWake?

Try 8923 to avoid any collisions, as it's unlikely anything else will be on that. I find it always makes sense to avoid using 4444 if you can; if nothing else, it's almost always detected by security tools in real life.

Other than that, work through all the options and see if changing any of them helps.

show options is helpful if you aren’t used to Metasploit.

Oh yeah, I almost always show options once I pick an exploit to use. Since I don't have them all memorized I need to know what to change lol. :slight_smile: I'll try 8923, thanks for your help TazWake!

@initDr said:

Yeah, very similar to that article. I've tried restarting my VM with no luck. What listening port would you recommend using, TazWake?

Alternatively, because MS08-067 is so old, things may have changed in the internals of MSF; you could try a different SMB exploit like EternalBlue (MS17-010), which is well handled by Metasploit (ms17_010_psexec is a good one to try).

@TazWake said:

Alternatively, because MS08-067 is so old, things may have changed in the internals of MSF; you could try a different SMB exploit like EternalBlue (MS17-010), which is well handled by Metasploit (ms17_010_psexec is a good one to try).

MSF also has scanners for a variety of SMB attacks. If you are struggling to find one that works, I'd suggest investigating those.

I'm looking into those right now, LMAY75. There are 125… so, might take a minute lol.

OK, lol, now all the ports are showing up as filtered… wtf?!?

80/tcp filtered http
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
8080/tcp filtered http-proxy

Maybe I need to just walk away for a minute and collect my brains.

lmao, OK guys, it was literally a noob error. I stopped the machine and restarted it, and then my nmapping was correct again. In msfconsole: use windows/smb/ms08_067_netapi, then set RHOSTS to 10.10.10.4, set LHOST to 10.10.14.25, and set target to 6 or 7 (they both work). Got in, opened a shell in meterpreter, went to C:\Documents and Settings (Admin and John) and retrieved both the flags! :wink: Thanks for the help though!

Hey guys, I can't get nmap to scan the host because of a firewall, it seems. I've tried different intensity scans and firewall evasions with no luck. Any hints?

Hi C4P,

You should try the -PN nmap option.

I am having the same problem with ms08_067_netapi. I checked the ports on the XP target with nmap and port 445 (RPORT) is open. On the target the firewalls are off.
Any other ideas besides changing the LPORT to 8923?

I have also tried the payload windows/meterpreter/reverse_tcp, by the way :).
And I am using Kali 2016.1. I am downloading 2020 now, but I don't think the payload changed or something?

I've been at this for a couple of days now. I'm having the same issues as above, but only jumped to Metasploit after a day of trying to get nmap to work, even with -Pn. It just says:

Nmap scan report for 10.10.10.4
Host is up.
All 1000 scanned ports on 10.10.10.4 are filtered

Nmap done: 1 IP address (1 host up) scanned in _____ seconds

(The time is longer or shorter depending on which flags I use.)

Also, if I just skip that and jump right into Metasploit, I get the same issues as above. I've changed LHOST, LPORT, payloads, nada… everything either times out or completes the exploit but no connection is made.

Do these machines change or what? None of the walkthroughs show any of this. I understand research and trial and error is part of the learning process, but this seems a bit ridiculous for one of the easiest machines in Hack The Box… guess I'll just be working in fast food my whole life?