Lessons Learned — HackTheBox — Legacy
Updated: Jun 11, 2019
Disclaimer: This isn’t a full walk-through. There are some general spoilers here for HTB Legacy. It’s a retired box so I’m allowed some leeway there. However, I stayed intentionally vague on some of the finer points such as not listing my exact commands. This is more an observational and hopefully inspirational post about my first semi-solo box.
I’ll state right up front, this is a fail post. I imagine I’ll have a lot of these as I progress through my Offensive Renaissance. I think there might be value in it though. Both for me collecting my thoughts and for you, the reader. Maybe you’re like me and just need stuff spelled out in a way you can relate to. Not too many fancy terms, just my real life brain dump as I try and figure things out. I’ll try and keep this as plain spoken as possible. Follow along with me, maybe we can get through this together.
So, here’s my thing. I’m taking my second dive at OSCP and figuring out what my best path is. Do I go through the videos? Do the whole book? Both? Then what? Poke around blindly till something magically clicks? It’s daunting to say the least. Maybe not for everyone, but definitely for me.
So, because of all that confusion in just finding a workflow to even get me started, I’ve had an incredibly tough time even taking the step to start looking at boxes on HTB. Fear of failure is real and it will stop you dead in your tracks. Can’t fail if you don’t try, right? Funny, I’ve got no fear to not even start at all. That stuff is easy.
This abject fear to not even start something that I want so badly to be good at is really what this post is all about. Maybe some of you can relate to that, the invisible wall in front of you that just seems too high to climb. So you sit and just wish it was smaller.
I lay my own insecurities out for you because I think that’s one of the most valuable things I have to offer the community that I love so deeply. I will put all this out there, no matter what other people might think of it because I want to help anyone who finds the value in it. That’s my karma.
Anyway, tonight, after some much needed slapping around to get going by @blackroomsec and @highmeh I tried my first box without looking at a walk-through. Before I go too far, I want to state how absolutely clutch those two wonderful people have been as I’m going through this journey. I truly won the lottery being able to count them as peers and dear friends.
Alright, enough philosophical pontificating. Tonight, I attempted HTB Legacy. Let’s begin.
Okay, so how do I even start? I know enough to NMAP. In much the same way a toddler knows how to mash the play-dough down to make some semblance of a pizza. However, Guy Fieri he ain’t. But, I digress. Throw an NMAP scan at it and it gives me a couple open ports. Hey, I recognize those. I can work with that. Confidence is rising.
There's a web server on 3389 but it's closed. Lame. Why is it lame? If we had an open web server port that opens a whole host of cool stuff to try. But hey, SMB is open. I know SMB. And by that I know I can Google on how to screw with it. For tonight, that has to be enough. My first instinct is to just try and connect to it. Holy crap, I got an answer, asks for a root password, which I don't have. But I tried…something…and got something back in return. Huge for me. More progress.
I'd like to really stress that part. For me, that progress means the world. It's validation, no matter how small, that I do not suck as much as my brain would have me believe. Anything worth accomplishing is oftentimes built inch by inch, hour by hour, day by day. This, as in all things, will take time. Keep reading if you've found some solace in that little fact.
Okay, I'm pretty sure that SMB is what I need to go after here. I remember Null sessions being a thing just as Jayme hints it to me. A Googling I will go. Find the method to connect over a Null session. In case I have people completely new to this, a Null session is an SMB connection made with an empty username and an empty password. Nothing, nothing. On older Windows hosts that is often enough to list shares and users anonymously. I don't need my OSCP to tell me that's bad.
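The two steps above (the NMAP scan, then poking at SMB without credentials) are the kind of thing that is easy to script once you have done it by hand. The block below is an added example, not the author's commands and not part of the original post: it reads a constructed sample of `nmap -oG` (grepable) output, picks out hosts with 139 or 445 open, and prints the anonymous (null-session) probes you would run against each of them with `smbclient`, `rpcclient` and the nmap SMB scripts. The host addresses in the sample are made up.

```shell
#!/usr/bin/env sh
# Added example: triage nmap grepable output for SMB and plan a
# null-session probe. Not the original author's commands.
# Assumption: the scan was saved with `nmap -oG`; the two hosts below
# are a constructed sample, not real targets.

SAMPLE_GNMAP='# Nmap scan initiated (constructed sample)
Host: 10.10.10.4 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///  Ignored State: filtered (65532)
Host: 10.10.10.5 ()  Ports: 80/open/tcp//http///  Ignored State: closed (65534)
# Nmap done'

# Print every host (one per line) that has 139/tcp or 445/tcp open.
# awk splits the "Host:" line on whitespace, so $2 is the address.
smb_hosts() {
  printf '%s\n' "$1" | awk '
    /^Host:/ {
      host = $2
      if ($0 ~ /(139|445)\/open\/tcp/) print host
    }'
}

# The anonymous probes for one host. A null session is an SMB session
# with an empty user and empty password: -N skips the password prompt,
# -U '' sends an empty username.
null_session_cmds() {
  host=$1
  printf 'smbclient -N -L %s\n' "$host"
  printf "rpcclient -U '' -N %s -c 'srvinfo;enumdomusers;netshareenumall'\n" "$host"
  printf 'nmap -p139,445 --script smb-os-discovery,smb-enum-shares,smb-enum-users %s\n' "$host"
}

# Run the probes for real, skipping any tool that is not installed.
# Only invoked when a host is passed on the command line, so the
# script can be sourced or run without touching the network.
run_null_probe() {
  host=$1
  null_session_cmds "$host" | while IFS= read -r cmd; do
    tool=${cmd%% *}
    if command -v "$tool" >/dev/null 2>&1; then
      echo "+ $cmd"
      eval "$cmd" 2>&1
    else
      echo "(skipped, $tool not installed) $cmd"
    fi
  done
}

# Default behaviour: show the plan for every SMB host in the sample.
for h in $(smb_hosts "$SAMPLE_GNMAP"); do
  echo "# SMB open on $h, null-session probe plan:"
  null_session_cmds "$h"
done

# Usage against a live host you are allowed to test: sh probe.sh 10.10.10.4
if [ -n "$1" ]; then
  run_null_probe "$1"
fi
```

Against the sample only 10.10.10.4 is reported, because 10.10.10.5 has nothing but 80/tcp open. Swap the sample for your own `-oG` file (`smb_hosts "$(cat scan.gnmap)"`) and pass a host on the command line to actually run the probes; if `rpcclient` answers `srvinfo` with no password, you have your null session.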
I bang around at it for about 45 minutes more till I get cranky and run out of ideas. Okay, I tried it. Training wheels. Let's see what the walkthroughs have to say. This whole time I’m actively avoiding Metasploit. Convinced there has to be a way other than that. Not that I have anything against it. It’s used by thousands of people for good reason. But, in my current developmental state, I’d like to get good without it, or as much as I can anyway.
So what happens when I admit defeat and look for walkthroughs? Every.Single.Answer is Metasploit. Of course it is. It's cool though. Chatting with Jayme he reminds me to not be scared of using it. It doesn't make you any less skilled if you need it and by the way there's always that pesky Enumeration and Privilege Escalation that you need to be good at. It's like breaking down the back door with a sledge hammer, but then you still have to find the panic room and find your way in.
What's the lesson there? Get out of your own way. Don't hold so tightly to your "game plan" that you spin your wheels in the mud. So what if Metasploit was the answer. As Jayme suggested to me, I'm going to get in and just poke around anyway. I plan on spending some hours on the Enumeration/Privilege Escalation stuff on Legacy just to see what I can do. My first (mostly) solo box did a lot for me. It helped me to finally strike out on my own. I learned things I can build on. Most importantly I recalled things, more things than I realized, that I already knew. That was just so huge for me tonight.
Thank you for reading this far. This post was a long one because it was my first box. I know even now, it might be one of the most important ones I ever do. I hope this helps you out. Perhaps my stream of consciousness/nonsense matches yours. If so, at least we both know we’re not alone in the quest to get good. Maybe in the end, that’s the most valuable piece of Recon we have.