Blue
Blue, while possibly the most simple machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks sin
Recon
Let's start with an nmap scan.
┌──(kali㉿kali)-[~]
└─$ nmap -p- -A -T4 192.168.154.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-11 03:39 EDT
Nmap scan report for 192.168.154.129
Host is up (0.00012s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: WIN-845Q99OO4PP
| NetBIOS computer name: WIN-845Q99OO4PP\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-03-11T03:42:02-04:00
| smb2-time:
| date: 2024-03-11T07:42:02
|_ start_date: 2024-03-11T17:58:29
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ea:70:5f (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.80 seconds
The SMB output says this is Windows 7 Professional.
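From the defender's side, the same scan output can be triaged automatically for SMB hardening gaps. The script below is an added example, not part of the original write-up: the sample lines are copied from the scan above, and the function name, finding labels and list of out-of-support Windows versions are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied from the scan above, trimmed to what is parsed.
SAMPLE = """\
Nmap scan report for 192.168.154.129
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
|_ message_signing: disabled (dangerous, but default)
"""

# Assumption: Windows releases treated as out of vendor support.
EOL_OS = re.compile(r"Windows (XP|Vista|7|Server 2003|Server 2008)\b")
CHECKS = [  # (hypothetical finding label, pattern matched against one report line)
    ("smb-exposed", re.compile(r"^445/tcp\s+open\b")),
    ("smb1-signing-disabled", re.compile(r"message_signing:\s*disabled")),
    ("smb2-signing-not-required", re.compile(r"Message signing enabled but not required")),
    ("guest-account-used", re.compile(r"account_used:\s*guest")),
]


def triage(report: str) -> dict[str, list[str]]:
    """Map each scanned host to the SMB hardening gaps visible in nmap text output."""
    results: dict[str, list[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if m := re.match(r"Nmap scan report for (\S+)", line):
            current = results.setdefault(m.group(1), [])
            continue
        if current is None:
            continue  # banner lines before the first host
        for name, pattern in CHECKS:
            if pattern.search(line) and name not in current:
                current.append(name)
        os_line = re.match(r"\|_?\s*OS:\s*(.+)", line)
        if os_line and EOL_OS.search(os_line.group(1)) and "eol-os" not in current:
            current.append("eol-os")
    return results


if __name__ == "__main__":
    for host, gaps in triage(SAMPLE).items():
        print(host, ", ".join(gaps) or "no SMB findings")
```

A host reporting smb-exposed together with eol-os is the first one to check for the MS17-010 patch.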
There are a couple shares with null session read access (the trick of giving smbmap wrong creds works here):
┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.154.129 -u "Kali" -p "kali"
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.154.129:445 Name: 192.168.154.129 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
Users has just empty Default and Public folders.
nmap has vuln scripts that will check for known vulnerabilities in a service. It finds a big one, MS-17-010.
Searching on Exploit DB led to the following script.
We can use Metasploit to execute this.

3 is a scanner; we can run that to confirm the vulnerability. 4 needs a backdoor that is already on the system, so we can't use it. Let's start with the scan first and then use 0.
We can run it after entering RHOST.


We can see that it is indeed vulnerable. We can exploit it.
Initial Access
Coming back to 0, i.e. exploit/windows/smb/ms17_010_eternalblue. We shall use it now after setting up the options and payload.

We now have a meterpreter shell.

As you can see, we are already NT AUTHORITY\SYSTEM, which is root access.

Now we can just get the flags we need.
C:\Windows\system32>cd \users
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users
21/07/2017 07:56 <DIR> .
21/07/2017 07:56 <DIR> ..
21/07/2017 07:56 <DIR> Administrator
14/07/2017 14:45 <DIR> haris
12/04/2011 08:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 17,256,050,688 bytes free
C:\Users>type administrator\desktop\root.txt
[REDACTED]
C:\Users>type haris\desktop\user.txt
[REDACTED]