Blue

Blue, while possibly the most simple machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks sin

Hack The Boxapp.hackthebox.com

Recon

Let's start with an nmap scan.

┌──(kali㉿kali)-[~]
└─$ nmap -p- -A -T4 192.168.154.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-11 03:39 EDT
Nmap scan report for 192.168.154.129
Host is up (0.00012s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: WIN-845Q99OO4PP
|   NetBIOS computer name: WIN-845Q99OO4PP\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-03-11T03:42:02-04:00
| smb2-time: 
|   date: 2024-03-11T07:42:02
|_  start_date: 2024-03-11T17:58:29
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ea:70:5f (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.80 seconds

The SMB output says this is Windows 7 Professional.

There are a couple shares with null session read access (the trick of giving smbmap wrong creds works here):

┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.154.129 -u "Kali" -p "kali"
    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
                                                                                                
[+] IP: 192.168.154.129:445      Name: 192.168.154.129        Status: Authenticated
        Disk   Permissions     Comment
        ----   -----------     -------
        ADMIN$ NO ACCESS       Remote Admin
        C$     NO ACCESS       Default share
        IPC$   NO ACCESS       Remote IPC

Users has just empty Default and Public folders.

nmap has vuln scripts that will check for known vulnerabilities in service. It finds a big one, MS-17-010.

Searching on Exploit DB lead to the following script.

Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)Exploit Database

We can use Metasploit to execute this.

3 is a scanner, we can run that to confirm the vulnerability. 4 needs a backdoor that is already on the system so we can't use it. Let's start with the scan first and then use 0.

We can run it after entering RHOST.

We can see the it is indeed vulnerable. We can exploit it.

Initial Access

Coming back to 0 i.e exploit/windows/smb/ms17_010_eternalblue. We shall use it now after setting up the options and payload.

We now have meterpreter shell.

As you can see we are already NT AUTHORITY\SYSTEM which is root access.

Now we can just get the flags need.

C:\Windows\system32>cd \users   

C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  17,256,050,688 bytes free

C:\Users>type administrator\desktop\root.txt
[REDACTED]
C:\Users>type haris\desktop\user.txt
[REDACTED]