# Blue

{% embed url="https://app.hackthebox.com/machines/Blue" %}

## Recon

Let's start with an nmap scan.

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~]
└─$ nmap -p- -A -T4 192.168.154.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-11 03:39 EDT
Nmap scan report for 192.168.154.129
Host is up (0.00012s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: WIN-845Q99OO4PP
|   NetBIOS computer name: WIN-845Q99OO4PP\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-03-11T03:42:02-04:00
| smb2-time: 
|   date: 2024-03-11T07:42:02
|_  start_date: 2024-03-11T17:58:29
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ea:70:5f (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.80 seconds
```

{% endcode %}

The SMB output (`smb-os-discovery`) identifies the host as Windows 7 Ultimate 7601 Service Pack 1, with SMB message signing disabled and a guest session accepted.

There are a couple of shares with null-session read access (the trick of giving `smbmap` wrong credentials works here):

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.154.129 -u "Kali" -p "kali"
    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
                                                                                                
[+] IP: 192.168.154.129:445      Name: 192.168.154.129        Status: Authenticated
        Disk   Permissions     Comment
        ----   -----------     -------
        ADMIN$ NO ACCESS       Remote Admin
        C$     NO ACCESS       Default share
        IPC$   NO ACCESS       Remote IPC
```

{% endcode %}

`Users` has just empty `Default` and `Public` folders.

`nmap` has `vuln` scripts that check a service for known vulnerabilities. Here it finds a big one: MS17-010.
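The scan output above already contains the indicators a defender would want to act on (legacy OS, SMB signing disabled, guest session accepted). The script below is an added example, not part of the original writeup or of nmap: it parses the `smb-os-discovery`, `smb-security-mode` and `smb2-security-mode` host-script blocks from nmap's normal text output and turns them into findings. The sample input is constructed from the scan above; the finding texts and the `SmbHostInfo` structure are this example's own.

```python
"""Triage an nmap SMB host-script report for the weaknesses this box shows."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the relevant lines from the nmap -A scan above, so the
# example runs offline.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: WIN-845Q99OO4PP
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s")
# A host-script header is "| name:" (or "|_name:") with nothing after the colon.
SCRIPT_HEADER_RE = re.compile(r"^\|_? ?([A-Za-z][\w-]*):\s*$")


@dataclass
class SmbHostInfo:
    os_name: str = ""
    os_cpe: str = ""
    computer_name: str = ""
    smb1_signing: str = ""   # smb-security-mode / message_signing value
    smb2_signing: str = ""   # smb2-security-mode signing line
    account_used: str = ""   # "guest" means the null session was accepted
    open_ports: List[int] = field(default_factory=list)


def parse_nmap_smb(text: str) -> SmbHostInfo:
    """Pull OS and SMB security settings out of nmap's normal text output."""
    info = SmbHostInfo()
    section = None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            info.open_ports.append(int(m.group(1)))
            continue
        m = SCRIPT_HEADER_RE.match(raw)
        if m:
            section = m.group(1)
            continue
        line = raw.lstrip("|_ ").rstrip()   # drop the NSE "| " / "|_  " prefix
        if section is None or not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if section == "smb-os-discovery":
            if key == "OS":
                info.os_name = value
            elif key == "OS CPE":
                info.os_cpe = value
            elif key == "Computer name":
                info.computer_name = value
        elif section == "smb-security-mode":
            if key == "message_signing":
                info.smb1_signing = value
            elif key == "account_used":
                info.account_used = value
        elif section == "smb2-security-mode" and "signing" in line.lower():
            info.smb2_signing = line
    return info


def assess(info: SmbHostInfo) -> List[str]:
    """Turn the parsed settings into defender-facing findings."""
    findings = []
    if 445 in info.open_ports and info.smb1_signing.startswith("disabled"):
        findings.append("SMBv1 message signing disabled: relay attacks possible; require signing via Group Policy")
    if "not required" in info.smb2_signing:
        findings.append("SMBv2 signing enabled but not required: require it for all clients and servers")
    if info.account_used == "guest":
        findings.append("Null/guest session accepted over SMB: anonymous share and user enumeration is possible")
    if "Windows 7" in info.os_name:
        findings.append("Windows 7 (out of extended support since January 2020): confirm MS17-010 with "
                        "nmap --script smb-vuln-ms17-010 and disable SMBv1")
    return findings


if __name__ == "__main__":
    host = parse_nmap_smb(SAMPLE_NMAP_OUTPUT)
    print(f"{host.computer_name}: {host.os_name}")
    for finding in assess(host):
        print(" -", finding)
```

Run against the scan above it reports all four findings; a host with SMBv1 off and signing required produces an empty list, which is what you want to see after patching.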

Searching Exploit-DB led to the following script.

{% embed url="https://www.exploit-db.com/exploits/41891" %}

We can use Metasploit to execute this.

<figure><img src="/files/gsZuyl6X5NclM41Rhpla" alt=""><figcaption></figcaption></figure>

`3` is a scanner, so we can run that first to confirm the vulnerability. `4` needs a backdoor that is already on the system, so we can't use it. Let's start with the scan and then use `0`.

We can run it after setting RHOST.

<figure><img src="/files/9uKgzVleEldmYpsld1Z1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/uUoxSwH6cdq680E1bqou" alt=""><figcaption></figcaption></figure>

We can see that it is indeed vulnerable, so we can exploit it.

## Initial Access

Coming back to `0`, i.e. `exploit/windows/smb/ms17_010_eternalblue`: we use it now, after setting up the options and the payload.

<figure><img src="/files/bUwOTwHksqmAZT7vlPDU" alt=""><figcaption></figcaption></figure>

We now have a Meterpreter shell.

<figure><img src="/files/vk6WCResO6kxFJgbNI9k" alt=""><figcaption></figcaption></figure>

As you can see, we are already `NT AUTHORITY\SYSTEM`, which is the Windows equivalent of root access.

<figure><img src="/files/ZkQKKyJDovtSmCnj6UrC" alt=""><figcaption></figcaption></figure>

Now we can just grab the flags we need.

```
C:\Windows\system32>cd \users   

C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  17,256,050,688 bytes free

C:\Users>type administrator\desktop\root.txt
[REDACTED]
C:\Users>type haris\desktop\user.txt
[REDACTED]
```
