This machine is called “Blue” and it is one of the beginner machines on HackTheBox (HTB) and the first machine of this series. Blue is a Windows box and it could possibly be one of the easiest machines to pwn on HTB. I will be using these writeups in this series to help me practice documenting my strategy and reporting. I am also hoping it will help teach someone what I have learned so far.
First we run our nmap scan to see what services are running on the machine. Remember, enumeration is the most important part of ethical hacking, so we need to be thorough.
nmap -T4 -p- -A 10.10.10.40
- -T4 sets the timing template (higher is faster)
- -p- scans all ports
- -A runs an aggressive scan (OS detection, version detection, script scanning and traceroute)
- 10.10.10.40 is the IP address of the target
Immediately I notice port 445 (SMB) is running on an older service pack version of Windows 7, which is interesting, so I'm going to see if we can exploit that.
Let’s look a little deeper into SMB. Luckily nmap has a vuln script we can run to see if the version running on this machine is vulnerable to any known exploits.
nmap -sV -Pn -vv -p 445 --script=smb-vuln* 10.10.10.40
- -sV probes open ports to determine service and version info
- -Pn treats all hosts as online (skips host discovery)
- -vv increases the verbosity level
- -p specifies the port number
- --script=smb-vuln* tells nmap we want to run the SMB vulnerability scripts
- 10.10.10.40 is the IP address of the target
Okay so boom, the script has revealed that this machine is vulnerable to the popular NSA exploit MS17-010, otherwise known as EternalBlue. Luckily there is a module in Metasploit that should work. If you didn't already know about EternalBlue it's fine...a Google search will catch you up to speed on what the exploit is and how it works.
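Once the smb-vuln scan above has been run across more than one host, the useful next step for a defender is turning its output into a patch list. The helper below is an added example, not part of the original writeup: it assumes the scan was re-run with `-oX scan.xml` and parses the structured result that nmap's smb-vuln-ms17-010 script writes; the XML it works on is a constructed sample.

```python
"""Triage helper: pull MS17-010 findings out of nmap XML output.

Added example for this writeup, not the author's code. It assumes the
smb-vuln scan was saved with `-oX scan.xml` and reads the structured
output nmap's smb-vuln-ms17-010 script emits (a table keyed by CVE with
a 'state' element). The XML below is a constructed sample, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML schema: one vulnerable host, one where
# the script could not reach IPC$ and therefore reported no state.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <elem key="risk_factor">HIGH</elem>
        </table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.10.41" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds"/>
      <script id="smb-vuln-ms17-010" output="Could not connect to 'IPC$'"/>
    </port></ports>
  </host>
</nmaprun>
"""


def ms17_010_findings(xml_text):
    """Return {ipv4: state} for every host where smb-vuln-ms17-010 ran."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-vuln-ms17-010":
                continue
            state = script.find(".//elem[@key='state']")
            # No state element means the check did not complete, not "safe".
            findings[addr.get("addr")] = state.text if state is not None else "UNKNOWN"
    return findings


def hosts_to_patch(xml_text):
    """Sorted list of hosts the script positively flagged as VULNERABLE."""
    return sorted(ip for ip, st in ms17_010_findings(xml_text).items() if st == "VULNERABLE")
```

Hosts that come back UNKNOWN still need a follow-up check; a script that could not connect says nothing about patch level.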
So we're going to try using the exploit module ms17_010_eternalblue in Metasploit to gain access to the machine.
First we open Metasploit using the msfconsole command in the terminal.
Then we are going to search for the EternalBlue module.
Looking through the results, the first one listed seems to fit what we are looking for. The second one on the list is for Windows 8, and we discovered this machine is running Windows 7, so that probably wouldn't work.
First we take a look at our options to make sure we configure the module correctly.
We need to set RHOSTS to the IP of the target machine (10.10.10.40), and then we need to set LHOST to the IP address of our attack machine, since that is the address the reverse shell will connect back to on the port we are listening on, which is 4444. Once all of the required options are set we can run the exploit.
Now that everything is set we can run the attack.
IT WORKED! Now that the exploit has run successfully we have access to a Meterpreter shell. The Meterpreter shell will allow us to explore the machine for the admin and user flags. We can run a search to see which directory they are in, and then we should be able to read each flag.
Great, we found them both. We have the root and user flags. The job is done.
My initial attempt at this flag was manual using autoblue but I couldn't get it to work. I wasn't going to post this writeup because I didn't exploit this machine without using Metasploit, but I realized it is important to document my strategy anyway. Every exploit isn't always going to work and there will be times where Metasploit is all I have available. It's not about taking the hard way because of pride. It's about learning, which is what I was able to do here.