Hack The Box: Blue

Link: https://app.hackthebox.eu/machines/51

Enumeration

nmap

Our nmap scan shows SMB open on 139 and 445, Microsoft RPC on 135, and several other Windows RPC ports.

Next, I spawned msfconsole to see whether we could narrow down the Windows version. According to this article, auxiliary/scanner/smb/smb_version probes the SMB dialect and the OS string the server reports, which together narrow the host down to a specific Windows version.

After running it, we see the host speaks SMB 2.1, the dialect introduced with Windows 7 and Server 2008 R2, and the module identifies it as Windows 7 Professional SP1.

Exploit MS17-010

Researching this Windows version leads to MS17-010, better known as EternalBlue. This very well-known vulnerability is a kernel-mode buffer overflow in the SMBv1 server driver (srv.sys), so it only applies while SMBv1 is enabled, which is the default on an unpatched Windows 7 host even though it also speaks SMB 2.1.

In msfconsole, search eternal lists exploit/windows/smb/ms17_010_eternalblue as the first result, and that is the module we need.

At minimum we need to set RHOSTS (the target) and LHOST (the address our reverse payload calls back to), then run exploit. Running check first (or auxiliary/scanner/smb/smb_ms17_010 beforehand) confirms the host is actually unpatched rather than relying on the OS version alone.

We can watch the console print the raw buffer dump it uses to confirm the target OS, send the exploit packets that corrupt the kernel pool, and then send the final payload that opens our meterpreter session!

Dropping into a shell and running whoami, we see we are nt authority\system! Because the bug is in a kernel driver, the exploit lands as SYSTEM directly and no privilege escalation is needed.

Now we just need to grab the flags: I found the root flag on C:\Users\Administrator\Desktop and the user flag on C:\Users\Haris\Desktop.

Conclusion

This was a super easy pwn. I have had experience with EternalBlue from TryHackMe. The most important thing here was simply enumerating the OS version to confirm the vulnerability (as if the title of the box did not immediately give it away).
