HackTheBox- “Blue” [Write-Up] {EASY}

   

HackTheBox- “Blue”

       Michael N (Mm0)
                                                     





About the Box 

  • The “Blue” box on Hack The Box is an easy-level Windows machine that showcases the dangers of the EternalBlue exploit (MS17-010). This exploit has been used in various large-scale ransomware and crypto-mining attacks since it was leaked.


Box URL: https://app.hackthebox.com/machines/51



Figure 1: About the Box








To complete this box I will be using the pwnbox from HackTheBox. 


Adding the Box IP to my /etc/hosts →

Recon

Active Scanning - To complete an active scan I want to get a better understanding of what this machine is doing. One of the best ways to do this is with an nmap scan, to see what ports are open.



From the results of the nmap scan we can see that there are lots of ports open related to AD services. One of the biggest ones that always catches my eye when doing an Nmap scan is the SMB ports 137, 139, 445. (To learn more about SMB, this is a useful resource I used: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb).

Now you might be wondering why SMB uses 3 ports, even though in this scan we only see 2 of the 3 SMB ports being used, and for that explanation I will show a screenshot from ChatGPT…














Findings 

Some more important information for us is:

We have the OS version, the computer name, and the workgroup, and we can see that the admins were lazy and decided to leave this user a part of the default workgroup called “workgroup”. Knowing this amount of information is enough for me to begin moving on to the next phase, as I don't really see anything special or interesting about the other open ports.


Metasploit 

Used a Metasploit auxiliary module to find the SMB version.
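
What an SMB version check reads off the wire, as an added example that is not from the original write-up or from Metasploit: it builds an SMB1 Negotiate request offering only the NT LM 0.12 dialect and classifies the reply, which tells an administrator whether a host still accepts SMBv1, the protocol version MS17-010 affects. The function names, result labels and the two sample replies are constructed for illustration.

```python
import socket
import struct

HDR = "<4sBIBHH8sHHHHH"    # 32-byte SMB1 header layout from [MS-CIFS]
NT_LM_012 = b"NT LM 0.12"  # the SMBv1 dialect string

def smb1_header(flags):
    # id, SMB_COM_NEGOTIATE, status, flags, flags2, then zeroed PID/TID/UID/MID fields
    return struct.pack(HDR, b"\xffSMB", 0x72, 0, flags, 0xC801, 0, bytes(8), 0, 0, 0, 0, 0)

def frame(msg):
    # Direct-TCP transport on port 445: a zero byte plus a 3-byte big-endian length
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def build_negotiate(dialects=(NT_LM_012,)):
    """SMB1 Negotiate request that offers only SMBv1 dialects."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return frame(smb1_header(0x18) + b"\x00" + struct.pack("<H", len(data)) + data)

def classify_reply(reply):
    """Return 'smb1-enabled', 'smb1-refused', 'smb2-reply' or 'no-smb1-reply'."""
    if len(reply) < 8 or reply[0] != 0:
        return "no-smb1-reply"           # connection closed or not an SMB frame
    msg = reply[4:4 + int.from_bytes(reply[1:4], "big")]
    if msg[:4] == b"\xfeSMB":
        return "smb2-reply"              # server answered with an SMB2 header
    if msg[:4] != b"\xffSMB" or len(msg) < 35 or msg[4] != 0x72:
        return "no-smb1-reply"
    status = struct.unpack_from("<I", msg, 5)[0]
    dialect_index = struct.unpack_from("<H", msg, 33)[0]  # first parameter word
    if status != 0 or msg[32] == 0 or dialect_index == 0xFFFF:
        return "smb1-refused"            # error, no parameters, or no dialect chosen
    return "smb1-enabled"

def probe(host, port=445, timeout=5.0):
    """Audit one host you administer; not called at import time."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            return classify_reply(s.recv(4096))
    except OSError:
        return "no-smb1-reply"

# Constructed sample replies (not captured from the box)
SAMPLE_ENABLED = frame(smb1_header(0x98) + bytes([17]) + bytes(34) + bytes(2))
SAMPLE_REFUSED = frame(smb1_header(0x98) + bytes([1]) + b"\xff\xff" + bytes(2))

if __name__ == "__main__":
    for name, sample in (("enabled", SAMPLE_ENABLED), ("refused", SAMPLE_REFUSED)):
        print(name, "->", classify_reply(sample))
```

A host that reports `smb1-enabled` is a candidate for disabling SMBv1 and confirming the MS17-010 patch is installed.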




Resource Development

Let's try and see if we can get access to the IPC$ share.


So you might be wondering what I did here? 


Well, I basically used smbclient in Linux to do some enumeration to see what drives are available on the server.


We can see that there is remote administration and remote IPC. Let's try to access these.



Now armed with all this information I think I'm ready to move on to the next phase, which is to try to find a way into this machine. By doing a quick search on Exploit DB for SMB I came across an RCE for SMB in Metasploit.


So let's launch msfconsole again and try to gain access.


To launch Metasploit type # msfconsole


Then it should launch below. I will attach screenshots of what I did in Metasploit.


To narrow my search results as quickly as possible I used the Microsoft Security Bulletin number.


EXPLOIT ISSUES: 



https://www.freecodecamp.org/news/eternalblue-explained-an-analysis-of-the-windows-flaw/





I was able to fix the issue I was getting and got root flag.

