Blue

Welcome to the write-up for the retired box Blue!

This is another one of those simple boxes that is great for new people to get familiar with reading nmap results and using Metasploit. I start this box just like I would start any box: nmap scans!

nmap -Pn -sV -oN svscan 10.10.10.49

This first scan is really just used to see what is open and running on the target host. Taking a look, we see only three services and a handful of open ports: msrpc, netbios-ssn, and microsoft-ds. If this is your first time hacking a Windows machine, you will see these services fairly often, so you need to know what they are.

MS-RPC is the Microsoft implementation of the RPC protocol. It was, and still is, used to build client/server applications.
Further explanation.

NetBIOS is an OSI Session Layer (Layer 5) protocol and service that allows applications on different computers to communicate with one another over a local area network (LAN). Further information

Microsoft-ds will always run on port 445. This is Microsoft's SMB (Server Message Block) service and it provides file sharing. In purpose it is similar to FTP on Linux.

We will explore how to interact with these ports later on in other Windows boxes.

nmap -Pn -sV -sC -oN scscan 10.10.10.40

This scan shows us a lot of valuable information gathered from port 445, microsoft-ds. Here we can see the OS, the PC name, security information about SMB, and other bits of less useful information.

nmap -Pn -sV --script vuln -oN vulnscan 10.10.10.40

This scan brings in the most useful information. Here we can see that it found a HIGH RISK VULNERABILITY! This gives us the exact CVE, as well as a quick snippet of what it is: critical remote code execution. MS17-010 is Microsoft's own way of naming the bulletin behind this CVE. You can search for it within Metasploit or exploit-db.
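Reading raw -oN output by eye gets tedious once you scan more than one host, so here is an added Python example (not from the original post) that parses nmap's normal-output format for open ports and flags any NSE vuln-script result that reports State: VULNERABLE, which is exactly what the MS17-010 finding above looks like. The scan text is a constructed sample modelled on the output of the commands above, not the write-up's real scan.

```python
import re

# Constructed sample of `nmap -sV --script vuln -oN` output (not the scan from
# the original post): the three SMB-related ports and one NSE vuln result.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
Host script results:
| smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\|_? ?([\w][\w-]*):")  # script name follows "| " directly
FIELD_RE = re.compile(r"^\|_?\s+(State|Risk factor):\s+(\S+)")
FIELD_KEY = {"State": "state", "Risk factor": "risk"}

def parse_nmap_report(text):
    """Return (ports, findings): port dicts and NSE results keyed by script name."""
    ports, findings, current = [], {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line.rstrip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": (m.group(5) or "").strip()})
            continue
        if not line.startswith("|"):      # left the script-output block
            current = None
            continue
        m = SCRIPT_RE.match(line)
        if m:                              # a new script block begins here
            current = m.group(1)
            findings.setdefault(current, {"state": None, "risk": None})
            continue
        m = FIELD_RE.match(line)
        if m and current:                  # indented field inside the current block
            findings[current][FIELD_KEY[m.group(1)]] = m.group(2)
    return ports, findings

def triage(text):
    """Scripts whose result reads 'State: VULNERABLE', with their risk factor."""
    _, findings = parse_nmap_report(text)
    return [(name, f["risk"]) for name, f in findings.items()
            if f["state"] == "VULNERABLE"]
```

Feed triage() the contents of a saved -oN file (the vulnscan file from the command above) and it returns only the scripts that actually reported a vulnerable state, leaving the "false" and informational results out.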

So let's exploit this using Metasploit! It should be nice and simple!

Search for ms17-010 within msf

Searching for MS17-010 shows us the name of the exploit: EternalBlue! You may have heard of this exploit before, but which one should you use? Well, if you look at every line of the name and compare it to the information we have already obtained, we know it isn't Windows 8, so that leaves the only other EternalBlue exploit.

Using and setting up the options for the EternalBlue exploit

Now all we need to do is use the exploit, set the options, and run it. Metasploit is extremely user friendly, and you can see more options by typing advanced. For this exploit all we need to set is RHOSTS to our target host, 10.10.10.40.

Running the exploit gives us a shell!

Running the exploit shows us that we were able to get a shell! (You can also type exploit to run the exploit if you want to feel super elite.) This is a Windows box, so we are working with Windows commands in this shell, and your typical commands like ls and cat will not work. Instead of ls, we use the command dir. Going back to the home directory, we can go into the Users folder and get our flags.

Initial enumeration

Earlier we saw that the name of this PC is Haris-pc, and here we can see his user account!

Obtaining the user flag!

Within his Desktop folder we can see the user.txt file that we need! Try to cat the file and you will see it won't work; on Windows we use the command type to print the contents of a file.

Obtaining the root flag.

Going back up and into the Administrator folder, within that Desktop is root.txt! Use the same command to view it and enter it in hackthebox!

Even though this box is incredibly simple, it shows why keeping your computer and software up to date matters. This could have easily been prevented if the user haris had updated his system rather than ignoring his update notifications. I recommend that you read up on the impact of EternalBlue and how it works, to get an understanding of how we got into this box. EternalBlue information.

Another thing to think about when doing hackthebox is, once you've exploited a host, how would you advise that user to prevent it from happening again?