HackTheBox - Blue Writeup

SH∆FIQ ∆IM∆N included in HacktheBox Windows

20-07-2021 242 words 2 minutes

Contents

Box author | ch4p

Enumeration

First, let’s do an enumeration with the IP address of this machine. I’m gonna run Nmap [Netwok Mapper] to scan any open ports. I’m gonna run this command

1

nmap -sC -sV -oN nmap/initial 10.10.10.40

Explaining the nmap scan:

-sC := scan using nmap default script
-sV := scan for version
-oN := output in normal format

/posts/htb/blue/2.png — nmap initial scan

The Nmap scan is done. The result shows us this is a Windows 7 machine and has smb!

This is a very old machine. I’m pretty sure this is vulnerable to Eternalblue. Let’s run the Nmap smb-vuln script to double-check.

1

nmap --script smb-vuln* -p139,445 -oN nmap/vuln_script 10.10.10.40

/posts/htb/blue/3.png — NSE check vulnerable to Eternalblue

Yup. This machine is vulnerable to Eternalblue exploit.

Foothold/Gaining Access

I’m gonna run Metasploit and search for eternalblue and use it

/posts/htb/blue/4.png — search Eternalblue exploit

Before we run it. We need to set up the RHOSTS and LHOST. Make the lhost is set into your htb ip addr.

/posts/htb/blue/5.png — setup listener ip and port

Oopsie

After that just type run.

/posts/htb/blue/6.png — execute the exploit

WE’RE IN AS SYSTEM!!! cool.

Now, let’s hunt for the user & admin flag.

User flag

Root/Admin flag

Conclusion

I’ve learned a lot today. Please update the system. In this case, I’m able to exploit using EternalBlue and become root. That’s super scary.

I have a fun time doing this machine and I hope you guys too. Bye ;)