HackTheBox - Blue Writeup

Box author | ch4pch4p

Enumeration

First, let’s enumerate the machine using its IP address. I’m gonna run Nmap [Network Mapper] to scan for any open ports. I’m gonna run this command:

nmap -sC -sV -oN nmap/initial 10.10.10.40

Explaining the nmap scan:

  • -sC := run Nmap’s default scripts
  • -sV := detect service versions
  • -oN := write output in normal format to the given file

[Figure: nmap initial scan]

The Nmap scan is done. The result shows us this is a Windows 7 machine and it has SMB!

This is a very old machine. I’m pretty sure this is vulnerable to EternalBlue. Let’s run the Nmap smb-vuln scripts to double-check.

nmap --script "smb-vuln*" -p139,445 -oN nmap/vuln_script 10.10.10.40

[Figure: NSE check vulnerable to EternalBlue]

Yup. This machine is vulnerable to the EternalBlue exploit.
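Added example, not part of the original post: a small parser that reads the `-oN` output of the smb-vuln scripts and splits hosts into confirmed vulnerable (the patch list) and inconclusive (the check errored, so re-scan). The sample output is constructed, and the function names `parse_smb_vuln` and `triage` are chosen here for illustration.

```python
import re

# Constructed sample of `nmap -oN` output (not this post's scan); 192.0.2.x are doc addresses.
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|_    State: VULNERABLE

Nmap scan report for fileserver.example (192.0.2.20)
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
"""

SCRIPT_RE = re.compile(r"^\|[_ ](smb-vuln-[\w-]+):\s*(.*)$")
STATE_RE = re.compile(r"^\|[_ ]\s+State:\s*(.+)$")

def parse_smb_vuln(text):
    """Return {host: {script: state}} from nmap normal-format output."""
    results, host, script = {}, None, None
    for line in map(str.rstrip, text.splitlines()):
        if line.startswith("Nmap scan report for "):
            # Last token is the address, wrapped in () when a hostname precedes it.
            host, script = line.split()[-1].strip("()"), None
            results[host] = {}
        elif host and (m := SCRIPT_RE.match(line)):
            script = m.group(1)
            # One-line results ("false", an error string) have no State: field.
            results[host][script] = m.group(2) or "UNKNOWN"
        elif script and (m := STATE_RE.match(line)):
            results[host][script] = m.group(1)
        elif not line.startswith("|"):
            script = None  # left the script-results block
    return results

def triage(results):
    """Split hosts into confirmed-vulnerable and inconclusive (check errored)."""
    vulnerable, inconclusive = set(), set()
    for host, scripts in results.items():
        for state in scripts.values():
            s = state.upper()
            if s.startswith(("VULNERABLE", "LIKELY VULNERABLE")):
                vulnerable.add(host)
            elif s != "FALSE" and not s.startswith("NOT VULNERABLE"):
                inconclusive.add(host)  # assumption: anything else needs a re-scan
    return sorted(vulnerable), sorted(inconclusive - vulnerable)
```

Calling `triage(parse_smb_vuln(open("nmap/vuln_script").read()))` on the file written by the command above returns the two host lists.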

Foothold/Gaining Access

I’m gonna run Metasploit, search for eternalblue, and use it.

[Figure: search EternalBlue exploit]

Before we run it, we need to set RHOSTS and LHOST. Make sure LHOST is set to your HTB IP address.

[Figure: setup listener ip and port]

Oopsie

After that, just type run.

[Figure: execute the exploit]

WE’RE IN AS SYSTEM!!! cool.

Now, let’s hunt for the user & admin flags.

User flag

[Figure: user flag]

Root/Admin flag

[Figure: root flag]

Conclusion

I’ve learned a lot today. Please update your systems. In this case, I was able to exploit the machine using EternalBlue and become root. That’s super scary.

I had a fun time doing this machine and I hope you guys did too. Bye ;)