Hack The Box — Blue

Information

Blue is an easy retired machine on Hack The Box by ch4p. The vulnerability on this machine is MS17-010, also known as 'Eternal Blue'. We exploited this machine first with a Metasploit module and then with a Python exploit. This writeup will not include any passwords, cracked hashes or flags.

Scanning

We will start off by running an NMAP scan against the target IP:

From the results we can see that ports 139 and 445 are open. We will move on to investigating SMB.

Investigating SMB

We will connect to SMB using smbclient and see what is available:

We can see two disk shares, one called 'Share' and one called 'Users'; we will look at both of these:

There is nothing in ‘Share’ so let’s try ‘Users’:

We have access to a file share but nothing really interesting. Given the Windows version our scan picked up, we will check to see if the server is vulnerable to Eternal Blue:

We can see that the host is vulnerable. We will investigate ways to exploit this vulnerability.
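The same exposure seen from the host side, as an added example that is not part of the original writeup: an audit script a defender would run on the Windows machine to answer the questions the scan above raises (is SMBv1 still offered on 139/445, is an MS17-010 patch installed, is the Guest account enabled) and, with a switch, turn SMBv1 off. It assumes an elevated Windows PowerShell session on Windows 7 SP1 / Server 2008 R2 or newer, and that the KB list (the KBs published with the March 2017 MS17-010 bulletin) is complete enough for the SKUs being audited; a KB miss on a system patched only through later cumulative updates means "verify manually", not "unpatched".

```powershell
<#
  Added example, not part of the original writeup: defender-side audit of the
  exposure Blue demonstrates. Run in an elevated Windows PowerShell session.
  Assumptions: Windows 7 SP1 / Server 2008 R2 or newer; the KB list below is the
  set published with the MS17-010 bulletin and may need extending for builds
  patched only through later cumulative updates.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, disable SMBv1 instead of only reporting
)

# KBs shipped with the MS17-010 bulletin (assumption: adequate for the SKUs audited).
$Ms17010Kbs = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')
$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Exposure {
    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Server side: the SMB1 registry value is absent by default, and absent means enabled.
    $smb1 = (Get-ItemProperty -Path $LanmanServer -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $report.Smb1ServerEnabled = ($null -eq $smb1) -or ($smb1 -ne 0)

    # Windows 8 / Server 2012 and newer also expose this through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $report.Smb1ServerEnabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Patch state: any of the bulletin KBs present counts as patched.
    $hotfix = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $report.Ms17010Patch = if ($hotfix) { ($hotfix.HotFixID -join ', ') } else { 'not found' }

    # The writeup logs in as 'guest'; check whether the built-in Guest account (RID 501) is enabled.
    $guest = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
             Where-Object { $_.SID -like '*-501' }
    $report.GuestEnabled = if ($guest) { -not $guest.Disabled } else { $false }

    # The ports the writeup's scan found open, as seen locally.
    $listeners = netstat -an | Select-String -Pattern ':(139|445)\s+.*LISTENING'
    $ports = $listeners | ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
    $report.SmbPortsListening = $ports -join ', '

    [pscustomobject]$report
}

function Disable-Smb1Server {
    # Registry switch works on Windows 7 / 2008 R2 and takes effect after a reboot.
    Set-ItemProperty -Path $LanmanServer -Name SMB1 -Type DWord -Value 0 -Force
    # Newer systems: turn the dialect off immediately and remove the component.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$exposure = Get-Smb1Exposure
$exposure | Format-List

if ($exposure.Smb1ServerEnabled -and $Remediate) {
    Disable-Smb1Server
    Write-Warning 'SMBv1 disabled on the server side; reboot to apply the registry change.'
}
elseif ($exposure.Smb1ServerEnabled -and $exposure.Ms17010Patch -eq 'not found') {
    Write-Warning 'SMBv1 enabled and no MS17-010 KB found: install the update and re-run with -Remediate.'
}
```

Run it once without the switch to get the report, then with `-Remediate` to disable SMBv1; the registry path is used first because it is the documented method on Windows 7 / Server 2008 R2, where the SmbShare cmdlets do not exist, and the cmdlets are used as well when present so the change applies without waiting for a reboot.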

Exploiting SMB using Metasploit

We will start msfconsole:

And search for MS17-010:

From the results we want to load the second exploit:

Now we can look at the options:

We will set RHOST to our target's IP:

We will also set our payload:

We will need to set our listener IP:

And before we run the exploit let’s use check to make sure the target is vulnerable:

Now that we are ready, we will run the exploit:

The exploit completes and we get a Meterpreter session:

We use the 'shell' command to drop into a shell, and we can see that we are nt authority\system:

From here, we can get the user.txt and root.txt files.

Next, we will look at how to exploit this using a publicly available version of Eternal Blue.

Exploiting SMB — Python Script

We will use searchsploit to find an exploit:

We find a list of exploits with one matching the Windows version on our target. We will save it to our local directory:

Looking at the exploit, we are required to meet a few conditions and make a few adjustments. We will need to download mysmb.py, a module that is imported by the exploit. We also need to adjust the payload to one that meets our needs, and finally we need to add credentials: we don't have a password, but we can use the 'guest' account, which is enabled on the service.

We have mysmb.py in our local directory already but if needed we could download it and rename it with the following commands:

Next, we will generate a reverse shell executable using MSFvenom:

Now that we have the reverse shell executable in our working directory, we need to modify the payload path in the Python script. The original script looks like this:

We need to uncomment lines 922 and 923 and adjust the details to the following:

This will fetch our executable payload from our attack machine and execute it once it is present on the victim.

Finally, we need to adjust the login details: we need to change the following to include, at least, a valid user. We know 'guest' is valid, so we will use that in our adjusted script:

Next, we will set up our listener:

And finally run the exploit against the target:

The exploit runs:

And we can see we have a reverse shell connection to our listener as nt authority\system:

From here we can collect the proof flags as before.

Hi, I’m Ben. This blog is for my write-ups on my journey through learning in infosec. I am OSCP certified and currently looking for experience in the industry.