HTB – Blue

HTB 1 Minute

First blog in a long time wanted to do something fast to get back into it – I want to start doing more HTB this year and using a quick and dirty walk-through lets me get two birds with one stone!

Recon

  1. Run Nmap scan

We see 445 smb! With a name like blue i wonder what smb vulnerability could be our target.. 🙂

2. MSF
Spin up msf and search for smb to see what options we have.

smb_version looks like a good start.

SMB_Version is a good starting point to see what SMB tells us about the host, we can then cross check that with ExploitDB or something similar to see what vulnerabilities are present

With SMB running on Windows 7 SP1 we should have all we need.

Exploit

Lets check vulnerabilities for that Windows version – I am specifically looking to see if its vulnerable to eternal blue; https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Wonderful! Its vulnerable. lets exploit it. We could use ExploitDB’s script; https://www.exploit-db.com/exploits/42031 but lets be lazy and see what MSF has for us by searching for eternal blue, or for MS17-010.

We can see there are several pre-made payloads for eternal blue and one interesting result, but not for this box, is the doublepulsar RCE payload.. Wannacry leveraged that.. the memories :’) but for now we will use Exploit/windows/smb/ms17_010_eternalblue.

Using this we are able to get a shell and it shows we are running as system! Looks like there will only one stage for finding flags with this box. Checking Users we see haris and Admin, both flags were found in the respective users Desktop.

And with that we have our flags. Easy box but good for beginners!

Published by Adam Miller

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s