Blue Walkthrough


Hello Everyone! Here we come back again with one of the easy machines, “Blue”. Let’s take a look at its info and then get started…

As you can see it’s easy and based on Windows OS. Let’s get started…

DNS Enumeration

We will start with an nmap scan to get all open ports, services, OS info and more, as you will see later in this blog post.

> nmap -A -T4 -oG blue.gnmap 10.10.10.40

-A: service detection, OS detection and script results
-T4: timing template 4 to increase the speed of the scan
-oG: save the output in grepable (gnmap) format so that brutespray can use it to brute force the credentials

The results:

Nmap scan report for 10.10.10.40
Host is up (0.17s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h02m04s, deviation: 2s, median: 2h02m02s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-08T18:40:03+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-08T18:40:00
|_  start_date: 2020-12-08T18:37:42

As you can see we have many open ports, but the interesting one we need to focus on is SMB, and you should note two dangerous things in these results:

|    account_used: guest
|    Message signing enabled but not required
|    message_signing: disabled (dangerous, but default)

From these results you should know that the SMB server allows anyone to log in and list the shares, so we will do two tasks:

  1. Try to brute force the SMB credentials and get a username and password using the brutespray tool (available on GitHub)

  2. Try to log in to SMB and list all files using smbclient with the credentials from step 1
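Before going on, an added defender-side example that is not part of the original walkthrough: a small Python script that parses the host-script section of the nmap output above and turns the smb-security-mode / smb2-security-mode lines into audit findings. The sample text is constructed from the scan shown above, and the script assumes that a non-empty smb-security-mode result means the host still negotiates SMBv1 (that nmap script talks SMBv1), which is the protocol MS17-010 abuses.

```python
import re
from typing import Dict, List

# Constructed sample: the host-script part of the nmap output shown above.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|_clock-skew: mean: 2h02m04s, deviation: 2s, median: 2h02m02s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# A script header is a "|"-prefixed line holding only the script name and a colon.
HEADER_RE = re.compile(r"^\|_?\s*([a-z0-9-]+):\s*$")


def parse_host_scripts(text: str) -> Dict[str, List[str]]:
    """Group nmap host-script output lines by NSE script name."""
    scripts: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            scripts[current] = []
            continue
        if current is not None and line.startswith("|"):
            # Strip the "|", "|_" and indentation nmap uses for nested output.
            scripts[current].append(line.lstrip("|_ ").strip())
    return scripts


def smb_findings(scripts: Dict[str, List[str]]) -> List[str]:
    """Map the SMB security-mode results to the weaknesses a defender should fix."""
    findings = []
    smb1 = scripts.get("smb-security-mode", [])
    smb2 = scripts.get("smb2-security-mode", [])
    if smb1:  # assumption: the SMBv1 script only answers when SMBv1 is negotiated
        findings.append("SMBv1 still negotiated: disable SMBv1 and apply MS17-010")
    if any(l.startswith("account_used: guest") for l in smb1):
        findings.append("guest session accepted: disable null/guest SMB access")
    if any(l.startswith("message_signing: disabled") for l in smb1):
        findings.append("SMBv1 message signing disabled: traffic can be tampered with")
    if any("enabled but not required" in l for l in smb2):
        findings.append("SMB2 signing not required: require signing on the server")
    return findings
```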

Use brutespray

To use this tool we need the gnmap file generated by the nmap scan, then we run this command → brutespray -f blue.gnmap

As you can see we now have 2 usernames and 2 passwords for the service running on the SMB server, let’s go to the next step…

Use smbclient

This tool lets you log in to the server with your username and password as follows → smbclient -L \\10.10.10.40 and it will ask you for the password. Remember that from the nmap scan results the password is not required, but we will enter it to take admin privileges, I hope :)

Now we have the directories, but we don’t have access to open them, let’s search for another exploitation method…

Exploitation

One of the advantages of nmap is its scripts, in my opinion they’re wonderful, so we will use them to scan port 445 and get back the exploitation info from its CVE scripts scan, as follows

Now we know that it’s vulnerable to MS17-010, let’s search for it on metasploit

As you can see we have 4 exploits. I’ve tried number 3 but it didn’t work for me, so I’ve tried number 2 and it worked well and got me a reverse shell as you can see

By entering help you will get a list of available commands which you can use, and by entering shell you will get a shell; then whoami tells us our role

Good, we’re root so we don’t need more scripts to raise our privileges, let’s search for the root and the user flag in C:\Users

Congrats ❤

Stay in touch :)
