Skip to main content

HTB BLUE WALK-THROUGH


HackTheBox is an excellent platform for various pen-testers to increase their testing skills  and knowledge.
Machine Level -Easy
Machine Name -Blue
Machine OS -Windows
Machine IP -10.10.10.40
Tools:
Nmap -Nmap is a fantastic tools for scanning the open ports, services and OS detection. You can use other tools other than nmap (which ever you are more comfortable with ) like masscan, SPARTA etc. to scan for open ports.
Metasploit -One of the most common and widely used tool by pen-testers to launch exploits, it is maintained by Rapid 7 . Many books are available to understand the features of this tool.
We will be performing the attack by two methodology (using and without using metasploit).
Methodology 1 (using Metasploit)
Scanning the machine is the first step(i.e. Enumeration).
Use the command sudo nmap -sSVS 10.10.10.40 , this will scan for open ports and services on the host.
Lots of ports are open. But if we are looking for juicy port, then there is smb vulnerability present.
Fire up your Metasploit.
Search for smb_version
Use the module.
Set the rhosts(victim's IP) and run it.
We see that the host is running Windows 7 Professional SP1
Search for exploit for this version.

Rapid7 has a module.
Scroll down to find the exploit.
Copy the exploit into the msfconsole.
See for the options. We need to provide rhosts.
Set the rhosts.
Run the exploit.
We got a shell.
We are authority system.
Grab the root and user flag.
For root flag.
For user flag.

*****************************************************************************************************************************

Method 2(without metasploit)
From the previous section we got to know that the machine is vulnerable to MS17-010.
Download AutoBlue-MS17-010 package from GitHub.
Lets see what's in the package.
These are the scripts we will be using throughout this blog.
First lets use the eternal_checker.py script to see if the machine is vulnerable to AutoBlue.
Command is python eternal_checker.py 10.10.10.40
It says the target is not patched. That means its vulnerable.
Let's prepare a shell. Use the shell_prep.sh script
Just run the script by ./shell_prep.sh
Set the LHOST and LPORT(your IP and listening port), generate a meterpreter shell using staged payload.
Shellcode generated.
Let's prepare a listening port using listener_prep.sh
Just run this script with the command ./listener_prep.sh
Set the details as you set it up for the shellcode script.
We see a listening port opens on metasploit automatically.
Open a new tab in the terminal.
Final step, use the eternalblue_exploit7.py script to send the generated shellcode.
Use the command python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
(sc_all.bin is the shellcode that we generated)
We get a shell (see the listening port that opened earlier)
Shell opened. We are authority system.
Grab the user and root flags.
For user flag.
For root flag.
That's all for this machine.

Thanks for reading.
Takeaway from the machine -> We were able to exploit and gain access to the machine because it was vulnerable to AutoBlue MS10-059.


Thanks !

Comments

Post a Comment

Popular posts from this blog

VULNHUB INFOSEC PREP : OSCP

Welcome to the walkthrough of InfoSec Prep: OSCP walkthrough. It is a beginner-level boot2root machine and it can be downloaded from  here . I cracked this machine literally 5 minutes after it booted properly. So you can consider this machine the easiest.  Hint: Nmap Finding secret.txt and decoding it. Login via ssh. Privilege escalation to root via SUID binary.  Boot up the machine and it should show the IP address. We start off by pinging the box to verify that the box is up and running and we can reach out to it. Command: ping <IP> Then we can run Nmap scan to look for open ports and services running on the box. We will use -sC for running default scripts, -sV for Version/Service info and -T4 for faster execution, and -o for saving the result on a file named nmap The command is: sudo nmap -sC -sV -T4 <IP> -o filename Looking at the scan results, port 22 is open and running ssh, and port 80 is open, and it's running Apache. We can also see a directory named ...
Post a Comment
Read more

Beginners Code Review Part 1

  Image credits to  Leobit This is a walkthrough of an exercise created by  PentesterLab  as a free course for learning beginner-friendly source code review. The link to the source code is here . Either clone it or download it as a zip locally. As instructed in the exercise we won't run the run, just read through the source code and look for possible weaknesses that we can leverage into vulnerabilities. LIST OF WEAKNESSES You can find below the list of issues present in the application: Hardcoded credentials or secrets Information leak Missing security flags Weak password hashing mechanism Cross-Site Scripting No CSRF protection Directory Listing Crypto issue Signature bypass Authentication bypass Authorization bypass Remote Code Execution Hand-On Findings and Objectives * Hardcoded credentials or secrets      ...
Post a Comment
Read more

KIOPTRIX LEVEL 1 WALKTHROUGH WITH AND WITHOUT METASPLOIT

Kioptrix Level 1 is a beginner level CTF challenge. You can download this virtual machine from here .  Details of Kioptrix : Size----186 MB OS---Linux Note: In virtual box, set up a Bridged network (virtual box -> preferences -> network) in networking, put both your Kali and Kioptrix to Bridged network. Fire-up both the machines(Kali and Kioptrix Level 1) Kioptrix will ask for the logins which we don't know at the moment. This also means we can't find IP of the Kioptrix directly from the Kioptrix machine itself. Leave the Kioptrix machine as it is and switch to Kali. First we need to find the IP address of the Kioptrix machine. We will use the tool netdiscover that comes pre-installed in Kali Linux to identify the IP address. Command   sudo netdiscover -i eth0 Wait  for scan results. 192.168.233.130 seems to be the IP of the Kioptrix machine. Let's scan this IP address using the tool Nmap (scan will also verify that its the IP of Kioptrix machine) Command  su...
1 comment
Read more