HTB — Blue Walkthrough (No Metasploit)

jb00gie
5 min read, Jun 23, 2020

In my opinion, this box should be one of the first boxes someone new to Hack The Box attempts. The attack surface is small, so it lays the foundation for a newcomer learning how to enumerate and how to develop their own exploitation methodology.

ENUMERATION

To start off every box, running an nmap (Network Mapper) scan is critical to learning which ports are open and listening for connections from other machines. There are many ways to perform such a scan and to each their own, but in general one should scan all 65535 TCP ports to fully enumerate the box.

nmap — Full TCP Scan

nmap switches:

  • -T4: Sets how fast you want the scanner to go. The timing templates range from T1 to T5, with T5 being the fastest. I usually go with T4 because it's normally fast enough without missing anything. NOTE: the faster the scan, the higher the chance of inaccurate results (dropped probes can make an open port look closed or filtered).
  • -A: Enables OS detection, version detection, script scanning, and traceroute.
  • -p-: Scans all ports from 1 to 65535.

From the scan above, we see that the SMB ports are open (139 and 445). These ports are normally open on Windows machines and allow computers on a network to share files with each other, as in corporate environments. However, SMB is frequently vulnerable if it is not configured and patched properly, the famous EternalBlue exploit being the best-known example. Hmmmm, could the name of this box be giving us a hint. . . 😮

NMAP NSE Scripts

Nmap is a powerful tool that should be kept in one's pocket during any penetration testing engagement or CTF. It can run scripts that tell the user whether a machine may be vulnerable. Since the other open ports (besides RPC) offer no low-hanging fruit, we can run the Nmap Scripting Engine (NSE) vulnerability scripts against the SMB ports to see whether the box is indeed vulnerable to any SMB exploits.

nmap NSE Vuln Scan

The results of the SMB NSE scripts show that Blue is indeed vulnerable to MS17-010, aka the EternalBlue exploit.
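As an added, defender-side example that is not part of the original walkthrough: the same NSE result, saved with nmap's -oX option, is what a vulnerability-management script would consume. The Python below parses nmap XML and lists hosts whose smb-vuln-ms17-010 state means they need patching; the XML it runs on is constructed here, with made-up addresses.

```python
import re
import xml.etree.ElementTree as ET
MS17_010_SCRIPT = "smb-vuln-ms17-010"
SMB_PORTS = {"139", "445"}

# Constructed nmap XML (-oX) for two hosts; addresses and results are made up for this example.
SAMPLE_XML = """<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="139"><state state="open"/></port>
         <port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript><script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
   <table key="ms17-010"><elem key="state">VULNERABLE</elem></table></script></hostscript>
 </host>
 <host><address addr="10.0.0.6" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript><script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
   <table key="ms17-010"><elem key="state">NOT VULNERABLE</elem></table></script></hostscript>
 </host>
</nmaprun>"""

def ms17_010_state(script):
    """Prefer the vulns-library 'state' elem; fall back to the script's plain-text output."""
    for elem in script.iter("elem"):
        if elem.get("key") == "state":
            return (elem.text or "").strip()
    m = re.search(r"(?:NOT |LIKELY )?VULNERABLE", script.get("output", ""))
    return m.group(0) if m else "UNKNOWN"

def find_exposed_hosts(xml_text):
    """Return [(addr, open_smb_ports, state)] for hosts with SMB open or an MS17-010 result."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        open_smb = sorted(p.get("portid") for p in host.iter("port")
                          if p.get("portid") in SMB_PORTS and p.find("state").get("state") == "open")
        states = [ms17_010_state(s) for s in host.iter("script") if s.get("id") == MS17_010_SCRIPT]
        if open_smb or states:
            findings.append((addr, open_smb, states[0] if states else "NOT SCANNED"))
    return findings

def needs_patching(findings):
    """Addresses whose state starts with VULNERABLE or LIKELY VULNERABLE (NOT VULNERABLE is excluded)."""
    return [a for a, _, s in findings if s.startswith(("VULNERABLE", "LIKELY VULNERABLE"))]

if __name__ == "__main__":
    results = find_exposed_hosts(SAMPLE_XML)
    for addr, ports, state in results:
        print(f"{addr}: open SMB ports {ports or 'none'}; MS17-010 {state}")
    print("needs patching:", needs_patching(results))
```

Replace SAMPLE_XML with the contents of a real `nmap -p139,445 --script smb-vuln-ms17-010 -oX scan.xml <range>` run to get a patch list for your own network.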

EXPLOITATION

On our Kali box we have a tool called Searchsploit, a local copy of the Exploit-DB database. We can query Searchsploit to see whether there are any exploits for this well-known vulnerability.

Searchsploit

From the Searchsploit results we see that there are two exploits compatible with this Windows 7 box (OS identified from the nmap scan). I chose the second exploit (42315.py) and downloaded the exploit script with the command "searchsploit -m 42315".

Looking into the actual exploit script, we see that it requires another Python script and provides the link to download it, shown below.

Link to download mysmb.py

After downloading the required script into the same directory as the exploit script, two modifications must be made before we can pop Blue. Also, this EternalBlue script requires valid credentials in order to work. Since we don't have any at the moment and there are few other services to enumerate for any, we can try the user "anonymous". To make sure that anonymous is a valid user, we can use smbclient. First we use smbclient to list all the shares on the box.

Using smbclient To List Shares

Now we can attempt to authenticate as anonymous; if that succeeds, we know we will be able to get a System shell via EternalBlue. We again use smbclient to log in.

Logging Into SMB Shares

Now that we know anonymous with no password is a valid login, we can leave the username and password blank in the exploit script.

The last modification needed for this script to give us a reverse shell is to generate a payload with msfvenom. You must supply msfvenom your IP address (LHOST), the port you want the connection on (LPORT), and the type of file it should output (-f).

Generating Payload via msfvenom

Now we must point the script at this executable so that it sends the payload to Blue and gives us a shell. The script already has this code, but it is commented out in the smb_pwn function, so we uncomment it and change the parameters to the file location of the malicious executable we generated with msfvenom.

Original smb_pwn() From Script
After Modification to smb_pwn()

Now that we have fixed the script, all that is left is to start a netcat (nc) listener to catch our reverse shell and run the Python script.

Sending Payload To Blue Using ntsvcs Pipe
Getting System :)

Just like that, you are the most powerful user on this box: "NT AUTHORITY\SYSTEM".

jb00gie

Father | Hooper | Sole Collector | Penetration Tester | OSCP | eCPPTv2 | Security+ | AWS Security Cloud Practitioner | SATX | jfoolish_22