Hack The Box Walkthrough: Blue
This article contains walkthrough for a retired HTB machine called Blue.
Run nmap on the target.
sudo nmap -sV -sC -oA nmap/blue 10.10.10.40
Starting Nmap 7.93 ( https://nmap.org ) at 2023–03–10 02:52 EST
Nmap scan report for 10.10.10.40
Host is up (0.15s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023–03–10T07:53:28
|_ start_date: 2023–03–10T07:51:08
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023–03–10T07:53:25+00:00
|_clock-skew: mean: 2s, deviation: 1s, median: 1sService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.96 seconds
The OS detected is Windows 7 Professional 7601 Service Pack. There is a possibility that our target is vulnerable to EternalBlue.
Now, open Metasploit and search for the EternalBlue exploit.
![[Pasted image 20230310162734.png]]
We find that there is an exploit under exploit/windows/smb/ms17_010_eternalblue. Set the RHOSTS (the target’s IP address) and LHOST (our IP address).
![[Pasted image 20230310163110.png]]
Run the exploit (NOTE: it might take you more than one attempt to get a successful shell)
After the exploit completes, we will get a Meterpreter session. Type ‘shell’ to get access to Windows Command Prompt.
To find what user we are logged in as, type ‘whoami’. We get the following output:
nt authority\system
This implies that we are logged as the user with the highest privilege in Windows.
The user.txt is located in C:\Users\haris\Desktop and the root.txt is located in C:\Users\Administrator\Desktop.
