Hey! My name is 0xHuey, and I am a infosec enthusiest who is tackling various Hackthebox challenges and providing write-ups! Thank you for following along my joruney.
I am in the process of studying for my GIAC GPEN/OSCP and I thought tacklking the boxes outlined by TJNULL would be a great additional resource while I study the GIAC books.
Follow me on twitter @0xhuey !
So lets begin!
Difficulty level: Easy
20mins of work but my scan took a really log time to run so it was actually an hour but I think my internet was being throttled a bit
Some background on what I am doing here.
-sV = version detection scan
-sC = runs default scripts
-v = verbose
-Pn = checks to see if the host is alive
-p- = scans all ports
-A = detailed information on scripts
-T4 = speed things up
After some time we get the results from that scan that shows a few different things going on. The first is that I see 9 different ports open with most of which running Microsoft Windows RPC. This stands for Microsoft Remote Procedure Call which is a modified version of DCE/RPC. This was used to create a client/server model in Windows NT.
Another item which is important to pick up on is the smb host-script section towards the bottom. It shows the machine as potentially being a Windows 7 Professional 7601 Service pack.
With the information I just found out from the scan I will start looking up "Windows 7 smb" vulnerabilities on Google, which turns up Eternal Blue.
If you don't know who the shadow brokers are, I would take a listen to this episode from the Darknet Diaries on them. https://darknetdiaries.com/episode/53/. Its a really nice listen that provides a lot of back story to how these exploits got out in the wild.
But the short of it is, this is a NSA exploit that gives you remote code execution on a Windows machine via a vulnerability in the SMB protocol.
I come across the following repo I can use.
Something that is really cool in the directions is that there is a checker script to see if your victim are vulnerable. Run the wget command to download the script.
Run python eternal_checker.py 10.10.10.40 and you will see if they are patched or not.
Now that we have confirmed that it hasn't been patched, we can go back to the Github repo to look at the instructions on how to run this.
Navigate to the shellcode folder that you downloaded from above.
Now run the ./shell_prep.sh command to start the script. Once running you will notice it mirrors Metasploit. Follow along in the image below to configure it correctly.
Now after running the above commands a payload will be generated. It is time to execute the code with a netcat listener running on another window. Type nc -lvp into the new window.
After sometime you should be greeted with a connection!
So nice work! I will now run systeminfo command to see what type of machine it is. I can confirm that it is indeed a Microsoft Windows 7 machine, standalone machine.
After some searching I find the User and Root txt files.