DEV Community

loading...
Cover image for Writeup: HackTheBox Blue- Without Metasploit (OSCP Prep)

Writeup: HackTheBox Blue- Without Metasploit (OSCP Prep)

0xhuey profile image Chris 'Huey' S ・3 min read

Blue HackTheBox Write up

Hey! My name is 0xHuey, and I am a infosec enthusiest who is tackling various Hackthebox challenges and providing write-ups! Thank you for following along my joruney.

I am in the process of studying for my GIAC GPEN/OSCP and I thought tacklking the boxes outlined by TJNULL would be a great additional resource while I study the GIAC books.

Follow me on twitter @0xhuey !

So lets begin!

Difficulty level: Easy
20mins of work but my scan took a really log time to run so it was actually an hour but I think my internet was being throttled a bit

I start off with running a general Nmap Scan to see the services running and for the ports.
Alt Text

Some background on what I am doing here.
-sV = version detection scan
-sC = runs default scripts
-v = verbose
-Pn = checks to see if the host is alive
-p- = scans all ports
-A = detailed information on scripts
-T4 = speed things up

After some time we get the results from that scan that shows a few different things going on. The first is that I see 9 different ports open with most of which running Microsoft Windows RPC. This stands for Microsoft Remote Procedure Call which is a modified version of DCE/RPC. This was used to create a client/server model in Windows NT.

Another item which is important to pick up on is the smb host-script section towards the bottom. It shows the machine as potentially being a Windows 7 Professional 7601 Service pack.

Alt Text

With the information I just found out from the scan I will start looking up "Windows 7 smb" vulnerabilities on Google, which turns up Eternal Blue.

If you don't know who the shadow brokers are, I would take a listen to this episode from the Darknet Diaries on them. https://darknetdiaries.com/episode/53/. Its a really nice listen that provides a lot of back story to how these exploits got out in the wild.

But the short of it is, this is a NSA exploit that gives you remote code execution on a Windows machine via a vulnerability in the SMB protocol.

I come across the following repo I can use.

Alt Text

Something that is really cool in the directions is that there is a checker script to see if your victim are vulnerable. Run the wget command to download the script.

Alt Text

Run python eternal_checker.py 10.10.10.40 and you will see if they are patched or not.

Alt Text

Now that we have confirmed that it hasn't been patched, we can go back to the Github repo to look at the instructions on how to run this.

Navigate to the shellcode folder that you downloaded from above.

Alt Text

Now run the ./shell_prep.sh command to start the script. Once running you will notice it mirrors Metasploit. Follow along in the image below to configure it correctly.

Alt Text

Now after running the above commands a payload will be generated. It is time to execute the code with a netcat listener running on another window. Type nc -lvp into the new window.

Alt Text

After sometime you should be greeted with a connection!

Alt Text

So nice work! I will now run systeminfo command to see what type of machine it is. I can confirm that it is indeed a Microsoft Windows 7 machine, standalone machine.

Alt Text

After some searching I find the User and Root txt files.

Alt Text

Discussion (0)

pic
Editor guide