
Hack The Box – Blue Walkthrough

Introduction

This is a fairly easy box that requires you to exploit the Eternal Blue vulnerability (CVE-2017-0143, fixed by the MS17-010 Microsoft update) in the SMB service (specifically SMB version 1), which allows remote code execution.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests

The following open ports were found by Nmap:

  • 135 – Used by Remote Procedure Call (RPC)
  • 139/445 – Used by Server Message Block (SMB)
  • 4915X – Used by Microsoft Windows RPC (MSRPC)

SMB Enumeration

I used smbclient with the -L flag to list the shares available on the machine. There are a couple of uncommon shares, although these are not useful for gaining access to the machine.

The next step was to run an Nmap scan on port 445 with all SMB enumeration scripts, to further enumerate this service.

Command used: nmap -p 445 -Pn --script smb-enum* 10.10.10.40

I then ran another Nmap scan to check for any known vulnerabilities in the SMB service. Nmap has a number of “smb-vuln-msxx-xxx” scripts that can be used to test the SMB service for publicly known vulnerabilities.

The scripts found that the host is vulnerable to the MS17-010 Eternal Blue vulnerability.

Exploiting EternalBlue

I had previously exploited the Eternal Blue vulnerability using scripts from Exploit DB, but I have often found better scripts from the community on GitHub. I found this really handy “AutoBlue-MS17-010” script.

It can be cloned with: git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

After cloning the Git repository, following the instructions outlined in the documentation, the first step is to generate our shellcode, which will be executed on the victim host when the exploit runs.

This works in the same fashion as creating shellcode with MSFvenom; in fact, that is what the script uses to generate the final payload. All we have to do is specify the local host, local port and type of payload. Generating shellcode:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

The final step is to execute the script, providing the victim host and the shellcode to use. We immediately receive a callback with a SYSTEM shell.

Conclusion

Although this vulnerability isn’t particularly difficult to exploit, it is indeed quite common, especially on older Windows machines, and it is very useful to know how to exploit it, as you are very likely to come across it when performing a real penetration test.