First blog in a long time wanted to do something fast to get back into it – I want to start doing more HTB this year and using a quick and dirty walk-through lets me get two birds with one stone!
- Run Nmap scan
We see 445 smb! With a name like blue i wonder what smb vulnerability could be our target.. 🙂
Spin up msf and search for smb to see what options we have.
SMB_Version is a good starting point to see what SMB tells us about the host, we can then cross check that with ExploitDB or something similar to see what vulnerabilities are present
With SMB running on Windows 7 SP1 we should have all we need.
Lets check vulnerabilities for that Windows version – I am specifically looking to see if its vulnerable to eternal blue; https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Wonderful! Its vulnerable. lets exploit it. We could use ExploitDB’s script; https://www.exploit-db.com/exploits/42031 but lets be lazy and see what MSF has for us by searching for eternal blue, or for MS17-010.
We can see there are several pre-made payloads for eternal blue and one interesting result, but not for this box, is the doublepulsar RCE payload.. Wannacry leveraged that.. the memories :’) but for now we will use Exploit/windows/smb/ms17_010_eternalblue.
Using this we are able to get a shell and it shows we are running as system! Looks like there will only one stage for finding flags with this box. Checking Users we see haris and Admin, both flags were found in the respective users Desktop.
And with that we have our flags. Easy box but good for beginners!