Hack The Box: Blue

Difficulty: Easy

Machine Creator: ch4p

Tools Used: nmap, python, smbclient, msfvenom, Metasploit handler

Task: To find User.txt and Root.txt

Network Enumeration

Let's start with a quick nmap SYN scan of all TCP ports to discover open ports and services.

nmap -sS --min-rate 5000 --max-retries 1 -p-

The quick scan shows multiple open ports. Let's list the available "smb-vuln" NSE scripts and run all of them against SMB on port 445.

ls /usr/share/nmap/scripts/ | grep "smb-vuln"

nmap -A -vv --script=smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-ms17-010 -p445
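As an added, defender-oriented example that is not part of the original write-up: when the script scan above is saved with -oX, the smb-vuln results can be pulled out of the XML to inventory which hosts actually report a positive state, rather than eyeballing the verbose console output. The sample XML and its addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed "nmap -oX" sample (placeholder addresses) in the NSE vulns-library layout.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms08-067" output="NOT VULNERABLE">
        <table key="smb-vuln-ms08-067">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="ERROR: Script execution failed"/>
    </hostscript>
  </host>
</nmaprun>
"""

def vulnerable_hosts(xml_text):
    """Map host IP -> [(script id, vuln key, state)] for positive smb-vuln-* hits.
    Keeps "VULNERABLE", "VULNERABLE (Exploitable)" and "LIKELY VULNERABLE";
    drops "NOT VULNERABLE" and errored scripts (which carry no <table>)."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith("smb-vuln-"):
                continue
            for table in script.findall("table"):
                state = table.find("elem[@key='state']")
                text = (state.text or "").strip() if state is not None else ""
                if "VULNERABLE" in text and not text.startswith("NOT"):
                    findings.setdefault(addr.get("addr"), []).append(
                        (sid, table.get("key"), text))
    return findings
```

The errored host is deliberately left out of the result, so a failed script run is never mistaken for a clean host; re-scan those separately.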

Exploit Development

While there is a Metasploit module for EternalBlue, let's do this the manual way. Searching Exploit-DB turns up a Python script for this exploit, along with the mysmb.py helper module it imports.

https://www.exploit-db.com/exploits/42315/

https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py

Before we can run this exploit, we need to discover the open SMB shares on the machine. Add the target's hostname to /etc/hosts, then list the shares with a null session.

vi /etc/hosts

smbclient -L \\HARIS-PC -N

The listing shows open SMB shares, but we still need to verify that we can actually access one. Connect to the Users share with smbclient and leave the password blank when prompted.

smbclient \\\\haris-pc\\Users

Payload Generation

Exploit Modification

Handler Setup


User.txt and Root.txt

Post Exploitation

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f