[HTB] Blue

This is my first post in a week, not because I was procrastinating or slacking off, but because I was taking time to watch pentesting lectures to strengthen my foundational knowledge. I've always felt my foundation was a bit weak. After watching some videos, I tackled this box, one of the easy-level challenges they recommended. I'm proud to say that, for the first time, I solved it without any help from a walkthrough. Even though it was a straightforward box, solving it on my own is really satisfying. I know there's still a lot of room for improvement, especially in writing better write-ups, but still, I'm definitely making progress!



As always, I started the enumeration phase by scanning ports with nmap.

```
# Nmap 7.94SVN scan initiated Tue Aug  6 23:39:01 2024 as: nmap -T4 -A --min-rate 3000 -p- -oA output 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.0084s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=8/6%OT=135%CT=1%CU=31869%PV=Y%DS=2%DC=T%G=Y%TM=66B2
OS:FAC2%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=I%CI=I%II=I%SS=S%
OS:TS=7)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5
OS:=M53CNW8ST11%O6=M53CST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=
OS:2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53CNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF
OS:=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%
OS:RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W
OS:=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m57s, deviation: 34m36s, median: 0s
| smb2-time:
|   date: 2024-08-07T04:40:29
|_  start_date: 2024-08-07T04:29:18
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-08-07T05:40:30+01:00
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required

TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
1   8.08 ms 10.10.14.1
2   8.47 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug  6 23:40:34 2024 -- 1 IP address (1 host up) scanned in 93.01 seconds
```

Since the target host is running an SMB server, I tried smbclient -L \\\\10.10.10.40\\ to list the shares.


Anonymous login failed on every share except the Users share. I spent some time looking around inside it, but there was nothing useful.


While exploring the Users share, I ran another nmap script to check for SMB vulnerabilities. The scan found one: CVE-2017-0143, also known as ms17-010.
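Everything the enumeration phase surfaced (guest access on SMB, signing disabled on SMB1 and not required on SMB2, an end-of-life Windows 7 SP1 host, and the ms17-010 hit) is already in the nmap text above, so it is worth automating the read-out. The following Python script is an added example, not part of the original post: it parses nmap host-script output of the shape shown above into per-script blocks and turns them into defender-facing findings. The sample scan text is constructed for this example; the smb-vuln-ms17-010 block in it follows that NSE script's output format and is constructed as well, not copied from the box.

```python
import re

# Constructed sample input in the shape of the nmap host-script output shown in this
# write-up. The smb-vuln-ms17-010 block follows that NSE script's output format and
# is constructed here as well; it is not copied from the original scan.
SAMPLE_SCAN = """\
Host script results:
|_clock-skew: mean: -19m57s, deviation: 34m36s, median: 0s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|_  System time: 2024-08-07T05:40:30+01:00
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

# A script header is "| name:" or "|_name:" with at most one space after the bar.
# Nested detail lines are indented by at least two more spaces, so they never match.
SCRIPT_HEADER = re.compile(r"^\|_? ?([\w-]+):(.*)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_host_scripts(text):
    """Group nmap host-script output into {script_name: [detail lines]}."""
    scripts = {}
    current = None
    for line in text.splitlines():
        header = SCRIPT_HEADER.match(line)
        if header:
            current = header.group(1)
            scripts[current] = []
            if header.group(2).strip():  # one-line scripts such as clock-skew
                scripts[current].append(header.group(2).strip())
        elif current is not None and line.startswith("|"):
            # Strip the "|" / "|_" prefix and the indentation, keep the content.
            scripts[current].append(line.lstrip("|_").strip())
    return scripts


def assess(scripts):
    """Turn parsed script output into defender-facing findings (strings)."""
    findings = []
    security = scripts.get("smb-security-mode", [])
    if any(line.startswith("account_used: guest") for line in security):
        findings.append("SMB accepts guest (anonymous) sessions")
    if any(line.startswith("message_signing: disabled") for line in security):
        findings.append("SMB1 message signing disabled")
    if any("not required" in line for line in scripts.get("smb2-security-mode", [])):
        findings.append("SMB2 message signing not required")
    os_lines = scripts.get("smb-os-discovery", [])
    if any(line.startswith("OS:") and "Windows 7" in line for line in os_lines):
        findings.append("end-of-life operating system (Windows 7)")
    vuln = scripts.get("smb-vuln-ms17-010", [])
    if any(line.strip() == "State: VULNERABLE" for line in vuln):
        cves = sorted({cve for line in vuln for cve in CVE_ID.findall(line)})
        findings.append("MS17-010 unpatched (" + ", ".join(cves) + ")")
    return findings


def report(text):
    """Parse raw nmap output and return the list of findings."""
    return assess(parse_host_scripts(text))


if __name__ == "__main__":
    for finding in report(SAMPLE_SCAN):
        print("[!]", finding)
```

Each finding maps to a standard hardening step: require SMB signing (the SMB2 line above shows it enabled but optional, which gives no protection), disable SMBv1 where nothing depends on it, apply the MS17-010 update, and retire Windows 7 hosts. The guest account_used line is also the cue that led to the anonymous share listing in this write-up, so it is worth flagging on its own.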


To exploit the vulnerability, I opened msfconsole and searched for ms17-010.


Then I configured the exploit options: set RHOSTS to 10.10.10.40 and LHOST to 10.10.14.15.


Successfully got a shell!


The user flag was on the desktop of the user Haris.


Moving up to the All Users directory and then into the Administrator directory, I found root.txt.



#Hack The Box