August 24, 2019
Blue is a very easy Windows box with only a couple of ports open. Named after the EternalBlue exploit, this box takes advantage of a vulnerability in Microsoft's implementation of the SMB protocol.
Start with active reconnaissance against the target machine. We use nmap to scan for open ports on the machine.
Port 445 seemed interesting to me. As a beginner I wasn't too familiar with microsoft-ds, so I ended up doing some quick Google searches about it and found a few hits.
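As an added example (not part of the original write-up), here is a small Python triage script that reads nmap XML output (nmap -oX) and flags every host exposing SMB on 139/445 tcp, pulling out the product, hostname and OS hints that version detection attaches to microsoft-ds. The embedded scan is constructed for the example: the addresses are documentation placeholders, and the HARIS-PC hostname is the one the write-up's scan reported.

```python
import xml.etree.ElementTree as ET

# TCP ports that carry SMB and the service names nmap usually labels them with.
SMB_PORTS = {139: "netbios-ssn", 445: "microsoft-ds"}

# Constructed nmap -oX sample (not a real scan; 192.0.2.x are placeholder addresses).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/>
        <service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"
                 hostname="HARIS-PC" ostype="Windows"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""


def smb_exposure(xml_text):
    """Return one record per host that has SMB (139/445 tcp) open, for exposure triage."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        open_smb, info = [], {}
        for port in host.iter("port"):
            pid = int(port.get("portid"))
            state = port.find("state").get("state")
            if port.get("protocol") == "tcp" and pid in SMB_PORTS and state == "open":
                open_smb.append(pid)
                svc = port.find("service")
                if svc is not None:
                    # Version-detection hints worth keeping for the patch/hardening ticket.
                    for attr in ("product", "hostname", "ostype"):
                        if svc.get(attr):
                            info[attr] = svc.get(attr)
        if open_smb:
            findings.append({"addr": addr, "smb_ports": sorted(open_smb), **info})
    return findings


if __name__ == "__main__":
    for finding in smb_exposure(SAMPLE_XML):
        print(finding)
```

Hosts in the returned list are the ones to check for the MS17-010 patch and for SMBv1 still being enabled.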
After reading through those two links, I ended up searching Metasploit for an exploit for MS17-010.
Here I found a suitable exploit module, set the remote host to the target machine and configured a reverse TCP shell back to my own machine.
Executing the payload, we pwned the box and had user privileges.
There we go! We are now in the machine.
If you recall, the nmap scan says Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/p:microsoft:windows.
This clearly gives a hint that the user flag is in the haris folder. After looking through the user's folders we can see the user flag in the user.txt file.
But we aren’t done with the machine yet. We still have to find the root flag to escalate privileges further.
Next we snoop around the Administrator folder. On the Administrator user's Desktop, we find the root flag in the root.txt file.
This was a very easy box. Overall, it taught me to do my research rather than diving in head first and assuming. If I hadn't done some research on a port that I always assumed was the Samba SMB service, I would have been stuck on it much longer. Once I figured that one part out, I was able to easily exploit the machine using basic penetration testing techniques.
As per usual, now that we have pwned this box, we can move on to another one. You can expect a write-up for Shocker next.