HackTheBox CTF Walkthrough - "Blue"

Note: This is a reupload of a CTF walkthrough from my original website which no longer exists.

Hello all,

We will be looking at the now retired HackTheBox machine "Blue" which is regarded as one of the simplest HackTheBox machines available.


ENUMERATION:

Machine IP: 10.10.10.40
OS: Windows

First we start off with an Nmap scan. This is my preferred Nmap scan for HackTheBox machines. If I fail to find anything on the default 1000 port list, I'll run a scan of all 65535 ports.



This type of scan can take a minute or two simply due to the amount of enumeration it is performing on the remote host. If you want to speed up the process, you can drop the OS detection (-O) and add the -T5 timing flag. Running this particular Nmap scan on all 65535 ports can take 5-10 minutes, so be warned.

Here are the results of our scan.


As we can see, we have a few ports open. Also, if we didn't already know that this was a Windows machine, these port results in particular would be a dead giveaway. Further down beneath the TCP/IP fingerprint, we can see the hostname of the target is "HARIS-PC" and that CPE (Common Platform Enumeration) verified that it is a Windows machine.

Further down we can view the results from the Nmap vulnerability enumeration script. As we can see, it appears that the remote host HARIS-PC is vulnerable to MS17-010, or CVE-2017-0143. If we Google this particular Microsoft Security Bulletin, we can see that it is a critical vulnerability in Windows SMBv1 that allows an attacker remote code execution on a victim's computer.
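When more than one host is in scope, it helps to triage this script output mechanically rather than by scrolling through screenshots. The following is an added Python example (not part of the original walkthrough) that reads an Nmap -oX report, lists each host's open TCP ports and the smb-vuln-ms17-010 verdict, and flags the 135/139/445 pattern that gives a Windows host away, so the vulnerable hosts can be prioritised for patching. It assumes the scan was saved with -oX; the embedded XML is a constructed sample (only the hostname is taken from this page) and the function names are my own.

```python
"""Triage an Nmap XML report for hosts that smb-vuln-ms17-010 flagged as
VULNERABLE and for the port pattern that gives a Windows host away.

Added example for this walkthrough, not the author's own code. It assumes the
scan was saved with -oX (e.g. nmap -sV --script vuln -oX report.xml <target>);
SAMPLE_XML is a constructed report in the shape Nmap writes, not real output."""
import sys
import xml.etree.ElementTree as ET

# MSRPC, NetBIOS session service and SMB over TCP: all three open together is
# the "dead giveaway" for a Windows host mentioned in the walkthrough.
WINDOWS_TELLTALE_PORTS = {135, 139, 445}

# Constructed sample: the box from the walkthrough (hostname taken from the
# page, script result shaped like the vulns NSE library output) plus a second
# host on which the script did not run at all.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <hostnames><hostname name="HARIS-PC" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ...">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.41" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host that is up: address, hostname, sorted open TCP
    ports, and the state reported by smb-vuln-ms17-010 (None if it did not run)."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        open_ports = sorted(
            int(port.get("portid"))
            for port in host.findall("ports/port[@protocol='tcp']")
            if port.find("state") is not None and port.find("state").get("state") == "open"
        )
        ms17_state = None
        script = host.find("hostscript/script[@id='smb-vuln-ms17-010']")
        if script is not None:
            # The vulns library records the verdict in <table><elem key="state">;
            # fall back to the script's free-text output if that element is absent.
            state = script.find("table/elem[@key='state']")
            ms17_state = (state.text or "").strip() if state is not None else script.get("output", "")
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "open_ports": open_ports,
            "ms17_010": ms17_state,
        })
    return hosts


def looks_like_windows(open_ports):
    """True when 135, 139 and 445 are all open (a port fingerprint, not OS detection)."""
    return WINDOWS_TELLTALE_PORTS.issubset(open_ports)


def ms17_010_vulnerable(hosts):
    """Addresses whose verdict starts with VULNERABLE (not NOT VULNERABLE, ERROR or None)."""
    return [h["addr"] for h in hosts
            if h["ms17_010"] is not None and h["ms17_010"].upper().startswith("VULNERABLE")]


if __name__ == "__main__":
    # Pass a real -oX report as argv[1]; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = parse_hosts(text)
    for h in found:
        tag = "windows?" if looks_like_windows(h["open_ports"]) else "non-windows?"
        print(f"{h['addr']:<15} {h['hostname'] or '-':<12} {tag:<12} "
              f"ports={h['open_ports']} ms17-010={h['ms17_010']}")
    print("patch first:", ", ".join(ms17_010_vulnerable(found)) or "none")
```

Run it with no arguments to see the constructed sample triaged, or point it at a real report with `python triage.py report.xml`. The verdict check deliberately matches on the leading word, because the same script reports "NOT VULNERABLE" for patched hosts and an "ERROR" state when the SMB probe fails, and neither of those should end up on the patch-first list.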


This vulnerability is better known in the security world as EternalBlue, hence the machine's name. It was released in 2017 by the hacker group known as "The Shadow Brokers", who claimed to have stolen it from the NSA's offensive security wing, Tailored Access Operations, sometimes referred to as "The Equation Group".

Here is a Wired article that explains the situation much more in-depth.


Now, let's get on to exploitation.

EXPLOITATION:

Although it's not commonly used in the real world by hackers and pentesters because it is so well known, Metasploit is a tool that will be used often in CTFs due to its simplicity, and because in CTFs we aren't playing the evasion game; we're simply trying to root the box however we can.

Let's open Metasploit and see if we can find anything helpful to us.

Metasploit can either be started by selecting it from the list of applications in the Kali menu or by simply opening a terminal and typing the "msfconsole" command. This is what you should see after Metasploit starts.

Your results may look slightly different as the banner is always random, but what you should always see is the "msf5 >" prompt at the bottom. You can also display all Metasploit commands simply by typing "?" and hitting enter. The command we will be looking for in particular is the "search" command.

If you didn't already know, Metasploit's entire purpose is to make hacking simple. What I mean by that is that Metasploit developers and other security professionals are able to craft Metasploit "modules" from known exploits, and import them into the Metasploit Framework. As a result, this makes it incredibly simple for anyone to run any exploit against any target, including high profile exploits, such as EternalBlue.

If we run a search for the string "eternalblue" we can already see a few relevant results.


As we can see from the two highlighted results, they include "ms17_010" in the exploit path, which as we already know is the Microsoft Security Bulletin identifier for the vulnerability.

Let's go ahead and try the first highlighted result. To do so, simply highlight the path beginning from "exploit" and ending at "eternalblue" and copy it. Next we will enter the "use" command and paste the exploit path after it, and hit enter. This is what you should see after hitting enter.

What we will do next is what you should always do after selecting an exploit: type the "options" command and hit enter.

Here is where we will configure Metasploit to point our exploit at the correct target. Reading the description of each option name will provide you with an explanation of its purpose. For now, the only option we will need to set is the RHOSTS option, which we will of course set to the IP of the target machine. This is done using the "set" command with the name of the option you want to change and the value that you want to change it to.

Now we will attempt to run the exploit. If you would like to, you could also run the "check" command before running the exploit. This can be hit or miss with certain exploits, but if successful, the check command will essentially verify for you if the remote host is vulnerable to the exploit. If you decide you are ready to run the exploit, simply type in the "run" command and hit enter.

As we can see, the exploit was able to successfully spawn a shell on the remote host after only one failed attempt. Please be aware, your exploit will not always be successful on the first attempt, sometimes it will not even be successful on the 5th attempt. If you have confirmed that the target is vulnerable to the exploit, simply keep trying to run the exploit until it is successful. 

Now that we are in a shell on the remote host, we can discover what level of access we have by running the "whoami" command, as this tells us what user or service the shell is running under.

As we see here, we are already the SYSTEM user. If you know anything about Windows, you will know that the SYSTEM user is not so much a specific "user" but rather an account that Windows uses to run specific services at specific times, such as during installation. As a result of this, the SYSTEM user is by default granted "Full Control" permissions to all files on any attached NTFS volume. The SYSTEM user's permissions can be removed from a file, but it is not commonly done.

In most CTFs, SYSTEM user access is what you aspire to achieve; it is essentially the equivalent of getting "root" on a Linux box. In this specific box, as it is considered an "easy" box, we spawn in with a shell already running as the SYSTEM user. This is also a very good example of why EternalBlue is considered a "critical" vulnerability.

If we change directories to C:\Users we can see two User folders that will probably be of interest to us, that being the "haris" and "Administrator" users.

Let's move to the 'haris' user's Desktop, as that is usually where many of the user flags are located.

As shown here, the user flag is located on the Desktop of the 'haris' user. We can view the contents of the file by using the "type" command on Windows.

Now on to the root flag, which will more than likely be located in the Administrator's user folder. This is the case for most Windows boxes, similar to how the root flag is almost always located in the root user's folder on Linux boxes.

We have now successfully rooted this machine and obtained both the user and root flags. This box only contained the enumeration and exploitation phases; most other boxes also contain the privilege escalation phase, which happens to be, in my opinion, the most difficult phase.

That all being said, we are now done!

I will follow this writeup with one on the HackTheBox machine "Lame", which is a Linux box also considered one of the easier retired machines currently available.

Thank you for reading!
