HTB: Blue

An oldie but a goodie, MS17-010 was the vulnerability that kept on giving!

Enumeration

Firing up our nmap scanner, we discover several ports open:

nmap -sS 10.10.10.40 -v

Digging a little deeper into the open ports this time:

nmap -sVC -p 139,445 10.10.10.40

Immediately, Windows 7 should jump out at us and we should zero in on the SMB service with further enumeration:

nmap --script "smb-vuln*" -p445 10.10.10.40

As suspected, MS17-010 is present here. Time to switch to Metasploit and go hunting!
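Triaging the smb-vuln* output, as an added example that is not part of the original write-up: a small Python parser that turns nmap's host-script block into structured findings, so a scan across many hosts can be filtered down to the ones that still report MS17-010 and need patching. The nmap text below is a constructed sample modelled on the layout of the smb-vuln scripts' output, and the CVE id and reference URL in it are placeholders.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the layout of nmap's smb-vuln-* host-script
# output (not captured from the box). CVE id and URL are placeholders.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-0000-0000
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     References:
|_      https://example.invalid/placeholder-advisory
"""

@dataclass
class Finding:
    script: str
    state: str                      # VULNERABLE, LIKELY VULNERABLE, NOT VULNERABLE, ERROR, UNKNOWN
    risk: str = ""
    ids: list[str] = field(default_factory=list)

# A script result starts with "| name:" or "|_name:"; indented body lines do not match.
SCRIPT_RE = re.compile(r"^\|_?\s?(smb-vuln-[\w-]+):\s*(.*)$")

def parse_smb_vuln(output: str) -> list[Finding]:
    findings: list[Finding] = []
    current = None
    for line in output.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2).strip()
            # One-line results: "false" means the check ran clean, NT_STATUS_* means it could not run.
            state = "ERROR" if rest.startswith("NT_STATUS") else "NOT VULNERABLE" if rest == "false" else "UNKNOWN"
            current = Finding(script=name, state=state)
            findings.append(current)
            continue
        if current is None:
            continue
        body = line.lstrip("|_ ").strip()   # drop nmap's "|", "|_" and indentation
        if body.startswith("State:"):
            current.state = body.split(":", 1)[1].strip()
        elif body.startswith("Risk factor:"):
            current.risk = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            current.ids = body.split(":", 1)[1].split()
    return findings

def needs_patch(findings: list[Finding]) -> list[str]:
    """Scripts whose state is VULNERABLE or LIKELY VULNERABLE (not NOT VULNERABLE)."""
    return [f.script for f in findings
            if f.state.upper().endswith("VULNERABLE") and not f.state.upper().startswith("NOT")]
```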

Exploitation

Bring up Metasploit in quiet mode with msfconsole -q and let’s have a look for potential exploits we can use, with search ms17-010.

Searching for “MS17-010” brings up several results. I’m going with Option “1” and will bring up the Options menu to see what’s required of us.

use 1

show options

I’ve set the required options (RHOSTS and LHOST) and have left the default LPORT as 4444. Let’s send the exploit and see what we get back, using exploit.

Post-Exploitation & Loot

And as expected, we’ve landed in a privileged shell. A quick whoami confirms we are indeed the “NT AUTHORITY\SYSTEM” account. Time to go lootin’…

The user.txt is up first and, after a quick poke around the file system, we find it on the “haris” user’s Desktop.

Then we head back over to the Administrator’s Desktop to pick up the final flag, root.txt.

Mission accomplished.

Further information and reading