# Blue

## Blue - 10.10.10.40

### Target Enumeration:

OS: Windows

IP: 10.10.10.40

User: 4c546aea7dbee75cbd71de245c8deea9

Root: ff548eb71e920ff6c08843ce9df4e717

### Ports / Services / Software Versions Running

```
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
```

### Vulnerability Exploited:

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, tracked as CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog and fixed by Microsoft in the March 2017 security bulletin MS17-010. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. The bug sits in the kernel driver `srv.sys`, so the exploit's payload runs in kernel context and a successful run hands back a shell as `NT AUTHORITY\SYSTEM`.

In February 2018, EternalBlue was ported to all Windows operating systems since Windows 2000 by RiskSense security researcher Sean Dillon. EternalChampion and EternalRomance, two other exploits originally developed by the NSA and leaked by The Shadow Brokers, were ported at the same time, and all three were released as open-source Metasploit modules.

### Exploiting the host:

Nmap SMB script scan:

![](https://lh4.googleusercontent.com/a-cH1Y9CUzXTpNbbtg8Bkk4tYHd7u4eqaFdU-OTHgZSwCcoc-FKoS6pOo5aVzt8CRQt7sZxmVBlSNrkW6zD7IkiX2D_0MGLkX1R_gijZdCQwYdhjnVRPPCgH-iB6SDjEr2dKb9Rt)
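What that scan is actually testing, as an added example rather than code from this writeup or from Nmap: the `smb-vuln-ms17-010` NSE script (which the scan above is assumed to be using) and Metasploit's `auxiliary/scanner/smb/smb_ms17_010` connect anonymously to `IPC$` and send a TRANS_PEEK_NMPIPE transaction against FID 0. An unpatched `srv.sys` answers with NT status STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one answers STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. The Python below decodes the NetBIOS framing and the 32-byte SMBv1 header of that response and returns the verdict the scanners print. The request side (negotiate, session setup, tree connect, the transaction itself) is not included and would come from an SMB library such as impacket. The response frames it classifies are constructed test data, not captures, and the flag, TID and UID values in them are arbitrary.

```python
import struct
from io import BytesIO

# NT status values returned to the TRANS_PEEK_NMPIPE probe (FID 0 on the IPC$
# tree) that smb-vuln-ms17-010 and Metasploit's smb_ms17_010 scanner send.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched srv.sys: vulnerable
STATUS_INVALID_HANDLE = 0xC0000008            # patched
STATUS_ACCESS_DENIED = 0xC0000022             # patched

SMB_COM_TRANSACTION = 0x25
SMB_FLAGS_REPLY = 0x80


def read_netbios_frame(stream) -> bytes:
    """Read one NetBIOS Session Service message: 1-byte type, 24-bit big-endian
    length, then the SMB payload. Raises on truncation instead of mis-parsing."""
    hdr = stream.read(4)
    if len(hdr) < 4:
        raise ValueError("short NetBIOS header")
    if hdr[0] != 0x00:
        raise ValueError(f"unexpected NetBIOS message type 0x{hdr[0]:02x}")
    length = int.from_bytes(hdr[1:4], "big")
    body = stream.read(length)
    if len(body) < length:
        raise ValueError("truncated NetBIOS payload")
    return body


def parse_smb1_header(smb: bytes) -> dict:
    """Decode the fixed 32-byte SMBv1 header (MS-CIFS 2.2.3.1)."""
    if len(smb) < 32 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify_ms17_010(smb: bytes) -> str:
    """Map the probe response's NT status to the verdict the scanners print."""
    hdr = parse_smb1_header(smb)
    if not hdr["flags"] & SMB_FLAGS_REPLY:
        raise ValueError("frame is a request, not a server response")
    if hdr["command"] != SMB_COM_TRANSACTION:
        raise ValueError(f"unexpected command 0x{hdr['command']:02x}")
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if hdr["status"] in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "PATCHED"
    return f"UNKNOWN (NT status 0x{hdr['status']:08X})"


def scan_response(raw_frame: bytes) -> str:
    """Classify a complete NetBIOS-framed response as read off the socket."""
    return classify_ms17_010(read_netbios_frame(BytesIO(raw_frame)))


def build_smb1_response(command: int, status: int, tid: int = 0x0800,
                        uid: int = 0x0800, mid: int = 0x0001) -> bytes:
    """Constructed test data (not a capture): a minimal SMBv1 error response
    with WordCount 0 / ByteCount 0, wrapped in a NetBIOS session frame."""
    hdr = b"\xffSMB" + struct.pack("<BIBH", command, status, 0x98, 0xC807)
    hdr += struct.pack("<H8sH", 0, b"\x00" * 8, 0)      # PIDHigh, signature, reserved
    hdr += struct.pack("<HHHH", tid, 0xFEFF, uid, mid)  # TID, PID, UID, MID
    smb = hdr + b"\x00" + struct.pack("<H", 0)          # WordCount 0, ByteCount 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for status in (STATUS_INSUFF_SERVER_RESOURCES, STATUS_INVALID_HANDLE, 0xC0000034):
        frame = build_smb1_response(SMB_COM_TRANSACTION, status)
        print(f"0x{status:08X} -> {scan_response(frame)}")
```

The point of keying on the NT status rather than on the negotiated dialect is that SMBv1 being enabled is not the same as MS17-010 being missing; a host that answers 0xC0000008 still exposes SMBv1 and should be fixed, but is not exploitable with this bug.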

Set metasploit options as follows:

![](https://lh5.googleusercontent.com/uyOXdcqMzHstFSi1khfa3n3Lrh4RDC1kvsgYSW_FBIfB6Sct6angOCQ8qtXlxiLkudn667msFElPostffIJlLLNbfEs7CFYqlWA-japRTJ7LwipcMuuyFQVw01MWzPHjUCliLsuN)

Execute the exploit (the `ms17_010_eternalblue` module does not always land on the first attempt, and a failed attempt can crash the target, so expect to re-run it):

![](https://lh5.googleusercontent.com/72l1QX6iGmUK9_rdb1zzAtzdKST5kRDGZYM83hLLECn9jWWcEtWLGaBJdeIbwwWd_7L96j1b_ImCxCLuw8F-V4L3WFH3Vv0GasF8R3wQds67dFdPplWjqITIhwY1KC-RH2FXTG6I)

Evidence:

<div align="left"><img src="https://lh6.googleusercontent.com/JdmPrxXh96kVF3HAR8czuI11TXLaPp0JA2TzUuu7EOy31JPko2Baey5LYyVg_w8rFm2FyErpkETQ7zK1gIvVjUv-QtckC7LjsCt3HlM6Y4RqpBbKd8wkNssC5GH93oEEfOSrV2Nu" alt=""></div>

Grabbing hashes:

Add a user called `vdk` with the password `Pentest12345!` and put it in the Administrators group.

<div align="left"><img src="https://lh4.googleusercontent.com/LQJ7sYEKh5IyZmBnVG188acNAb0aLmK2hW3SsO6wNeqP_-S-Ve2_tPZRJsvMm-W8jBIqG6swdcI2J62pK7zsQUeIcBV_OUj4AyASGllsA4GEayoQTY_P_hWZZJgVY_Kf7FkQ3VFU" alt=""></div>

Background your session and use the `windows/smb/ms17_010_psexec` module with those credentials to get a Meterpreter shell (the user creation can also be done via PowerShell).

![](https://lh4.googleusercontent.com/7Cz0cC1R1FZKtLCkEdUE-_KCFSrShWMyQYY7G5llfYSvVxubuCtbgIew3Wz1EqIVn5j4c4ry7LRC76h0rzHjGSZ39Rbgk5N50LZMu5e-T4IwE_Rp-qTXEQ501AkM18PbMxvQLWKC)

Run the exploit:

![](https://lh3.googleusercontent.com/3ME1T_OS8ElQJsekVMMz0bQFH1-flTPlC1HG0LlwJHETauyrO1GhHr_VW39jXCCrRPHYjhb7arLCqaJWPx-97vUoL76TLGccCN9MCB8P4kOboHojGjTjc4xWKqLVETa-V8X2eskU)

Background the session and retrieve the password hashes with `smart_hashdump`, then attempt to crack them offline.

![](https://lh4.googleusercontent.com/oghd15zSxEU9lYMlICRwX_9LonYPg3D2nSjsv-cKhWEV38cCfUia1ksImsRyIrk5CAIq22fsBB3onWzjR4LwkK64v3m38v89I6nOq1GfQWvjpjrDPoBmiJQHOwD26AvInpXftwVs)


