
About this box: A Windows NT machine with the MS17-010 EternalRomance vulnerability.

Info

Within Try Hack Me, looking at the specifications of this box, the creator says to approach this box as if it were a black-box pentest.

So, what do I do? Just that :sob:

Screenshot of the briefing if interested

[image: brief]

The Beginning

This box started off with a normal nmap scan:

[image: nmap]

as well as the advanced nmap scan:

[image: nmap]

I see that there is the opportunity for an MS web server, so I plug the machine's IP into the browser to find…

Nothing :pensive:

[image: web]

Looking a little deeper into the Nmap scan I see that there is an SMB share. I haven't dabbled too much in shares, so I turn to Google. After a little research I find out that you can enumerate SMB shares with: smbclient -L //ip/ -U user

Now for a user…

Reading more of the -sC portion of the nmap scan it tells us that there is a guest user on the SMB share.

BOOM! :ghost:

Now we can do the SMB enumeration. Running the command now with the guest user: smbclient -L //ip/ -U guest

We get a password prompt :sneezing_face:

Wait! SMB by default doesn't have a guest password, so hitting enter (no input) does the trick in this case.

SMB share list:

[image: shares]

We see a weird share named nt4wrksv. Looking within this share there is a passwords.txt file. Odd, I know…

Downloading the file with mget will give us two base64-encoded strings. Putting these into CyberChef (shoutout to them, base64 -d in the terminal is very inconsistent for me), I get the credentials:

- Bob - !P@$$W0rD!123
- Bill - J#m$dRfM4@20969696$!
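A decoding helper for that step, added here as an example and not part of the original post. The sample file and its two placeholder strings are constructed below (they are not the box's real credentials); the CRLF and padding handling covers the two usual reasons base64 -d seems to fail on a file pulled from a Windows share.

```shell
#!/bin/sh
# Added example, not from the original post: decode a passwords.txt-style file
# one base64 line at a time. Files copied from a Windows SMB share usually have
# CRLF line endings, and hand-copied strings often lose their '=' padding; both
# make `base64 -d` on the whole file report "invalid input".

# decode_b64_lines FILE
# Prints one decoded line per input line. Lines that still fail to decode are
# reported on stderr and skipped, so one bad line does not hide the others.
decode_b64_lines() {
    tr -d '\r' < "$1" | while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines
        [ -z "$line" ] && continue
        # restore missing '=' padding so the length is a multiple of 4
        while [ $(( ${#line} % 4 )) -ne 0 ]; do
            line="${line}="
        done
        if decoded=$(printf '%s' "$line" | base64 -d 2>/dev/null); then
            printf '%s\n' "$decoded"
        else
            printf 'undecodable line: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample input: "Bob - example" with CRLF, then "Bill - sample"
# with CRLF and its '==' padding removed. Prints the temp file's path.
make_sample_file() {
    f=$(mktemp)
    printf 'Qm9iIC0gZXhhbXBsZQ==\r\nQmlsbCAtIHNhbXBsZQ\r\n' > "$f"
    printf '%s' "$f"
}
```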

Now the next challenge, what to do with these credentials. :sleeping:

We know there is an RDP server, so let's try that! I boot up the RDP client for Linux and put in the credentials with Relevant as the domain. Andddd, no connection. Bummer.

At this point in time I think this machine is vulnerable to the MS17-010 EternalBlue exploit. (I got the idea after running nmap --script vuln ip).

After running countless exploit trials, and attempting to modify my own exploit, I decided to move on to another potential way to enter the machine. This happened to be the other exploit named MS17-010 EternalRomance.

[image: eternal]

Putting this exploit into msfconsole, I then change the exit function to process, and set the other options accordingly (using Bob and his password as the credentials).

Just like that, we're in!

Running a simple whoami will tell us that we are NT AUTHORITY\SYSTEM. What is this user? According to this site, our current user is admin :smiling_imp:

Seems too simple?

It was; however, according to the author there are plenty of other ways to pwn this box. My plan is to go back and find more places that are vulnerable. Also, running Windows Exploit Suggester showed that there were over 700 vulnerabilities present on the machine. So, time to go hunt more!

P.S. Since you have admin, running a simple find command for .txt files will give you the user/admin flag.

What I learned from this box

  • SMB Shares
  • Windows host enumeration
  • That exploits can have VERY similar names
  • How to use a Linux RDP client

Thank you for reading