Blue (TCM Security PEH Capstone)

This is a walkthrough of the machine called “Blue”.

You can download the machine, along with all the other machines in the PEH Capstone here: PEH Capstone VMs

I set up the machine on VMWare, with both Kali and Blue on the same NAT network. First, let’s find the IP address of the machine using Netdiscover.

sudo netdiscover -i eth0

I got the IP address as 192.168.208.130.

Now, let’s do a basic full port scan to see all the open ports on the machine.

sudo nmap -p- 192.168.208.130

Now that we got all the open ports, we can do a more detailed targeted scan on these ports.

sudo nmap -sC -sV -A -p135,139,445,49152,49153,49154.49155,49156 192.168.208.130

This gives us a lot of details, including the services on each port. We can see that the SMB service seems to be the focus here, as we do not have any other commonly seen services such as HTTP/HTTPS or SSH running. We got information about the OS version of our target as well.

Since the machine is running the SMB service, let’s try and enumerate it further. Our scan did not give us a lot of information about the SMB version, so let’s use a specific Nmap script to get that info.

nmap -p139 --script smb-protocols 192.168.208.130

We got a huge clue here, where nmap itself told us that the SMB v1 that’s running on the machine is dangerous. So I went and searched for SMB v1 vulnerabilities on Google, and up came the most popular SMB vulnerability MS17-010.

I went searching for exploits for this vulnerability, and found a metasploit module that can help us with this.

Now that that’s sorted, I fired up metasploit and got to work. First, I had to set my target as Windows 7 (we got this from the Nmap scan).

I also specified my target IP in RHOSTS.

Now all I had to do was run the exploit, and I got a meterpreter shell!

I then switched to a proper shell, and checked my user, and sure enough, I was already root!

This brings us to the end of this machine. Hope you liked it.

Happy Hacking!




Enjoy Reading This Article?

Here are some more articles you might like to read next:

  • Academy (TCM Security PEH Capstone)
  • Kioptrix - Vulnhub (TCM Security Version)
  • DC 9 - Vulnhub
  • Djinn - Vulnhub
  • DerpNStink - Vulnhub