HackTheBox: Blue
01/13/2024
This will be the ~30th box I do on HTB, but the very first Windows box that isnt a Starting Point box.
Until recently I had virtually no interest in hacking Windows. But now that I use it all the time between work and school, Im curious to know how to navigate and exploit it.
Im starting my Windows hacking career with this box, because it is rated as the easiest Windows box on the site. Since I dont know shit about this system that seems fitting.
Ill also use Guided Mode if needed.
Enumeration
Nmap shows 9 ports open, though I suspect some of these are either false-positives or irrelevant to the box.
The important ones are: 1) msrpc on 135 2) netbios-ssn on 139 3) microsoft-ds on 445
Let me run a script scan to get a better clue of what to do with that information:
$ nmap -p135,139,445 -sC -sV 10.10.10.40
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-06 17:30 EDT
Nmap scan report for 10.10.10.40
Host is up (0.0057s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open c3:V Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -20m12s, deviation: 34m36s, median: -13s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-10-06T22:30:14+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-10-06T21:30:12
|_ start_date: 2023-10-06T21:27:10
As the scan shows, the netbios on 139 is SMB, which we can connect to or enumerate using smbclient. In this case anonymous signin is allowed, so we dont even need credentials;
$ smbclient -L 10.10.10.40
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Share Disk
Users Disk
Lets see which of these we can get into without credentials:
Extracting credentials from NTUSER.DAT
According to the article here (https://cybermeisam.medium.com/blue-team-system-live-analysis-part-11-windows-user-account-forensics-ntuser-dat-495ab41393db), if the values in the header of the NTUSER.DAT file from bytes 4:7 and 8:11 are equal, then you have a "clean hive" and the NTUSER.DAT file is updated. If the two are inequal, then you have a copy of the DAT file taken mid-update, and the writes had not completed (thus you need to aggregate the data with the LOG1 and LOG2 files).
Using hexdump -C NTUSER.DAT | less, I can see that the headers ARE equal:
00000000 72 65 67 66 5f 00 00 00 5f 00 00 00 b0 17 2a 3c |regf_..._.....*<|
The bytes in question are 5f 00 00 00 and 5f 00 00 00, which are equal. Thus this DAT file should be up to date and thus a "clean hive".
The following tool seems to confirm this:
$ regripper -r NTUSER.DAT -d
***Hive Check***
Hive is not dirty.