Blue is a Windows-based box at 10.10.10.40 which has an easy rating.
Starting with enumeration, we find what looks to be a pretty vanilla Windows 7 installation.
# Nmap 7.70 scan initiated Fri Mar 1 18:25:52 2019 as: nmap -sV --script=default,vuln -p- -oA Blue 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.19s latency).
Not shown: 65527 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -8m09s, deviation: 4s, median: -8m12s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-03-01T23:28:18+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-03-01 18:28:13
|_  start_date: 2019-02-26 15:50:18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 1 18:36:50 2019 -- 1 IP address (1 host up) scanned in 657.69 seconds
Based on the above results, MS17-010 looks like a good candidate to start with. Metasploit could be used, but in this case we can do it manually using the AutoBlue exploit code found on GitHub: https://github.com/3ndG4me/AutoBlue-MS17-010
The exploit code comes with instructions to follow: shellcode needs to be generated and added to a binary, which is all done with a provided script.
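As an added example, not part of the original write-up: a small Python triage helper that parses the "Host script results" block of Nmap's normal output (the format shown above) and maps the SMB findings to severities a defender would act on. The sample input is a constructed, abridged copy of the scan above; the parser keys on Nmap's `| ` / `|_` prefixes and the two-space child indentation.

```python
import re

# Constructed sample: an abridged copy of the host script block from the scan above.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|
| smb2-security-mode:
|_    Message signing enabled but not required
"""


def parse_host_scripts(text):
    """Return {script_name: [child lines]} from an Nmap 'Host script results' block."""
    scripts, current, in_block = {}, None, False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block or not line.startswith("|"):
            continue
        rest = line[1:]
        rest = rest[1:] if rest[:1] in ("_", " ") else rest  # drop the '_' or ' ' after '|'
        if not rest.strip():                                 # bare '|' spacer line
            continue
        indent = len(rest) - len(rest.lstrip(" "))
        body = rest.strip()
        if indent == 0:                                      # new NSE script name
            current, _, value = body.partition(":")
            scripts[current] = [value.strip()] if value.strip() else []
        elif current is not None:                            # child line of the current script
            scripts[current].append(body)
    return scripts


def smb_findings(scripts):
    """Map parsed SMB script output to (severity, message) pairs for triage."""
    findings = []
    ms17 = scripts.get("smb-vuln-ms17-010", [])
    if any(l.startswith("State: VULNERABLE") for l in ms17):
        cves = ", ".join(re.findall(r"CVE-\d{4}-\d+", " ".join(ms17)))
        findings.append(("critical", "MS17-010 unpatched: " + cves))
    if any(l.startswith("message_signing: disabled") for l in scripts.get("smb-security-mode", [])):
        findings.append(("high", "SMBv1 message signing disabled"))
    if "Message signing enabled but not required" in scripts.get("smb2-security-mode", []):
        findings.append(("medium", "SMBv2 message signing not required"))
    return findings
```

Running `smb_findings(parse_host_scripts(open("Blue.nmap").read()))` against the real `-oA Blue` output gives the same three findings, which is the remediation list (patch MS17-010, disable SMBv1, require signing) rather than just a scan dump.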
Before running the exploit, make sure to start a netcat listener on the ports you selected. You may need to run the exploit a couple of times for it to work.
Once run, you should end up with a SYSTEM shell.
From this point, you can get the user and root flags.