HackTheBox: Blue


This will be the ~30th box I do on HTB, but the very first Windows box that isn't a Starting Point box.

Until recently I had virtually no interest in hacking Windows. But now that I use it all the time between work and school, I'm curious to know how to navigate and exploit it.

I'm starting my Windows hacking career with this box, because it is rated as the easiest Windows box on the site. Since I don't know shit about this system, that seems fitting.

I'll also use Guided Mode if needed.


Nmap shows 9 ports open, though I suspect some of these are either false positives or irrelevant to the box.

The important ones are:
1) msrpc on 135
2) netbios-ssn on 139
3) microsoft-ds on 445

Let me run a script scan to get a better clue of what to do with that information:

$ nmap -p135,139,445 -sC -sV
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-06 17:30 EDT
Nmap scan report for
Host is up (0.0057s latency).

135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -20m12s, deviation: 34m36s, median: -13s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-10-06T22:30:14+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-10-06T21:30:12
|_  start_date: 2023-10-06T21:27:10

As the scan shows, the netbios-ssn service on 139 is SMB, which we can connect to or enumerate using smbclient. In this case anonymous sign-in is allowed, so we don't even need credentials:

$ smbclient -L
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Share           Disk      
        Users           Disk      

Let's see which of these we can get into without credentials:

Extracting credentials from NTUSER.DAT

According to the article here (https://cybermeisam.medium.com/blue-team-system-live-analysis-part-11-windows-user-account-forensics-ntuser-dat-495ab41393db), if the two values in the header of the NTUSER.DAT file at bytes 4:7 and 8:11 are equal, then you have a "clean hive" and the NTUSER.DAT file is up to date. If the two are unequal, then you have a copy of the DAT file taken mid-update, before the writes had completed (so you need to merge in the data from the LOG1 and LOG2 transaction logs).

Using hexdump -C NTUSER.DAT | less, I can see that the two header values ARE equal:

00000000  72 65 67 66 5f 00 00 00  5f 00 00 00 b0 17 2a 3c  |regf_..._.....*<|

The bytes in question are 5f 00 00 00 and 5f 00 00 00, which are equal. This DAT file should therefore be up to date, i.e. a "clean hive".
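To automate the check described above, here is an added example (my own script, not from the article or from HTB) that reads the regf base block of a hive file, pulls out the primary and secondary sequence numbers at bytes 4:7 and 8:11, and reports whether the hive is clean or was captured mid-write. The sample headers are constructed: one is the exact bytes from the hexdump above, the other has the secondary sequence number bumped back by one to simulate a dirty hive.

```python
import struct

REGF_SIGNATURE = b"regf"
HEADER_MIN_LEN = 12  # 4-byte signature + two little-endian uint32 sequence numbers


def parse_regf_header(data: bytes) -> dict:
    """Classify a registry hive from the first 12 bytes of its base block.

    Offsets 4..7 hold the primary sequence number and 8..11 the secondary one.
    Windows increments the primary before a write and the secondary after it,
    so equal values mean a clean hive and unequal values mean the copy was
    taken mid-update and the LOG1/LOG2 transaction logs must be merged in.
    """
    if len(data) < HEADER_MIN_LEN:
        raise ValueError("file too short to be a registry hive")
    signature = data[:4]
    if signature != REGF_SIGNATURE:
        raise ValueError(f"bad signature {signature!r}, expected {REGF_SIGNATURE!r}")
    primary, secondary = struct.unpack_from("<II", data, 4)
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "dirty": primary != secondary,
    }


def check_hive_file(path: str) -> dict:
    """Read only the base-block prefix of a hive on disk and classify it."""
    with open(path, "rb") as fh:
        return parse_regf_header(fh.read(HEADER_MIN_LEN))


# Constructed sample: the header bytes shown in the hexdump above (clean hive).
CLEAN_HEADER = bytes.fromhex("72656766 5f000000 5f000000 b0172a3c")
# Constructed sample: same header with the secondary sequence one step behind.
DIRTY_HEADER = bytes.fromhex("72656766 5f000000 5e000000 b0172a3c")

if __name__ == "__main__":
    for label, hdr in (("clean sample", CLEAN_HEADER), ("dirty sample", DIRTY_HEADER)):
        info = parse_regf_header(hdr)
        state = "dirty, merge LOG1/LOG2 first" if info["dirty"] else "clean hive"
        print(f"{label}: primary={info['primary_seq']:#x} "
              f"secondary={info['secondary_seq']:#x} -> {state}")
```

Point check_hive_file at a copied NTUSER.DAT to get the same verdict regripper's hive check gives, without loading the whole file.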

The following tool seems to confirm this:

$ regripper -r NTUSER.DAT -d
***Hive Check***
Hive is not dirty.