Zero VM Walkthrough on HMV

Security Posture
4 min read, Jun 8, 2024


Hack My VM (HMV) is an online capture the flag (CTF) platform for developing your hacking skills through CTF challenges. CTFs let you hone those skills in an enclosed environment, on machines you are authorized to attack.

The Environment

[Screenshot: the lab environment]
[Screenshot: the network settings]

The first thing you need is the right environment. Put the target VM and your attacking VM on a segregated network (host-only or internal) with no route to the internet. A deliberately vulnerable machine should not be reachable from anything outside the lab, and nothing the target carries should be able to reach your physical machine or your network; isolating the segment prevents both, including your host being compromised or infected with malware in the process.

The Mission

My first move was to browse to the target, but nothing was listening on 80 or 443, so there was no web surface to test for vulnerabilities or misconfigurations. The next step was an Nmap scan for open ports.

[Screenshot: nmap scan of zero]

The Nmap results make it clear that SMB is the only way into this machine. An open SMB port on its own proves nothing, but it makes MS17-010 (EternalBlue) the first hypothesis worth testing rather than an assumption to act on.

I then started looking for an exploit against SMB. I searched with various parameters, and most of the candidates could not give me access. Before going further, I used a Metasploit auxiliary module (the SMB version scanner, auxiliary/scanner/smb/smb_version) against the SMB port to identify the OS and SMB version zero was running, since that narrows down which MS17-010 modules can apply.

[Screenshot: msf smb detection]
[Screenshot: found smb version]

Looking for exploits to use to my advantage, I tried an EternalBlue module against zero, but it didn't work. Rather than keep guessing, I used Nmap's smb-vuln-ms17-010 script, which checks whether a target is still unpatched for MS17-010. It reported the host as vulnerable, so EternalBlue remained the lead.

[Screenshot: nmap script scan]
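The two checks above (the SMB/OS fingerprint and the MS17-010 script) are worth keeping in a scan file and triaging before any exploit module is chosen, so that the decision rests on a verdict rather than on "445 is open". The Python below is an added example for this walkthrough, not code from the original post, from Nmap or from Metasploit. It assumes the scan was saved with `-oX` after running the `smb-os-discovery` and `smb-vuln-ms17-010` scripts, and it reads the structured `<table>`/`<elem>` output that Nmap's vulns library emits. The embedded XML, and the addresses 10.0.0.5 and 10.0.0.6 in it, are constructed for the example and are not results from the Zero machine.

```python
"""Triage an Nmap XML scan for MS17-010 (EternalBlue) before picking a Metasploit module.

Added example for this walkthrough, not code from the original post, Nmap or
Metasploit.  Assumes the scan was written with:

    nmap -p445 --script smb-os-discovery,smb-vuln-ms17-010 -oX scan.xml <target>

SAMPLE_XML and the addresses in it are constructed for the example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

# Constructed sample of what -oX writes: one host flagged VULNERABLE, and one
# host with 445 open but no MS17-010 verdict at all (for example because the
# script could not negotiate SMBv1).  Not output from the Zero machine.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p445 --script smb-os-discovery,smb-vuln-ms17-010 -oX scan.xml 10.0.0.0/29">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" method="table" conf="3"/></port></ports>
<hostscript>
<script id="smb-os-discovery" output="OS: Windows 7 Professional 7601 Service Pack 1">
<elem key="os">Windows 7 Professional 7601 Service Pack 1</elem>
<elem key="lanmanager">Windows 7 Professional 6.1</elem>
</script>
<script id="smb-vuln-ms17-010" output="VULNERABLE">
<table key="CVE-2017-0143">
<elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
<elem key="state">VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
</table>
</script>
</hostscript>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.6" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" method="table" conf="3"/></port></ports>
</host>
</nmaprun>
"""


@dataclass
class SmbTriage:
    addr: str
    port_445: str                 # open / closed / filtered / not scanned
    os_banner: Optional[str]      # from smb-os-discovery, if the script ran
    ms17_010: str                 # VULNERABLE / NOT VULNERABLE / not reported
    cves: List[str] = field(default_factory=list)


def _scripts(host: ET.Element) -> Iterator[ET.Element]:
    """Yield every <script> under a host: host-level and per-port results."""
    yield from host.iterfind("hostscript/script")
    yield from host.iterfind("ports/port/script")


def triage_host(host: ET.Element) -> SmbTriage:
    addr_el = host.find("address[@addrtype='ipv4']")
    addr = addr_el.get("addr") if addr_el is not None else "?"

    port_state = "not scanned"
    for port in host.iterfind("ports/port"):
        if port.get("protocol") == "tcp" and port.get("portid") == "445":
            port_state = port.find("state").get("state")

    os_banner = None
    ms17 = "not reported"
    cves: List[str] = []
    for script in _scripts(host):
        sid = script.get("id")
        if sid == "smb-os-discovery":
            el = script.find("elem[@key='os']")
            os_banner = el.text if el is not None else None
        elif sid == "smb-vuln-ms17-010":
            # The vulns library writes one <table> per finding; the verdict
            # sits in <elem key="state"> and the CVE list under <table key="ids">.
            for table in script.iterfind("table"):
                state_el = table.find("elem[@key='state']")
                if state_el is None:
                    continue
                ms17 = state_el.text.strip()
                cves.extend(e.text.split(":", 1)[-1]
                            for e in table.iterfind("table[@key='ids']/elem"))
    return SmbTriage(addr, port_state, os_banner, ms17, cves)


def triage(xml_text: str) -> List[SmbTriage]:
    root = ET.fromstring(xml_text)
    return [triage_host(h) for h in root.iterfind("host")]


def worth_trying_ms17_010(t: SmbTriage) -> bool:
    """Only point an MS17-010 module at hosts the scanner actually flagged.
    An open 445 alone is not evidence, and neither is an old OS banner; a
    missing verdict means 'go and find out why', not 'exploit it anyway'."""
    return t.port_445 == "open" and t.ms17_010.startswith(("VULNERABLE", "LIKELY VULNERABLE"))


if __name__ == "__main__":
    for t in triage(SAMPLE_XML):
        verdict = "candidate for an MS17-010 module" if worth_trying_ms17_010(t) else "not confirmed; investigate first"
        print(f"{t.addr:15} 445/{t.port_445:8} {t.ms17_010:14} {t.os_banner or '-'}  -> {verdict}")
```

To use it on a real scan, replace SAMPLE_XML with the contents of the `-oX` file. The `LIKELY VULNERABLE` prefix is accepted because the vulns library uses graded states, not a single string, and the no-verdict case is reported separately from "NOT VULNERABLE" so a script that silently failed is not mistaken for a patched host.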

With the script confirming the vulnerability, I went back to Metasploit and changed my search term to "eternal", looking for a module that exploits this critical flaw. Note that Metasploit ships several different MS17-010 modules, and they are not interchangeable: which one fits depends on the target's OS version and architecture, and on whether it exposes a named pipe the psexec-style module can use. Finding the right one is key.

While searching, after several modules that didn't work, I came across one that combines EternalBlue with psexec (in Metasploit, exploit/windows/smb/ms17_010_psexec). Instead of the kernel-pool overflow the original EternalBlue module relies on, it uses the MS17-010 write primitive to take over an SMB session as Administrator and then executes the payload the way psexec does, which tends to be more reliable. I had finally found the key to the door.

[Screenshot: metasploit smb exploit]
[Screenshot: configuring exploit]

With this exploit I didn't need to change the payload: the module's default, a staged payload, was enough to get the job done. One check worth making when configuring it: LHOST must be the attacker's address on the isolated lab network, because with a staged reverse payload a wrong LHOST lets the exploit appear to succeed while no session ever connects back.

[Screenshot: gained access]

The next step is finding the flags, which is sometimes harder than getting onto the machine and sometimes relatively easy.

[Screenshot: user compromised]

The user flag can be found in the C:\Users\ruycr4ft\Desktop directory.

[Screenshot: admin compromised]

The admin flag can be found in the C:\Users\Administrator\Desktop directory.

Summary

CTFs go beyond looking for flags: they build the skills and resourcefulness needed to become a better penetration tester.


Written by Security Posture

Information security | red and blue team
