Hack The Box: Blue

Difficulty: Easy

Machine Creator: ch4p

Tools Used:
NMAP
Python
smbclient
msfvenom
Metasploit handler

Task: To find User.txt and Root.txt

Network Enumeration

Let's start with a quick NMAP scan to discover open ports and services.

nmap -sS --min-rate 5000 --max-retries 1 -p- 10.10.10.40

The quick scan shows multiple open ports. Let's run all of the "smb-vuln" NMAP scripts against SMB on port 445.

ls /usr/share/nmap/scripts/ | grep "smb-vuln"

nmap -A -vv --script=smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-ms17-010 -p445 10.10.10.40

As we can see from the scan, this machine is vulnerable to MS17-010, an SMBv1 vulnerability (EternalBlue). The same scan also gives us the computer name "Haris-PC", which we will need later in the exploit.

Exploit Development

While there is a Metasploit module for EternalBlue, let's do this the manual way. Searching on Exploit-DB, there is a Python script for this exploit.

https://www.exploit-db.com/exploits/42315/

Running the script as downloaded produces an error because it depends on the MYSMB helper module. Download the mysmb.py script and save it in the same folder as the exploit.

https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py

Before we can perform this exploit, we need to discover the open SMB shares on this machine.

First, we add the computer name to our hosts file so we can address the machine by name.

vi /etc/hosts

Now that we have the hostname, we can list the open shares.

smbclient -L //HARIS-PC -N

We were able to find open SMB shares, and now we need to verify that we have access to them.
We can use smbclient to connect, leaving the password blank.

smbclient \\\\haris-pc\\Users

Payload Generation
This Python script does not have a built-in reverse shell payload, so we need to build our payload with msfvenom and export it as an executable file.

Exploit Modification

We need to modify the username field in the Python script. As we saw in a previous step, we could connect as guest with no password; for the script to do the same, we need to put // in the username field for guest authentication.

Next, we need to modify the two lines for smb_send_file and service_exec.
Uncomment the lines (remove the #), set the payload executable as the file to send, and set the command that executes the payload on the target.

Handler Setup

Before we execute the script, we need to start our handler to catch the Meterpreter shell.

Exploitation

Now it is time to execute the exploit Python script. It may take a few tries, but as you can see we now have a Meterpreter shell as NT AUTHORITY\SYSTEM.


We need to drop down to a shell session to continue.

User.txt and Root.txt

With our shell running as the local system account, we can read both User.txt and Root.txt.

Post Exploitation

I just created a new user named hacker with the password hacker. I have also added it to the local "administrators" group.
To enable RDP, we need to add this registry key.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f



We can verify that RDP port 3389 is now enabled.
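From the defender's side, each of the three changes made in this section (a new local account, its addition to Administrators, and fDenyTSConnections flipped to 0) leaves a Windows Security event. The script below is an added example, not part of the original write-up: it runs simple detection rules over constructed sample events that use a simplified field schema loosely modelled on event IDs 4720, 4732 and 4657.

```python
# Added detection example (not from the write-up). Fields are a simplified,
# constructed schema loosely modelled on Windows Security events:
#   4720  a user account was created
#   4732  a member was added to a security-enabled local group
#   4657  a registry value was modified (only logged when the key has a SACL)
ADMIN_GROUP = "Administrators"
RDP_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_VALUE = "fDenyTSConnections"

# Constructed sample events mirroring the steps in this section; the 4624
# logon is noise that the rules should ignore.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "hacker", "SubjectUserName": "SYSTEM"},
    {"EventID": 4732, "TargetUserName": ADMIN_GROUP, "MemberName": "hacker",
     "SubjectUserName": "SYSTEM"},
    {"EventID": 4657, "ObjectName": RDP_KEY, "ObjectValueName": RDP_VALUE,
     "OldValue": "1", "NewValue": "0", "SubjectUserName": "SYSTEM"},
    {"EventID": 4624, "TargetUserName": "haris", "LogonType": "2"},
]


def detect(events):
    """Return (severity, message) findings in event order.

    A 4732 is escalated to 'high' when the member was created earlier in
    the same stream, which is exactly the pattern from this section.
    """
    findings = []
    new_accounts = set()
    for e in events:
        eid = e.get("EventID")
        if eid == 4720:
            name = e["TargetUserName"]
            new_accounts.add(name.lower())
            findings.append(("medium", f"local account created: {name}"))
        elif eid == 4732 and e.get("TargetUserName") == ADMIN_GROUP:
            # Real 4732 events for local accounts often carry only MemberSid;
            # resolve the SID to a name before comparing in production.
            member = e.get("MemberName", "")
            sev = "high" if member.lower() in new_accounts else "medium"
            findings.append((sev, f"{member} added to local {ADMIN_GROUP}"))
        elif (eid == 4657 and e.get("ObjectName", "").lower() == RDP_KEY.lower()
              and e.get("ObjectValueName") == RDP_VALUE and e.get("NewValue") == "0"):
            findings.append(("high", f"RDP enabled: {RDP_VALUE} set to 0"))
    return findings


if __name__ == "__main__":
    for sev, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

Event 4657 fires only if object-access auditing with a SACL is configured on the Terminal Server key; without it, Sysmon event 13 is the usual alternative source for the same registry write.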


I can log into this desktop as the new user. This user is a local administrator.