What's the blog about?

Hello! Welcome to BlackWolf's Blog page

The aim of this blog is for me to annotate all of my work, ranging from book reviews, malware disassembly and projects I've been working on to the materials I've used to study. In short, this blog is a collection of all the projects I've worked on, the books I've read and the courses I've been taking, as well as small guides on each intentionally vulnerable machine that I've solved.

This blog page also provides a multitude of benefits besides just making my work visible. In the world of IT, documentation is of huge importance, so writing here will deepen my documentation skills and habits, as well as letting me showcase the work I've done to potential future employers. Because if it isn't documented, it never happened.

BlackWolf's TryHackMe Writeup [EternalBlue]

 


Offensive Security
An Eternal Blue writeup


"Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say."
- Edward Snowden






EternalBlue is one of the most infamous vulnerabilities, as thousands of Windows machines are susceptible to the attack. Microsoft released patches for the vulnerabilities in the leak under Microsoft Security Bulletin MS17-010.

The CVE ID is CVE-2017-0144. This post isn't aimed at getting too deep into the exploit itself, but if you would like to know more about it have a look at https://research.checkpoint.com/2017/eternalblue-everything-know/




Having just completed a write-up on Vulnversity, where we exploited an Apache web server, I'm now moving on to the next course, ticking another thing off that's been placed on the chopping block. Just like the previous write-up, I'm doing this to further consolidate my own understanding, as explaining what I'm doing reinforces my own learning, as well as helping me prepare for the OSCP, where write-ups are compulsory.

The Primary Objective

The primary objective, and the highest priority for any penetration tester, is obtaining admin access. This machine, or 'box', is a virtual machine running an intentionally vulnerable version of Windows, one that does not have the appropriate Microsoft patches applied.

As a penetration tester, our goal is to discover what this vulnerability may be and exploit it. Successfully exploiting the vulnerability will grant us a foothold on the machine, which we will then leverage to gain complete and utter control of it by becoming Administrator.


Now, to complete this box, the work is broken down into a series of 'tasks'. Each task achieves a different goal and involves a series of procedures that will grant us vital information we will later leverage. To obtain unauthorised access to the machine, these tasks must be done in order, as the process will fail otherwise. As each task is broken down and thoroughly explained, this is where our theoretical knowledge gets put into practice.

The completion of each 'task' brings us closer to our primary objective, which is to obtain Admin privileges, or 'root'. Achieving root means we've successfully obtained persistent and full control of the target machine, granting us free reign over it.

If these steps were employed outside of this simulated environment, one could potentially obtain full control of a vulnerable web server, computer, host platform etc. Bear in mind that any form of unauthorised interaction may very well be considered malicious activity: employing any of the following commands with the intent to obtain unauthorised access or confidential material is a federal offence. Even running a simple nmap scan is an offence. This write-up is purely educational.


Here are the five tasks that we'll be working through today. I'll be breaking down each task into a series of hopefully easy-to-follow steps, so even someone who has hardly played around with computers can follow along.

Deploying the Machine

Anyway, before we begin, let us start up both our attack box and our vulnerable host machine. Hopefully by this stage we all know the procedure; once you've started your attack box you should be presented with this familiar screen (as shown on the left).

That is if you're using the web-integrated AttackBox. If not, make sure you're connected to the TryHackMe OpenVPN, otherwise you won't be able to make any connections to the box.

Alright, let's get to it. The first and foremost stage, reconnaissance. 

"Scan and learn what exploit this machine is vulnerable to. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up. This room is not meant to be a boot2root CTF, rather, this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused."

As always, we'll be using nmap for the reconnaissance stage. Later on they might incorporate new tools into the courses, but for now this is one of the most important tools to get used to.
nmap -sV 10.10.152.255

Running the command we can see the following ports are open:

135, 139, 445, 3389 and a few surprisingly high ports 49152, 49153, 49154, 49158 and 49160

Knowing this and looking at all these somewhat high ports, let's run another scan, but this time we'll use nmap's vuln script category. nmap has an insane number of scripts and allows you to create and use your own; this is one of the many reasons why nmap is so powerful.

To do this we'll run: nmap -p-400 --script=vuln 10.10.213.230

It'll take a while to scan all ports up to 49160, so I recommend just scanning the first 400 ports to save time; you can do this by adding the -p-400 flag.

After running the vulnerability scan we can see that it's potentially vulnerable to the WannaCry attack, which is the EternalBlue vulnerability (CVE-2017-0143).

Now let's continue on and actually exploit this vulnerability. EternalBlue is an RCE vulnerability and has one of the highest severity ratings.


Questions:

1. How many ports are open with a port number under 1000?
With the ports 135, 139 and 445 the total comes to 3
The Answer: 3



2. What is this machine vulnerable to?
Referring to the above image we can see that it's ms17-010
The Answer: ms17-010

One of the most powerful tools available to any penetration tester is Metasploit. Metasploit automates most parts of penetration testing, so any script kiddie can come along and use it; certain certifications heavily discourage the use of Metasploit and instead encourage people to use exploits 'manually'. In this case, though, we will be using Metasploit.

To run Metasploit open up your terminal on your attackbox and enter msfconsole.

Once it starts up there will be unique ASCII art which you can fangirl over, and if you wanna look like a script kiddie just show this to people and call yourself a 'hacker'.

Anyway, moving on. We know what vulnerability we want to use, so let's set it up so we can run the exploit and send a payload.

To do this we'll go to Metasploit once it's finished initialising and, with the CVE in mind, use the search function they kindly graced us users with.

Metasploit was developed by Rapid7; it has thousands of exploits and modules for aspiring penetration testers and red teamers alike. To find the one we're looking for we'll type search ms17

Here are the results from our search. Now we'll look through the list and find the matching one.

Looking through all of these, only one is applicable, and to save you the tedious procedure of finding the right one, it's #8.

Now, to use the exploit, we'll copy the path shown above and type:

use exploit/windows/smb/ms17_010_eternalblue

Now, if we go and try to run this attack it'll fail, as we haven't set the target, nor have we looked at the options. To look at the options available type: show options. It'll list out all of the available options. Now, to set our target we look to RHOSTS: type set RHOSTS 10.10.152.255

Now we're ready to execute the exploit; do this by typing either run or, if you want to be cool, exploit.

This is what it will look like if the exploit was executed and worked successfully. Since this exploit is rather buggy you may have to restart the box to get the exploit working.

Now, let's background the session by pressing Ctrl + Z. A prompt will ask us if we want to background session 1; type Y followed by enter.

Cool, so we have a standard session; we'll now have to convert the shell to a meterpreter shell.

Questions:

1. Find the exploit to run against the machine
This is just the full path of the exploit, which we found earlier when looking through the response to 'search ms17'.
The Answer: exploit/windows/smb/ms17_010_eternalblue



2. In 'show options' what is the name of the required value?
The only thing we changed when looking at the options of the exploit was the host address
The Answer: RHOSTS


To convert a shell to a meterpreter shell, Metasploit has another snazzy thing within its database of modules: post/multi/manage/shell_to_meterpreter. Like what we did before, to use this we have to type use followed by the module path above. So go ahead and set up this meterpreter shell and check what options we might have to change.

Looking at the options there is only one thing that we need to set, and that's SESSION. If you recall, what we did earlier was put a session in the background, and it saved that session as session one. All you need to do is type set SESSION 1. And then we're ready to run this module!

As you can see here, we set the session to 1, then we ran the module. Even though it says it failed, when we check to see if any sessions are running by typing sessions, we can see an active meterpreter session.

To use the meterpreter session type sessions 1; it'll then make that the active session and we'll have a shell into the system. The next thing we shall do is execute getsystem, which will then elevate us temporarily. Now, to use the shell, we first have to go to the session and then enter shell to initiate the shell.

Once you've done that you can use any given Windows command; we'll start with ol' reliable whoami, and as we can see we're SYSTEM!

Now, just because we're SYSTEM doesn't mean our shell is. The next stage is the escalation, and to do that we'll need to attach ourselves to a process. To list all processes run the command tasklist, and you should be presented with a nice little display of all running processes as well as their process IDs (PID).

And here's the list of processes and names alongside memory usage measured in kilobytes. Let's see if we can find ourselves a process to attach to; we want one that's running as SYSTEM.

Setting our eyes on tasklist.exe with the PID of 1420, let us migrate to this process by typing migrate 2599

It may take a few attempts; I had to restart the box and do the entire process over again, but we finally migrated to PID 2356, so now we have SYSTEM privileges.



And now we move on to the next stage: dumping all the hashes and cracking them using a tool of our choosing. First, to dump the hashes we just run the hashdump command and it'll throw us a few different hashes for different users. So let us go ahead and do that now.

Here are the hashes for the users Administrator, Guest and Jon.

The hash: Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Let's save these hashes and crack them locally. Since we only really care about Jon, we'll just grab his hash. To crack it we first need to identify it; there's a tool called hash-identifier for that.


First, let's install hash-identifier:
1. git clone https://gitlab.com/kalilinux/packages/hash-identifier.git
2. chmod +rwx hash-id.py
3. python hash-id.py

Here's what should appear if everything was correctly followed. Pasting the whole hash in wouldn't be helpful, so we should investigate what kind of hashing algorithm Windows uses to hash its users' credentials. Googling that, we learn that the first part is the LM hash and the back half is the NTLM hash.

Now let's use hashcat to crack the hash we have just identified. hashcat is a tool that Kali comes with. We'll also need to supply it with a wordlist: type locate rockyou.txt and copy the path it gives you.
hashcat -m 1000 ffb43f0de35be4d9917ac0cc8ad57f8d /usr/share/wordlists/rockyou.txt

And voila! We have just cracked a hash! If we look at the terminal response we can see the hash followed by the password.

Hash cracking is technically a form of brute-forcing: every word within the wordlist gets hashed and compared to the target hash, and if it doesn't match it moves on to the next.

It does this until it finds a match, which in our case we were fortunate enough to get in only 5 seconds. Longer passwords take exponentially longer, ranging from mere seconds to days, at which point we question whether or not it's viable.
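To make the hashdump line and the hashcat command above concrete, here is an added example (not part of the original write-up, nor code from hashcat or Metasploit) that parses the hashdump record format, flags the empty-LM placeholder, and runs the same dictionary attack that hashcat -m 1000 performs, against a constructed five-word stand-in for rockyou.txt. It carries its own MD4 because hashlib's md4 is often unavailable on modern builds.

```python
import struct

def _rol(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): the primitive behind the NT hash."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Pad to 56 mod 64 bytes, then append the 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (  # (mixing function, additive constant, word order, per-step shifts)
        (lambda p, q, r: (p & q) | (~p & r), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda p, q, r: (p & q) | (p & r) | (q & r), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda p, q, r: p ^ q ^ r, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rol((a + f(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the right one
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)

# LM hash of the empty string: Windows stores this placeholder when LM hashing is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

def parse_hashdump(line: str) -> dict:
    """Split a meterpreter hashdump record: user:RID:LM-hash:NT-hash:::"""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM}

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); this is what hashcat mode 1000 attacks."""
    return md4(password.encode("utf-16le")).hex()

def crack_nt(nt: str, wordlist):
    """Dictionary attack: hash each candidate and compare, as the wordlist run above does."""
    return next((w for w in wordlist if nt_hash(w) == nt.lower()), None)

# Constructed inputs: the Jon record quoted in the write-up and a tiny stand-in for rockyou.txt.
JON_LINE = "Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::"
WORDLIST = ["password", "123456", "letmein", "alqfna22", "qwerty"]

if __name__ == "__main__":
    rec = parse_hashdump(JON_LINE)
    print(rec["user"], "LM disabled:", rec["lm_disabled"], "NT:", rec["nt"])
    print("cracked:", crack_nt(rec["nt"], WORDLIST))
```

The empty-LM check is why hash-identifier is not told the first half: on this box the LM field is the well-known placeholder, so only the NT half carries the password.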


1. What is the cracked password?
ffb43f0de35be4d9917ac0cc8ad57f8d = alqfna22
The Answer: alqfna22



And here is where our work finally pays off! The hunt is no longer for the exploit but for the flags, the final stage of any CTF (capture the flag). The first thing I did was cd to the root directory C:\, and that's where flag1 will be. Seeing this I was curious: could we recursively search for each flag? I was a bit foolish and searched the entire machine, but I exited out of the shell and just escalated to a new one, and before I did that, I coincidentally found the other two flags!

Quite lucky I must say. To search it's just where /R C:\ *.txt, which at the time struck me as a great idea. Was a tad foolish I must say. Anyway, that is the last section on this box!

1. Flag1? (Only submit the flag contents {CONTENTS})
We found this one by cd'ing all the way to the root directory
The Answer: access_the_machine

2. Flag2? {CONTENTS}
This bad boy was hiding all the way in the deep recesses of C:\Windows\System32\config
The Answer: sam_database_elevated_access

3. Flag3? {CONTENTS}
And last but not least, flag3; this one was hiding in C:\Users\Jon\My Documents
The Answer: admin_documents_can_be_valuable


And there we have it, folks! This is the end of the EternalBlue writeup. It takes a bit of patience and trying over and over again; quite often you will need to restart the box to get some exploits to function properly, so all you need in this case is persistence. It's always quite exciting for your work to finally pay off and to grab the flag; this is the pinnacle of any good CTF.

Good luck to all of those who shall tread down the path of penetration testing, may your exploits succeed and your shells connect!
