Home Blue
Post
Cancel

Blue

blue

Blue is an easy level Windows machine on Hack the Box featuring the notorious CVE-2017-0143, which was used in the “WannaCry” ransomware attacks. Due to the nature of this vulnerability, it’s a pretty straight forward route from boot to root. That being said, this vulnerability will always have a historical significance as it is theorized to have been developed by the NSA, and it’s unintended release led to massive waves of ransomware attacks globally, or so the story goes.

Enumeration

Anyways, we run an NMAP on the target which shows us:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
sudo nmap -sC -sV 10.10.10.40
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-03 12:22 CDT
Nmap scan report for 10.10.10.40
Host is up (0.051s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-10-03T17:23:10
|_  start_date: 2022-10-03T17:04:45
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-10-03T18:23:12+01:00
|_clock-skew: mean: -19m57s, deviation: 34m36s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.95 seconds
zsh: segmentation fault  sudo nmap -sC -sV 10.10.10.40

Our trusty nmap scripts found the OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1), and a bunch of other information about SMB on the machine. Running another nmap, this time specifying to use the vuln scripts on port 445:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
$ sudo nmap -script vuln -p445 10.10.10.40                                                                   
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-03 12:47 CDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.40
Host is up (0.051s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 50.15 seconds
zsh: segmentation fault  sudo nmap -script vuln -p445 10.10.10.40

We can see that this version of SMB is vulnerable to CVE-2017-0143, which allows an unauthenticated user remote code execution. This vulnerability is more popularly known as EternalBlue (ms17-010), and you will see now why it is classified as a high severity vulnerability.

exploit

Using msfconsole, we search “ms17-010” and select a payload.

hosts

Once we’ve set the listener and remote host ip addresses, we’re ready to go.

system

In just a few commands, and with 0 technical prowess, we’ve gone from unauthenticated user to system level access on the machine.

This post is licensed under CC BY 4.0 by the author.