In the last two articles on Nmap and Metasploit, I demonstrated using both of these tools on the TryHackMe room Blue. In this post, I decided to do a complete write-up of this room, as well as generally discuss the vulnerability this machine possesses.
Considered to be an entry-level capture-the-flag (CTF) challenge, Blue is a fun little room that gives you a taste of what is involved in attacking and escalating privileges on a vulnerable machine, using a real-world example of a common exploit. Like every article on this blog so far, we will again be attacking from a Kali Linux environment.
Before we dive straight into recon and ‘1337 skiddie h4xx0r1ng’, let’s talk about exactly what we are exploiting, who made it and how we even know about it.
Notoriously discovered and exploited in secret for over five years by a particular three-letter agency (TLA), the ominously named Eternal Blue is a nasty exploit targeting Windows hosts that run a vulnerable implementation of the Server Message Block (SMB) protocol. More specifically, it targets Microsoft’s implementation of version 1 of the protocol (SMB v1).
Using a specially crafted packet sent to a vulnerable host, an attacker can ultimately gain remote access to the target. The malicious packet triggers a buffer overflow on the target, which allows remote code execution (RCE). In this example, the RCE payload returns a reverse shell to the attacking machine.
Instead of disclosing the vulnerability to Microsoft, the TLA in question controversially decided to stockpile the exploit. It was leaked by the mysterious hacker group Shadow Brokers in April 2017, and made global headlines again when it was found that the WannaCry ransomware was using the exploit to spread itself rapidly across vulnerable networks. Several security patches for current and legacy versions of Windows have since been pushed, which suggests just how dangerous and prevalent the vulnerability is.
Since its leak and documentation by cyber security research firms, the exploit has been utilized by several pieces of malware, such as the NotPetya malware and the Retefe banking trojan, and has been used by several ‘advanced persistent threats’ in high-profile cyber attacks. As of March 2020, a full three years after the exploit was made public (a considerable amount of time in the context of cyber security), Eternal Blue remains one of the most popular network attacks.
Task One: Recon
Connect to the TryHackMe VPN and deploy the Blue machine. As stated in the room information, the machine does not respond to ping requests and may take up to five minutes to start. Once this is complete, let’s begin our recon with Nmap by issuing the following:
nmap -Pn -sV -O --script vuln <target IP>
- -Pn to skip the ping test (the machine does not respond to ping, so Nmap would otherwise treat it as down)
- -sV for service versions
- -O for operating system detection
- --script vuln to run the vulnerability detection scripts (note: this is a double dash before ‘script’)
The output will provide you with all three answers for this stage. We now have a rough idea of what services our target is running, what the operating system is and which exploit we can use against the vulnerable SMB protocol.
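The same vuln script result is also what a defender uses to find which hosts still need the MS17-010 patch. The following is an added example, not from the original write-up or from the Nmap project: it assumes the scan was saved with Nmap’s -oX option and parses a constructed sample of that XML to list the hosts the smb-vuln-ms17-010 script flagged as VULNERABLE.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real scan output) of the XML that nmap -oX writes
# when the smb-vuln-ms17-010 NSE script has run against two hosts. Only the
# elements this parser reads are included; real output carries far more.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.6" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table>
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def ms17_010_hosts(xml_text):
    """Return IPv4 addresses whose smb-vuln-ms17-010 state is exactly VULNERABLE."""
    root = ET.fromstring(xml_text)
    hits = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-vuln-ms17-010":
                continue
            states = [e.text or "" for e in script.iter("elem") if e.get("key") == "state"]
            # Exact match on purpose: a substring test would also match the
            # 'NOT VULNERABLE' state the script reports for patched hosts.
            if any(s.strip().upper() == "VULNERABLE" for s in states):
                hits.append(addr.get("addr"))
                break  # one hit per host is enough for a patch list
    return hits
```

Every address the function returns is a host that still exposes unpatched SMBv1 and belongs at the top of the patching (or SMBv1 disablement) queue.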
Task Two: Gain Access
We have all the information we need to gain an initial foothold on the target system, so let’s fire up Metasploit. I covered this step in its entirety in my article on Metasploit, but let’s briefly go over it again.
Once msfconsole has started, let’s search for and select the exploit using the information we gathered in the first task:
use <corresponding number>
Check which options we need to set for the module to work by issuing ‘show options’ and set the appropriate options using the ‘set’ command.
Once we have set the required options up, we are now ready to run the exploit by issuing ‘run’ or ‘exploit’:
As you can see in my example image, the exploit failed a couple of times before it worked. You may have to restart the target machine if it continually fails.
Confirm that the exploit was successful and background the shell it returned by using ‘Ctrl+Z’ and then ‘y’ when prompted. The next task requires us to upgrade the shell to a ‘meterpreter’ session, so we can escalate our privileges — which isn’t actually necessary as the shell the exploit returned is of the highest privilege on the target system — but for the purpose of the write-up, we will do this.
Task Three: Escalate
At this stage we have gained an initial foothold on the system, so now we need to upgrade the shell we have using a post-exploitation module and then escalate our privileges. Using the search command, search for ‘meterpreter’.
Much like we did when searching for the exploit module, let’s select the module we want to use by issuing:
use <corresponding number>
Question two of this task asks us what option we need to set, so let’s view the options with ‘show options’. This is where the shell the exploit initially returned comes into use. Set the appropriate option to use this session (you can view what sessions you have available and their IDs by issuing the ‘sessions’ command):
Once you have completed this, run the module by issuing the ‘run’ command and then interact with the new meterpreter shell by issuing ‘sessions -i <session number>’. To verify that the shell conversion was successful, issue the meterpreter command ‘getuid’, or start a shell by issuing the ‘shell’ command and, once a Windows command prompt is displayed, issue the Windows command ‘whoami’. If this has been successful, it will return ‘NT AUTHORITY\SYSTEM’.
This shell isn’t stable enough to maintain access to the target, so we need to migrate to a process that has the same authority as the shell (which was ‘NT AUTHORITY\SYSTEM’, the highest privilege on a Windows system). Return to the meterpreter session and list the processes running on the system by issuing ‘ps’. You will see each process ID (PID), the parent process ID (PPID), the process name, its architecture, the user it runs as and the path where it is located on the compromised host.
Once you have chosen a process (I usually go for lsass or spoolsv, two services that will restart if you crash them, with little consequence to the stability of the target system), issue the following command:
Finally, elevate your meterpreter session by issuing ‘getsystem’:
Task Four: Cracking
It’s time to pillage and loot. Dump all the user hashes by issuing the ‘hashdump’ command in the meterpreter session, and crack the hash using either john, hashcat (which I covered in the hash cracking article) or CrackStation. This hash dump and crack will reveal the answers to this task’s questions.
Keep in mind that you will have to format the hash appropriately for whatever tool you decide to use.
Task Five: Find flags!
Finally, let’s complete the room by finding all the flags. In reality, for a black hat these flags would be valuable data and trade secrets; for a white hat they are proof that the system is vulnerable, and your paycheque. In our case we know exactly what we are looking for, so let’s search for the text files named ‘flag1.txt’, ‘flag2.txt’ and ‘flag3.txt’.
Start a shell, change to the root of the C: drive and use the Windows ‘dir’ command to find the directories where these files are located, then use the ‘type’ command to view them.
dir *flag*.txt /s
Alternatively, we can use meterpreter’s ‘search’ command to find the files and ‘cat’ to view them:
search -f flag*.txt
This isn’t necessary for the room or any of the tasks, and arguably in a real-world situation it would blow your cover entirely (if an IDS hadn’t already picked you up at the Nmap scan), but I thought it was a pretty cool way of getting eyes on the actual system. We’re going to add our own user account with admin privileges to the compromised system and remote into it using Remmina. Kali Linux doesn’t come with Remmina installed by default, so go ahead and install it with apt or Synaptic.
In our elevated meterpreter session, access the compromised system’s shell and issue the following Windows commands to create a user account and add it to the local administrators group:
net user <username> <password> /add
net localgroup administrators <username> /add
Now start up Remmina, set up a new connection with the compromised system’s address and your new user account details, and then connect to the system.