Hack The Box – Legacy Walkthrough

Introduction

This was an easy Windows box that involved exploiting the EternalBlue SMB vulnerability which is part of the MS17-010 security bulletin.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
  • -oA to save the output in all formats available

SMB Enumeration

The next step was to run a Nmap scan on ports 139 and 445 with all SMB enumeration scripts, to further enumerate this service. Command used: 

nmap -p 139,445 -Pn --script smb-enum* 10.10.10.40

I then ran another Nmap scan to check for any known vulnerabilities within the SMB service. Nmap has a number of "smb-vuln-msxx-xxx" scripts that can be used to test the SMB service for publicly known vulnerabilities.
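When the scan above is saved with -oA (or -oX), the XML copy is the easiest one to triage across many hosts. The following script is an added example and is not part of the original walkthrough: it walks the nmap XML, pulls out every smb-vuln-* script result per host, and lists the addresses the smb-vuln-ms17-010 check reports as VULNERABLE, which is the list a defender would hand to patching. The embedded XML is constructed to mirror the layout nmap emits for vuln-category scripts (a table keyed MS17-010 with a state element); the 192.0.2.x addresses are placeholders, not the box from this write-up.

```python
"""Triage nmap XML output for hosts that smb-vuln-ms17-010 flags as VULNERABLE.

Added example for this walkthrough, not part of the original post. The XML
below is constructed to follow nmap's layout for vuln-category host scripts;
the addresses are documentation-range placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: two hosts with 445/tcp open, one VULNERABLE, one NOT VULNERABLE.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="MS17-010">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="MS17-010">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


@dataclass
class SmbFinding:
    address: str
    script_id: str
    state: str


def parse_smb_vuln_findings(xml_text: str):
    """Return one SmbFinding per (host, smb-vuln-* script) pair present in the XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts without an IPv4 address element
        addr = addr_el.get("addr")
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith("smb-vuln-"):
                continue  # only the SMB vulnerability checks are of interest here
            state_el = script.find(".//elem[@key='state']")
            state = (state_el.text or "").strip() if state_el is not None else "UNKNOWN"
            findings.append(SmbFinding(addr, sid, state or "UNKNOWN"))
    return findings


def vulnerable_hosts(xml_text: str, script_id: str = "smb-vuln-ms17-010"):
    """Sorted addresses whose state starts with VULNERABLE (covers 'VULNERABLE (Exploitable)' too)."""
    return sorted({
        f.address
        for f in parse_smb_vuln_findings(xml_text)
        if f.script_id == script_id and f.state.upper().startswith("VULNERABLE")
    })


if __name__ == "__main__":
    for f in parse_smb_vuln_findings(SAMPLE_NMAP_XML):
        print(f"{f.address:16} {f.script_id:22} {f.state}")
    print("Needs MS17-010 patching / SMBv1 disabled:", vulnerable_hosts(SAMPLE_NMAP_XML))
```

To use it on a real scan, replace SAMPLE_NMAP_XML with the contents of the .xml file that -oA writes; because the state is matched on its prefix, the "VULNERABLE (Exploitable)" wording nmap uses for some checks is caught as well.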

SMB Exploitation

I tried a few exploits for MS17-010 found on GitHub and ExploitDB, but most of them did not seem to work. I then finally found the following Git repository. This exploit can use shellcode embedded in an executable, rather than requiring the shellcode to be pasted into a Python script like some of the other ones available on ExploitDB.

The first step is to generate some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case the Windows TCP reverse shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Executing the exploit, providing the IP address of the target machine, the malicious executable and the port to be used, results in a reverse shell. It looks like the current user already has SYSTEM-level privileges, so no privilege escalation is required.

Conclusion

The EternalBlue vulnerability is a very common Windows issue that has affected a large number of systems over the years. It is particularly dangerous because it is extremely easy to exploit and almost always results in a full system compromise.