Hack the Box: Blue

My friends tell me it’s in vogue these days for pentesters to write up walk-throughs of challenge boxes from Hack The Box. So I decided to get into the game, starting with a machine called Blue. I hear it’s one of the easiest boxes on the platform. Nonetheless, I hope my write-up will prove enlightening among the sea of other write-ups out there. #IAmNodeZero

TL;DR

I obtained system-level privileges on Blue by exploiting the family of critical Windows SMB vulnerabilities known as EternalBlue. During post-exploitation I acquired credentials for the Administrator and haris users by dumping the Windows Security Account Manager (SAM) database.

Timeline of Notable Events

Attack Graph

This is the attack graph that represents what I did. I’ll walk through this in detail below:

Walkthrough

Enumeration

2:49:08 AM UTC: I started my assessment. I was provided the target’s IP address, 10.10.10.40. I confirmed this machine was live with an nmap ping sweep.

I ran TCP and UDP port scans using nmap and found the following open ports:

The Windows SMB port 445 stood out, and I ran further probes against it.

2:49:33 AM UTC: I fingerprinted the operating system as Windows 7 using crackmapexec. I also noted that SMB signing was disabled – not useful for this particular assessment but something that may have been helpful for attacking larger networks.

2:49:37 AM UTC: I discovered that the Windows Guest user could read the Users and Share shares. I found 58 files in those shares but none of them were particularly interesting.

2:49:56 AM UTC: In the midst of running a full-port TCP port scan, I started scanning the SMB port for major vulnerabilities using nmap and discovered that the machine was vulnerable to EternalBlue.

Exploitation

What’s commonly referred to as EternalBlue is actually a collection of multiple critical Windows SMB vulnerabilities, logged as CVE-2017-0143 through CVE-2017-0148. The EternalBlue family also includes  EternalChampion, EternalSynergy, and EternalRomance.

Four years after the disclosure of these vulnerabilities by the Shadow Brokers, and the widespread exploitation of them by the WannaCry and NotPetya ransomware worms, I still see EternalBlue commonly come up in internal pen tests. Successful exploitation of EternalBlue leads directly to system-level privileges on the vulnerable host, allowing an attacker to not fully only compromise the host but to acquire credentials and other data that can be used to move laterally within the network.

There are a couple of off-the-shelf exploits provided by the Metasploit framework for exploiting EternalBlue.

Of these exploits, the first and second options (exploit/windows/smb/ms17_010_eternalblue and exploit/windows/smb/ms17_010_eternalblue_win8) are kernel-level exploits that carry some risk of blue-screening the target. While it’s ok to throw this exploit in a playground like Hack The Box, it’s not something I’d throw in a real-world pen test without prior authorization.

Instead I chose to first run the auxiliary/admin/smb/ms17_010_cmmand Metasploit module. This module exploits the EternalChampion/EternalSynergy/EternalRomance combination of vulnerabilities and runs an arbitrary command on the target via psexec, a well known technique for running processes on a host.

According to the Metasploit documentation this module is much more reliable and safe than exploit/windows/smb/ms17_010_eternalblue and exploit/windows/smb/ms17_010_eternalblue_win8.

This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).

The catch is that this module requires access to a named pipe. From my experience this is pretty common on machines that are vulnerable to EternalBlue. Even if a named pipe isn’t accessible at first as an anonymous user, there is a good chance in a large network that I’ll acquire some sort of credential to the machine (Guest access or any domain user for domain-joined machines will work).

2:50:09 AM UTC: I ran the auxiliary/admin/smb/ms17_010_command module with the whoami command:

I’ve proven that EternalBlue on this target is exploitable.

Post-Exploitation

The next step is land a proper shell on the target to pilfer the host.

The Metasploit module exploit/windows/smb/ms17_010_psexec works the same way as the auxiliary/admin/smb/ms17_010_command module except it establishes a reverse shell instead of just executing a command and exiting.

2:52:10 UTC: I kicked off the exploit/windows/smb/ms17_010_psexec module using the standard meterpreter payload. Inside the meterpreter shell, I ran the post-exploit module post/windows/gather/hashdump to dump the host’s SAM database.

2:54:36 AM UTC: I obtained the NTLM hashes for the Administrator and haris users.

2:54:41 AM UTC: I used crackmapexec to verify that the Administrator NTLM hash is valid by “passing the hash” while authenticating to the SMB service:

2:54:52 AM UTC: I do the same thing for the haris user:

2:55:07 AM UTC: I attempted to dump credentials stored in the target’s Local Security Authority Subsystem Service (LSASS) process using crackmapexec and the Administrator user credentials. This didn’t yield any new credentials.

While none of these credentials matter much for a CTF, in larger assessments these credentials are extremely valuable for moving laterally through the network.

3:00:20 AM UTC: I completed my assessment.

Conclusion

Even though EternalBlue was disclosed 4 years ago, I still find it frequently in internal pentests, usually on one-off assets that are hard to patch or got missed by patch management. Please patch! Assets in lab or test environments are also important to address because attackers may be able to use the data on those assets to attack more critical assets.

This was a fun experience, and I am looking forward to documenting my experiences with more challenging boxes on the Hack The Box platform.