Blue (E)

https://tryhackme.com/room/blue

Room info: "Scan and learn what exploit this machine is vulnerable to. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up. This room is not meant to be a boot2root CTF, rather, this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused."

The virtual machine used in this room (Blue) can be downloaded for offline usage from https://darkstar7471.com/resources.html. It carries the same flaw leveraged by WannaCry back in 2017: the EternalBlue exploit, which was revealed by the ShadowBrokers, exploits an issue within SMBv1.

Enumeration

To answer the questions below, we need to run nmap for basic enumeration. Since the room says the machine does not respond to ping (ICMP) requests, we can use the -Pn switch (skip host discovery), together with -sC and -sV for default-script and service/version detection:

How many ports are open with a port number under 1000? 3

What is this machine vulnerable to?

Let's say we don't know about EternalBlue. To answer the second question, we need to further enumerate the machine and better understand the services behind TCP ports 135, 139, 445, 3389, 49152-49154, 49158 and 49159. (Or just follow the hint: "Revealed by the ShadowBrokers, exploits an issue within SMBv1".)

Let's take the learning approach and first understand SMB: the SMB protocol is a client–server communication protocol that has been used by Windows since the beginning for sharing files, printers, named pipes, and other network resources. SMB stands for "server message block." Apart from regular resource sharing, SMB is also useful for inter-process communication (IPC), such as in mailslots.

The SMB port number is TCP 445. If you've heard people saying the port number is 139, they could be partially correct. Let’s understand the SMB ports 445, 139, 138, and 137 in detail.

The earlier version of SMB (SMB 1.0) was originally designed to operate on NetBIOS over TCP/IP (NBT), which uses port TCP 139 for session services, port TCP/UDP 137 for name services, and port UDP 138 for datagram services. Here's a detailed and comprehensive overview of the SMB Protocol.

By default, NBT is installed and enabled in Windows for backwards compatibility, but it is known for exposing file shares and other information to everyone on the network. While it is not a big problem in local networks, it could be a security risk if exposed to the Internet. Man-in-the-middle (MITM) and NetBIOS name service (NBNS) spoofing attacks are common on NBT-enabled networks, particularly if the related ports are not properly safeguarded. Exposure of these SMB ports to the Internet is also how WannaCry spread so quickly with its worm capabilities.

NetBIOS over TCP/IP (NBT) is a completely independent service from SMB, and it doesn't depend on SMB for anything. The SMB protocol, on the other hand, may rely on NetBIOS to communicate with old devices that do not support the direct hosting of SMB over TCP/IP.

Therefore, the SMB protocol relies on port 139 while operating over NBT. However, normally, for direct SMB over TCP/IP, the SMB port number is TCP 445. By the way, if both NetBIOS over TCP/IP and directly hosted SMB over TCP/IP are available (that is, if ports 445 and 139 are both listening), Windows tries both options at the same time. Whichever responds first is used for communication.

SMB 2.0, introduced with Windows Vista and Windows Server 2008, can operate solely on TCP port 445, so you can safely disable NBT for improved security and reduced network overhead caused by NetBIOS broadcasts.

To see the status of ports 139 and 445 in your system, use the following PowerShell command:

Get-NetTCPConnection -LocalPort 139,445 -ea 0 | select Local*, Remote*, State, @{n="ProcessName";e={(Get-Process -Id $_.OwningProcess).ProcessName}} | ft -Auto

As a side note, here are some best practices to secure SMB communication:

  • Explicitly disable the obsolete SMB dialects (SMB 1.0 in particular) and NBT in your network.

  • Restrict the SMB ports' access to trusted networks and clients.

  • Always use the latest SMB dialect (SMB 3.1.1) whenever possible and enable security features.

  • If you do not have any old clients in your network, it is a good idea to block other ports, except for TCP 445 in the Windows Defender firewall.
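To verify the first item of that list on a host you administer, here is an added example (not code from the original write-up): it sends an SMB1-only NEGOTIATE offering just the NT LM 0.12 dialect and classifies the reply, so a server that still accepts SMB1 is reported as such. The header field values follow MS-CIFS; the classification labels are this example's own naming.

```python
import socket
import struct

def build_smb1_negotiate(dialects=("NT LM 0.12",)) -> bytes:
    """SMB1 NEGOTIATE request (MS-CIFS SMB_COM_NEGOTIATE) in a NetBIOS session wrapper."""
    header = b"\xffSMB" + bytes([0x72])              # protocol id, SMB_COM_NEGOTIATE
    header += struct.pack("<I", 0)                   # NT status
    header += bytes([0x18])                          # Flags: case-insensitive, canonical paths
    header += struct.pack("<H", 0xC853)              # Flags2: unicode, NT status, ext. security
    header += b"\x00" * 12                           # PIDHigh(2) + SecurityFeatures(8) + Reserved(2)
    header += struct.pack("<HHHH", 0, 0xFEFF, 0, 0)  # TID, PID, UID, MID
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = bytes([0]) + struct.pack("<H", len(blob)) + blob   # WordCount=0, ByteCount, dialects
    smb = header + body
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb    # NetBIOS: type 0, 3-byte length

def classify_negotiate_response(data: bytes) -> str:
    """Label what a server sent back to an SMB1-only NEGOTIATE (labels are this example's own)."""
    if len(data) < 8:
        return "no-response"        # reset/closed: SMB1 is disabled or the port is filtered
    proto = data[4:8]               # skip the 4-byte NetBIOS session header
    if proto == b"\xfeSMB":
        return "smb2-only"          # server refused SMB1 and answered with an SMB2 header
    if proto != b"\xffSMB":
        return "not-smb"
    if len(data) < 39 or data[36] == 0:   # WordCount sits right after the 32-byte SMB header
        return "smb1-rejected"
    dialect_index = struct.unpack_from("<H", data, 37)[0]   # first parameter word
    return "smb1-rejected" if dialect_index == 0xFFFF else "smb1-enabled"

def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the request and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate())
        try:
            data = s.recv(1024)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_negotiate_response(data)
```

A result of "smb1-enabled" after you believe SMB 1.0 was removed means the server-side dialect is still negotiable and the change did not take effect.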

Looking for nmap information and how I could further enumerate SMB vulnerabilities, I came across specific scripts, like: https://nmap.org/nsedoc/scripts/smb2-vuln-uptime.html

--script smb2-vuln-uptime

Description: Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.

SMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs.

Unfortunately, that didn't bring any results (I'm not sure why), but we still have the vulners option: https://nmap.org/nsedoc/scripts/vulners.html, and also --script smb-vuln*, to check for all well-known SMB vulnerabilities:

What is this machine vulnerable to? MS17-010

With this, we can use Metasploit to exploit this vuln:

Now we can background the previously gained shell (CTRL + Z) and convert it to a Meterpreter shell in Metasploit:

use post/multi/manage/shell_to_meterpreter (Shell to Meterpreter Upgrade) and configure options (LHOST and session)

Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a DOS shell via the command 'shell' and run 'whoami'. This should return that we are indeed SYSTEM. Background this shell afterwards and select our Meterpreter session for usage again.

List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id.

Migrate to this process using the 'migrate PROCESS_ID' command, where the process id is the one you wrote down in the previous step. This may take several attempts, as migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

This is an "LM hash" line in the dump format used by older versions of Windows to store password hashes. The line is composed of several colon-separated fields, each of which represents a different piece of information:

  1. "Jon": The username of the account.

  2. "1000": The user ID of the account.

  3. "aad3b435b51404eeaad3b435b51404ee": The LM hash of the user's password.

  4. "ffb43f0de35be4d9917ac0cc8ad57f8d": The NT hash of the user's password.

  5. ":::": Empty fields for additional information (not used in this example).

hashcat was used to crack it (or search for the hash at crackstation.com):

The "-m 1000" flag specifies that the hash type is Windows NTLM, and the "-a 0" flag specifies a straight attack mode (trying all passwords in the wordlist one by one).

In Windows, password information for individual user accounts is stored in the Windows Registry or in the SAM (Security Account Manager) file, depending on the version of Windows. The SAM file is located in the %SystemRoot%\System32\Config folder, where %SystemRoot% is the location of the Windows operating system, usually "C:\Windows".

Another excellent write-up: https://unicornsec.com/home/tryhackme-blue-t6red
