Breakdown of IppSec’s YouTube video HackTheBox - Blue. A crash course in nmap and its strength in enumeration, an exploitation crash course with Metasploit & Empire, fixing Unicode issues with xxd, and using unicorn to elevate a meterpreter shell to a full stdapi.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
Enumeration
-sC = default scripts
-sV = enumerate versions
-oA = output in all formats; nmap-scripts = base name of the saved output files (results)
The Microsoft security bulletin for EternalBlue is MS17-010; the vulnerability allows an attacker to send crafted SMB messages to the service and execute code remotely.
More information can be found on the Microsoft security page: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
searching for MS17-010 nmap script
At first, search the box for “lue” (since it is unclear whether the script name uses a lowercase b or an uppercase B) and grep for the nmap script extension “.nse$”. Then switch to searching for the vulnerability code and grep for the extension again.
The script exists at */usr/share/nmap/scripts/smb-vuln-ms17-010.nse*
inspecting the nmap script
Inspect the script and verify that its categories include “safe”.
nmap scanning all “safe” scripts
To scan with all safe scripts against a target:
-Pn = disable ping
-n = disable DNS resolution
Running all safe scripts takes quite a bit of time, as many scripts are run against the target.
searching nmap scripts & sorting
To find out what all the “categories” are in the nmap script folder:
If we just want to see the “categories”, we can grep for everything between the quotes:
Sorting this list with sort:
This is a list of all the script categories available with nmap.
To grab just one “category” from above and list its scripts:
This lists all the “default” scripts; “default” can be swapped for any of the categories above.
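The category search above, reproduced as an added example that is not part of the original write-up: it builds a few constructed .nse stand-ins in a temporary directory (so it runs offline), then lists all categories, lists the scripts in one category, and checks that a single script carries “safe” before it is added to a scan. The SCRIPT_DIR variable and the sample files are assumptions; on a real box you would point it at /usr/share/nmap/scripts.

```shell
# Added example (not from the original write-up). Assumes a directory of
# .nse files; the three sample files below are constructed stand-ins whose
# only relevant content is the "categories" line. Point SCRIPT_DIR at
# /usr/share/nmap/scripts to run it against a real install.
SCRIPT_DIR="${SCRIPT_DIR:-$(mktemp -d)}"

cat > "$SCRIPT_DIR/smb-vuln-ms17-010.nse" <<'EOF'
description = [[ constructed sample, not the real script ]]
categories = {"vuln", "safe"}
EOF
cat > "$SCRIPT_DIR/http-title.nse" <<'EOF'
categories = {"default", "discovery", "safe"}
EOF
cat > "$SCRIPT_DIR/dns-brute.nse" <<'EOF'
categories = {"intrusive", "discovery"}
EOF

# All distinct categories in the directory, one per line, sorted.
# grep -h drops filenames, grep -o keeps only the quoted words, tr strips quotes.
list_categories() {
    grep -h '^categories' "$SCRIPT_DIR"/*.nse | grep -o '"[^"]*"' \
        | tr -d '"' | sort -u
}

# Scripts whose categories line contains the given category, e.g. "default".
scripts_in_category() {
    grep -l "^categories.*\"$1\"" "$SCRIPT_DIR"/*.nse | sed 's#.*/##' | sort
}

# The verification step done for smb-vuln-ms17-010 in the text:
# returns 0 when the named script is tagged "safe", 1 otherwise.
script_is_safe() {
    grep -q '^categories.*"safe"' "$SCRIPT_DIR/$1"
}
```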
return to results from “safe” nmap
There is quite a bit of information that was returned.
The scan reports EternalBlue “ms17-010” as “VULNERABLE”.
nmap with “vuln and safe”
To narrow this “safe” enumeration to scripts that are also in the “vuln” category:
Exploiting
Metasploit
I know of two ways to launch metasploit:
Search for EternalBlue - ms17-010
Use exploit:
Show options:
Set payload:
Set LHOST:
Set RHOST, then exploit:
Meterpreter session opened!
List all sessions:
Interact with the shell:
EMPIRE Framework
Empire is a post-exploitation Windows tool.
In a directory of choice, /opt/Empire:
The development branch is recommended, as it has better quality-of-life improvements.
install empire
Change directory to /setup and execute install.sh:
Hit [enter] for random password generation.
execute empire
From /opt/Empire:
Use help to list all the commands available.
setup listeners
This is always the first command to run:
Using the “http” listener:
Run info, which is similar to show options in msf:
We need to change the host and port:
10.10.14.16 is the local IP; port 443 is normally allowed outbound through firewalls.
To start the listener:
Back out of the listener:
Generate a PowerShell payload:
On the local box, make a directory called /http and create a file named empire.ps1:
Paste the PowerShell output into it.
using stagers
Alternatively, like launchers, there are stagers:
We have duck, hta, bat, vbs, macros and macroless_msword stagers.
sending empire.ps1
Set up a local HTTP server:
From the meterpreter shell on the target, download the file:
The local web server log verifies that the file was sent.
Back out to the main menu:
Our target machine is now hooked. Empire is different in that the agent only contacts the “mothership” to retrieve commands at the configured delay interval.
To change the frequency/delay:
interacting with agents
show modules (tab x2) lists all available modules:
empire privesc module
The job will start once the agent checks back in to the “mothership” Empire C2 server, and the results are shown in the window when it has finished.
mimikatz module
Head back one level and run help:
Alternatively, use searchmodule:
The relevant modules are mainly under credentials.
display empire running jobs
Awaiting the return of “allchecks”.
adding modules to Empire
For instance, if you wanted to run Sherlock.ps1 from @_Rastamouse (GitHub link: https://github.com/rasta-mouse/Sherlock):
fixing unicode on a ps1 file
A Unicode issue exists on the first line of the file.
Use xxd to create a hex version of Sherlock.ps1:
Delete the first 6 characters of the hex dump (the first 3 bytes of the file).
Convert the hex back to a .ps1:
The Unicode issue has been resolved.
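The xxd round-trip above drops the first 6 hex characters, i.e. the first 3 bytes of the file. As an added example (not from the original write-up), the same fix done with od and tail so it runs where xxd is not installed; it assumes those 3 bytes are the UTF-8 byte-order mark EF BB BF, which Windows editors commonly prepend to .ps1 files, and the sample Sherlock.ps1 it writes is constructed.

```shell
# Added example, not from the original write-up. Assumption: the "Unicode
# issue" on line 1 is the UTF-8 BOM (bytes EF BB BF), which is what deleting
# 6 hex characters in the xxd dump removes. od/tail stand in for xxd.

# Write a constructed .ps1 that starts with the BOM (octal 357 273 277).
make_sample_ps1() {
    printf '\357\273\277function Find-AllVulns { "constructed sample" }\n' > "$1"
}

# First three bytes of a file as lowercase hex, e.g. "efbbbf".
first_bytes_hex() {
    od -An -tx1 -N3 "$1" | tr -d ' \n'
}

# Return 0 when the file starts with the UTF-8 BOM.
has_bom() {
    [ "$(first_bytes_hex "$1")" = "efbbbf" ]
}

# Write a copy of $1 to $2 with the BOM removed. Files without a BOM are
# copied unchanged, so running it twice never eats real script content,
# which blindly cutting 6 hex characters would do.
strip_bom() {
    if has_bom "$1"; then
        tail -c +4 "$1" > "$2"
    else
        cp "$1" "$2"
    fi
}
```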
return to invoke “allchecks”
results from the “allchecks”
It returned a significant number of results, since we are already SYSTEM from the exploit.
lost limit
With this setting, the agent keeps checking in, and if contact is lost for the specified time the client will uninstall itself.
Normally set to 4440, which is about 24 hours.
scriptcmd & scriptimport
scriptcmd executes a function from a previously imported script, and scriptimport sends a new PowerShell script to the agent to keep in memory.
Importing Sherlock.ps1:
Run Sherlock.ps1:
Find-AllVulns is a function inside Sherlock.ps1.
(results)
pass an object from Empire to Metasploit
It is stated at this point that this might get a bit tricky. Create a new meterpreter listener within Empire:
Add the Host and Port and execute. Go back and interact with the previous session.
Re-set up Metasploit (ctrl+c to terminate the current handler).
Set up the exploit handler:
Set LHOST and LPORT.
Back in Empire, issue a ps command to list processes:
Pick a process running at the desired user level.
Head back to main and use injectshellcode:
Set the PID of the process we want to inject into.
Show info:
Set the payload:
On the Metasploit multi/handler, a session is received.
Seeing the commands available:
There should be a longer list of options to use, but it was stated that this version of the exploit doesn’t support x64 and is geared more toward x86 systems.
spawning 32bit process
Empire:
set Cmd C:\windows\syswow64\cmd.exe
When attempting to execute, the framework asks for a Username or CredID.
IppSec’s workaround uses unicorn (GitHub link: https://github.com/trustedsec/unicorn):
In Metasploit, background the session, create a 32-bit handler and change LPORT:
In Empire, use injectshellcode with the 32-bit payload and change Port and Host.
Back out and interact with the agent:
Set LPORT to 8002.
Successful response back to metasploit:
Interact with session 3:
We still don’t have the standard API, but we can attempt to load it manually:
msf crashes at this point.
unicorn for the full stdapi
Pivot to unicorn, which outputs code to a file called powershell_attack.txt.
Send this file to our target with SimpleHTTPServer:
In Empire, head back and use the “shell” command, which runs PowerShell commands:
The connection is established.
Background our session 3 and enter session 4:
At this point we have full standard API functionality with all the bells and whistles.
If you don’t know who IppSec is, check him out at https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Twitter: https://twitter.com/ippsec