Blue (tryhackme)

 This is a machine on tryhackme 


I liked working on this machine as it allowed me to practice hacking Windows based boxes as well as following a methodology which can be used when attacking networks.


The first job was to use nmap to find open ports. I could have limited the scan to the most common 1000 (which is the default scan when using the -sS flag) but I always like to check every port. The -p- flag makes sure that nmap checks every port. This can take a while, so I used --min-rate=250 to speed things up (I have found the value of 250 works well for my particular set up and network speed - this may be different for others). I also only performed a half-open SYN scan using the -sS flag. I then used piped commands to strip away unwanted data so that I could save the open port numbers into a variable which could then be used for further enumeration using more intrusive scans.


The open ports 135, 139 and 445 were of immediate interest to me as they indicated that the victim machine was running NetBIOS over TCP. This is how machines running Windows can share resources over the internet. Port 139 uses TCP to establish a session and then the Service Message Block (SMB) protocol is used to exchange data. In order for this to work, first of all a NetBIOS name has to be resolved into an IP address using a name service. This is similar to DNS. I didn't have to scan UDP ports, but did so just to verify that port 137 was open. This is the port which is used for the NetBIOS name services. NetBIOS names consist of 16 bytes and identify a NetBIOS resource on a network. The first 15 bytes are user defined, but the last byte is reserved to indicate what type of resource is being shared. This last byte will use hexadecimial and can range from 00 to FF. SMB can run on its own as well as over a NetBIOS session - this is what port 445 is for. Port 445 runs SMB on its own.



 With these open ports identified and saved in a variable, I next used the variable along with the -p switch to conduct more intrusive scans using the -sV and -A flags. The results were interesting (though not surprising considering the name of the room!) as the victim machine was running Windows 7. Further information was leaked from the Remote Desktop service running on port 3389.




I could at this point have jumped straight into checking for an eternalblue vulnerability, but instead thought I would check out the SMB shares a little more.


The first thing I noticed was that message signing was disabled or enabled but not required (which is really the same thing). This is good to know when attacking a machine which is a part of a Windows domain as by not having message signing enabled, the machine is vulnerable to pass-the-hash attacks in which looted NTLM hashes are passed around the domain to see if they can grant access to other machines.



Next, I used nmblookup to check out the victim machine more. The code <20> (remember the last byte in NetBIOS names?) indicated to me that the machine was serving shared resources, so I tried to connect to it using a null session attack. This can be achieved by using smbclient with the -L flag to list shares along with the -N flag to specify not to use a password. The \\\\ and \\ look like a lot of \ because I had to escape each \ in my Linux terminal. The anonymous login was successful, but nothing could be found so it was essentially useless. 





I felt it was now time to see if the victim machine was vulnerable to eternalblue (ms17-010). In order to do this, I started msfconsole and used auxiliary/scanner/smb/smb_ms17_010 

It turned out that the victim machine was vulnerable, so I searched for eternalblue exploits. Several were found.  I used the first one and only had to set the RHOSTS option to the IP of the victim machine and the LHOST option to the IP address of my attacking machine. This exploit was successful and opened a meterpreter reverse shell.






The first thing I did once I had obtained a reverse shell was to check the level of access I had gained along with privileges by using run post/windows/gather/win_privs I was happy to see that I was NT AUTHORITY\SYSTEM which is the most privileged user (like root on Linux). This was good news.



It was now time to follow a sound methodology for continuing my attack.


The first thing I did was to find a more stable process to migrate my meterpreter session to. This is good practice as the initial process may not be too stable or could be shut down by a remote user. I wanted to find a process which was running with x64 architecture and as NT AUTHORITY\SYSTEM so I used the -A x64 and -s flags.





My next step was to enumerate the machine to find out more about it and its users. This can be achieved manually by opening a shell and then using Windows commands, but using run winenum from the meterpreter shell speeds things up considerably. One useful command dumped the NTLM hashes from the SAM database. These hashes are important as they can be used in pass-the-hash attacks (remember that message signing was not enabled?) or they can be cracked and used in pass-the-password attacks. They can also give us persistence in other ways such as being used to open half-shells or access Remote Desktop sessions.





This is the next step in my attack methodology - gain persistence - a way to get back onto the machine at a later date.


The looted NTLM hashes would be useful for this, but there are other ways to achieve it. I chose to open a shell and then create a new user called brian with a password of my own choice and therefore control. I then added brian to the local administrators group. This meant that even if I couldn't crack the looted hashes, I would still know the username and password of a local admin account on the victim machine which I would be able to use to regain access to it at a later date.





Now that I had made my shell more stable by migrating to a different process and gaining persistence by creating a new local admin user under my control and looting NTLM hashes, I felt ready to loot sensitive data from the victim machine. As this was a CTF room, I knew that flags would represent this sensitive data. I therefore used the tree command along with the findstr command to quickly find any files with flag in them.




Three flags were discovered, but the paths to them were not shown, so I used the dir command to find their paths and then the type command to see their contents.






Now that data had been looted from this machine, it made sense to check its networking to see if it was connected to any other networks. If it was, then my attacking methodology would cycle back around as I would use the compromised machine to pivot through and scan the other machines on the other networks. In this case, unsurprisingly, I found that the victim machine was only on the one network which I already knew about.




With my attack completed, I continued by making sure that my new user brian could be used to regain access to the remote machine. I was able to do so by using an eternalblue psexec exploit. I finished off by using hashcat to crack the looted hash for the user Jon. In my command, I used the dive.rule by specifying it with the -r flag. This is a very good set of rules to use. When cracking NTLM hashes, we can use -m 1000 I like to combine usernames with hashes and passwords when cracking hashes. It looks like more work, but I like to do it, especially when cracking the hashes of lots of users.








Thanks to ben and DarkStar7471 for creating the room, and thank you for reading my write up - I hope it was of some use :-)

Popular posts from this blog

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more