TryHackMe! EternalBlue/MS17-010 in Metasploit

Captions
Hello everyone, my name is John Hammond and this is another TryHackMe video, because I know a lot of you guys have been loving that lately and I want to get back at it. So let's dive in. I'll hop over to my computer screen here so you guys can follow along, and I'm gonna be tackling the Blue machine from TryHackMe. It's kind of an easy one, it's got a lot of users and it's really, really well known; it's kind of a good staple of TryHackMe. Its description is "deploy and hack into a Windows machine, leveraging common misconfiguration issues." So let's go check this out. It has a nice, I like this, like default Windows XP banner, I love that, and we can go take a look at what this machine is. It's showcasing the EternalBlue exploit, or MS17-010, "seventeen oh one zero" or "seventeen oh ten," however you want to say that. That was the exploit that kind of pseudo got released from the NSA with the Shadow Brokers thing and eventually kind of made for that whole WannaCry ransomware, so it's a big deal. It breaks into a whole lot of Windows machines with some SMBv1 stuff and misconfiguration; it'll essentially just grant you SYSTEM access if you can point it at the machine and SMB is open, then you can go ahead and roll through it. So anyway, let's dive into it. This machine was created by DarkStar; he's one of the admins over there at TryHackMe, cool guy, and the sequel to this machine, oh I want to tackle that, is Ice. That's another rendition of this sort of thing that I definitely want to make a video on as well.

So anyway, let's join this room and we can go ahead and deploy the machine so we can go ahead and access it. I'll hit that big green button to deploy, and let's go ahead and create just a folder for us to work in. I'll dive into my terminal here, move into the TryHackMe directory, and I will sudo openvpn our VPN key so we can go ahead and connect to the TryHackMe network and then reach the machine. I'm using Terminator, that's how I'm splitting my screen, and I'll move the VPN way at the top there. Let's make a directory for us to work in; I'll call it blue, just the name of the box, and I will get started with the README, because I think that's a good thing to do. You can kind of take notes of everything that you're working on. I like to include my name and the day, just because, hey, this is good note keeping for myself, and then we can go ahead and get started.

So what is asked of us? We have the machine here, the IP address, so I'll include that in our notes, and let's go ahead and make sure we can access it. I don't know if we can; maybe it's not up yet, or because it's Windows maybe ping is turned off. We can give it a little bit more time, or we can just go take a look at what these challenges for us are. This says scan the machine; if you're unsure how to tackle this, I recommend checking out the room for the red path and nmap. You could totally take a hint here; again, the whole idea is to learn. TryHackMe is super duper friendly in that regard, in that they'll willingly give you write-ups right away even if you haven't solved the machine. It's all about learning this thing, and that's what we're here to do. So let's go back to it. We're working on "scan the machine." It suggested using nmap and I'll do that as well. Maybe we're not getting any pings back just yet, so let's make an nmap directory. Let's go ahead and nmap; I'll use -sC -sV to enumerate versions. I also want to output this to an nmap format, because I think that's good to have in our notes, and we still have our IP address on our clipboard so I can just go ahead and paste that in. I'm getting a lot of YouTube notifications over here. It might be down, or it's just not seeing pings, so let's add -Pn in there to kind of disregard those and just scan it anyway. Maybe the machine's just still not up, but I'll see if our ping is coming back still. Oh, there we go, there we go, now it's back. Okay, I guess we don't need that -Pn. Regardless, that's a good quick and easy one to just say, I don't care about your ping, just go ahead and hammer the thing, scan it.

It's asking us to just scan the machine, okay, so we can mark that as complete because we are running our nmap scan. It says how many ports are open with the port number under 1000. So nmap will go ahead and scan kind of the most common thousand ports, I think it is; I don't know if it goes all the way up to a thousand, but anyway we'll see what results we get from nmap. Once that scan is done we can go ahead and work with it. It says what is this machine vulnerable to; enter in the form of MS blah blah blah, an example of that. Okay, so I will just discuss here for a little bit of learning. I added an extra one there, MSF, excuse me, MS, not talking about Metasploit here. SMB server, this knowledge base MS17-010, critical, is about EternalBlue, so this affects a lot of Windows machines and it will immediately give you critical code execution, so kind of a big deal. We can see where to track it down within Metasploit, and the TryHackMe room is really, really good about actually giving you that information. Again, TryHackMe is all about kind of guiding you and making sure that you learn, so that's a big plus.

Okay, now our nmap scan has returned. We see some information here; we have these, and 445 isn't even showing right now, kind of an oddball, maybe we should get a little bit more of that. Anyway, we can take a look at what we have here. We are still seeing some SMB OS discovery, so we've got Windows 7 Professional Service Pack 1. Looks like the computer name is JON-PC; that might be a username potentially, we could totally take advantage of that if that is in fact a username. And all these are RPC ports; you may or may not kind of consider those real when you're working through it, you don't need those entirely, but 135 for MSRPC and 139 are pretty common, between NetBIOS, and you'll see that a lot on Windows machines with SMB running and open. Okay, that second nmap scan returned for us. I just wanted to do that one more time because I wasn't seeing 445 open, and it looks like we also have 3389. So it was just kind of me knowing, hey, this machine is all about SMB and EternalBlue. So it looks like we could use 135, 139, 445 and 3389; it's asking for under a thousand as the answer there, so it looks like we only want those three ports. So let's go ahead and submit that number, three, and TryHackMe will tell me, sweet, that's the correct answer. What I'm gonna do again, just to prove my note keeping, is just kind of save this and slap it into our README; let's just say some code block here, we'll just include that. And we could say, what is this machine vulnerable to? So answer in the form of all of these things.

And what I want to show you, if you don't already know, is that nmap can do some crazy cool things with its scripting engine. So you can use --script and you can also specify what kind of script you want to run, so you can use smb, and smb with a prefix, within kind of an asterisk or a wildcard here, will run everything that it could use as a script under that smb family. So let me go ahead and fire that off, and I think I could track down like the NSE scripts, there we go. Yeah, so there are tons of these over in /usr/share/nmap in my case, scripts, all about VNC, all about TFTP, all about FTP, tons and tons of NSE, nmap scripting engine, scripts that you can go ahead and check out and see what they're really doing. Let's look for those that have smb in the name, so it'll look through all of these different things. MS17-010 is hopefully what it will trigger on, but let's take a look at what that script actually is and what it's doing, so I'll fire that up in Sublime Text. Looks like this is some cool, cool stuff, and if you want to do more research on the nmap scripting engine you absolutely could just do a quick Google search just to know what that sort of thing is, and it'll explain, hey, this is one of the coolest things that nmap can do, what is all of it. You can obviously write your own, you can grab some others, but you'll typically want to activate it with --script if you want to use a specific script. I'd run a few of those with -sC, which is why you were able to see those results from the smb-os-discovery or the smb-security-mode, etc., etc. At the time it didn't go for anything that might have been intrusive or might do actual vulnerability scanning, so that's why, when we're looking with smb as a prefix, it will also scan for that smb-vuln stuff there. We could use that as well; we could have used smb-vuln* and then we might be able to get more specific stuff tailored to those results. We could simply run on what we, or, when I'm kind of guided, you'll answer here that it is vulnerable to MS17-010 or EternalBlue. So okay, that nmap scan is taking way too long, so we could drill down to use a specific one if we wanted to, just kind of being certain that, hey, this is what we're going to be working with. We could run nmap --script= that guy on our IP address. You can see I've been, hey, trying to check the status of that one and it was just taking longer and longer and longer, so we could let that go. Let's grab this syntax because we know that that's going to be the correct answer for what our TryHackMe room will be looking for, so we can go ahead and submit that. Perfect.

And now we can move on to task 2, which says gain access: exploit the machine and gain a foothold. It says start Metasploit, so we can go ahead and do that with msfconsole, and it looks like our quick nmap scan had run just fine, so it is vulnerable to our MS17-010 vulnerability, remote code execution in SMB version 1, and it is clearly vulnerable, with a severe, high risk, critical remote code execution vulnerability. We can go ahead and abuse this because we do have Metasploit with a module that has that intact. Let's go ahead and clear that terminal out, and we'll wait to see if that big one finds any other vulnerabilities for us, but msf needs to go ahead and spin up its own database and some web account stuff, for whatever the things that it does. I tend to just kind of whack Enter every time it needs to do that, and just, like, please give me my product, and it will start the Metasploit Framework console. So we can say, yep, yeah, we did that, fantastic. And it says find the exploitation code we will run against the machine; what is the full path of that code? So we need to find the Metasploit module that can go ahead and exploit this vulnerability, MS17-010 or EternalBlue. So what we could do is we literally search for ms17-010, or you could search for eternalblue if you don't happen to have that kind of knowledge base tag memorized, and there are a lot of options here. We have some auxiliary scanners that will simply verify, hey, is this going to be vulnerable to that, and we could use that if we wanted to. If you check out the options for what this has, it should just kind of ask for the RHOSTS; that's really the only one that's kind of necessary. So I will go ahead and say, yeah, let's set our RHOSTS; I'll go grab the IP address here, spit that in there, hit run, and then our auxiliary scanner will work through and says, hey, that is pretty vulnerable to that. Anyway, that's just scanning it, kind of the same thing that nmap did. I think you can safely scan for MS17-010 vulnerabilities without actually beating up the machine, because using the exploit for EternalBlue over and over again can sometimes cause a blue screen and kind of knock the box over. So anyway, we had scanned for EternalBlue, we had searched for it, so we could potentially find some exploit that will work here. We could just simply use kind of the most common one, exploit/windows/smb/ms17_010_eternalblue, and that is kind of the one that is, okay, average ranking. I do tend to see the psexec rendition of it, that I think is the one that uses named pipes and all those, is a little bit more stable and reliable. Anyway, let's go ahead and fire off this one because I think that's what it's asking for. We can go ahead and submit that, and yeah, that's all we need.

So let's go ahead and use that module. We can check out the options to see what we need to supply; looks like RHOSTS is the only one that is still a required parameter that doesn't have a setting. RPORT is required, but that is by default 445, where SMB, Server Message Block, typically listens, and it will go ahead and verify the architecture and target, etc., etc. Anyway, we will need to go ahead and set that RHOSTS, but that is what this next question is asking for; it wants it in all caps, so we can go ahead and submit it. And let's set that RHOSTS, which I have in my history; let's hit run or exploit. That will go ahead and fire this off; it'll check it, determine that it is vulnerable, and it will kind of spam along, send the exploit. Let's go ahead and hit completed; yep, we did successfully run the exploit. And it says confirm the exploit has run correctly; you might need to press Enter for the DOS shell to appear, and we can background that. Okay, so looking back at our exploit now, we do have kind of this WIN notification here, and that we successfully were able to exploit it, and we do have a command shell open on the target, on the box. You can see I'm in that C:\Windows\system32 directory; I do have cmd.exe, DOS execution, and I can enter commands and do things on that target. So I could kind of jump around a little bit, type in whoami; it looks like I am NT AUTHORITY\SYSTEM, so we have full control over this machine just from that single exploit. And now we could see what else we wanted to do.

It's a good idea at this point to try and escalate our shell or upgrade our shell, because we have just regular cmd.exe, and we're a little limited in what Metasploit could actually allow us to do, because if we were to be using the Meterpreter shell we could upload and download files, we could run some post-exploitation tools or scripts or other Metasploit modules. So that's something that we really want to do. So we can background, as they said, with Ctrl-Z, and that might actually, depending on your shell, background the entire Metasploit program. So what I tend to like to do is just enter the command background, and now that will read, okay, that's something that we're actually going to background. Let me get back to that session and show you that one more time, interacting with session 1. Okay, so background is not normally a command that cmd.exe would understand, typically, in the Windows world, but because we're running within Metasploit, Metasploit will see that and understand it, like, okay, oh, you do want to background and go back to your regular msf prompt. So now we could run something like shell_to_meterpreter to actually upgrade and escalate our shell. So if you wanted to, you could literally just run, or use, shell_to_meterpreter, and TryHackMe goes through a little bit of a good explanation as to what you could be doing with that here in the tasks, that's over in the escalate section here. I've already filled a little bit of this out because I needed to restart some recording, because the box is a little bit unstable; the free version makes this a little bit hard to do on TryHackMe, and obviously the EternalBlue exploit itself might damage the machine a little bit, that's gonna hurt. So we could be using that post/multi/manage/shell_to_meterpreter module, and that is what Metasploit is going to recommend for us when we try and use shell_to_meterpreter, but just to make it a little bit easy on typing there, we don't need to include that entire path; Metasploit knows that's so common, it'll go ahead and use that for us, so it puts us immediately in that module context. Now the thing that we need to actually specify when we're working here is the SESSION option, because it needs to know what session are you actually going to be using, what session are you going to use that is right now a regular shell, cmd.exe, that we want to upgrade to Meterpreter. So we could set our session to any of the sessions that we have active right now, and in our case we'll want to use the ID, just that number one here, for that is our first shell that's open. So I could say set SESSION 1 and then we could go ahead and hit run.

I also learned another cool trick: you could use sessions -u and that will go ahead and upgrade that with the session ID. If we hit Enter on that, excuse me, sessions, I don't know why I do that all the time, it'll go ahead and automatically figure out, okay, this is what you're trying to do with the multi/manage/shell_to_meterpreter session, and it will go ahead and start the reverse TCP handler. It'll wait to go ahead and catch that and start a new exploit for you, and then you'll eventually have the Meterpreter call back, hopefully, right? We can check out sessions, and right now we don't have anything called back just yet. We could try and interact with our session number one, whoami, okay, and that's still alive, thankfully, so we can background that, and it looks like, okay, now it's finally coming along. In that session, sessions -u worked for us just as well, or we could very well have just hit run or exploit from within the context of our exploit, post/multi/manage/shell_to_meterpreter. Anyway, now we can go check out our sessions, because you see an open session number two, which is running Meterpreter. So we could sessions -i to interact with number two, and now you can see I am inside a Meterpreter prompt. I can getuid, which is kind of their equivalent to the whoami command; you can see we are still NT AUTHORITY\SYSTEM, awesome. So we could say, yep, we ran all that, entered the session there, ran it. We might have needed to re-exploit the machine if things kind of fell apart, which it did in my case, and so I know this one is a little bit sensitive and kind of broken. Verify that we've escalated to NT AUTHORITY\SYSTEM; you can run getsystem to confirm this. So let's go ahead and do that; getsystem will kind of by default try a couple different avenues and routes to determine or find some way to get the NT AUTHORITY\SYSTEM account, maybe you do some UAC bypass or other things, or pipe impersonation. In our case we already were NT AUTHORITY\SYSTEM, so we wouldn't need to run that, but again, confirm, so feel free to open a DOS shell via the command shell and running whoami. So we could do that; shell will let you in to a small command prompt here, in which you can type whoami, and then you could Ctrl-C to break out of that and it'll terminate that channel and throw you back into your Meterpreter session. So say that's done.

List all the processes running via the ps command; just because we are SYSTEM doesn't mean our process is. Find a process toward the bottom that is running as NT AUTHORITY\SYSTEM and write down the process ID in the far left column. Okay, so just some learning, just some kind of understanding of what Metasploit and Meterpreter is doing. If I run ps you can see the process listing here: the parent, excuse me, the PID, the process ID, and the PPID, the parent process ID, the name that's running, the session and architecture, user, etc., and where that's running from. So if you wanted to, if it were kind of an unstable connection or you wanted to move to something else, you could use the migrate command. migrate's pretty awesome because you could migrate into another process; your Meterpreter session in memory could move and pull into something else if you wanted to. Use -N to let you specify a better one, at least enter it by the name rather than just the process ID, 'cause sometimes running ps and trying to track it down can be a little annoying. So I like to migrate, -N, capital N, winlogon.exe; that's normally a safe bet, that's always running and still has some pretty crazy privileges, etc. So while that's going we can say that that is completed. Oh, and it's actually asking us to migrate with migrate and the process ID, fantastic. Note that that may or may not work; migrating processes sometimes can be tough, but looks like ours ran successfully, so perfect.

All right, now we can do some interesting things. We can go ahead and crack some information: dump the non-default user's password and crack it. Within our elevated Meterpreter shell, run the command hashdump and that will dump all the passwords of the users on the machine, as long as we have the correct privileges to do so. So we could go ahead and run hashdump, and you could see that there is another user, Jon, in here, J-o-n, and we did see that earlier when we were looking at some more nmap scan results, so looks like that is the answer there: what is the name of that user? Copy this password hash to a file and research how to crack it; what is the cracked password? Okay, and we have his hash here, so I might actually just see if I can crack that with something online, just to make a quick easy one. CrackStation, I think, can handle some NTLM stuff, so let's go ahead and paste that in, I am not a robot, and it doesn't know what it is. So let me remove just that preceding section, because that might be the NT thing. Okay, yeah, so alqfna22 is apparently his password. Great, we can go ahead and submit that, and we should probably be documenting everything that we've been doing, but hey, Jon's password, and that is with no h in Jon's name.

Okay, so now that we've got that cracking section done, we want to find flags. There are three flags planted on this machine. Flag one, okay, it doesn't really give us any information; check out the hints: can you see it? I don't know what that means. Oh, it might be actually referring to the C drive, because if we check out our current working directory we are in C:\Windows\system32, but if we move all the way back to C:\ we can check out the directory listing and we do have a flag1.txt file there. Okay, so we could cat that out, flag1.txt, and the flag is access_the_machine. Okay, fantastic, it looks like it just wanted us to submit the inside part in between the curly braces, so let's submit that. And then flag two. Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate and restart the machine, jeez, and rerun the exploit to find this flag; this is relatively rare, however it can happen. Okay, "I wish I wrote down where I kept my password; luckily it's still stored here on Windows." Okay, so this might be stored in the SAM configuration, right? So, Windows SAM location, we could Google that; that is kind of the path that has all of the hashes that are stored for usernames and for users on the system. It's in C:\Windows\System32\config, so we can see if that exists: C:/Windows/System32/config. I'm using forward slashes here so I don't have to use the double backslash escape, because you need to, in that we're working in Ruby, so you need to supply two backslashes if you actually end up using a backslash. dir, let's see, we got, oh, there was a flag2 file here, fantastic. Nope, it's not really there, wait, did I type that right? flag2, flag2.txt, there we go: sam_database_elevated_access. Cool, thank goodness; the time I did this originally that flag was not there and I was like, how am I gonna show this in a video? So cool, that one's good, and flag three.

Okay, so let me showcase something that I actually kind of wanted to in this video for this section, because Meterpreter has something awesome called search where you can search for files here, and if you don't know how to use it you can use search -h. You can search inside a directory recursively, or for a specific pattern you typically use -f, and you can use the wildcard or the asterisk to glob things. By default I think it starts either from where you are, from where you're going, but more it can do the entire file system. So we'll search for things that start with flag, right, or flag.txt, and since I have a number in there we could use flag*.txt maybe. So let's do that, let's use search -f flag*.txt and maybe this will track down where we found that flag one and that flag two, and it could tell us where flag three is. So this might take a little bit of time. I'm gonna let this run and we'll see if it actually gets any results, or if it's going to use from our current directory or not; it probably has to cache like just about everything, so maybe this will take some time. Okay, so it looks like it found those flags there. It found flag one right where we found it earlier, looks like it also found flag two right where we were, and it found flag three in the Documents of that Jon user. So we probably could've tracked that down if we did our own enumeration, manually looking for, seeing, hey, what's in this user's directory, what stuff does he have, etc., etc. But there is flag three, so we could go ahead and try and cat that out, and I'll just show you that quick issue where we are not gonna be able to find that file because we're using backslashes, so we'll need to specify two backslashes in order to escape them and actually be able to read that out. So the flag: admin_documents_can_be_valuable. We can go ahead and grab that, paste it in here, and with that we have completed everything in the room, and it says congratulations, we did it, you completed that room. So that's that.

You could also, and I found this kind of interesting earlier, when my flag two didn't spawn for me when I did this originally, I would search and I tried to look for things that didn't have that .txt extension, and eventually I was able to find something that was an LNK file, or like a shortcut, and that was pretty cool, because looking at that specific file it would actually tell me, hey, this is the path, this is the location for that flag number two. So even without using that search function, and flag two not spawning when I did this originally, then I could still know, okay, that's where that flag location actually is, without looking at the hint, without, I don't know, looking at write-ups, etc., etc. So I hope those are some good nuggets, I hope those are some good tips for you. Once this returns I'll show you that technique. Okay, there we go, now we got our results back. We saw the flag1.txt itself, two, three .txt itself, etc., but we were able to find these LNK files, which are acting like small shortcuts for us. So this file did stay intact when I previously did this and that flag2 file hadn't spawned for me. So what I had done, and I'll show you this, is just simply cat this out; I'll type this out again. If I copy and paste I need to throw in these escape backslashes, use a pair of them here, and now you'll see a lot of nonsense, right, because a lot of this isn't printable characters. It's kind of like a compiled binary, not a compiled file, right, but it's using some raw bytes that are printable, and we could see, oh, this is the current path, Windows\System32\config\flag2.txt, and that is where that would actually be stored even if that flag hadn't spawned. So kind of cool, good trick. I hope that search -f syntax can be handy for you inside a Meterpreter, and maybe you hadn't heard of that before. I hope that's what we're doing here, what we're learning for this video.

So that's that; that is the Blue machine from TryHackMe. Sorry for kind of the bumps in the video editing on this; I needed to redo this a little bit of time, and then someone started, like, mowing their lawn outside and it was just awful, I rage quit a little bit. But thank you guys for watching. I really recommend, if you're playing a CTF or you're doing some cheesy pentest video game, not a video game, just a hack quest competition, a king of the hill event, I don't know what you're doing, but if you see a Windows machine, if it looks kind of old, if it's got 445 open, if SMB is open and listening, maybe it's SMBv1, it's worth the try. Check that auxiliary script, determine if it's vulnerable, and then fire away with EternalBlue; it's a quick and easy win and that's pretty awesome. So thank you guys so much for watching. I really hope you enjoyed this video; if you did, please do press that like button. If you didn't like the video, I don't know what to say. All right, thank you guys, I appreciate it. Like, comment, subscribe, the YouTube algorithm thing. See you on Discord, Twitter, Facebook, LinkedIn, Instagram, all those internets. Thanks, bye, I love you, I'll see you in the next video.
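The LNK trick at the end of the video, reading a shortcut's raw bytes to recover where flag2 lived, works because a Windows .lnk carries its target in a fixed structure (the MS-SHLLINK layout: header, optional ID list, LinkInfo with the local base path, then string fields). As an added example that is not code from the video, the Python below builds a constructed .lnk pointing at that flag2 path and parses it back, pulling out the target and the string-data fields instead of eyeballing printable bytes; the sample bytes, volume serial and paths are constructed to mirror the video, not taken from the machine.

```python
# Minimal Windows Shell Link (.lnk) parser following the MS-SHLLINK layout:
# 76-byte header, optional LinkTargetIDList, optional LinkInfo (which holds
# the local base path), then the StringData fields.
import struct

# LinkFlags bits from the ShellLinkHeader
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# CLSID 00021401-0000-0000-C000-000000000046 as it appears on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields in the order the format stores them
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def _cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return a dict of the path-bearing fields of a .lnk file."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos, out = header_size, {"flags": flags}
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize counts only the IDList bytes that follow it
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        # offsets inside LinkInfo are relative to its first byte
        info_size, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x01:  # VolumeIDAndLocalBasePath
            out["local_base_path"] = _cstring(data, pos + base_off)
        out["common_path_suffix"] = _cstring(data, pos + suffix_off)
        pos += info_size
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        out[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += width * count
    return out


def recover_target(data):
    """Full target path the shortcut points at, or None if it has no LinkInfo path."""
    info = parse_lnk(data)
    if "local_base_path" not in info:
        return None
    return info["local_base_path"] + info["common_path_suffix"]


def build_sample_lnk(target, relative_path, working_dir):
    """Constructed .lnk bytes for a local target (sample data, not a file from the video)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    header += struct.pack("<I", 0x20) + b"\x00" * 24     # FILE_ATTRIBUTE_ARCHIVE, three unset FILETIMEs
    header += struct.pack("<IIIH", 0, 0, 1, 0) + b"\x00" * 10  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved1..3
    idlist = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"  # one opaque ItemID, then TerminalID
    idlist_block = struct.pack("<H", len(idlist)) + idlist
    volume = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"  # VolumeID: DRIVE_FIXED, made-up serial, empty label
    base, suffix = target.encode("latin-1") + b"\x00", b"\x00"
    base_off = 0x1C + len(volume)                          # LinkInfoHeaderSize is 0x1C
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, 0x01, 0x1C, base_off, 0, suffix_off)
    link_info += volume + base + suffix

    def ustr(s):  # StringData entry: CountCharacters then UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + idlist_block + link_info + ustr(relative_path) + ustr(working_dir)


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Windows\System32\config\flag2.txt", r".\flag2.txt",
                              r"C:\Windows\System32\config")
    print(recover_target(sample), parse_lnk(sample)["working_dir"])
```

The same parser applied to a real shortcut pulled off a host gives the target path without the escaping and unprintable-byte noise the video runs into.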
Info
Channel: John Hammond
Views: 190,202
Id: s6rwS7UuMt8
Length: 28min 14sec (1694 seconds)
Published: Fri Mar 20 2020