
HackTheBox — Blue — Walkthrough

Written By AKADEMY on Monday, November 4, 2019 | 5:24 AM



Summary

This is a Windows host running an SMB version that is vulnerable to the EternalBlue exploit (MS17-010). That flaw was leveraged to gain a shell as NT AUTHORITY\SYSTEM. This walkthrough covers both the Metasploit route and the manual route to a fully privileged shell.

Metasploit Walkthrough

Recon

The first thing I do is run an nmap scan against the target to see which ports are open.


SMB is always low-hanging fruit, so let's enumerate it further and see whether this box is vulnerable to any known exploits.


It seems that this box is running Windows 7 and that it is vulnerable to MS17-010 / CVE-2017-0143. A quick searchsploit search shows that there are several popular exploits for it.


Exploit

We now fire up Metasploit and search the modules for ms17_010. We choose the EternalBlue exploit and set the required options (target host, payload and listener address) before running it.


Now that our options are set, we can run the module and get our shell. Keep in mind that a failed EternalBlue attempt can blue-screen the target; on HackTheBox a reset brings the box back.


Pwned!!!
Let's get our flags (user.txt and root.txt).


Manual Walkthrough

Exploit

The manual exploit will be done with a tool called AutoBlue-MS17-010, a collection of scripts that removes the need for Metasploit or Meterpreter. You can find the tool at the link below.


After downloading the tool from GitHub, we can check its contents and run 'eternalblue_checker.py', which tells us whether this box is patched against the exploit.
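Both the nmap SMB check above and the AutoBlue checker script decide "patched or not" the same way, and it is worth seeing the exchange rather than trusting a one-word verdict. The probe below is an added example (not code from this post, from nmap or from AutoBlue): it negotiates SMBv1, opens a null session, connects to IPC$ and then sends a TRANS2 request carrying the nameless SESSION_SETUP subcommand (0x0023) with every count and offset set to zero. An unpatched host answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a host with MS17-010 applied returns STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. The packet framing (flags2 0x4001, no extended security, the buffer sizes) and the function names are my own assumptions, chosen to match what a Windows 7 SMBv1 server accepts; the constructed responses in the comments are for illustration only.

```python
#!/usr/bin/env python3
"""Minimal MS17-010 probe: the 'nameless' TRANS2 check behind nmap's
smb-vuln-ms17-010 script and the AutoBlue checker. Added example; the exact
packet layout below is this author's reconstruction, not either tool's code."""
import socket
import struct
import sys

# NT status codes the check keys on
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched SMBv1 accepts the nameless trans2
STATUS_ACCESS_DENIED = 0xC0000022            # patched hosts reject it ...
STATUS_INVALID_HANDLE = 0xC0000008           # ... with one of these two

SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS2_SESSION_SETUP = 0x0023  # the subcommand sent with no parameters at all


def netbios(payload):
    """NetBIOS session service header: type 0 plus a 3-byte big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb_header(command, tid=0, uid=0, mid=0):
    """32-byte SMBv1 header. flags2=0x4001 asks for NT status codes and long names,
    ASCII strings, no extended security (assumption: keeps the null session simple)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, 0x18, 0x4001,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


def negotiate_request():
    dialect = b"\x02NT LM 0.12\x00"
    body = struct.pack("<BH", 0, len(dialect)) + dialect  # WordCount 0, ByteCount, dialects
    return netbios(smb_header(SMB_COM_NEGOTIATE) + body)


def session_setup_request():
    """Null session: a one-byte empty OEM password and empty account/domain/OS/LanMan."""
    data = b"\x00" * 5
    # AndX, MaxBuffer, MaxMpx, VcNumber, SessionKey, OEMPwLen=1, UniPwLen, Reserved, Caps
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0x40)
    body = bytes([13]) + words + struct.pack("<H", len(data)) + data
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX, mid=1) + body)


def tree_connect_request(host, uid):
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # AndX, Flags, PasswordLength
    body = bytes([4]) + words + struct.pack("<H", len(data)) + data
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid, mid=2) + body)


def trans2_request(tid, uid):
    """TRANS2 with SetupCount=1, Setup[0]=0x0023 and every count/offset zero."""
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        0, 0, 0, 0,          # Total/Max Parameter and Data counts
                        0, 0, 0, 0, 0,       # MaxSetupCount, Reserved, Flags, Timeout, Reserved2
                        0, 0, 0, 0,          # ParameterCount/Offset, DataCount/Offset
                        1, 0, TRANS2_SESSION_SETUP)  # SetupCount, Reserved3, Setup[0]
    body = bytes([15]) + words + struct.pack("<H", 0)  # WordCount 15, ByteCount 0
    return netbios(smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid, mid=3) + body)


def nt_status(resp):
    """NT status is bytes 5..8 of the SMB header, i.e. offset 9 behind the NetBIOS prefix."""
    if len(resp) < 36 or resp[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    return struct.unpack_from("<I", resp, 9)[0]


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN (0x%08X)" % status


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf


def recv_smb(sock):
    hdr = recv_exact(sock, 4)
    return hdr + recv_exact(sock, int.from_bytes(hdr[1:4], "big"))


def check_host(host, port=445, timeout=5.0):
    """Run the four-message exchange against a live host and classify the final status."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        if nt_status(recv_smb(s)) != 0:
            return "UNKNOWN (negotiate failed)"
        s.sendall(session_setup_request())
        resp = recv_smb(s)
        if nt_status(resp) != 0:
            return "UNKNOWN (null session refused)"
        uid = struct.unpack_from("<H", resp, 32)[0]      # UID at header offset 28
        s.sendall(tree_connect_request(host, uid))
        resp = recv_smb(s)
        if nt_status(resp) != 0:
            return "UNKNOWN (IPC$ tree connect failed)"
        tid = struct.unpack_from("<H", resp, 28)[0]      # TID at header offset 24
        s.sendall(trans2_request(tid, uid))
        return classify(nt_status(recv_smb(s)))


if __name__ == "__main__":
    print(check_host(sys.argv[1]))
```

Run it as `python3 probe.py 10.10.10.40` (or whatever the box's address is) and compare the verdict with nmap's. A host that refuses the null session or IPC$ connect comes back as UNKNOWN rather than PATCHED: absence of the 0xC0000205 answer is not proof the patch is present, which is why a checker should report the stage at which the exchange stopped.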


It seems that this box is not patched, so it should be a prime candidate for the exploit. In the shellcode folder there is a script called 'shell_prep.sh' that we need to run in order to create our shellcode. Remember, in this example we are steering away from Meterpreter, so pay close attention to the choices below.


After we have made our selections, an 'sc_all.bin' file is created containing our shellcode, which we then need to copy to the tool's top-level directory.


Now it is time to run the listener script, 'listener_prep.sh'. In a new window, run the script and make sure you choose the same parameters (listener address and port) as for the previously generated shellcode, otherwise the reverse shell will have nowhere to connect back to.


Now that we have a listener, go back to the previous window and run the exploit script.


Pwned!!!
Information Security Training Center: Learn Grey Hat Hacking Online | Learn Cyber Security Online | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Webmaster @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT