Blue

Blue - 10.10.10.40

Target Enumeration:

OS: Windows

IP: 10.10.10.40

User: 4c546aea7dbee75cbd71de245c8deea9

Root: ff548eb71e920ff6c08843ce9df4e717

Ports / Services / Software Versions Running

135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC

Vulnerability Exploited:

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, tracked as CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. In February 2018, EternalBlue was ported to all Windows operating systems since Windows 2000 by RiskSense security researcher Sean Dillon. EternalChampion and EternalRomance, two other exploits originally developed by the NSA and leaked by The Shadow Brokers, were ported at the same time. They were made available as open-source Metasploit modules.
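For the remediation side of this box, here is an added PowerShell audit (not part of the original writeup) that checks a Windows host for the two conditions that make it exposed to MS17-010: the SMBv1 server still enabled, and the security update absent. The function name and its parameters are my own; the KB ids are the Windows 7 SP1 / Server 2008 R2 updates for MS17-010 and must be adjusted for other builds.

```powershell
# Added example, not from the original writeup. Run in an elevated session on the host.
function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        # KB4012212 (security-only) / KB4012215 (monthly rollup) for Windows 7 SP1 / 2008 R2.
        # Later rollups are cumulative and supersede these, so a missing KB is a prompt to
        # verify the build, not proof that the host is unpatched.
        [string[]]$PatchKB = @('KB4012212', 'KB4012215'),
        [switch]$Remediate
    )

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) {
        # Windows 8 / Server 2012 and later expose the SMBv1 server setting directly.
        $smb1Enabled = [bool]$cfg.EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2 lack the SmbShare cmdlets; the SMB1 DWORD decides, and
        # an absent value means SMBv1 is enabled (the default on those systems).
        $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $reg.SMB1) -or ($reg.SMB1 -ne 0)
    }

    $installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $PatchKB -contains $_.HotFixID }
    $patched = [bool]$installed

    if ($Remediate -and $smb1Enabled) {
        # Disabling the SMBv1 server removes the attack surface regardless of patch level.
        if ($cfg) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        else { Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 }
        # The registry change takes effect after the LanmanServer service restarts.
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SMB1Enabled  = $smb1Enabled
        Ms17010Patch = $patched
        Exposed      = ($smb1Enabled -and -not $patched)
    }
}

Test-Ms17010Exposure
```

Blocking TCP 445 at the perimeter and on the host firewall covers hosts that cannot be patched or where SMBv1 must stay on for legacy clients.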

Exploiting the host:

Nmap SMB script scan:

Set metasploit options as follows:

Execute the exploit:

Evidence

Grabbing hashes:

Add a user called vdk with the password Pentest12345! to the Administrators group.

Background your session and use the windows/smb/ms17_010_psexec module to get a meterpreter shell (or do it via PowerShell).

Run the exploit.

Background the session, retrieve the password hashes with smart_hashdump, and attempt to crack them offline.