Methodologies
Hack The Box last updated - 2019
Blue
Blue - 10.10.10.40
Target Enumeration:
OS: Windows
IP: 10.10.10.40
User: 4c546aea7dbee75cbd71de245c8deea9
Root: ff548eb71e920ff6c08843ce9df4e717
Ports / Services / Software Versions Running
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Vulnerability Exploited:
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
In February 2018, EternalBlue was ported to all Windows operating systems since Windows 2000 by RiskSense security researcher Sean Dillon. EternalChampion and EternalRomance, two other exploits originally developed by the NSA and leaked by The Shadow Brokers, were also ported at the same event. They were made available as open sourced Metasploit modules.[18]
Exploiting the host:
Nmap SMB script scan:
Set metasploit options as follows:
Execute the exploit:
Evidence
Grabbing hashes:
Add a user called vdk with the password Pentest12345! To the administrators group.
Background your session and use windows/smb/ms17_010_psexec module to get a meterpreter shell (or do it via powershell)
Run the exploit
Background session and retrieve password hashes with smart_hashdump and attempt to crack them offline.
