Hack The Box – Legacy Walkthrough
Introduction
This was an easy Windows box that involved exploiting the EternalBlue SMB vulnerability, which is covered by the MS17-010 security bulletin.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
- -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
- -oA to save the output in all formats available
SMB Enumeration
The next step was to run an Nmap scan on ports 139 and 445 with all SMB enumeration scripts, to further enumerate this service. Command used:
nmap -p 139,445 -Pn --script smb-enum* 10.10.10.40
I then ran another Nmap scan to check for any known vulnerabilities within the SMB service. Nmap has a number of "smb-vuln-msxx-xxx" scripts that can be used to test the SMB service for publicly known vulnerabilities.
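As an added example (not code from the original walkthrough), a small Python triage script that reads the XML file -oA writes and lists which hosts the smb-vuln-* scripts reported as VULNERABLE, so the finding can be tracked through to patching; the sample XML, the "legacy" output basename and the second host 192.0.2.10 are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the .xml file that -oA writes for a scan such as
# nmap -p 139,445 -Pn --script smb-vuln-ms17-010 -oA legacy 10.10.10.40
# 192.0.2.10 is a made-up patched host; layout follows Nmap's vulns library.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ms17-010">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
</nmaprun>"""


def smb_vuln_findings(nmap_xml: str) -> dict:
    """Return {host address: {script id: state}} for every smb-vuln-* host script."""
    findings = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts without an IPv4 address entry
        scripts = findings.setdefault(addr_el.get("addr"), {})
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith("smb-vuln-"):
                continue
            # Each CVE <table> carries an <elem key="state">; fall back to UNKNOWN.
            states = [e.text.strip() for e in script.iter("elem") if e.get("key") == "state" and e.text]
            scripts[sid] = states[0] if states else "UNKNOWN"
    return findings


def vulnerable_hosts(nmap_xml: str) -> list:
    """Hosts where any smb-vuln-* state begins with VULNERABLE (so NOT VULNERABLE is excluded)."""
    return sorted(addr for addr, scripts in smb_vuln_findings(nmap_xml).items()
                  if any(s.startswith("VULNERABLE") for s in scripts.values()))
```

On a real scan, pass in the contents of the .xml file that -oA produced, e.g. vulnerable_hosts(open("legacy.xml").read()).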
SMB Exploitation
I tried a few exploits for MS17-010 found on GitHub and ExploitDB, but most of them did not seem to work. I then finally found the following Git repository; this exploit can use shellcode embedded in an executable, rather than having to paste the shellcode into a Python script like some of the other ones available on ExploitDB.
The first step is to generate some shellcode using MSFvenom with the following flags:
- -p to specify the payload type, in this case the Windows TCP reverse shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
Executing the exploit, providing the IP address of the target machine, the malicious executable and the port to be used, returns a reverse shell. The current user already has SYSTEM-level privileges, so no privilege escalation is required.
Conclusion
The EternalBlue vulnerability is a very common Windows issue that has affected a large number of systems over the years. It is particularly dangerous because it is extremely easy to exploit and almost always results in a full system compromise.