Enumeration
First, lets do an enumeration with the IP address of this machine. Im gonna run Nmap [Netwok Mapper] to scan any open ports. Im gonna run this command
nmap -sC -sV -oN nmap/initial 10.10.10.40Explaining the nmap scan:
- -sC := scan using nmap default script
- -sV := scan for version
- -oN := output in normal format
nmap initial scan
The Nmap scan is done. The result shows us this is a Windows 7 machine and has smb!
This is a very old machine. I’m pretty sure this is vulnerable to Eternalblue. Let’s run the Nmap smb-vuln script to double-check.
nmap --script smb-vuln* -p139,445 -oN nmap/vuln_script 10.10.10.40
NSE check vulnerable to Eternalblue
Yup. This machine is vulnerable to Eternalblue exploit.
Foothold/Gaining Access
I’m gonna run Metasploit and search for eternalblue and use it
search Eternalblue exploit
Before we run it. We need to set up the RHOSTS and LHOST. Make the lhost is set into your htb ip addr.
setup listener ip and port
Oopsie
After that just type run.
execute the exploit
WE’RE IN AS SYSTEM!!! cool.
Now, let’s hunt for the user & admin flag.
User flag
user flag
Root/Admin flag
root flag
Conclusion
Ive learned a lot today. Please update the system. In this case, I’m able to exploit using EternalBlue and become root. That’s super scary.
I have a fun time doing this machine and I hope you guys too. Bye ;)