Link: https://app.hackthebox.eu/machines/51
Enumeration
Our nmap scan shows SMB ports open on 135/449 and several other Windows RPC ports.
Next, I spawned msfconsole to see if we can narrow down a particular version of Windows. According to this article, we can use auxiliary/scanner/smb/smb_version to probe the SMB version, and that version ties directly to certain OS versions.
After running it, we find the host is running SMB 2.1, which corresponds to Windows 7 Professional SP1.
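The smb_version step above works because the dialect a server advertises in its SMB2 NEGOTIATE response narrows down the Windows release. The following Python is an added example (not from the write-up and not Metasploit's own code) that parses such a response offline and flags hosts whose maximum dialect is 2.1 or older as candidates for MS17-010 patch verification. The dialect-to-OS table and the sample response are constructed here from the MS-SMB2 field layout; the risk labels are an assumption of this example.

```python
import struct
from dataclasses import dataclass

# Dialect revisions as defined in MS-SMB2, paired with the first Windows
# generation that advertises them. The OS tie-in is an assumption of this
# example (the same inference smb_version makes), not data from the write-up.
DIALECT_TO_OS = {
    0x0202: ("SMB 2.0.2", "Windows Vista / Server 2008"),
    0x0210: ("SMB 2.1", "Windows 7 / Server 2008 R2"),
    0x0300: ("SMB 3.0", "Windows 8 / Server 2012"),
    0x0302: ("SMB 3.0.2", "Windows 8.1 / Server 2012 R2"),
    0x0311: ("SMB 3.1.1", "Windows 10 / Server 2016 and later"),
}

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64          # fixed SMB2 header size
SMB2_CMD_NEGOTIATE = 0x0000
SIGNING_REQUIRED = 0x02       # SecurityMode flag in the negotiate body


@dataclass
class NegotiateInfo:
    dialect: int
    dialect_name: str
    os_guess: str
    signing_required: bool


def parse_negotiate_response(data: bytes) -> NegotiateInfo:
    """Parse an SMB2 NEGOTIATE response (header + body) into an inventory record."""
    if len(data) < SMB2_HEADER_LEN + 6:
        raise ValueError("too short for an SMB2 header plus negotiate body")
    if data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (bad ProtocolId)")
    header_size, = struct.unpack_from("<H", data, 4)    # StructureSize, always 64
    command, = struct.unpack_from("<H", data, 12)       # Command field
    if header_size != SMB2_HEADER_LEN or command != SMB2_CMD_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE response")
    body = data[SMB2_HEADER_LEN:]
    # Body starts: StructureSize(2)=65, SecurityMode(2), DialectRevision(2)
    body_size, security_mode, dialect = struct.unpack_from("<HHH", body, 0)
    if body_size != 65:
        raise ValueError("unexpected negotiate body StructureSize")
    name, os_guess = DIALECT_TO_OS.get(dialect, (f"unknown (0x{dialect:04x})", "unknown"))
    return NegotiateInfo(dialect, name, os_guess, bool(security_mode & SIGNING_REQUIRED))


def triage(info: NegotiateInfo) -> str:
    """Defender-side priority: old dialect means an OS generation that needs MS17-010 checked."""
    if info.dialect <= 0x0210:
        return "high: legacy dialect, verify MS17-010 patch and SMBv1 removal"
    if not info.signing_required:
        return "medium: modern dialect but signing not required"
    return "low"


def build_negotiate_response(dialect: int, security_mode: int) -> bytes:
    """Construct a minimal, well-formed response for offline testing (sample data, not captured)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0, SMB2_CMD_NEGOTIATE, 1,
        0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16,   # Flags=SERVER_TO_REDIR, zero ids/signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x11" * 16,   # StructureSize, SecurityMode, Dialect, Reserved, ServerGuid
        0, 65536, 65536, 65536,                          # Capabilities, MaxTransact/Read/Write
        0, 0,                                            # SystemTime, ServerStartTime
        0x80, 0, 0,                                      # SecurityBufferOffset/Length, NegotiateContextOffset
    ) + b"\x00"                                          # one-byte Buffer counted in StructureSize 65
    return header + body


if __name__ == "__main__":
    sample = build_negotiate_response(0x0210, 0x01)   # constructed Windows 7-style answer
    info = parse_negotiate_response(sample)
    print(info, "->", triage(info))
```

Feed the parser the bytes following the 4-byte NetBIOS session length prefix; in a scanner loop each result becomes one inventory row, and the "high" rows are the ones to reconcile against patch status first.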
Exploit MS17-010
Doing some research on this Windows version nets us an exploit by the name MS17-010, EternalBlue. This very well-known vulnerability targets a buffer overflow in the SMB protocol implementation.
In msfconsole, we can run search eternal, and the first result, exploit/windows/smb/ms17_010_eternalblue, is the module we need.
Next we need to set LHOST and RHOSTS at minimum, then run exploit.
We can watch the console perform a buffer dump, send exploit packets to corrupt the buffer, and then send a final payload to open our meterpreter session!
Dropping into a shell and running whoami, we see we are nt authority\system!
Now we just need to grab the flags, one of which I found on C:\Users\Administrator\Desktop and the user one on C:\Users\Haris\Desktop.
Conclusion
This was a super easy pwn. I have had experience with EternalBlue from TryHackMe. The most important thing here was just enumerating to detect the version to confirm the vulnerability (as if the title of the box did not immediately give it away).