Exploiting Eternal Blue Vulnerability

This TryHackMe room is based on a Windows machine on which we need to leverage a common misconfiguration. A penetration test is the best way to verify that defenses and security processes are working correctly and, if not (which is often the case), to remediate them before it is too late. In this post, we will exploit the EternalBlue vulnerability to gain remote access to our target Windows machine and retrieve user passwords.

Pentesting

Penetration testing is an active security method. Security experts known as ethical hackers attempt cyberattacks against a system to discover and fix security weaknesses. Penetration tests evaluate an organization’s security processes and tools and discover vulnerabilities in the underlying infrastructure. Organizations must test their overall defense (technology, processes, and people) by simulating the objectives and actions of an attacker, because attackers often exploit the gap between good defensive design and actual implementation.

Stages of Pentesting

Pentesting adopts the attacker’s perspective to discover and mitigate cybersecurity weaknesses before a real attacker takes advantage of them. The penetration testing process should include these steps:

Planning: the pentester creates a plan, identifying the scope of the test and the general attack vectors they plan to use.

Reconnaissance: the pentester uses scanning tools to identify entry paths, valuable resources, and existing vulnerabilities.

Exploitation: the pentester attempts their attack, typically using a combination of social engineering techniques, known attack vectors described by OWASP and MITRE ATT&CK, and novel attack vectors.

Review and analyze: the pentester creates a report explaining their attack, what they achieved, the potential damage to the organization, vulnerabilities they discovered, and recommendations for remediating them and improving security processes.

Remediation: the organization must identify the critical findings from a penetration test and immediately resolve security weaknesses.

Eternal Blue

The Eternal Blue exploit affects Windows OS and anything that uses the SMB v1 file-sharing protocol. The exploit takes advantage of the SMB v1 vulnerability in older Microsoft operating systems. The Server Message Block (SMB) protocol is a network file-sharing protocol that allows applications on a computer to read and write to files and request services from server programs in a computer network. It enables shared access to files, printers, and ports.

This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to remotely execute code on the target computer.

On May 12, 2017, the worldwide WannaCry ransomware used this exploit to attack unpatched computers. The exploit was again used to help carry out the 2017 NotPetya cyberattack on more unpatched computers.

Metasploit framework

Using pen-testing tools, white hats and DevSec professionals can probe networks and applications for flaws and vulnerabilities at any point along the production and deployment process by hacking the system themselves.

Metasploit is the world’s most used penetration testing framework. Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers defenders to always stay one step (or two) ahead of the game. The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe for systemic vulnerabilities on networks and servers.

Walkthrough

So, let’s begin

We commence the recon phase of the process by scanning our target machine. We do this using Nmap, a network scanner. This tool is commonly used for host/endpoint discovery, port scanning, and vulnerability scanning.

Start an nmap scan on the given box. The IP address of our target machine is 10.10.236.181; substitute the IP of your own target machine. We used the command

nmap -sV --script vuln -vv 10.10.236.181

Q: How many ports are open with a port number under 1000?

A: 3

Q: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

A: ms17-010
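To show how the two answers above can be read off the scan output programmatically (an added example, not part of the original walkthrough): the block parses nmap’s XML output (the -oX format), counts open ports below 1000, and extracts the Microsoft bulletin id from any NSE script whose structured result reports VULNERABLE. The XML is a constructed sample modelled on smb-vuln-ms17-010 output, not the real scan of the room’s machine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV --script vuln -oX - <target>` output, trimmed to the
# elements this parser uses; it is not the real scan of the room's machine.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.236.181" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0144"><elem key="state">VULNERABLE</elem></table>
      </script>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
</nmaprun>
"""

def open_ports_below(xml_text: str, limit: int = 1000):
    """Port numbers in state 'open' that are below `limit`, sorted ascending."""
    root = ET.fromstring(xml_text)
    return sorted(int(p.get("portid")) for p in root.iter("port")
                  if p.find("state").get("state") == "open" and int(p.get("portid")) < limit)

def vulnerable_scripts(xml_text: str):
    """Ids of NSE scripts whose structured output carries a 'state' element of VULNERABLE."""
    root = ET.fromstring(xml_text)
    return [s.get("id") for s in root.iter("script")
            if any(e.get("key") == "state" and e.text == "VULNERABLE" for e in s.iter("elem"))]

def ms_bulletins(script_ids):
    """Pull the Microsoft bulletin id (e.g. ms17-010) out of smb-vuln-* script names."""
    return [m.group(0) for sid in script_ids for m in [re.search(r"ms\d{2}-\d{3}", sid)] if m]
```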

Gain Access

Exploit the machine and gain a foothold

Launch the Metasploit framework by entering the command

msfconsole

Now we look for the exploit:

msf6 > search ms17-010

This returns anything that is related to EternalBlue or ms17-010.

We find the EternalBlue SMB remote exploit.

Enter use 0 to select it.

EternalBlue exploits SMBv1 vulnerabilities to insert malicious data packets and spread malware over the network. The exploit makes use of the way Microsoft Windows handles, or rather mishandles, specially crafted packets from malicious attackers.

Q: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

A: exploit/windows/smb/ms17_010_eternalblue

We then select the exploit and check the options that we need to set.

Q: Show options and set the one required value. What is the name of this value? (All caps for submission)

We check this by entering the command show options.

A: RHOSTS (The RHOSTS value is the IP address of the target)

We then start the exploit.

Enter exploit to run it.

We have successfully gained remote access to the target machine. We can then go ahead and enter some commands, for example hostname, to learn the name of the PC.

Escalate

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system. The pentester will attempt to gain higher privileges on the current device e.g., root access to a sensitive system, admin access to the network, or even superuser access, through social engineering, exploiting vulnerabilities or weak authentication systems.

Meterpreter

Meterpreter is a Metasploit attack payload that provides an interactive shell from which the operator can explore the target machine and execute code. It is a payload that supports the pen-testing process: it runs on the target machine but is not installed on it. It runs in memory and does not write itself to the disk on the target; it does this to evade antivirus software that scans new files on the disk.

We will upgrade our current shell to a meterpreter shell in Metasploit.

Now we background our current shell (Ctrl+Z) and convert our shell to a meterpreter shell.

msf6 > search shell_to_meterpreter

msf6 > use 0

We show options for the currently selected module and set LHOST and SESSION.

Q: If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to a meterpreter shell in Metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

A: post/multi/manage/shell_to_meterpreter

Q: Select this (use MODULE_PATH). Show options, what option are we required to change?

We view the currently active sessions and select the one we want to upgrade.

A: SESSION

We set the session ID; in my case it is ID 1, so the command is set session 1.

We run the exploit and we get a meterpreter session. We then use the meterpreter session instead of the shell.

sessions -i <meterpreter-session-no>

Now we have a meterpreter session. We check whether we are NT AUTHORITY\SYSTEM by using getsystem.

We are running as SYSTEM, but that does not mean our process is. We need to migrate to a SYSTEM process; generally we use services.exe, which we see here with PID 704.

Cracking

In this penetration test, the goal is to retrieve sensitive information from the target system.

Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the password hashes on the machine as long as we have the correct privileges to do so. The command lists the content of the SAM database (where user password hashes are stored on Windows systems). With NTLM, cracking Windows passwords is more difficult but still possible. NTLM is weaker than modern algorithms because it is based on the MD4 hash function. While Kerberos has replaced it for network authentication, NTLM is still used for saving passwords locally in the Windows SAM file, so the dumped passwords are in NTLM format.

Q: What is the name of the non-default user?

A: Jon

We are in an elevated meterpreter shell, so we use the command hashdump to get the password hashes stored on the machine.

meterpreter > hashdump

Q: Copy this password hash to a file and research how to crack it. What is the cracked password?

We will make use of the free password-cracking service CrackStation. CrackStation supports MD2, MD5, NTLM, and SHA1 cracking. It uses its own word list and lookup tables to perform, in effect, a plaintext search for the hash in its database.

We paste the hash that we want to crack and fill in the CAPTCHA. We will see the plaintext if the hash is found; otherwise, we see a message saying the hash was not found.

We got alqfna22 as the password.

Find flags!

Find the three flags planted on this machine.

As we have a meterpreter shell, we can search for files on the system.

We start by changing our directory to C:\ (the system root). We find flag1.txt in the system root.

We could now directly search for the flags as we know the format of the file.

meterpreter > search -f flag*txt

We have found all three files on the system and successfully completed the room. The flags represent key locations within the Windows system that we need to know.

Remediation

To mitigate such vulnerabilities:

Move off SMBv1 to the latest SMB version and apply the MS17-010 patch to the Windows system.

Conclusion

Simulating a realistic attack is important for an organization’s defense strategy. While an organization might have the tools and security processes, verifying they are working is critical. Any lapses in the security process must be discovered before an actual attack takes place. This is exactly what a successful penetration test can achieve.
