10.10.10.40 - Blue

Blue

nmap -A 10.10.10.40

[screenshot: nmap -A output]

The scan identifies the host as Windows 7 Professional 7601 Service Pack 1.

Ports 135 and 445 are open, so the host exposes MSRPC and SMB.

1/ Scan port 445 for known vulnerabilities with nmap's vuln script category:

nmap --script vuln -p 445 10.10.10.40

[screenshot: nmap vuln scripts against port 445]

nmap's smb-vuln-ms17-010 script reports the host as vulnerable to MS17-010 (EternalBlue).
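To show what that nmap check actually does on the wire, here is an added Python example written for this page (it is not the nmap script, the worawit checker, or the author's code). It assumes raw SMB1 with the NT LM 0.12 dialect and ASCII strings, a null (anonymous) session, a tree connect to IPC$, and a TRANS_PEEK_NMPIPE transaction on FID 0: an unpatched host answers STATUS_INSUFF_SERVER_RESOURCES, a patched one STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. The sample response frame at the bottom is constructed, not captured.

```python
#!/usr/bin/env python3
"""Minimal MS17-010 probe over raw SMB1 (the same check nmap's smb-vuln-ms17-010 performs).
Example code for this writeup; assumptions: SMB1 NT LM 0.12, ASCII strings, null session,
IPC$ tree connect, TRANS_PEEK_NMPIPE on FID 0."""
import socket
import struct
import sys

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched MS17-010 host
STATUS_ACCESS_DENIED = 0xC0000022            # patched
STATUS_INVALID_HANDLE = 0xC0000008           # patched

SMB_COM_TRANSACTION = 0x25
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS_PEEK_NMPIPE = 0x23


def netbios(smb):
    """NetBIOS session service framing: message type 0x00 + 3-byte big-endian length."""
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def smb_header(command, status=0, tid=0, uid=0, mid=1):
    """32-byte SMB1 header. flags 0x18 = canonical, case-insensitive paths;
    flags2 0x4001 = NT status codes + long names (Unicode bit off, so strings are ASCII)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18, 0x4001,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return netbios(smb_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(dialects)) + dialects)


def session_setup_request():
    """Anonymous SESSION_SETUP_ANDX: zero-length passwords, empty account name and domain."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0,  # no AndX chain
                        0xFFFF, 2, 1, 0,              # MaxBufferSize, MaxMpxCount, VcNumber, SessionKey
                        0, 0, 0,                      # OEM/Unicode password lengths, Reserved
                        0x50)                         # Capabilities: NT_SMBS | STATUS32
    data = b"\x00" + b"\x00" + b"Unix\x00" + b"Samba\x00"  # account, domain, native OS, LAN manager
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX) + struct.pack("<B", 13) + words
                   + struct.pack("<H", len(data)) + data)


def tree_connect_request(host, uid):
    """Attach the session to IPC$ with an empty (single NUL byte) password."""
    data = b"\x00" + f"\\\\{host}\\IPC$".encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # no AndX chain, flags 0, password length 1
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + struct.pack("<B", 4) + words
                   + struct.pack("<H", len(data)) + data)


def peek_named_pipe_request(tid, uid):
    """SMB_COM_TRANSACTION with setup [TRANS_PEEK_NMPIPE, FID 0] and no parameters or data.
    Offset 74 = header(32) + WordCount(1) + 16 words(32) + ByteCount(2) + 7-byte pipe name."""
    name = b"\\PIPE\\\x00"
    words = struct.pack("<HHHHBBHIHHHHHBBHH",
                        0, 0,                  # TotalParameterCount, TotalDataCount
                        0xFFFF, 0xFFFF,        # MaxParameterCount, MaxDataCount
                        0, 0, 0, 0, 0,         # MaxSetupCount, Reserved, Flags, Timeout, Reserved2
                        0, 74, 0, 74,          # ParameterCount/Offset, DataCount/Offset
                        2, 0,                  # SetupCount, Reserved3
                        TRANS_PEEK_NMPIPE, 0)  # Setup words: subcommand, FID
    return netbios(smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + struct.pack("<B", 16)
                   + words + struct.pack("<H", len(name)) + name)


def nt_status(frame):
    """NT status of a NetBIOS-framed SMB1 response: header bytes 5..8, little-endian."""
    return struct.unpack_from("<I", frame, 4 + 5)[0]


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("target closed the connection")
        buf += chunk
    return buf


def recv_frame(sock):
    head = _recv_exact(sock, 4)
    return head + _recv_exact(sock, struct.unpack(">I", b"\x00" + head[1:])[0])


def check_ms17_010(host, port=445, timeout=5):
    """Run the four-message probe and return (nt_status, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        recv_frame(s)
        s.sendall(session_setup_request())
        resp = recv_frame(s)
        if nt_status(resp) != 0:
            raise RuntimeError(f"null session refused: 0x{nt_status(resp):08X}")
        uid = struct.unpack_from("<H", resp, 4 + 28)[0]  # UID sits at header offset 28
        s.sendall(tree_connect_request(host, uid))
        resp = recv_frame(s)
        if nt_status(resp) != 0:
            raise RuntimeError(f"IPC$ tree connect failed: 0x{nt_status(resp):08X}")
        tid = struct.unpack_from("<H", resp, 4 + 24)[0]  # TID sits at header offset 24
        s.sendall(peek_named_pipe_request(tid, uid))
        status = nt_status(recv_frame(s))
    return status, classify(status)


# Constructed (not captured) reply frame: what an unpatched host sends back to the probe.
SAMPLE_VULNERABLE_RESPONSE = netbios(
    smb_header(SMB_COM_TRANSACTION, status=STATUS_INSUFF_SERVER_RESOURCES) + b"\x00\x00\x00")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.40"
    code, verdict = check_ms17_010(target)
    print(f"{target}: NT status 0x{code:08X} -> {verdict}")
```

The probe never touches the vulnerable code path; it only asks the server to peek a pipe on a handle it never opened, and the specific error code the unpatched srv.sys returns is what gives the vulnerability away. Run it as `python3 ms17_010_check.py 10.10.10.40` against the box.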

Next, check what is exposed over SMB (-N suppresses the password prompt for an anonymous listing):

smbclient -N -L 10.10.10.40

[screenshot: smbclient share listing]

Try the Users share:

smbclient -N //10.10.10.40/Users

[screenshot: smbclient connected to the Users share]

2/ The Users share is readable without a password, so the server accepts an anonymous (guest) session.

Clone this repository:

https://github.com/worawit/MS17-010

and run checker.py from it against the target; it connects with the guest session and tries to open each well-known named pipe over IPC$, reporting which ones are accessible.

[screenshot: checker.py output]

3/ Every named pipe comes back as access denied, so exploits that rely on a writable named pipe (zzz_exploit.py from that repo and most other EternalBlue scripts) won't work here.

Searching for EternalBlue and Windows build 7601 gives us this exploit:

https://www.exploit-db.com/exploits/42315

To use the script we need two things:

  1. a reverse shell payload generated with msfvenom as raw shellcode (the exploit targets the x64 build, so the payload must be x64 as well);

  2. edits to the script for our needs:

  • set the username variable to an empty value so the script authenticates to the share as guest, without a password [screenshot: file edit 1]

  • point the script at the reverse-shell file we generated [screenshot: file edit 2]

4/ Run the script:

[screenshot: running the exploit]

while listening on port 4444 locally:

[screenshot: listener on port 4444]

5/ We get a shell, and it runs as NT AUTHORITY\SYSTEM.

[screenshot: whoami showing nt authority\system]

From there we can read the root flag,

and grab the user flag as well.

[screenshot: user flag]