Lukej2680 Tech Blog

Blue

Blue is a lot like the Legacy box, but this time, instead of exploiting ms-08-067, I will be using a script taking advantage of the ms-17-010 vulnerability to get root.

As with the others, I run my initial scans first.

Seeing ports 139 and 445 open, I immediately jumped to using smbmap and smbclient to see if any interesting shares are open.

Seeing nothing of interest, I ran a vuln scan.

And what would you know, the machine named Blue is vulnerable to the EternalBlue exploit, ms-17-010. This exploit was used in the WannaCry ransomware and was patched years ago, so it is a bit of an older exploit.
From here I used searchsploit to find a Python script, 42315.py. Reading through the script showed that it needs the mysmb.py module to run, which can be gotten off GitHub.
The script utilizes the vulnerability in the SMB server in order to send and execute a malicious file. I used msfvenom to create that malicious file, which was a reverse shell for Windows pointing back to port 4444 of my Kali machine.
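The vuln scan step above, seen from the defender's side (an added example, not code from the original post): parse nmap's XML report (`-oX`) and list the hosts that the smb-vuln-ms17-010 NSE script flagged, so the same scan can drive patch tracking. The embedded XML is a constructed sample shaped like nmap's real output, and the IP addresses in it are placeholders.

```python
# Added example, not from the original post: triage nmap -oX output for hosts
# flagged by the smb-vuln-ms17-010 NSE script. The XML is a constructed sample.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.41" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def ms17_010_findings(xml_text):
    """Map each IPv4 host to the NSE script's state; hosts with no result get
    "NO RESULT" rather than being silently assumed safe."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        script = host.find("hostscript/script[@id='smb-vuln-ms17-010']")
        state = script.find(".//elem[@key='state']") if script is not None else None
        findings[addr.get("addr")] = state.text if state is not None else "NO RESULT"
    return findings


def hosts_to_patch(xml_text):
    """IPs reported VULNERABLE: apply the MS17-010 update and disable SMBv1."""
    return sorted(ip for ip, s in ms17_010_findings(xml_text).items() if s == "VULNERABLE")


if __name__ == "__main__":
    for ip, state in ms17_010_findings(SAMPLE_NMAP_XML).items():
        print(f"{ip}: {state}")
```

Hosts that have port 445 open but no script result are listed as "NO RESULT" on purpose, since nmap only emits the table when the check actually ran.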

Then all I did was modify the script to send the correct file.

And boom, I was root. No priv esc needed here.