TCM Security: Blue Box Writeup

Abdullah Hamza
6 min read · Mar 8, 2024


Our current task is to exploit a machine named Blue, provided by TCM Security. Working through this box helps us understand how EternalBlue works. EternalBlue is the name of an exploit for a critical vulnerability in Microsoft’s Windows operating system, specifically in its implementation of the Server Message Block (SMB) protocol. The vulnerability was discovered by the U.S. National Security Agency (NSA), and the exploit was later leaked by a group known as “The Shadow Brokers” in April 2017. With that background, let’s move on to our box.

Network Integration

Ping the target IP from your attack machine. In my case the ping succeeds, so both machines are on the same network.

Checking Connection

Scanning

Let’s start with an nmap scan. Use the following command to scan the target IP address.

nmap -p- -A -T4 192.168.102.124
  • nmap invokes nmap, a network scanning tool.
  • -p- tells Nmap to scan all 65535 ports on the target. By default, Nmap scans only the most common 1,000 ports. Using -p- ensures that no port is left unchecked.
  • -A enables OS detection, version detection, script scanning, and traceroute.
  • -T4 specifies the timing template for the scan. T4 is aggressive and speeds up the scan by making assumptions about network reliability and responsiveness. It's faster than the default but could potentially miss some information if the network is congested or the target system is heavily loaded.
  • 192.168.102.124 is the IP address of the target system you wish to scan.
nmap scanning results

The scan results show that the target appears to be a Windows host, specifically running Windows 7 to 10, based on the detected services and ports.

Port 135/tcp is open, indicating the presence of Microsoft Windows RPC (Remote Procedure Call) service.

Ports 49152/tcp to 49156/tcp are open as well, again indicating Microsoft Windows RPC services.

The SMB security mode shows that guest account authentication is accepted and that message signing is disabled, both of which could pose security risks.

SMB stands for Server Message Block, and it’s a network protocol used for providing shared access to files, printers, and other communication between computers on a network. In the context of Windows operating systems, the SMB service enables file and printer sharing functionality.
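To turn the scan interpretation above into a repeatable check, here is an added example of my own (not code from the original writeup or from TCM Security) that parses the port table and the host-script section of an nmap -A report and lists the SMB weaknesses a defender would want fixed. The nmap output embedded in it is constructed to mirror the layout of nmap's port table and of the smb-security-mode and smb2-security-mode NSE script results; the host name WIN-TARGET, the port list and the OS banner are sample values, not the writeup's actual scan.

```python
import re

# Constructed excerpt of an "nmap -p- -A" report. The layout follows nmap's
# port table and the smb-security-mode / smb2-security-mode NSE script output;
# the host name, port list and OS banner are sample values, not the real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.102.124
Host is up (0.00052s latency).
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds
49152/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: WIN-TARGET; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
KV_RE = re.compile(r"^\|_?\s+([\w.]+):\s*(.*)$")


def parse_nmap(text):
    """Extract host, port table and the SMB/SMB2 security-mode facts."""
    report = {"host": None, "ports": {}, "smb": {}, "smb2": {}}
    section = None  # which NSE script block we are inside, if any
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report["host"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"][int(port)] = {
                "proto": proto, "state": state,
                "service": service, "version": version.strip(),
            }
            continue
        if line.startswith("| smb-security-mode"):
            section = "smb"
            continue
        if line.startswith("| smb2-security-mode"):
            section = "smb2"
            continue
        if section and line.startswith("|"):
            m = KV_RE.match(line)
            if m and m.group(2):
                report[section][m.group(1)] = m.group(2).strip()
            elif section == "smb2" and "signing" in line.lower():
                # SMB2 reports signing as a sentence rather than "key: value"
                report["smb2"]["signing"] = line.lstrip("|_ ").strip()
            if line.startswith("|_"):  # "|_" marks the last line of a script block
                section = None
    return report


def assess(report):
    """Map the parsed facts to findings a defender should act on."""
    findings = []
    ports = report["ports"]
    if ports.get(445, {}).get("state") == "open":
        findings.append("SMB (445/tcp) is reachable: restrict it at the host firewall if not needed")
    if report["smb"]:
        # smb-security-mode negotiates the SMB1 dialect, so results mean SMB1 is offered
        findings.append("SMB1 dialect offered: MS17-010 targets SMBv1, disable it unless required")
    if report["smb"].get("message_signing", "").startswith("disabled"):
        findings.append("SMB1 message signing disabled: sessions can be tampered with or relayed")
    if "not required" in report["smb2"].get("signing", ""):
        findings.append("SMB2 signing not required: set RequireSecuritySignature on the server")
    if report["smb"].get("account_used") == "guest":
        findings.append("guest account accepted for SMB session setup")
    banner = " ".join(p["version"] for p in ports.values())
    m = re.search(r"Windows (7|8\.1|8|10|Server 2008|Server 2012)", banner)
    if m:
        findings.append(
            f"Windows {m.group(1)} banner: verify the MS17-010 update is installed "
            "(a port scan alone cannot tell a patched host from an unpatched one)"
        )
    return findings


if __name__ == "__main__":
    rep = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print(f"Findings for {rep['host']}:")
    for finding in assess(rep):
        print(" -", finding)
```

Feed it the saved text of your own scan (nmap -oN) instead of the constructed sample; the last finding is deliberately a "verify" item, because service banners and security-mode output do not reveal whether the MS17-010 update is present.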

SMB Exploit

Let’s search on Google to see whether there is a public exploit for SMB.

Searching for exploit

We find an EternalBlue SMB exploit for Windows. Let’s open that link and check the description of the exploit.

The exploit page lists the Metasploit commands. We can use those commands to load the exploit in Metasploit and then execute it against our target.

commands to use exploit in metasploit

Metasploit

Let’s open Metasploit with the command msfconsole.

metasploit

Let’s search for EternalBlue in msfconsole with the command search eternal blue; the results include our desired exploits.

exploits found in metasploit

The exploit at index 1 is marked as checked, so let’s select it with the command use 1. This loads the exploit, and we can list the available options with the command show options.

Options available for exploit

RHOSTS is the option that specifies the target host for an exploit or a scan. To set it, we use the command set rhosts 192.168.102.124.

setting rhosts

We are all set to execute the exploit, so let’s use the command run. As soon as the exploit succeeds we get our desired Meterpreter session.

executing exploit

Let’s use the command shell in Meterpreter to get a shell on the target system, and boom!! We have our shell.

Shell of target system

Let’s verify that with the command whoami: we are nt authority\system.

Result of whoami command

Congratulations!! We have successfully gained access to our target system.🎉🎉🎉
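From the defender’s side, the result above (a cmd.exe shell running as nt authority\system without anyone logging in) is exactly what endpoint telemetry should catch, and the same applies to the manual method later in this writeup. The following is an added example of mine, not code from the writeup or from TCM Security: it triages process-creation events and flags shells spawned by system service processes. Two assumptions: the records are constructed JSON lines that borrow Sysmon Event ID 1 field names (UtcTime, User, ParentImage, Image, CommandLine), and the parent list reflects that EternalBlue payloads, including the Metasploit module’s default, execute inside a SYSTEM service such as spoolsv.exe or lsass.exe, which is general knowledge about the exploit rather than something the writeup states; tune both to your environment.

```python
import json
import ntpath

# Constructed process-creation records as JSON lines. Field names follow
# Sysmon Event ID 1; host, user names and timestamps are invented samples.
SAMPLE_EVENTS = [
    r'{"UtcTime":"2024-03-08 10:14:55","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\System32\\spoolsv.exe","CommandLine":"C:\\Windows\\System32\\spoolsv.exe"}',
    r'{"UtcTime":"2024-03-08 10:15:02","User":"WIN-TARGET\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}',
    r'{"UtcTime":"2024-03-08 10:15:30","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\spoolsv.exe","Image":"C:\\Windows\\splwow64.exe","CommandLine":"C:\\Windows\\splwow64.exe 12288"}',
    r'{"UtcTime":"2024-03-08 10:16:41","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\spoolsv.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}',
    r'{"UtcTime":"2024-03-08 10:16:43","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\lsass.exe","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe"}',
]

# Service processes that EternalBlue-style kernel payloads are commonly
# injected into (assumption: adjust to what your telemetry shows for your fleet).
PAYLOAD_HOSTS = {"spoolsv.exe", "lsass.exe"}
# Interactive shells and script hosts that none of those services should launch.
SHELLS = {"cmd.exe", "powershell.exe"}
# Children that are normal for a given service (splwow64.exe hosts 32-bit print
# drivers for the spooler); lsass.exe is not expected to spawn anything.
EXPECTED_CHILDREN = {"spoolsv.exe": {"splwow64.exe"}, "lsass.exe": set()}


def triage(lines):
    """Return one finding per suspicious process-creation record."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        # ntpath handles the Windows backslash paths regardless of the host OS
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        image = ntpath.basename(ev.get("Image", "")).lower()
        if parent not in PAYLOAD_HOSTS:
            continue  # a user launching cmd.exe from explorer.exe is normal
        if image in EXPECTED_CHILDREN.get(parent, set()):
            continue  # allow-listed child of that service
        severity = "high" if image in SHELLS else "medium"
        findings.append({
            "time": ev.get("UtcTime"),
            "severity": severity,
            "user": ev.get("User"),
            "parent": parent,
            "image": image,
            "reason": f"{parent} spawned {image} "
                      + ("(interactive shell)" if severity == "high" else "(unexpected child)"),
        })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['severity'].upper()}] {hit['time']} {hit['user']}: {hit['reason']}")
```

The spoolsv.exe to cmd.exe record is the one that corresponds to the shell obtained above; the lsass.exe to rundll32.exe record shows why anything unexpected from a process that normally spawns no children deserves a look even when it is not a shell.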

Manual Method

There is also a manual way to launch the attack on the target with the EternalBlue exploit. Let’s move on to it by searching for eternal blue github on Google.

Search results for EternalBlue on GitHub

We get a repository link, so let’s open it.

GitHub repository of EternalBlue

Let’s click on Code and download the files as a ZIP archive.

Downloading repository

Looking at the repository, we find a requirements.txt file.

Content of downloaded repository

Installing requirements

We can install all the requirements by using the following command.

pip install -r requirements.txt

The above command installs the Python packages listed in the file named requirements.txt.

Installing requirements.txt

We have successfully installed all requirements. We can also see a directory named shellcode in the downloaded repository.

shellcode directory

Preparing shell

Now, let’s move into the shellcode directory with the command cd shellcode and list the files there with the ls command.

files in shellcode directory

There is a script named shell_prep.sh in the shellcode directory. Let’s execute this script to prepare our shellcode for the attack.

shell_prep.sh script executed

After the script finishes, there will be a shellcode binary named sc_all.bin in the shellcode directory.

PWN

We are all set to PWN the target, which we can do with the following command.

python3 eternalblue_exploit7.py 192.168.102.124 shellcode/sc_all.bin

I have opened our target Windows machine and the attack machine side by side. We can see that the target is up and running, so let’s hit Enter and launch our attack command.

Target and attack box opened side by side

BOOOOM!!! The target Windows machine is PWNED, and we can see that the target machine is rebooting.

Target PWNED

CONGRATULATIONS!!!

I would like to express my gratitude to #TCMSecurity for providing such an amazing CTF challenge as part of their Practical Ethical Hacking curriculum.

This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊
