Blue — HTB walkthrough
Eternal Blue Exploit.
ENUMERATION
Nmap Scan
RPC Enumeration
SMB Enumeration
Enum4Linux gave nothing, so I ran a full-port nmap scan.
That did not reveal much either, so I searched directly for a "Windows 7 Professional 7601 Service Pack 1 microsoft-ds" exploit and found that the host is vulnerable to EternalBlue (MS17-010).
Why would it be? Both prerequisites are present:
- Windows 7 (build 7601, Service Pack 1)
- SMBv1 reachable on the microsoft-ds port (445/tcp)
EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. It exploits a software vulnerability in Microsoft's Windows operating systems (OS) Server Message Block (SMB) version 1 (SMBv1).
From <https://www.google.com/search?client=firefox-b-d&q=eternal+blue>
EXPLOITATION
We do this with Metasploit (msf): load the EternalBlue module (exploit/windows/smb/ms17_010_eternalblue), set RHOSTS to 10.10.10.40 (and LHOST to the attacking machine for the reverse-shell payload), and run it.
EternalBlue relies on a function in the Windows SMB server driver named srv!SrvOs2FeaListSizeToNt. To see how this leads to remote code execution, let's take a quick look at how SMB works.
Primarily, SMB (Server Message Block) is a protocol used to request file and print services from server systems over a network. Among the protocol’s specifications are structures that allow the protocol to communicate information about a file’s extended attributes, essentially metadata about the file’s properties on the file system.
EternalBlue takes advantage of three different bugs. The first is an arithmetic error made when srv.sys converts an OS/2 File Extended Attribute (FEA) list structure into the NT FEA format in order to determine how much memory to allocate. When the list turns out to be shorter than its header claims, the routine writes the corrected length back with a 16-bit store into the 32-bit cbList field, so the high word of the original value survives and the list keeps a length larger than the buffer that was sized for it. The copy that follows then writes more data than was allocated, and the excess overflows into adjacent heap memory.
Triggering the buffer overflow is achieved thanks to the second bug, which results from a difference in the SMB protocol's definition of two related subcommands: SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT. Both have a _SECONDARY command that is used when there is too much data to include in a single packet. The crucial difference between TRANSACTION2 and NT_TRANSACT is that the latter allows a data payload twice the size of the former (a 32-bit length field instead of a 16-bit one). This is significant because a validation error occurs if the client sends a crafted message using the NT_TRANSACT subcommand immediately before the TRANSACTION2 one. While the server recognizes that two separate subcommands have been received, it assigns the type and size of both packets (and allocates memory accordingly) based only on the type of the last one received. Since the last one is smaller, the first packet will occupy more space than it is allocated.
Once the attackers achieve this initial overflow, they can take advantage of a third bug in SMBv1 which allows heap spraying, letting them place attacker-controlled allocations at a predictable address so the overflow lands on memory they chose. From there, the attacker can write and execute shellcode to take control of the system.
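To make the first bug concrete, here is a small C model of the OS/2-to-NT FEA size conversion. It is an added example written for this walkthrough, not code from the page, from Metasploit, or from Microsoft's srv.sys: the field layouts follow the SMBv1 FEALIST/FEA and NT FILE_FULL_EA_INFORMATION formats (4-byte alignment of NT entries is a simplification), while the function bodies, the helper names and the attacker-style list (cbList claimed as 0x10000 with a second entry crossing that boundary) are my own reconstruction and are assumptions, not a captured packet. The `narrow_store` flag switches between a correct 32-bit write-back of cbList and the 16-bit store that leaves the high word in place.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian field access: the SMBv1 wire format and the x86 target are both LE. */
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* OS/2 FEALIST: ULONG cbList, then FEAs of {UCHAR fEA; UCHAR cbName; USHORT cbValue;
 * name[cbName+1]; value[cbValue]}. NT FILE_FULL_EA_INFORMATION: 8-byte header,
 * name+NUL, value, each entry rounded up to a 4-byte boundary (simplified model). */
#define OS2_LIST_HDR 4u
#define OS2_FEA_HDR  4u
#define NT_FEA_HDR   8u
#define CAP          0x20000u   /* size of the constructed request buffer (assumption) */

static uint32_t os2_fea_len(const uint8_t *fea) { return OS2_FEA_HDR + fea[1] + 1 + get_le16(fea + 2); }
static uint32_t nt_fea_len(const uint8_t *fea)  { return (NT_FEA_HDR + fea[1] + 1 + get_le16(fea + 2) + 3) & ~3u; }

/* Model of srv!SrvOs2FeaListSizeToNt: returns the NT list size the server will allocate.
 * If an FEA runs past cbList, the list is cut there by writing the parsed length back
 * into cbList; narrow_store selects the buggy 16-bit write-back. */
static uint32_t os2_fea_list_size_to_nt(uint8_t *list, int narrow_store)
{
    uint32_t cb_list = get_le32(list);
    uint32_t off = OS2_LIST_HDR, nt_size = 0;
    while (off + OS2_FEA_HDR <= cb_list) {
        uint32_t len = os2_fea_len(list + off);
        if (off + len > cb_list) {
            if (narrow_store)
                put_le16(list, (uint16_t)off);   /* BUG: only the low word of cbList changes */
            else
                put_le32(list, off);             /* correct: the whole 32-bit field is updated */
            return nt_size;
        }
        nt_size += nt_fea_len(list + off);
        off += len;
    }
    return nt_size;
}

/* Model of the conversion loop (one srv!SrvOs2FeaToNt call per entry): walks the list up
 * to its current cbList and returns how many bytes it would write into the NT buffer.
 * The clamp to CAP keeps this model in bounds; the real driver trusts cbList. */
static uint32_t os2_fea_list_to_nt_bytes(const uint8_t *list)
{
    uint32_t cb_list = get_le32(list);
    if (cb_list > CAP) cb_list = CAP;
    uint32_t off = OS2_LIST_HDR, written = 0;
    while (off + OS2_FEA_HDR <= cb_list) {
        uint32_t len = os2_fea_len(list + off);
        if (off + len > cb_list) break;
        written += nt_fea_len(list + off);
        off += len;
    }
    return written;
}

/* Constructed attacker-style list (assumption, not a captured packet): cbList claims
 * 0x10000 bytes, the first FEA ends exactly at 0xff5d, the second crosses 0x10000. */
static uint8_t *build_fea_list(void)
{
    uint8_t *list = malloc(CAP);
    memset(list, 0xff, CAP);              /* filler; an 0xff header stops the walk after entry 2 */
    put_le32(list, 0x10000);
    uint32_t off = OS2_LIST_HDR;
    list[off] = 0; list[off + 1] = 0;     /* FEA 1: flags 0, empty name */
    put_le16(list + off + 2, 0xff54);     /* value length chosen so the entry ends at 0xff5d */
    off += os2_fea_len(list + off);
    list[off] = 0; list[off + 1] = 0;     /* FEA 2: empty name, 0x1000-byte value -> past 0x10000 */
    put_le16(list + off + 2, 0x1000);
    return list;
}

uint32_t demo_nt_alloc(int narrow_store)      /* bytes the server allocates for the NT list */
{
    uint8_t *l = build_fea_list();
    uint32_t n = os2_fea_list_size_to_nt(l, narrow_store);
    free(l);
    return n;
}

uint32_t demo_cblist_after(int narrow_store)  /* cbList as the conversion loop will see it */
{
    uint8_t *l = build_fea_list();
    os2_fea_list_size_to_nt(l, narrow_store);
    uint32_t cb = get_le32(l);
    free(l);
    return cb;
}

uint32_t demo_bytes_written(int narrow_store) /* bytes the conversion loop writes into that allocation */
{
    uint8_t *l = build_fea_list();
    os2_fea_list_size_to_nt(l, narrow_store);
    uint32_t w = os2_fea_list_to_nt_bytes(l);
    free(l);
    return w;
}

int main(void)
{
    for (int bug = 0; bug <= 1; bug++)
        printf("%s: alloc=0x%x cbList=0x%x written=0x%x%s\n", bug ? "16-bit store" : "32-bit store",
               demo_nt_alloc(bug), demo_cblist_after(bug), demo_bytes_written(bug),
               demo_bytes_written(bug) > demo_nt_alloc(bug) ? "  <-- heap overflow" : "");
    return 0;
}
```

With the correct 32-bit store, cbList becomes 0xff5d, the server allocates 0xff60 bytes and the conversion loop writes exactly 0xff60. With the 16-bit store the allocation is the same 0xff60 bytes, but cbList becomes 0x1ff5d (the old high word survives), so the loop also converts the second entry and writes 0x10f6c bytes, 0x100c bytes past the end of the allocation. In the real attack those extra bytes are the attacker's, which is why the heap layout set up by the other two bugs matters.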
ROOTED !!!!