Blue — HTB walkthrough
Eternal Blue Exploit.
Enum4Linux gave nothing, so I ran a full-port nmap scan.
Got not much. So I directly searched for a Windows 7 Professional 7601 Service Pack 1 microsoft-ds exploit and found it is vulnerable to the EternalBlue exploit.
Why? Because we have:
- Windows 7
- SMBv1
EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. It exploits a software vulnerability in the Server Message Block (SMB) version 1 (SMBv1) implementation of Microsoft's Windows operating systems (OS).
We do this using Metasploit (msf).
Set RHOSTS to 10.10.10.40, and run.
EternalBlue relies on a Windows function named srv!SrvOS2FeaListSizeToNt. To see how this leads to remote code execution, let's take a quick look at how SMB works.
Primarily, SMB (Server Message Block) is a protocol used to request file and print services from server systems over a network. Among the protocol’s specifications are structures that allow the protocol to communicate information about a file’s extended attributes, essentially metadata about the file’s properties on the file system.
EternalBlue takes advantage of three different bugs. The first is a mathematical error when the protocol tries to cast an OS/2 File Extended Attribute (FEA) list structure to an NT FEA structure in order to determine how much memory to allocate. A miscalculation creates an integer overflow that causes less memory to be allocated than expected, which in turn leads to a buffer overflow. With more data than expected being written, the extra data can overflow into adjacent memory space.
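To make the first bug concrete, here is an added example (written for this walkthrough, not code from srv.sys or from the Metasploit module) that models the size conversion in C. The entry layouts are a simplified model of the OS/2 FEA header (flags, name length, value length) and the NT-style entry (4-byte next-entry offset, header, name plus NUL, value, padded to 4 bytes); the function names, the 16-bit result field and the sample lists are all constructed for the demonstration. It shows how a size that is accumulated in 32 bits but returned through a 16-bit field wraps, so the allocation made from it is smaller than what the conversion will write, and contrasts that with a checked conversion that refuses oversized input instead of returning a wrong number.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of one OS/2 FEA entry header as parsed from the wire.
 * Only the lengths matter for sizing; the name/value bytes are omitted.
 * Teaching model, not the real srv.sys structure layout. */
typedef struct {
    uint8_t  flags;
    uint8_t  name_len;
    uint16_t value_len;
} Os2FeaHeader;

/* Bytes one entry occupies in NT form: 4-byte NextEntryOffset, flags,
 * name length, value length, name + terminating NUL, value, 4-byte padded. */
static uint32_t nt_entry_size(const Os2FeaHeader *e) {
    uint32_t sz = 4u + 1u + 1u + 2u + (uint32_t)e->name_len + 1u + (uint32_t)e->value_len;
    return (sz + 3u) & ~3u;
}

/* Vulnerable pattern: the total is summed in 32 bits but handed back
 * through a 16-bit size field, so any total above 65535 wraps silently. */
static uint16_t size_to_nt_truncating(const Os2FeaHeader *entries, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += nt_entry_size(&entries[i]);
    return (uint16_t)total;            /* the miscalculation: high bits lost */
}

/* Hardened pattern: keep full width, bound every step against an explicit
 * cap (which also prevents 32-bit wrap), and report failure instead of a
 * wrong size. */
static bool size_to_nt_checked(const Os2FeaHeader *entries, size_t n,
                               uint32_t cap, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t sz = nt_entry_size(&entries[i]);
        if (sz > cap - total) return false;   /* would exceed cap */
        total += sz;
    }
    *out = total;
    return true;
}

/* Bytes the conversion would write past a buffer sized from the truncated
 * field; 0 means the allocation is large enough. */
static uint32_t overflow_bytes(const Os2FeaHeader *entries, size_t n) {
    uint32_t needed = 0;
    for (size_t i = 0; i < n; i++) needed += nt_entry_size(&entries[i]);
    uint32_t allocated = size_to_nt_truncating(entries, n);
    return needed > allocated ? needed - allocated : 0;
}

/* Constructed sample lists: n identical entries with the given lengths. */
static void make_uniform(Os2FeaHeader *buf, size_t n, uint8_t name_len, uint16_t value_len) {
    for (size_t i = 0; i < n; i++) {
        buf[i].flags = 0;
        buf[i].name_len = name_len;
        buf[i].value_len = value_len;
    }
}

/* Benign list: 2 entries of 24 NT bytes each (48 total, fits in 16 bits). */
static uint32_t demo_small_overflow(void) {
    Os2FeaHeader l[2]; make_uniform(l, 2, 4, 8);
    return overflow_bytes(l, 2);
}
static uint32_t demo_small_checked(void) {
    Os2FeaHeader l[2]; make_uniform(l, 2, 4, 8);
    uint32_t out = 0;
    return size_to_nt_checked(l, 2, 65535u, &out) ? out : 0;
}
/* Oversized list: 1000 entries of 116 NT bytes (116000 total, wraps to 50464). */
static uint32_t demo_large_truncated(void) {
    Os2FeaHeader l[1000]; make_uniform(l, 1000, 4, 100);
    return size_to_nt_truncating(l, 1000);
}
static uint32_t demo_large_overflow(void) {
    Os2FeaHeader l[1000]; make_uniform(l, 1000, 4, 100);
    return overflow_bytes(l, 1000);
}
static bool demo_large_checked(void) {
    Os2FeaHeader l[1000]; make_uniform(l, 1000, 4, 100);
    uint32_t out = 0;
    return size_to_nt_checked(l, 1000, 65535u, &out);
}

int main(void) {
    printf("small list: overflow=%u checked_size=%u\n", demo_small_overflow(), demo_small_checked());
    printf("large list: truncated=%u overflow=%u checked_ok=%d\n",
           demo_large_truncated(), demo_large_overflow(), (int)demo_large_checked());
    return 0;
}
```

The point for defenders is the shape of the fix: the checked version never produces a size the allocator can trust less than the copy loop does, and rejecting the request is the safe failure mode. The same reasoning applies to the mitigations for this box: disabling SMBv1 or applying MS17-010 removes the code path that performs this conversion on untrusted input.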
Triggering the buffer overflow is achieved thanks to the second bug, which results from a difference in the SMB protocol's definition of two related sub-commands: SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT. Both have a _SECONDARY command that is used when there is too much data to include in a single packet. The crucial difference between TRANSACTION2 and NT_TRANSACT is that the latter calls for a data packet twice the size of the former. This is significant because an error in validation occurs if the client sends a crafted message using the NT_TRANSACT sub-command immediately before the TRANSACTION2 one. While the protocol recognizes that two separate sub-commands have been received, it assigns the type and size of both packets (and allocates memory accordingly) based only on the type of the last one received. Since the last one is smaller, the first packet will occupy more space than it is allocated.
Once the attackers achieve this initial overflow, they can take advantage of a third bug in SMBv1 which allows heap spraying, a technique which results in allocating a chunk of memory at a given address. From here, the attacker can write and execute shellcode to take control of the system.