Gary Jones
Gary Jones
EternalBlueSMB VulnerabilityMetasploitChiselProxychainsCybersecurity

Exploiting EternalBlue on bdc.artstailor.com to Achieve Domain Admin Access

Exploiting EternalBlue on bdc.artstailor.com to Achieve Domain Admin Access
0 views
3 min read
#EternalBlue#SMB Vulnerability#Metasploit#Chisel#Proxychains#Cybersecurity
Table Of Content

Exploiting EternalBlue on bdc.artstailor.com to Achieve Domain Admin Access

Situation:

This exercise aimed to exploit an SMB vulnerability on bdc.artstailor.com to achieve Domain Admin privileges within the artstailor.com network. The bdc.artstailor.com server, recently added to the domain, was found to be unpatched and vulnerable to the EternalBlue exploit.

Obstacles:

  1. Host Identification:
    • Determining the correct IP address of the backup domain controller (BDC) among other machines in the network.
  2. Vulnerability Validation:
    • Confirming the presence of the EternalBlue (EternalSynergy) vulnerability on the identified host.
  3. Exploit Execution:
    • Finding a Metasploit module compatible with Windows Server 2016.

Actions Taken:

  1. Network Scanning:
    • Established a Chisel SOCKS proxy through costumes.artstailor.com using credentials from previous exercises.
    • Ran a targeted nmap scan with Proxychains on the 10.70.184.* subnet, identifying port 445 open on bdc.artstailor.com (10.70.184.89).
    • Validated the vulnerability by executing: 
      proxychains nmap -Pn -sT -p 445 10.70.184.89 --script vuln
    • Confirmed the machine was susceptible to EternalBlue (CVE-2017-0143).
  2. Exploit Execution:
    • Loaded Metasploit and selected the EternalSynergy module: 
      exploit/windows/smb/ms17_010_psexec
    • Configured the exploit with:
      • LHOST: Attack machine IP (172.24.0.10)
      • RHOSTS: Target IP (10.70.184.89)
    • Successfully exploited the machine, gaining NT AUTHORITY\SYSTEM privileges.
  3. Privilege Escalation:
    • Migrated to the process svchost.exe running under ARTSTAILOR\Administrator to gain Domain Admin access.
  4. Data Exfiltration:
    • Located and exfiltrated MoreSacredText.txt from the root directory, which contained the twenty-third encryption key.

Results:

  1. Domain Admin Access Achieved:
    • Gained full control of the domain by exploiting a critical SMB vulnerability.
  2. Sensitive Data Retrieved:
    • Extracted the twenty-third encryption key: KEY023-[Redacted for Security].
  3. High Security Risk Identified:
    • The unpatched server exposed the entire domain to severe risks, including privilege escalation and data exfiltration.

Tool Purpose Overview:

Chisel:

  • Created a SOCKS proxy for accessing internal network resources.

Proxychains:

  • Enabled nmap scans to target internal hosts via the Chisel proxy.

nmap:

  • Identified open SMB ports and validated vulnerabilities using the --script vuln flag.

Metasploit:

  • Exploited the EternalSynergy vulnerability to achieve remote code execution and Domain Admin privileges.

Recommendations:

  1. Patch SMB Services:
    • Apply all updates to address EternalBlue vulnerabilities on all domain controllers.
  2. Disable SMBv1:
    • Prevent legacy protocol exploitation by disabling SMBv1 across the network.
  3. Monitor Privileged Accounts:
    • Implement real-time monitoring for Domain Admin accounts to detect unauthorized activities.
  4. Conduct Regular Penetration Tests:
    • Perform frequent security assessments to identify and mitigate emerging vulnerabilities.

View PDF Document