First we run an nmap scan against the target:
Here we can see that port 445 (SMB) is open. We also see the computer name as HARIS-PC, meaning there may be a user named "haris" on the box. Let's do a bit more enumeration against port 445 on this machine:
Looking at the shares we have access to, we have READ/WRITE against the IPC$ share on the host as well as anonymous read rights. This is consistent with Windows versions prior to Windows 8, which allow for a null logon session when accessing the IPC$ share.
If you start deep diving into SMB exploits, you won't make it very far before stumbling on the ETERNAL exploit suite, famously leaked a few years ago. One of the vulnerabilities/exploits, ETERNAL BLUE or MS17-010, can be checked for using an nmap script:
So now we know that the target host is vulnerable to ETERNAL BLUE and can move on to finding an exploit that successfully targets this vulnerability.
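The scan and the nmap script check above are the same data a blue team would feed into a patch queue. The following is an added example, not code from the original post or from any of the tools it links: a small Python triage script that parses nmap normal output (a constructed sample is embedded; addresses, computer names and OS strings are made up) for port 445 state, the smb-os-discovery computer name, the smb-security-mode account and signing values, and the smb-vuln-ms17-010 result, then ranks each host so that unpatched MS17-010 hosts surface first.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap normal output for two hosts (not real scan data),
# as produced by something like:
#   nmap -p445 --script smb-os-discovery,smb-security-mode,smb-vuln-ms17-010 <hosts>
# Addresses, names and version strings are invented for this example.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host is up (0.021s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   Computer name: HARIS-PC
|_  Workgroup: WORKGROUP
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for 10.10.10.41
Host is up (0.030s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
# A top-level script header is "| name:" or "|_name:"; nested lines have extra indentation.
SCRIPT_RE = re.compile(r"^\|(?:_| )([\w-]+):", re.M)
SEVERITY_ORDER = {"critical": 0, "medium": 1, "low": 2, "info": 3}


def split_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, report body) pairs, one per 'Nmap scan report for' block."""
    parts = HOST_RE.split(text)  # ['', addr1, body1, addr2, body2, ...]
    return [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]


def script_sections(body: str) -> Dict[str, str]:
    """Map each NSE script name in a host block to its (still bar-prefixed) output."""
    parts = SCRIPT_RE.split(body)
    return {parts[i]: parts[i + 1] for i in range(1, len(parts), 2)}


def field(section: str, key: str):
    """Extract the first token after 'key:' on any nested '|' line of a script section."""
    m = re.search(r"^\|_?\s+" + re.escape(key) + r":\s*(\S+)", section, re.M)
    return m.group(1) if m else None


def severity(f: Dict[str, object]) -> str:
    if f["ms17_010"] == "VULNERABLE":
        return "critical"  # unpatched MS17-010: patch or isolate before anything else
    if f["smb_open"] and (f["signing"] == "disabled" or f["guest_session"]):
        return "medium"    # SMB reachable with unsigned sessions or anonymous/guest access
    if f["smb_open"]:
        return "low"       # SMB reachable, nothing weak reported by these scripts
    return "info"


def parse_host(addr: str, body: str) -> Dict[str, object]:
    scripts = script_sections(body)
    f: Dict[str, object] = {
        "host": addr,
        "smb_open": re.search(r"^445/tcp\s+open", body, re.M) is not None,
        "computer_name": field(scripts.get("smb-os-discovery", ""), "Computer name"),
        # nmap reports the account the server granted; "guest" means the
        # anonymous logon was accepted, i.e. the null-session behaviour seen above.
        "guest_session": field(scripts.get("smb-security-mode", ""), "account_used") == "guest",
        "signing": field(scripts.get("smb-security-mode", ""), "message_signing"),
        "ms17_010": field(scripts.get("smb-vuln-ms17-010", ""), "State") or "not reported",
    }
    f["severity"] = severity(f)
    return f


def triage(nmap_text: str) -> List[Dict[str, object]]:
    """Parse every host in the scan and order the findings by severity."""
    findings = [parse_host(addr, body) for addr, body in split_hosts(nmap_text)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def render(findings: List[Dict[str, object]]) -> str:
    return "\n".join(
        f"[{f['severity'].upper():8}] {f['host']} ({f['computer_name'] or 'unknown'}): "
        f"ms17-010={f['ms17_010']}, signing={f['signing']}, guest_session={f['guest_session']}"
        for f in findings
    )


if __name__ == "__main__":
    print(render(triage(SAMPLE_NMAP_OUTPUT)))
```

Run it against a saved `nmap -oN` file instead of the embedded sample to get a ranked list; the "medium" tier deliberately catches hosts that are patched for MS17-010 but still expose unsigned SMB or guest sessions, since those are the conditions the enumeration in this post relied on.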
Disclaimer: I'll be the bearer of bittersweet news here and tell you that if you're using HTB's pwnbox, a lot of these exploits won't work even if you try to install the necessary python2 dependencies for them. I was able to execute this on a relatively untouched Kali image with minimal changes, so if you're trying to perform this non-metasploit route, I recommend using a VM and a VPN connection to HTB's infrastructure.
You can use searchsploit to search for exploits that target this vulnerability:
Additionally, Googling for GitHub exploits against MS17-010 gives you solid results. In this instance we're going to use the exploit highlighted in the image below:
Clone this GitHub repo to your Kali VM.
Next, craft a payload with msfvenom that connects back to your Kali VM:
Next, edit the zzz_exploit.py file so that the username value is "guest" and modify the smb_pwn function to reflect the image below:
The first line in the red box should point to where your payload is stored on your Kali VM.
Now all we need to do is set up a netcat listener and run the exploit, pointing it at a named pipe:
Check your listener:
Technically, you can create a meterpreter payload and use a meterpreter listener as opposed to a shell payload and a netcat listener. This still avoids using the metasploit exploit for this vulnerability and offers you the msf interface for handling the shell session.
I'd be lying if I told you this worked smoothly the first time. Based on those frustrating experiences, I offer you some troubleshooting questions that may help ameliorate your troubles:
Is your payload configured correctly? Are you using the right payload/shell type (i.e. windows/shell_reverse_tcp for a netcat listener vs. windows/meterpreter/reverse_tcp for a meterpreter listener)?
Did you update the exploit code properly? Did you add the lines for your payload, and do they point accurately at where your payload is hosted?
If the above is all sound, make sure you update the exploit code between reruns. It will not work if a file already exists on the endpoint named "exploit.exe" from the first time you ran it. Go ahead and rename it "exploit1.exe" and reattempt. Too many unsuccessful attempts and you might as well revert the box, which doesn't cause you any losses and gives you a clean slate to work with.
Worawit's Github Repo: https://github.com/worawit/MS17-010
Null-Byte MS17-010 Manual Exploitation with 42315: https://null-byte.wonderhowto.com/how-to/manually-exploit-eternalblue-windows-server-using-ms17-010-python-exploit-0195414/
3ndG4me's AutoBlue Exploit: https://github.com/3ndG4me/AutoBlue-MS17-010
HackTricks Pentesting SMB: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb
Other Cool Resources on the Eternal Suite:
zerosum0x0's DEFCON26 talk on reverse engineering the ETERNAL exploits: https://www.youtube.com/watch?v=HsievGJQG0w
WIRED article on the "leaked NSA spy tool that hacked the world": https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/
Mandiant article on WannaCry's use of EternalBlue: https://www.mandiant.com/resources/blog/smb-exploited-wannacry-use-of-eternalblue
TrendMicro article on mapping the use of EternalBlue: https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/putting-the-eternal-in-eternalblue-mapping-the-use-of-the-infamous-exploit
Lucideus' writeup on the ETERNAL exploit suite: https://medium.com/@lucideus/the-eternal-exploitation-bible-lucideus-research-20e3ed541d4