HTB Legacy [Hack The Box HTB Lab] Writeup Series 2

This article is a writeup of the Legacy machine in the Hack The Box lab. It covers port scanning, the Samba/SMB service and exploitation of the MS17-010 "EternalBlue" vulnerability. The port scan shows ports 139 and 445 open and confirms that the target runs Windows XP. EternalBlue is then used to obtain the flag.

This is the second of the Retired Machines. The earlier boxes are all fairly simple and serve mostly as warm-up training: find the right entry point and you are done.

Contents

0x00 Lab introduction

0x01 Port scan

0x02 Samba service

0x03 EternalBlue


0x00 Lab introduction

Legacy is a Windows box; the machines we used on Vulnhub before were almost all Linux. So let's see what this box looks like.

First, the machine's details:

0x01 Port scan

Next, run a port scan to see which services are open:

root@kali:~# nmap -T5 -A -v 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-31 20:12 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Initiating Ping Scan at 20:12
Scanning 10.10.10.4 [4 ports]
Completed Ping Scan at 20:12, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:12
Completed Parallel DNS resolution of 1 host. at 20:12, 0.10s elapsed
Initiating SYN Stealth Scan at 20:12
Scanning 10.10.10.4 [1000 ports]
Discovered open port 139/tcp on 10.10.10.4
Discovered open port 445/tcp on 10.10.10.4
Completed SYN Stealth Scan at 20:13, 26.88s elapsed (1000 total ports)
Initiating Service scan at 20:13
Scanning 2 services on 10.10.10.4
Completed Service scan at 20:13, 7.32s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.4
Retrying OS detection (try #2) against 10.10.10.4
Initiating Traceroute at 20:13
Completed Traceroute at 20:13, 0.46s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:13
Completed Parallel DNS resolution of 2 hosts. at 20:13, 0.42s elapsed
NSE: Script scanning 10.10.10.4.
Initiating NSE at 20:13
Completed NSE at 20:14, 52.52s elapsed
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Nmap scan report for 10.10.10.4
Host is up (0.37s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows 2003 SP2 (90%), Microsoft Windows Server 2003 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h58m22s, deviation: 1h24m50s, median: 4d23h58m22s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:4e:64 (VMware)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-02-06T05:11:41+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   442.76 ms 10.10.14.1
2   442.94 ms 10.10.10.4

NSE: Script Post-scanning.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.82 seconds
           Raw packets sent: 3081 (138.976KB) | Rcvd: 56 (3.072KB)

0x02 Samba service

We can see that only ports 139 and 445 are open, and the operating system is Windows XP.
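As an added defender-side example (not part of the original writeup), the Python below triages an nmap report like the one above and flags the conditions that make this host risky: SMB reachable, an end-of-life OS, SMB signing disabled and no SMB2 negotiation. The report excerpt is constructed from the scan output shown above, and `triage_smb` is a hypothetical helper, not an nmap or HTB tool.

```python
import re

# Constructed excerpt of the nmap -A report shown above (not a live scan).
NMAP_REPORT = """\
Nmap scan report for 10.10.10.4
Host is up (0.37s latency).
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
| smb-security-mode: 
|   message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# Only lines whose state is "open" count; "closed" 3389 above is ignored.
OPEN_PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)
# The smb-os-discovery OS line, e.g. "|   OS: Windows XP (...)".
OS_LINE_RE = re.compile(r"^\|\s+OS: (.+)$", re.M)


def triage_smb(report: str) -> dict:
    """Summarise the SMB exposure of one host from its nmap report text."""
    open_ports = {int(m.group(1)): m.group(2) for m in OPEN_PORT_RE.finditer(report)}
    os_match = OS_LINE_RE.search(report)
    os_name = os_match.group(1).strip() if os_match else "unknown"
    findings = []
    if 139 in open_ports or 445 in open_ports:
        findings.append("smb-exposed")
    if os_name.startswith("Windows XP"):
        findings.append("eol-os")  # XP left vendor support in April 2014
    if "message_signing: disabled" in report:
        findings.append("smb-signing-disabled")  # relay/tampering risk
    if "Protocol negotiation failed (SMB2)" in report:
        findings.append("smb1-only")  # only the legacy SMB1 dialect is offered
    # Rating: SMB on an unsupported or SMB1-only host is the worst case.
    if "smb-exposed" in findings and ("eol-os" in findings or "smb1-only" in findings):
        severity = "critical"
    elif "smb-exposed" in findings:
        severity = "high" if "smb-signing-disabled" in findings else "medium"
    else:
        severity = "info"
    return {"os": os_name, "open_ports": open_ports,
            "findings": findings, "severity": severity}


if __name__ == "__main__":
    print(triage_smb(NMAP_REPORT))
```

A host rated "critical" here is one to isolate and patch or decommission first; the same check can be run over every per-host section of a larger scan.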

There should be plenty of vulnerabilities to choose from; here is a quick demonstration of how to look them up:

root@kali:~# searchsploit smb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                                                                         