简介

靶机名称：Zero

难度：简单

靶场地址：https://hackmyvm.eu/machines/machine.php?vm=Zero

本地环境

虚拟机：vitual box

靶场IP（Zero）：未知

windows_IP：192.168.130.158

kali_IP：192.168.130.166

扫描

nmap起手，先来个ping探活

nmap -sn 192.168.130.0/24 -oA nmapscan/ip;ips=$(cat ./nmapscan/ip.nmap | grep -oP '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}');echo $ips >> ./nmapscan/ips_ping; 

Nmap scan report for OpenWrt.lan (192.168.130.1) Host is up (0.00049s latency). Nmap scan report for Pixel-4.lan (192.168.130.111) Host is up (0.17s latency). Nmap scan report for Redmi-K50.lan (192.168.130.139) Host is up (0.069s latency). Nmap scan report for DESKTOP-UDQONDB.lan (192.168.130.158) Host is up (0.00043s latency). Nmap scan report for kali.lan (192.168.130.166) Host is up (0.00023s latency). Nmap scan report for Koishi.lan (192.168.130.168) Host is up (0.089s latency). Nmap done: 256 IP addresses (6 hosts up) scanned in 4.07 seconds 

先说结论，虽然出现很多ip，但都是我自己的设备。假设DHCP运行正常的情况下，服务器应该是禁ping了。

那就转为fscan扫描。因为已知这次目标是windows靶场，所以定个135端口就够了。

fscan -h 192.168.130.0/24 -p 135 -nopoc -nobr -np 

   ___                              _   / _ \     ___  ___ _ __ __ _  ___| | __  / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__|   < \____/     |___/\___|_|  \__,_|\___|_|\_\                      fscan version: 1.8.4 start infoscan 192.168.130.158:135 open 192.168.130.161:135 open 192.168.130.57:135 open [*] alive ports len is: 3 start vulscan [*] NetInfo [*]192.168.130.57    [->]DC01    [->]192.168.130.57    [->]fd67:3953:fc60:0:6187:1b6:c5c8:182    [->]2001:0:34f1:8072:47d:1ef5:3f57:7dc6 已完成 3/3 [*] 扫描结束,耗时: 3.069453191s 

得知ip后再用nmap进行精扫

nmap -sT -p0- -Pn 192.168.130.57 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;  sudo nmap -Pn --min-rate=10000 -sT -sV -sC -O -p$ports 192.168.130.57/32 -oA nmapscan/detail 

PORT      STATE SERVICE      VERSION 53/tcp    open  domain? 88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-02 14:27:18Z) 135/tcp   open  msrpc        Microsoft Windows RPC 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn 389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name) 445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO) 464/tcp   open  kpasswd5? 593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 636/tcp   open  tcpwrapped 3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name) 3269/tcp  open  tcpwrapped 5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp  open  mc-nmf       .NET Message Framing 49666/tcp open  msrpc        Microsoft Windows RPC 49667/tcp open  msrpc        Microsoft Windows RPC 49670/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 49671/tcp open  msrpc        Microsoft Windows RPC 49693/tcp open  msrpc        Microsoft Windows RPC 49723/tcp open  msrpc        Microsoft Windows RPC MAC Address: 08:00:27:37:AF:AA (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone Running (JUST GUESSING): Microsoft Windows 2016|2012|2022|10|Phone|Vista|2008|7 (95%) OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_10:1607 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7 Aggressive OS guesses: Microsoft Windows Server 2016 (95%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 10 1607 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows  Host script results: | smb2-time: |   date: 2024-08-02T14:29:37 |_  start_date: 2024-08-02T14:14:44 | smb-os-discovery: |   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3) |   Computer name: DC01 |   NetBIOS computer name: DC01\x00 |   Domain name: zero.hmv |   Forest name: zero.hmv |   FQDN: DC01.zero.hmv |_  System time: 2024-08-02T07:29:37-07:00 |_clock-skew: mean: 17h19m52s, deviation: 4h02m29s, median: 14h59m51s | smb-security-mode: |   account_used: guest |   authentication_level: user |   challenge_response: supported |_  message_signing: required | smb2-security-mode: |   3:1:1: |_    Message signing enabled and required |_nbstat: NetBIOS name: DC01, NetBIOS user: , NetBIOS MAC: 08:00:27:37:af:aa (Oracle VirtualBox virtual NIC)  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 186.34 seconds 

smb扫描

enum4linux起手

enum4linux-ng -A 192.168.130.57 -C -oY enum-ng.txt 

 enum4linux-ng -A 192.168.130.57 -C -oY enum-ng.txt ENUM4LINUX - next generation (v1.3.3)   ========================== |    Target Information    |  ========================== [*] Target ........... 192.168.130.57 [*] Username ......... '' [*] Random Username .. 'mxrurerq' [*] Password ......... '' [*] Timeout .......... 5 second(s)   ======================================= |    Listener Scan on 192.168.130.57    |  ======================================= [*] Checking LDAP [+] LDAP is accessible on 389/tcp [*] Checking LDAPS [+] LDAPS is accessible on 636/tcp [*] Checking SMB [+] SMB is accessible on 445/tcp [*] Checking SMB over NetBIOS [+] SMB over NetBIOS is accessible on 139/tcp   ====================================================== |    Domain Information via LDAP for 192.168.130.57    |  ====================================================== [*] Trying LDAP [+] Appears to be root/parent DC [+] Long domain name is: zero.hmv   ============================================================= |    NetBIOS Names and Workgroup/Domain for 192.168.130.57    |  ============================================================= [+] Got domain/workgroup name: ZERO [+] Full NetBIOS names information: - DC01            <00> -         B   Workstation Service - ZERO            <00> -  B   Domain/Workgroup Name - ZERO            <1c> -  B   Domain Controllers - DC01            <20> -         B   File Server Service - ZERO            <1b> -         B   Domain Master Browser - MAC Address = 08-00-27-37-AF-AA   =========================================== |    SMB Dialect Check on 192.168.130.57    |  =========================================== [*] Trying on 445/tcp [+] Supported dialects and settings: Supported dialects:   SMB 1.0: true   SMB 2.02: true   SMB 2.1: true   SMB 3.0: true   SMB 3.1.1: true Preferred dialect: SMB 3.0 SMB1 only: false SMB signing required: true   ============================================================= |    Domain Information via SMB session for 192.168.130.57    |  ============================================================= [*] Enumerating via unauthenticated SMB session on 445/tcp [+] Found domain information via SMB NetBIOS computer name: DC01 NetBIOS domain name: ZERO DNS domain: zero.hmv FQDN: DC01.zero.hmv Derived membership: domain member Derived domain: ZERO   =========================================== |    RPC Session Check on 192.168.130.57    |  =========================================== [*] Check for null session [+] Server allows session using username '', password '' [*] Check for random user [-] Could not establish random user session: STATUS_LOGON_FAILURE   ===================================================== |    Domain Information via RPC for 192.168.130.57    |  ===================================================== [+] Domain: ZERO [+] Domain SID: S-1-5-21-1428058843-2653557213-3178474120 [+] Membership: domain member   ================================================= |    OS Information via RPC for 192.168.130.57    |  ================================================= [*] Enumerating via unauthenticated SMB session on 445/tcp [+] Found OS information via SMB [*] Enumerating via 'srvinfo' [-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED [+] After merging OS information we have the following result: OS: Windows Server 2016 Standard Evaluation 14393 OS version: '10.0' OS release: '1607' OS build: '14393' Native OS: Windows Server 2016 Standard Evaluation 14393 Native LAN manager: Windows Server 2016 Standard Evaluation 6.3 Platform id: null Server type: null Server type string: null   ======================================= |    Users via RPC on 192.168.130.57    |  ======================================= [*] Enumerating users via 'querydispinfo' [-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED [*] Enumerating users via 'enumdomusers' [-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED   ======================================== |    Groups via RPC on 192.168.130.57    |  ======================================== [*] Enumerating local groups [-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED [*] Enumerating builtin groups [-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED [*] Enumerating domain groups [-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED   ========================================== |    Services via RPC on 192.168.130.57    |  ========================================== [-] Could not get RPC services via 'net rpc service list': STATUS_ACCESS_DENIED   ======================================== |    Shares via RPC on 192.168.130.57    |  ======================================== [*] Enumerating shares [+] Found 0 share(s) for user '' with password '', try a different user   =========================================== |    Policies via RPC for 192.168.130.57    |  =========================================== [*] Trying port 445/tcp [-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED [*] Trying port 139/tcp [-] SMB connection error on port 139/tcp: session failed   =========================================== |    Printers via RPC for 192.168.130.57    |  =========================================== [-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED  Completed after 0.29 seconds 

发现靶机开着稀罕的smb v1，而且系统还不是很新

试试打个RCE

ms17_010

msf启动

需要注意，永恒之蓝漏洞也分多种利用方式。至少第0个我是用不了的

而且可以看出作者刻意对该poc的默认参数进行了回避，比如回连端口、payload上传方式等都需要变动一下才能成功弹到shell

永恒之蓝进来就是system权限，直接游戏结束