zero - hackmyvm
创始人
2024-11-11 11:10:34
0

简介

靶机名称:Zero

难度:简单

靶场地址:https://hackmyvm.eu/machines/machine.php?vm=Zero

本地环境

虚拟机:vitual box

靶场IP(Zero):未知

windows_IP:192.168.130.158

kali_IP:192.168.130.166

扫描

nmap起手,先来个ping探活

nmap -sn 192.168.130.0/24 -oA nmapscan/ip;ips=$(cat ./nmapscan/ip.nmap | grep -oP '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}');echo $ips >> ./nmapscan/ips_ping; 
Nmap scan report for OpenWrt.lan (192.168.130.1) Host is up (0.00049s latency). Nmap scan report for Pixel-4.lan (192.168.130.111) Host is up (0.17s latency). Nmap scan report for Redmi-K50.lan (192.168.130.139) Host is up (0.069s latency). Nmap scan report for DESKTOP-UDQONDB.lan (192.168.130.158) Host is up (0.00043s latency). Nmap scan report for kali.lan (192.168.130.166) Host is up (0.00023s latency). Nmap scan report for Koishi.lan (192.168.130.168) Host is up (0.089s latency). Nmap done: 256 IP addresses (6 hosts up) scanned in 4.07 seconds

先说结论,虽然出现很多ip,但都是我自己的设备。假设DHCP运行正常的情况下,服务器应该是禁ping了。

那就转为fscan扫描。因为已知这次目标是windows靶场,所以定个135端口就够了。

fscan -h 192.168.130.0/24 -p 135 -nopoc -nobr -np 
   ___                              _   / _ \     ___  ___ _ __ __ _  ___| | __  / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__|   < \____/     |___/\___|_|  \__,_|\___|_|\_\                      fscan version: 1.8.4 start infoscan 192.168.130.158:135 open 192.168.130.161:135 open 192.168.130.57:135 open [*] alive ports len is: 3 start vulscan [*] NetInfo [*]192.168.130.57    [->]DC01    [->]192.168.130.57    [->]fd67:3953:fc60:0:6187:1b6:c5c8:182    [->]2001:0:34f1:8072:47d:1ef5:3f57:7dc6 已完成 3/3 [*] 扫描结束,耗时: 3.069453191s

得知ip后再用nmap进行精扫

nmap -sT -p0- -Pn 192.168.130.57 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;  sudo nmap -Pn --min-rate=10000 -sT -sV -sC -O -p$ports 192.168.130.57/32 -oA nmapscan/detail 
PORT      STATE SERVICE      VERSION 53/tcp    open  domain? 88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-02 14:27:18Z) 135/tcp   open  msrpc        Microsoft Windows RPC 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn 389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name) 445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO) 464/tcp   open  kpasswd5? 593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 636/tcp   open  tcpwrapped 3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name) 3269/tcp  open  tcpwrapped 5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp  open  mc-nmf       .NET Message Framing 49666/tcp open  msrpc        Microsoft Windows RPC 49667/tcp open  msrpc        Microsoft Windows RPC 49670/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 49671/tcp open  msrpc        Microsoft Windows RPC 49693/tcp open  msrpc        Microsoft Windows RPC 49723/tcp open  msrpc        Microsoft Windows RPC MAC Address: 08:00:27:37:AF:AA (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone Running (JUST GUESSING): Microsoft Windows 2016|2012|2022|10|Phone|Vista|2008|7 (95%) OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_10:1607 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7 Aggressive OS guesses: Microsoft Windows Server 2016 (95%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 10 1607 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows  Host script results: | smb2-time: |   date: 2024-08-02T14:29:37 |_  start_date: 2024-08-02T14:14:44 | smb-os-discovery: |   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3) |   Computer name: DC01 |   NetBIOS computer name: DC01\x00 |   Domain name: zero.hmv |   Forest name: zero.hmv |   FQDN: DC01.zero.hmv |_  System time: 2024-08-02T07:29:37-07:00 |_clock-skew: mean: 17h19m52s, deviation: 4h02m29s, median: 14h59m51s | smb-security-mode: |   account_used: guest |   authentication_level: user |   challenge_response: supported |_  message_signing: required | smb2-security-mode: |   3:1:1: |_    Message signing enabled and required |_nbstat: NetBIOS name: DC01, NetBIOS user: , NetBIOS MAC: 08:00:27:37:af:aa (Oracle VirtualBox virtual NIC)  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 186.34 seconds

smb扫描

enum4linux起手

enum4linux-ng -A 192.168.130.57 -C -oY enum-ng.txt 
 enum4linux-ng -A 192.168.130.57 -C -oY enum-ng.txt ENUM4LINUX - next generation (v1.3.3)   ========================== |    Target Information    |  ========================== [*] Target ........... 192.168.130.57 [*] Username ......... '' [*] Random Username .. 'mxrurerq' [*] Password ......... '' [*] Timeout .......... 5 second(s)   ======================================= |    Listener Scan on 192.168.130.57    |  ======================================= [*] Checking LDAP [+] LDAP is accessible on 389/tcp [*] Checking LDAPS [+] LDAPS is accessible on 636/tcp [*] Checking SMB [+] SMB is accessible on 445/tcp [*] Checking SMB over NetBIOS [+] SMB over NetBIOS is accessible on 139/tcp   ====================================================== |    Domain Information via LDAP for 192.168.130.57    |  ====================================================== [*] Trying LDAP [+] Appears to be root/parent DC [+] Long domain name is: zero.hmv   ============================================================= |    NetBIOS Names and Workgroup/Domain for 192.168.130.57    |  ============================================================= [+] Got domain/workgroup name: ZERO [+] Full NetBIOS names information: - DC01            <00> -         B   Workstation Service - ZERO            <00> -  B   Domain/Workgroup Name - ZERO            <1c> -  B   Domain Controllers - DC01            <20> -         B   File Server Service - ZERO            <1b> -         B   Domain Master Browser - MAC Address = 08-00-27-37-AF-AA   =========================================== |    SMB Dialect Check on 192.168.130.57    |  =========================================== [*] Trying on 445/tcp [+] Supported dialects and settings: Supported dialects:   SMB 1.0: true   SMB 2.02: true   SMB 2.1: true   SMB 3.0: true   SMB 3.1.1: true Preferred dialect: SMB 3.0 SMB1 only: false SMB signing required: true   ============================================================= |    Domain Information via SMB session for 192.168.130.57    |  ============================================================= [*] Enumerating via unauthenticated SMB session on 445/tcp [+] Found domain information via SMB NetBIOS computer name: DC01 NetBIOS domain name: ZERO DNS domain: zero.hmv FQDN: DC01.zero.hmv Derived membership: domain member Derived domain: ZERO   =========================================== |    RPC Session Check on 192.168.130.57    |  =========================================== [*] Check for null session [+] Server allows session using username '', password '' [*] Check for random user [-] Could not establish random user session: STATUS_LOGON_FAILURE   ===================================================== |    Domain Information via RPC for 192.168.130.57    |  ===================================================== [+] Domain: ZERO [+] Domain SID: S-1-5-21-1428058843-2653557213-3178474120 [+] Membership: domain member   ================================================= |    OS Information via RPC for 192.168.130.57    |  ================================================= [*] Enumerating via unauthenticated SMB session on 445/tcp [+] Found OS information via SMB [*] Enumerating via 'srvinfo' [-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED [+] After merging OS information we have the following result: OS: Windows Server 2016 Standard Evaluation 14393 OS version: '10.0' OS release: '1607' OS build: '14393' Native OS: Windows Server 2016 Standard Evaluation 14393 Native LAN manager: Windows Server 2016 Standard Evaluation 6.3 Platform id: null Server type: null Server type string: null   ======================================= |    Users via RPC on 192.168.130.57    |  ======================================= [*] Enumerating users via 'querydispinfo' [-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED [*] Enumerating users via 'enumdomusers' [-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED   ======================================== |    Groups via RPC on 192.168.130.57    |  ======================================== [*] Enumerating local groups [-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED [*] Enumerating builtin groups [-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED [*] Enumerating domain groups [-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED   ========================================== |    Services via RPC on 192.168.130.57    |  ========================================== [-] Could not get RPC services via 'net rpc service list': STATUS_ACCESS_DENIED   ======================================== |    Shares via RPC on 192.168.130.57    |  ======================================== [*] Enumerating shares [+] Found 0 share(s) for user '' with password '', try a different user   =========================================== |    Policies via RPC for 192.168.130.57    |  =========================================== [*] Trying port 445/tcp [-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED [*] Trying port 139/tcp [-] SMB connection error on port 139/tcp: session failed   =========================================== |    Printers via RPC for 192.168.130.57    |  =========================================== [-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED  Completed after 0.29 seconds

发现靶机开着稀罕的smb v1,而且系统还不是很新

试试打个RCE

ms17_010

msf启动

需要注意,永恒之蓝漏洞也分多种利用方式。至少第0个我是用不了的

image-20240802165355647

而且可以看出作者刻意对该poc的默认参数进行了回避,比如回连端口、payload上传方式等都需要变动一下才能成功弹到shell

image-20240802165923822

永恒之蓝进来就是system权限,直接游戏结束

image-20240802170222589

上一篇:使用 宝塔面板 部署 springboot 和 vue

下一篇:设计模式实战:任务调度系统的设计与实现

相关内容

热门资讯

四分钟辅助!wpk可以作弊吗(... 四分钟辅助!wpk可以作弊吗(透视辅助)详细辅助挂(竟然是有挂);1、下载好辅助软件之后点击打开,先...
二分钟辅助插件!wpk透视插件... 二分钟辅助插件!wpk透视插件(透视辅助)详细辅助方法(确实是有挂)1、每一步都需要思考,不同水平的...
三分钟辅助!wpk是真的还是假... 三分钟辅助!wpk是真的还是假的,wpk安卓下载辅助,详细教程(有挂系统);1、首先打开wpk安卓下...
十分钟俱乐部!wpk是真的还是... 十分钟俱乐部!wpk是真的还是假的,wpk真吗,详细教程(有挂黑科技);1、很好的工具软件,可以解锁...
6分钟透视辅助!wpk有辅助器... 6分钟透视辅助!wpk有辅助器吗(透视辅助)详细辅助挂(果然有挂)1、系统规律教程、辅助透视等服务,...
7分钟系统!wpk模拟器(透视... 7分钟系统!wpk模拟器(透视辅助)详细辅助免费(原来有挂)1、完成wpk模拟器透视辅助安装,帮助玩...
十分钟辅助软件!wpk软件是真... 十分钟辅助软件!wpk软件是真的吗(透视辅助)详细辅助俱乐部(总是是有挂)1、实时开挂更新:用户可以...
8分钟是真的!wpk透视辅助方... 8分钟是真的!wpk透视辅助方法(透视辅助)详细辅助免费(原来真的有挂)1、这是跨平台的wpk透视辅...
四分钟脚本!wpk作弊,wpk... 四分钟脚本!wpk作弊,wpk刷入池率脚本,详细教程(有挂下载);1、这是跨平台的wpk刷入池率脚本...
6分钟安卓下载!wpk免费辅助... 6分钟安卓下载!wpk免费辅助,wpk辅助哪里买,详细教程(有挂技巧)1、构建自己的wpk免费辅助辅...