zero - hackmyvm
创始人
2024-11-11 11:10:34
0

简介

靶机名称:Zero

难度:简单

靶场地址:https://hackmyvm.eu/machines/machine.php?vm=Zero

本地环境

虚拟机:vitual box

靶场IP(Zero):未知

windows_IP:192.168.130.158

kali_IP:192.168.130.166

扫描

nmap起手,先来个ping探活

nmap -sn 192.168.130.0/24 -oA nmapscan/ip;ips=$(cat ./nmapscan/ip.nmap | grep -oP '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}');echo $ips >> ./nmapscan/ips_ping; 
Nmap scan report for OpenWrt.lan (192.168.130.1) Host is up (0.00049s latency). Nmap scan report for Pixel-4.lan (192.168.130.111) Host is up (0.17s latency). Nmap scan report for Redmi-K50.lan (192.168.130.139) Host is up (0.069s latency). Nmap scan report for DESKTOP-UDQONDB.lan (192.168.130.158) Host is up (0.00043s latency). Nmap scan report for kali.lan (192.168.130.166) Host is up (0.00023s latency). Nmap scan report for Koishi.lan (192.168.130.168) Host is up (0.089s latency). Nmap done: 256 IP addresses (6 hosts up) scanned in 4.07 seconds 

先说结论,虽然出现很多ip,但都是我自己的设备。假设DHCP运行正常的情况下,服务器应该是禁ping了。

那就转为fscan扫描。因为已知这次目标是windows靶场,所以定个135端口就够了。

fscan -h 192.168.130.0/24 -p 135 -nopoc -nobr -np 
   ___                              _   / _ \     ___  ___ _ __ __ _  ___| | __  / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__|   < \____/     |___/\___|_|  \__,_|\___|_|\_\                      fscan version: 1.8.4 start infoscan 192.168.130.158:135 open 192.168.130.161:135 open 192.168.130.57:135 open [*] alive ports len is: 3 start vulscan [*] NetInfo [*]192.168.130.57    [->]DC01    [->]192.168.130.57    [->]fd67:3953:fc60:0:6187:1b6:c5c8:182    [->]2001:0:34f1:8072:47d:1ef5:3f57:7dc6 已完成 3/3 [*] 扫描结束,耗时: 3.069453191s 

得知ip后再用nmap进行精扫

nmap -sT -p0- -Pn 192.168.130.57 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;  sudo nmap -Pn --min-rate=10000 -sT -sV -sC -O -p$ports 192.168.130.57/32 -oA nmapscan/detail 
PORT      STATE SERVICE      VERSION 53/tcp    open  domain? 88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-02 14:27:18Z) 135/tcp   open  msrpc        Microsoft Windows RPC 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn 389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name) 445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO) 464/tcp   open  kpasswd5? 593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 636/tcp   open  tcpwrapped 3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name) 3269/tcp  open  tcpwrapped 5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp  open  mc-nmf       .NET Message Framing 49666/tcp open  msrpc        Microsoft Windows RPC 49667/tcp open  msrpc        Microsoft Windows RPC 49670/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 49671/tcp open  msrpc        Microsoft Windows RPC 49693/tcp open  msrpc        Microsoft Windows RPC 49723/tcp open  msrpc        Microsoft Windows RPC MAC Address: 08:00:27:37:AF:AA (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone Running (JUST GUESSING): Microsoft Windows 2016|2012|2022|10|Phone|Vista|2008|7 (95%) OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_10:1607 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7 Aggressive OS guesses: Microsoft Windows Server 2016 (95%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 10 1607 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows  Host script results: | smb2-time: |   date: 2024-08-02T14:29:37 |_  start_date: 2024-08-02T14:14:44 | smb-os-discovery: |   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3) |   Computer name: DC01 |   NetBIOS computer name: DC01\x00 |   Domain name: zero.hmv |   Forest name: zero.hmv |   FQDN: DC01.zero.hmv |_  System time: 2024-08-02T07:29:37-07:00 |_clock-skew: mean: 17h19m52s, deviation: 4h02m29s, median: 14h59m51s | smb-security-mode: |   account_used: guest |   authentication_level: user |   challenge_response: supported |_  message_signing: required | smb2-security-mode: |   3:1:1: |_    Message signing enabled and required |_nbstat: NetBIOS name: DC01, NetBIOS user: , NetBIOS MAC: 08:00:27:37:af:aa (Oracle VirtualBox virtual NIC)  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 186.34 seconds 

smb扫描

enum4linux起手

enum4linux-ng -A 192.168.130.57 -C -oY enum-ng.txt 
 enum4linux-ng -A 192.168.130.57 -C -oY enum-ng.txt ENUM4LINUX - next generation (v1.3.3)   ========================== |    Target Information    |  ========================== [*] Target ........... 192.168.130.57 [*] Username ......... '' [*] Random Username .. 'mxrurerq' [*] Password ......... '' [*] Timeout .......... 5 second(s)   ======================================= |    Listener Scan on 192.168.130.57    |  ======================================= [*] Checking LDAP [+] LDAP is accessible on 389/tcp [*] Checking LDAPS [+] LDAPS is accessible on 636/tcp [*] Checking SMB [+] SMB is accessible on 445/tcp [*] Checking SMB over NetBIOS [+] SMB over NetBIOS is accessible on 139/tcp   ====================================================== |    Domain Information via LDAP for 192.168.130.57    |  ====================================================== [*] Trying LDAP [+] Appears to be root/parent DC [+] Long domain name is: zero.hmv   ============================================================= |    NetBIOS Names and Workgroup/Domain for 192.168.130.57    |  ============================================================= [+] Got domain/workgroup name: ZERO [+] Full NetBIOS names information: - DC01            <00> -         B   Workstation Service - ZERO            <00> -  B   Domain/Workgroup Name - ZERO            <1c> -  B   Domain Controllers - DC01            <20> -         B   File Server Service - ZERO            <1b> -         B   Domain Master Browser - MAC Address = 08-00-27-37-AF-AA   =========================================== |    SMB Dialect Check on 192.168.130.57    |  =========================================== [*] Trying on 445/tcp [+] Supported dialects and settings: Supported dialects:   SMB 1.0: true   SMB 2.02: true   SMB 2.1: true   SMB 3.0: true   SMB 3.1.1: true Preferred dialect: SMB 3.0 SMB1 only: false SMB signing required: true   ============================================================= |    Domain Information via SMB session for 192.168.130.57    |  ============================================================= [*] Enumerating via unauthenticated SMB session on 445/tcp [+] Found domain information via SMB NetBIOS computer name: DC01 NetBIOS domain name: ZERO DNS domain: zero.hmv FQDN: DC01.zero.hmv Derived membership: domain member Derived domain: ZERO   =========================================== |    RPC Session Check on 192.168.130.57    |  =========================================== [*] Check for null session [+] Server allows session using username '', password '' [*] Check for random user [-] Could not establish random user session: STATUS_LOGON_FAILURE   ===================================================== |    Domain Information via RPC for 192.168.130.57    |  ===================================================== [+] Domain: ZERO [+] Domain SID: S-1-5-21-1428058843-2653557213-3178474120 [+] Membership: domain member   ================================================= |    OS Information via RPC for 192.168.130.57    |  ================================================= [*] Enumerating via unauthenticated SMB session on 445/tcp [+] Found OS information via SMB [*] Enumerating via 'srvinfo' [-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED [+] After merging OS information we have the following result: OS: Windows Server 2016 Standard Evaluation 14393 OS version: '10.0' OS release: '1607' OS build: '14393' Native OS: Windows Server 2016 Standard Evaluation 14393 Native LAN manager: Windows Server 2016 Standard Evaluation 6.3 Platform id: null Server type: null Server type string: null   ======================================= |    Users via RPC on 192.168.130.57    |  ======================================= [*] Enumerating users via 'querydispinfo' [-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED [*] Enumerating users via 'enumdomusers' [-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED   ======================================== |    Groups via RPC on 192.168.130.57    |  ======================================== [*] Enumerating local groups [-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED [*] Enumerating builtin groups [-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED [*] Enumerating domain groups [-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED   ========================================== |    Services via RPC on 192.168.130.57    |  ========================================== [-] Could not get RPC services via 'net rpc service list': STATUS_ACCESS_DENIED   ======================================== |    Shares via RPC on 192.168.130.57    |  ======================================== [*] Enumerating shares [+] Found 0 share(s) for user '' with password '', try a different user   =========================================== |    Policies via RPC for 192.168.130.57    |  =========================================== [*] Trying port 445/tcp [-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED [*] Trying port 139/tcp [-] SMB connection error on port 139/tcp: session failed   =========================================== |    Printers via RPC for 192.168.130.57    |  =========================================== [-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED  Completed after 0.29 seconds 

发现靶机开着稀罕的smb v1,而且系统还不是很新

试试打个RCE

ms17_010

msf启动

需要注意,永恒之蓝漏洞也分多种利用方式。至少第0个我是用不了的

image-20240802165355647

而且可以看出作者刻意对该poc的默认参数进行了回避,比如回连端口、payload上传方式等都需要变动一下才能成功弹到shell

image-20240802165923822

永恒之蓝进来就是system权限,直接游戏结束

image-20240802170222589

相关内容

热门资讯

绝活儿辅助!广西老友玩老是输怎... 绝活儿辅助!广西老友玩老是输怎么办(辅助挂)都是真的有辅助app(讲解有挂)在进入广西老友玩老是输怎...
法门辅助!福建13水插件(辅助... 法门辅助!福建13水插件(辅助挂)一贯是有辅助技巧(有挂技术)1、许多玩家不知道福建13水插件辅助怎...
办法辅助!潮友会app下载官方... 办法辅助!潮友会app下载官方辅助器(辅助挂)真是真的是有辅助app(有挂教程)该软件可以轻松地帮助...
妙招辅助!邯郸胡乐挂辅助(辅助... 妙招辅助!邯郸胡乐挂辅助(辅助挂)好像存在有辅助插件(有挂方略)1、上手简单,内置详细流程视频教学,...
教程书辅助!乐酷辅助(辅助挂)... 教程书辅助!乐酷辅助(辅助挂)其实存在有辅助脚本(有挂细节)乐酷辅助能透视中分为三种模型:乐酷辅助模...
学习辅助!决战卡五星辅助(辅助... 学习辅助!决战卡五星辅助(辅助挂)本来真的是有辅助软件(有人有挂)学习辅助!决战卡五星辅助(辅助挂)...
绝活辅助!边锋嘉兴麻将辅助器(... 绝活辅助!边锋嘉兴麻将辅助器(辅助挂)真是真的有辅助神器(新版有挂)1、边锋嘉兴麻将辅助器公共底牌简...
举措辅助!枫叶辅助器(辅助挂)... 举措辅助!枫叶辅助器(辅助挂)本来存在有辅助技巧(竟然有挂)1、下载好枫叶辅助器正确养号方法之后点击...
讲义辅助!点我达辅助(辅助挂)... 讲义辅助!点我达辅助(辅助挂)一直存在有辅助技巧(有人有挂)1、点我达辅助辅助器安装包、点我达辅助辅...
模块辅助!威信茶馆有挂的吗(辅... 模块辅助!威信茶馆有挂的吗(辅助挂)一直真的是有辅助脚本(揭秘有挂)1、玩家可以在威信茶馆有挂的吗线...