zero - hackmyvm

news | 2024/11/24 11:14:54

Overview

Machine name: Zero

Difficulty: Easy

Machine URL: https://hackmyvm.eu/machines/machine.php?vm=Zero

Local environment

Hypervisor: VirtualBox

Target IP (Zero): unknown

windows_IP:192.168.130.158

kali_IP:192.168.130.166

Scanning

Start with nmap: a ping sweep first, to find live hosts

nmap -sn 192.168.130.0/24 -oA nmapscan/ip;ips=$(cat ./nmapscan/ip.nmap | grep -oP '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}');echo $ips >> ./nmapscan/ips_ping;
Nmap scan report for OpenWrt.lan (192.168.130.1)
Host is up (0.00049s latency).
Nmap scan report for Pixel-4.lan (192.168.130.111)
Host is up (0.17s latency).
Nmap scan report for Redmi-K50.lan (192.168.130.139)
Host is up (0.069s latency).
Nmap scan report for DESKTOP-UDQONDB.lan (192.168.130.158)
Host is up (0.00043s latency).
Nmap scan report for kali.lan (192.168.130.166)
Host is up (0.00023s latency).
Nmap scan report for Koishi.lan (192.168.130.168)
Host is up (0.089s latency).
Nmap done: 256 IP addresses (6 hosts up) scanned in 4.07 seconds

Conclusion first: although a lot of IPs show up, they are all my own devices. Assuming DHCP is working normally, the server must be blocking ping.

So switch to an fscan sweep instead. Since the target is already known to be a Windows box, probing port 135 alone is enough.

fscan -h 192.168.130.0/24 -p 135 -nopoc -nobr -np
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
192.168.130.158:135 open
192.168.130.161:135 open
192.168.130.57:135 open
[*] alive ports len is: 3
start vulscan
[*] NetInfo
[*]192.168.130.57
   [->]DC01
   [->]192.168.130.57
   [->]fd67:3953:fc60:0:6187:1b6:c5c8:182
   [->]2001:0:34f1:8072:47d:1ef5:3f57:7dc6
已完成 3/3
[*] 扫描结束,耗时: 3.069453191s

With the IP known, follow up with a detailed nmap scan

nmap -sT -p0- -Pn 192.168.130.57 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
sudo nmap -Pn --min-rate=10000 -sT -sV -sC -O -p$ports 192.168.130.57/32 -oA nmapscan/detail
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-02 14:27:18Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc        Microsoft Windows RPC
49693/tcp open  msrpc        Microsoft Windows RPC
49723/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 08:00:27:37:AF:AA (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 2016|2012|2022|10|Phone|Vista|2008|7 (95%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_10:1607 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2016 (95%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 10 1607 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-08-02T14:29:37
|_  start_date: 2024-08-02T14:14:44
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: DC01
|   NetBIOS computer name: DC01\x00
|   Domain name: zero.hmv
|   Forest name: zero.hmv
|   FQDN: DC01.zero.hmv
|_  System time: 2024-08-02T07:29:37-07:00
|_clock-skew: mean: 17h19m52s, deviation: 4h02m29s, median: 14h59m51s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:37:af:aa (Oracle VirtualBox virtual NIC)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.34 seconds
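The pipeline above builds the port list for the second scan with grep|awk|paste, matching any line that contains the word "open". As an added example (not part of the original writeup), here is a small Python parser for nmap's normal output that matches only the port-table lines, so NSE script lines containing "open" or "open|filtered" ports cannot slip into the -p list unnoticed. The sample input is constructed: the port lines are copied from the scan above, plus two made-up lines (8080 open|filtered, 9999 closed) and one made-up NSE line to show what must be skipped; all function names are my own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: port lines copied from the detailed scan above, plus two made-up
# port lines (8080 open|filtered, 9999 closed) and one made-up NSE line that contains "open".
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-02 14:27:18Z)
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO)
636/tcp   open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-open-proxy: Proxy might be redirecting requests
8080/tcp  open|filtered http-proxy
9999/tcp  closed abyss
MAC Address: 08:00:27:37:AF:AA (Oracle VirtualBox virtual NIC)
"""


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str      # open, closed, filtered, open|filtered, ...
    service: str
    version: str    # empty when nmap printed no version column


# Only a real port-table line matches: "<port>/<proto>  <state>  <service> [version]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)


def parse_port_table(text: str) -> List[PortEntry]:
    """Parse the port table of nmap's normal (-oN) output; every other line is ignored."""
    entries: List[PortEntry] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"],
                                     m["service"], m["version"] or ""))
    return entries


def open_ports(entries: List[PortEntry], include_open_filtered: bool = False) -> List[int]:
    """Ports worth a second, deeper scan; open|filtered only when explicitly requested."""
    wanted = {"open", "open|filtered"} if include_open_filtered else {"open"}
    return sorted({e.port for e in entries if e.state in wanted})


def ports_arg(entries: List[PortEntry], include_open_filtered: bool = False) -> str:
    """Comma-joined value for nmap -p, the role grep|awk|paste plays in the writeup's pipeline."""
    return ",".join(str(p) for p in open_ports(entries, include_open_filtered))


def service_map(entries: List[PortEntry]) -> Dict[int, str]:
    """port -> 'service version' for the open ports, a quick inventory of the host."""
    return {e.port: e.service + (" " + e.version if e.version else "")
            for e in entries if e.state == "open"}


def naive_grep_open(text: str) -> List[str]:
    """What `grep open | awk -F/ '{print $1}'` yields on the same input: note the stray values."""
    return [line.split("/")[0] for line in text.splitlines() if "open" in line]


if __name__ == "__main__":
    entries = parse_port_table(SAMPLE_NMAP_OUTPUT)
    print("nmap -p" + ports_arg(entries))
    print("naive grep:", naive_grep_open(SAMPLE_NMAP_OUTPUT))
```

Running it shows the difference: the parser yields 53,88,135,445,636,5985, while the naive grep additionally emits the whole NSE line (no "/" to split on) and the open|filtered port 8080.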

SMB enumeration

Start with enum4linux

enum4linux-ng -A 192.168.130.57 -C -oY enum-ng.txt
ENUM4LINUX - next generation (v1.3.3)

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 192.168.130.57
[*] Username ......... ''
[*] Random Username .. 'mxrurerq'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 =======================================
|    Listener Scan on 192.168.130.57    |
 =======================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 ======================================================
|    Domain Information via LDAP for 192.168.130.57    |
 ======================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: zero.hmv

 =============================================================
|    NetBIOS Names and Workgroup/Domain for 192.168.130.57    |
 =============================================================
[+] Got domain/workgroup name: ZERO
[+] Full NetBIOS names information:
- DC01            <00> -         B <ACTIVE>  Workstation Service
- ZERO            <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
- ZERO            <1c> - <GROUP> B <ACTIVE>  Domain Controllers
- DC01            <20> -         B <ACTIVE>  File Server Service
- ZERO            <1b> -         B <ACTIVE>  Domain Master Browser
- MAC Address = 08-00-27-37-AF-AA

 ===========================================
|    SMB Dialect Check on 192.168.130.57    |
 ===========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: true
  SMB 2.02: true
  SMB 2.1: true
  SMB 3.0: true
  SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true

 =============================================================
|    Domain Information via SMB session for 192.168.130.57    |
 =============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DC01
NetBIOS domain name: ZERO
DNS domain: zero.hmv
FQDN: DC01.zero.hmv
Derived membership: domain member
Derived domain: ZERO

 ===========================================
|    RPC Session Check on 192.168.130.57    |
 ===========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE

 =====================================================
|    Domain Information via RPC for 192.168.130.57    |
 =====================================================
[+] Domain: ZERO
[+] Domain SID: S-1-5-21-1428058843-2653557213-3178474120
[+] Membership: domain member

 =================================================
|    OS Information via RPC for 192.168.130.57    |
 =================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows Server 2016 Standard Evaluation 14393
OS version: '10.0'
OS release: '1607'
OS build: '14393'
Native OS: Windows Server 2016 Standard Evaluation 14393
Native LAN manager: Windows Server 2016 Standard Evaluation 6.3
Platform id: null
Server type: null
Server type string: null

 =======================================
|    Users via RPC on 192.168.130.57    |
 =======================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED

 ========================================
|    Groups via RPC on 192.168.130.57    |
 ========================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED

 ==========================================
|    Services via RPC on 192.168.130.57    |
 ==========================================
[-] Could not get RPC services via 'net rpc service list': STATUS_ACCESS_DENIED

 ========================================
|    Shares via RPC on 192.168.130.57    |
 ========================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user

 ===========================================
|    Policies via RPC for 192.168.130.57    |
 ===========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed

 ===========================================
|    Printers via RPC for 192.168.130.57    |
 ===========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED

Completed after 0.29 seconds

The target has the rarely seen SMB v1 enabled, and the OS is not very new either
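From the defender's side, the enumeration output above already contains everything needed to rate this host. The following Python, added here and not part of the original writeup, parses the enum4linux-ng dialect check and nmap's smb-os-discovery / smb2-security-mode host-script output (the sample text is copied from the sections above) into a posture record and returns finding codes; the record fields and finding names are my own. The build number in nmap's output identifies the OS (14393 is Server 2016) but not the cumulative-update level, so the check flags SMBv1 itself and asks for the patch level to be verified on the host rather than guessing it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input copied from the enum4linux-ng "SMB Dialect Check" section of this writeup.
ENUM4LINUX_DIALECTS = """\
Supported dialects:
  SMB 1.0: true
  SMB 2.02: true
  SMB 2.1: true
  SMB 3.0: true
  SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true
"""

# Sample input copied from the nmap "Host script results" section of this writeup.
NMAP_HOST_SCRIPTS = """\
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: DC01
|   Domain name: zero.hmv
|   FQDN: DC01.zero.hmv
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
"""


@dataclass
class SmbPosture:
    dialects: Dict[str, bool] = field(default_factory=dict)  # {"1.0": True, "3.1.1": True, ...}
    preferred_dialect: Optional[str] = None
    signing_required: Optional[bool] = None
    os_name: Optional[str] = None
    os_build: Optional[int] = None      # major build only (14393); the update level is not in the scan
    computer_name: Optional[str] = None


DIALECT_RE = re.compile(r"^\s*SMB (?P<ver>[\d.]+):\s*(?P<val>true|false)\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 ]+?):\s*(?P<val>.+?)\s*$")
OS_RE = re.compile(r"^(?P<name>.+?)\s+(?P<build>\d{4,5})\s*\(")


def parse_enum4linux_dialects(text: str, posture: SmbPosture) -> SmbPosture:
    """Fill dialect support, preferred dialect and signing requirement from the dialect check."""
    for line in text.splitlines():
        m = DIALECT_RE.match(line)
        if m:
            posture.dialects[m["ver"]] = m["val"] == "true"
            continue
        m = KV_RE.match(line)
        if m and m["key"] == "Preferred dialect":
            posture.preferred_dialect = m["val"]
        elif m and m["key"] == "SMB signing required":
            posture.signing_required = m["val"] == "true"
    return posture


def parse_nmap_smb_scripts(text: str, posture: SmbPosture) -> SmbPosture:
    """Fill OS name/build, computer name and signing mode from smb-os-discovery / smb2-security-mode."""
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()          # drop nmap's script-output prefix
        m = KV_RE.match(body)
        if not m:
            # smb2-security-mode reports signing as a sentence, not a key: value pair
            if "Message signing enabled and required" in body:
                posture.signing_required = True
            elif "Message signing enabled but not required" in body:
                posture.signing_required = False
            continue
        if m["key"] == "OS":
            om = OS_RE.match(m["val"])
            posture.os_name = om["name"] if om else m["val"]
            posture.os_build = int(om["build"]) if om else None
        elif m["key"] == "Computer name":
            posture.computer_name = m["val"]
    return posture


def assess(p: SmbPosture) -> List[str]:
    """Finding codes (my own naming) derived strictly from what the two scans report."""
    findings: List[str] = []
    if p.dialects.get("1.0"):
        findings.append("SMB1_ENABLED")                  # legacy dialect; remove it server-side
    if p.signing_required is False:
        findings.append("SMB_SIGNING_NOT_REQUIRED")      # relay exposure
    if p.dialects.get("1.0") and p.os_build is not None:
        findings.append("VERIFY_MS17_010_PATCH_LEVEL")   # build 14393 alone does not prove patched
    if p.preferred_dialect and not p.preferred_dialect.startswith("SMB 3"):
        findings.append("PREFERRED_DIALECT_BELOW_SMB3")
    return findings


def posture_from_samples() -> SmbPosture:
    p = SmbPosture()
    parse_enum4linux_dialects(ENUM4LINUX_DIALECTS, p)
    return parse_nmap_smb_scripts(NMAP_HOST_SCRIPTS, p)


if __name__ == "__main__":
    p = posture_from_samples()
    print(p)
    print(assess(p))
```

For this host the result is SMB1_ENABLED plus VERIFY_MS17_010_PATCH_LEVEL; signing is already required, which is why no relay finding appears. The corresponding fix lives on the server, not in this script: disable the SMBv1 server component on the domain controller and confirm the cumulative-update level on the host itself.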

Let's try for RCE

ms17_010

Fire up msf

Note that EternalBlue comes with several different exploit modules; at least the first one (index 0) did not work for me.

[screenshot: image-20240802165355647]

It is also apparent that the author deliberately steered this PoC away from its default parameters: the callback port, the payload delivery method and so on all have to be changed before a shell comes back.

[screenshot: image-20240802165923822]

EternalBlue lands straight in as SYSTEM, so it's game over.

[screenshot: image-20240802170222589]

Source: http://www.coloradmin.cn/o/1973479.html
