# wuerror / hackthebox_oscp: nest.md

wuerror committed on 2022-07-11 21:01: update the nest and readme descriptions

## Port scan

```
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     Reporting Service V1.2
|     Unrecognised command
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.91%I=7%D=7/10%Time=62CA8A0F%P=x86_64-pc-linux-gnu%r(NU
SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\
SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCooki
SF:e,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionR
SF:eq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,2
SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20
SF:command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r
SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20R
SF:eporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x2
SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>");

Host script results:
|_clock-skew: -2s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-07-10T08:15:52
|_  start_date: 2022-07-10T08:09:52
```

Connecting to port 4386 with nc shows that it is HQK Reporting Service V1.2.
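Two things in the scan above deserve a defender's note: SMB signing is enabled but not required, and the unrecognised banner on 4386 advertises a password-gated DEBUG command. The following script is an added example, not part of the original writeup, that pulls exactly those two findings out of nmap's text output; the sample input is constructed from the scan above and trimmed to the relevant lines, and the wording of the findings is this example's own.

```python
"""Added example (not from the writeup): turn nmap text output into hardening findings."""
import re

# Constructed sample: the banner and host-script parts of the scan, trimmed.
SAMPLE_NMAP = """\
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data.
Host script results:
|_clock-skew: -2s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-07-10T08:15:52
|_  start_date: 2022-07-10T08:09:52
"""


def smb_signing_state(nmap_text):
    """Map nmap's smb2-security-mode result to 'required', 'optional', 'disabled',
    'unknown' (block present but unparsed) or None (no block at all)."""
    in_block = False
    for line in nmap_text.splitlines():
        if "smb2-security-mode:" in line:
            in_block = True
            continue
        if in_block and "Message signing" in line:
            if "enabled and required" in line:
                return "required"
            if "not required" in line:
                return "optional"
            if "disabled" in line:
                return "disabled"
            return "unknown"
    return None


def banner_commands(nmap_text):
    """Collect the command names listed after 'AVAILABLE COMMANDS' in a banner."""
    cmds, collecting = [], False
    for line in nmap_text.splitlines():
        body = line.lstrip("|_ ").rstrip()  # drop nmap's tree prefix
        if "AVAILABLE COMMANDS" in body:
            collecting = True
            continue
        if collecting:
            m = re.match(r"([A-Z]+)(?:\s+<[^>]+>)?$", body)
            if not m:
                break  # first non-command line ends the list
            cmds.append(m.group(1))
    return cmds


# Commands that unlock extra behaviour behind a password typed into the service itself.
PRIVILEGED_COMMANDS = {"DEBUG"}


def findings(nmap_text):
    """Return the hardening findings a reviewer would raise for this scan."""
    out = []
    state = smb_signing_state(nmap_text)
    if state in ("optional", "disabled"):
        out.append(f"SMB signing is {state}: enforce it (RequireSecuritySignature) "
                   "so unsigned or relayed sessions are rejected")
    for cmd in banner_commands(nmap_text):
        if cmd in PRIVILEGED_COMMANDS:
            out.append(f"banner exposes a password-gated {cmd} command: "
                       "restrict the port and review the password's strength and storage")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_NMAP):
        print("-", f)
```

`smb_signing_state` recognises the three phrasings nmap's `smb2-security-mode` script emits; anything else in the block is reported as `unknown` rather than silently treated as safe.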

## SMB

Anonymous login is allowed:

```
smbclient --no-pass -L //10.10.10.178
```

(screenshot nets0) Browsing the files in each directory yields a set of credentials: TempUser / welcome2019. (screenshot nets1) Re-enumerating with these credentials, there are many XML files under Data/IT, and RU_config.xml contains a password:

```
smbmap -H 10.10.10.178 -u TempUser -p welcome2019 -R Data
smbmap -H 10.10.10.178 -u TempUser -p welcome2019 --download 'Data\IT\Configs\RU Scanner\RU_config.xml'
smbmap -H 10.10.10.178 -u TempUser -p welcome2019 --download 'Data\IT\Configs\NotepadPlusPlus\config.xml'
```

(screenshot nets2) c.smith : fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=. The Notepad++ config.xml reveals several paths (screenshot nets3). Although Secure$/IT cannot be listed, the Carl directory inside it can be entered directly (screenshot nets4):

```
smbmap -H 10.10.10.178 -u TempUser -p welcome2019 -R 'Secure$\IT\Carl'
```

(screenshot nets5) Download all of the .vb files and see what they contain (the two `#` lines are typed inside the smbclient session):

```
smbclient //10.10.10.178/Secure$ -U "TempUser"%"welcome2019"
#cd it\Carl\VB Projects\WIP\RU\RUScanner
#mget *
find . -type f -name "*.vb"|xargs grep passw
```

(screenshot nets6) The match is in Utils.vb, which defines many functions for other files to call. Next, search for Decrypt to see which file calls the decryption routine:

```
find . -type f -name "*.vb"|xargs grep Decrypt
```

(screenshot nets7)
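The path that led here is a share holding a config file with a stored password and a source tree with the key material that decrypts it, which is what a defender auditing such a share should catch before anyone else does. The script below is an added example, not part of the original writeup, that generalises the two greps above into a small audit of a downloaded tree: it parses XML configs for credential-bearing elements and attributes, flags hardcoded key/password literals in VB source, and notes every call into a `Decrypt*` helper. The file names, layout and contents of the sample tree are constructed for the demo (the real RU_config.xml and Utils.vb are not reproduced); only the Module1.vb line is taken from the writeup.

```python
"""Added example (not from the writeup): audit a tree pulled from a share for
stored credentials and embedded key material."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Identifier fragments that usually name a credential or key (case-insensitive heuristic).
SECRET_NAME = re.compile(r"passw(?:or)?d|pwd|secret|token|key|salt|\biv\b", re.I)
# VB.NET string assignment:  Name [As String] = "literal"
VB_ASSIGN = re.compile(r'\b(\w+)\s*(?:As\s+String)?\s*=\s*"([^"]*)"', re.I)
# A member call into a Decrypt* routine, i.e. where reversible encryption is consumed.
DECRYPT_CALL = re.compile(r"\.Decrypt\w*\(")


def scan_xml(path):
    """Flag elements/attributes whose name looks credential-like and that carry a value."""
    hits = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return hits  # not well-formed XML; nothing to report from this file
    for elem in root.iter():
        if SECRET_NAME.search(elem.tag) and (elem.text or "").strip():
            hits.append(f"<{elem.tag}> holds a stored credential")
        for attr, val in elem.attrib.items():
            if SECRET_NAME.search(attr) and val.strip():
                hits.append(f"attribute {attr} holds a stored credential")
    return hits


def scan_source(path):
    """Flag hardcoded secret/key literals and calls into decryption helpers."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, _literal in VB_ASSIGN.findall(line):
                if SECRET_NAME.search(name):
                    hits.append(f"line {lineno}: hardcoded {name}")
            if DECRYPT_CALL.search(line):
                hits.append(f"line {lineno}: decryption call")
    return hits


def scan_tree(root_dir):
    """Walk root_dir and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
            low = fn.lower()
            if low.endswith((".xml", ".config")):
                hits = scan_xml(path)
            elif low.endswith((".vb", ".cs")):
                hits = scan_source(path)
            else:
                hits = []
            findings.extend((rel, h) for h in hits)
    return sorted(findings)


# Constructed sample tree; layout and contents are assumptions for the demo.
SAMPLE_FILES = {
    "Data/IT/Configs/RU Scanner/RU_config.xml":
        '<?xml version="1.0"?><ConfigFile><Port>389</Port>'
        '<Username>c.smith</Username><Password>EXAMPLE-CIPHERTEXT==</Password></ConfigFile>',
    "Secure/IT/Carl/RUScanner/Utils.vb":
        'Module Utils\n'
        '    Private Const EncryptionKey As String = "example-key-not-from-the-box"\n'
        '    Public Function DecryptString(text As String) As String\n'
        '        Return text\n'
        '    End Function\n'
        'End Module\n',
    "Secure/IT/Carl/RUScanner/Module1.vb":
        'Dim test As New SsoIntegration With {.Username = Config.Username, '
        '.Password = Utils.DecryptString(Config.Password)}\n',
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, finding in scan_tree(build_sample_tree()):
        print(f"{rel}: {finding}")
```

Three findings come back for the sample tree: the `<Password>` element in the config, the `EncryptionKey` literal in Utils.vb, and the `DecryptString` call in Module1.vb. Together they are the point of this section: a password that is only encrypted with a key shipped in readable source is, from the share's point of view, stored in plaintext.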

## Decrypting c.smith's password

Module1.vb references it, but it cannot simply be called. Checking a walkthrough: the .sln file indicates this is a Visual Studio project, so download the .sln file together with the RUScanner subdirectory beside it:

```
smbclient //10.10.10.178/Secure$ -U "TempUser"%"welcome2019"
cd "it\Carl\VB Projects\WIP\RU\RUScanner"
mask "" 
recurse ON 
prompt OFF
mget *
```

(screenshot nets8) Downloaded this way, the RUScanner subdirectory is missing; create it and move every folder and file except the .sln into it so that the directory structure matches, otherwise Visual Studio reports an error when opening the project.

Then right-click this line, choose Run To Cursor, and step over to the next line; the plaintext password can then be read:

```
Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
```

(screenshot nets9) c.smith : xRxRxPANCAK3SxRxRx

## user.txt

Continue information gathering:

```
smbmap -H 10.10.10.178 -u c.smith -p xRxRxPANCAK3SxRxRx -R Users
smbmap -H 10.10.10.178 -u c.smith -p xRxRxPANCAK3SxRxRx --download 'Users\C.Smith\user.txt'
```

(screenshot nets10) Download the other files as well; unfortunately this Debug password is empty. Running strings on HqkLdap.exe reveals a PublicKeyToken (screenshot nets11); it is unclear what it is for.
