Academy - Windows Privilege Escalation - Communication with Processes

Hello,

the question Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe? does not accept my answer MSSQL$SQLEXPRESS01.

I tried SQLEXPRESS01, MSSQL$SQLEXPRESS, SERVICE\MSSQL$SQLEXPRESS01 and SQLEXPRESS as variations, as well as all other users on the system.

PS C:\Users\htb-student\Downloads> net user

User accounts for \\WINLPE-SRV01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
helpdesk                 htb-student              htb-student_adm
jordan                   logger                   mrb3n
sarah                    sccm_svc                 secsvc
sql_dev
The command completed successfully.

Furthermore, since only connections to machines on the internal network are allowed, I had to fetch accesschk.exe from SysInternals on my Pwnbox and deliver it through a Python HTTP web server to the windows machine we RDP into.

Anyways, once I had accesschk.exe I did get this output, which would imply the answer I’m giving is correct.

PS C:\Users\htb-student\Downloads> .\accesschk.exe \pipe\SQLLocal\SQLEXPRESS01 -v

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\SQLLocal\SQLEXPRESS01
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT SERVICE\MSSQL$SQLEXPRESS01
        FILE_CREATE_PIPE_INSTANCE
        FILE_APPEND_DATA
        READ_CONTROL
        WRITE_DAC
  RW Everyone
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL

Why does this not accept my answer? Am I wrong here?

Solved it shortly after posting. The trick was to include nt and submit the answer in all lowercase :).

ah thanks . i also faced the same issue and solved it after putting in NT as well.

But you know, you had no need to upload accesscheck from your local PC. all the tools are already present in the windows target machine. Go to C folder, tools. you can find all the required tools and more there.