Academy - Windows Privilege Escalation - Communication with Processes

Hello,

the question Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe? does not accept my answer MSSQL$SQLEXPRESS01.

I tried SQLEXPRESS01, MSSQL$SQLEXPRESS, SERVICE\MSSQL$SQLEXPRESS01 and SQLEXPRESS as variations, as well as all other users on the system.

PS C:\Users\htb-student\Downloads> net user

User accounts for \\WINLPE-SRV01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
helpdesk                 htb-student              htb-student_adm
jordan                   logger                   mrb3n
sarah                    sccm_svc                 secsvc
sql_dev
The command completed successfully.

Furthermore, since only connections to machines on the internal network are allowed, I had to fetch accesschk.exe from SysInternals on my Pwnbox and deliver it through a Python HTTP web server to the windows machine we RDP into.

Anyways, once I had accesschk.exe I did get this output, which would imply the answer I’m giving is correct.

PS C:\Users\htb-student\Downloads> .\accesschk.exe \pipe\SQLLocal\SQLEXPRESS01 -v

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\SQLLocal\SQLEXPRESS01
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT SERVICE\MSSQL$SQLEXPRESS01
        FILE_CREATE_PIPE_INSTANCE
        FILE_APPEND_DATA
        READ_CONTROL
        WRITE_DAC
  RW Everyone
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL

Why does this not accept my answer? Am I wrong here?

1 Like

Solved it shortly after posting. The trick was to include nt and submit the answer in all lowercase :).

4 Likes

ah thanks . i also faced the same issue and solved it after putting in NT as well.

But you know, you had no need to upload accesscheck from your local PC. all the tools are already present in the windows target machine. Go to C folder, tools. you can find all the required tools and more there.

1 Like

I’m a bit lost here. how are you adding NT to this command?

1 Like

having the same issue, the commands given outside of gci \.\pipe\ do not work when it comes to accesschk.exe . even trying to use the tools within C:\Tools folder directly messes up the vm network connection
i dont understand what to do step by step and why it teaches differently in the page of this module lesson

still having issues

Things might have changed
As from the first picture in this thread, copy from N to 1 as it is and that’s is your answer

nt service\mssql$sqlexpress01

Why is it not acceptable to use uppercase letters.