Academy - Windows Privilege Escalation - Communication with Processes

lancedelacroix · April 6, 2023, 10:11am

Hello,

the question Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe? does not accept my answer MSSQL$SQLEXPRESS01.

I tried SQLEXPRESS01, MSSQL$SQLEXPRESS, SERVICE\MSSQL$SQLEXPRESS01 and SQLEXPRESS as variations, as well as all other users on the system.

PS C:\Users\htb-student\Downloads> net user

User accounts for \\WINLPE-SRV01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
helpdesk                 htb-student              htb-student_adm
jordan                   logger                   mrb3n
sarah                    sccm_svc                 secsvc
sql_dev
The command completed successfully.

Furthermore, since only connections to machines on the internal network are allowed, I had to fetch accesschk.exe from SysInternals on my Pwnbox and deliver it through a Python HTTP web server to the windows machine we RDP into.

Anyways, once I had accesschk.exe I did get this output, which would imply the answer I’m giving is correct.

PS C:\Users\htb-student\Downloads> .\accesschk.exe \pipe\SQLLocal\SQLEXPRESS01 -v

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\SQLLocal\SQLEXPRESS01
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT SERVICE\MSSQL$SQLEXPRESS01
        FILE_CREATE_PIPE_INSTANCE
        FILE_APPEND_DATA
        READ_CONTROL
        WRITE_DAC
  RW Everyone
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL

Why does this not accept my answer? Am I wrong here?

lancedelacroix · April 6, 2023, 10:25am

Solved it shortly after posting. The trick was to include nt and submit the answer in all lowercase :).

ace · June 5, 2023, 12:09pm

ah thanks . i also faced the same issue and solved it after putting in NT as well.

But you know, you had no need to upload accesscheck from your local PC. all the tools are already present in the windows target machine. Go to C folder, tools. you can find all the required tools and more there.

gary.copland · November 7, 2023, 10:32am

I’m a bit lost here. how are you adding NT to this command?

ransomthehost · November 30, 2023, 11:37pm

having the same issue, the commands given outside of gci \.\pipe\ do not work when it comes to accesschk.exe . even trying to use the tools within C:\Tools folder directly messes up the vm network connection
i dont understand what to do step by step and why it teaches differently in the page of this module lesson

ransomthehost · November 30, 2023, 11:49pm

still having issues

IBlazeI · February 9, 2024, 2:39am

Things might have changed
As from the first picture in this thread, copy from N to 1 as it is and that’s is your answer

voyager77 · July 11, 2024, 10:40am

nt service\mssql$sqlexpress01

Why is it not acceptable to use uppercase letters.

Topic		Replies	Views
Windows Privilege Escalation Module Academy academy	1	35	August 18, 2024
Windows Privilege Escalation - Tools Missing on Target Machines Academy machines , problem , tech-support , academy	0	155	February 29, 2024
Windows Privilege Escalation - SeImpersonate [sql_dev does not have token permission] Academy	8	1520	July 20, 2024
ACTIVE DIRECTORY ENUMERATION & ATTACKS - Privileged Access Academy	26	2917	September 27, 2024
WINDOWS PRIVILEGE ESCALATION [Interacting with Users] Academy windows	18	3549	October 31, 2024

Academy - Windows Privilege Escalation - Communication with Processes

Related topics