MSSQL
Nmap initially discovered an MSSQL server on port 1433 of the target
The running service is Microsoft SQL Server 2019 15.00.2000.00
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ nmap -Pn --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $IP
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-13 03:17 CEST
Nmap scan report for sequel.htb (10.10.11.202)
Host is up (0.087s latency).
bug in ms-sql-dac: no string output.
bug in ms-sql-hasdbaccess: no string output.
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.202:1433:
| target_name: sequel
| netbios_domain_name: sequel
| netbios_computer_name: DC
| dns_domain_name: sequel.htb
| dns_computer_name: dc.sequel.htb
| dns_tree_name: sequel.htb
|_ product_version: 10.0.17763
| ms-sql-empty-password:
|_ 10.10.11.202:1433:
| ms-sql-info:
| 10.10.11.202:1433:
| version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| product: Microsoft SQL Server 2019
| service pack level: RTM
| post-sp patches applied: false
|_ tcp port: 1433
| ms-sql-tables:
| 10.10.11.202:1433:
|_[10.10.11.202:1433]
| ms-sql-xp-cmdshell:
|_ (Use --script-args=ms-sql-xp-cmdshell.cmd='<CMD>' to change command.)
| ms-sql-dump-hashes:
|_ 10.10.11.202:1433: ERROR: Bad username or password
| ms-sql-config:
| 10.10.11.202:1433:
|_ error: Bad username or password
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.26 seconds
Running a few enumeration scripts with Nmap doesn't provide any additional information, likely due to access control. I would need a valid credential to proceed further
PublicGuest Session
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[-] [('SSL routines', '', 'internal error')]
Initially, impacket-mssqlclient failed with an error caused by the way its dependent library handles the TLS connection. I was able to resolve the issue by applying the fix to the impacket/tds.py file
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL>
It works now
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ sqsh -S $IP -U PublicUser -P GuestUserCantWrite1
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1>
Alternatively, I could have just used sqsh
SQL> enable_xp_cmdshell
[-] ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.
[-] ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC\SQLMOCK): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
First off, the current user doesn't have enough privileges to enable direct OS command execution with enable_xp_cmdshell
Another thing to note here is that DC\SQLMOCK is the server name
Version
SQL> select @@version;
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
The target system is Windows Server 2019 Standard, build 17763
Current User
SQL> SELECT user;
--------------------------------------------------------------------------------------------------------------------------------
guest
SQL> SELECT system_user;
--------------------------------------------------------------------------------------------------------------------------------
PublicUser
SQL> SELECT is_srvrolemember('sysadmin');
-----------
0
The current SQL user is guest, corresponding to the login PublicUser
The current user is not a sysadmin
Users
SQL> SELECT name from master..syslogins
name
--------------------------------------------------------------------------------------------------------------------------------
sa
PublicUser
There are only 2 users (logins): sa and PublicUser
Database
SQL> SELECT name FROM master.dbo.sysdatabases;
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
Only the default databases are present. I will check the msdb database
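The enumeration so far (version, current identity, the failed enable_xp_cmdshell, the login list and the database list) maps directly onto checks a DBA runs from the other side. The following T-SQL is an added example written for this page, not code from the writeup or from any tool it uses. It assumes a sysadmin connection to SQL Server 2017 or later (STRING_AGG is used); the login name PublicUser appears only in comments as an illustration.

```sql
-- Added example (not from the writeup): defender-side audit of the facts the
-- guest session above could observe. Run as sysadmin on SQL Server 2017+.

-- 1. Server identity and edition, the same data @@version hands to any login.
SELECT SERVERPROPERTY('ServerName')     AS server_name,      -- e.g. DC\SQLMOCK
       SERVERPROPERTY('ProductVersion') AS product_version,  -- e.g. 15.0.2000.5
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Is OS command execution switched on? sys.configurations lists advanced
--    options even while 'show advanced options' is 0, so no sp_configure call
--    (and no ALTER SETTINGS permission) is needed just to read the state.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');
-- On a hardened server all three rows show value_in_use = 0.

-- 3. Who could flip it: sysadmin members, plus any login granted ALTER SETTINGS,
--    the permission sp_configure/RECONFIGURE check and that PublicUser lacked.
SELECT m.name AS login_name, m.type_desc, m.is_disabled, N'sysadmin' AS via
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
UNION ALL
SELECT p.name, p.type_desc, p.is_disabled, N'ALTER SETTINGS'
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'ALTER SETTINGS' AND sp.state IN ('G', 'W');

-- 4. SQL logins and whether the Windows password policy is enforced on them.
--    A login created with CHECK_POLICY = OFF can carry a weak, never-expiring
--    password such as the guest credential used above.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, modify_date
FROM sys.sql_logins
ORDER BY name;

-- 5. Databases the guest user may enter. A login with no database user mapping
--    lands in guest wherever guest holds CONNECT, which is why SELECT user
--    returned 'guest' for PublicUser. master, tempdb and msdb keep guest
--    enabled by design; any other database listed with guest_can_connect = 1
--    should get: REVOKE CONNECT FROM guest;  (run inside that database)
DECLARE @sql nvarchar(max);
SELECT @sql = STRING_AGG(CAST(
      N'SELECT N' + QUOTENAME(name, N'''') + N' AS database_name, '
    + N'CASE WHEN EXISTS (SELECT 1 FROM ' + QUOTENAME(name) + N'.sys.database_permissions '
    + N'WHERE class = 0 AND permission_name = N''CONNECT'' AND state = ''G'' '
    + N'AND grantee_principal_id = 2) THEN 1 ELSE 0 END AS guest_can_connect'
    AS nvarchar(max)), N' UNION ALL ')
FROM sys.databases
WHERE state_desc = N'ONLINE';   -- guest is principal_id 2 in every database
EXEC sys.sp_executesql @sql;
```

Query 5 builds one UNION ALL statement across all online databases rather than using the undocumented sp_MSforeachdb; the CAST to nvarchar(max) inside STRING_AGG keeps the generated text from being truncated at 8000 characters on servers with many databases.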
msdb
SQL> SELECT * FROM msdb.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME                                   TABLE_TYPE
-------------   ------------   ------------------------------------------   -------------
msdb            dbo            syspolicy_policy_category_subscriptions      b'VIEW'
msdb            dbo            syspolicy_system_health_state                b'VIEW'
msdb            dbo            syspolicy_policy_execution_history           b'VIEW'
msdb            dbo            syspolicy_policy_execution_history_details   b'VIEW'
msdb            dbo            syspolicy_configuration                      b'VIEW'
msdb            dbo            syspolicy_conditions                         b'VIEW'
msdb            dbo            syspolicy_policy_categories                  b'VIEW'
msdb            dbo            sysdac_instances                             b'VIEW'
msdb            dbo            syspolicy_object_sets                        b'VIEW'
msdb            dbo            dm_hadr_automatic_seeding_history            b'BASE TABLE'
msdb            dbo            syspolicy_policies                           b'VIEW'
msdb            dbo            backupmediaset                               b'BASE TABLE'
msdb            dbo            backupmediafamily                            b'BASE TABLE'
msdb            dbo            backupset                                    b'BASE TABLE'
msdb            dbo            autoadmin_backup_configuration_summary       b'VIEW'
msdb            dbo            backupfile                                   b'BASE TABLE'
msdb            dbo            syspolicy_target_sets                        b'VIEW'
msdb            dbo            restorehistory                               b'BASE TABLE'
msdb            dbo            restorefile                                  b'BASE TABLE'
msdb            dbo            syspolicy_target_set_levels                  b'VIEW'
msdb            dbo            restorefilegroup                             b'BASE TABLE'
msdb            dbo            logmarkhistory                               b'BASE TABLE'
msdb            dbo            suspect_pages                                b'BASE TABLE'
While there are a lot of tables, I will check a few
SQL> SELECT * FROM msdb.dbo.logmarkhistory;
database_name mark_name description user_name lsn mark_time
-------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ----------------- ----------
SQL> SELECT * FROM msdb.dbo.restorehistory;
restore_history_id restore_date destination_database_name user_name backup_set_id restore_type replace recovery restart stop_at device_count stop_at_mark_name stop_before
------------------ ------------------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ------------- ------------ ------- -------- ------- ------------------- ------------ -------------------------------------------------------------------------------------------------------------------------------- -----------
SQL> SELECT * FROM msdb.dbo.autoadmin_backup_configuration_summary;
ManagedBackupVersion IsAlwaysOn IsDropped IsEnabled RetentionPeriod EncryptionAlgorithm SchedulingOption DayOfWeek DatabaseCount
-------------------- ---------- --------- --------- --------------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------
SQL> SELECT * FROM msdb.dbo.backupfile;
backup_set_id first_family_number first_media_number filegroup_name page_size file_number backed_up_page_count file_type source_file_block_size file_size logical_name physical_drive physical_name state state_desc create_lsn drop_lsn file_guid read_only_lsn read_write_lsn differential_base_lsn differential_base_guid backup_size filegroup_guid is_readonly is_present
------------- ------------------- ------------------ -------------------------------------------------------------------------------------------------------------------------------- ----------- ----------------- -------------------- --------- ---------------------- ----------------- -------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------- ---------------------------------------------------------------- ----------------- ----------------- ------------------------------------ ----------------- ----------------- --------------------- ------------------------------------ ----------------- ------------------------------------ ----------- ----------
SQL> SELECT * FROM msdb.dbo.syspolicy_configuration;
SQL> SELECT * FROM msdb.dbo.syspolicy_policy_execution_history;
history_id policy_id start_date end_date result exception_message exception
---------- ----------- ---------- ------------------- ---------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
They are all empty
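On this target the msdb history tables were empty, but on a production server they record every backup destination, every restore and who performed it, and as the session above shows they are readable through the guest user. The following T-SQL is an added example written for this page, not code from the writeup; it assumes a DBA connection and standard msdb tables, and the paths in comments are illustrative only.

```sql
-- Added example (not from the writeup): what a DBA should review in the msdb
-- tables enumerated above, and how to keep them from becoming a long-lived
-- map of backup locations. Run as a DBA; nothing here modifies data unless
-- the final, commented-out housekeeping call is enabled.

-- 1. Every backup set with the physical device it was written to. A network
--    share or a temp folder here is worth checking for who can read it.
SELECT bs.database_name,
       CASE bs.type WHEN 'D' THEN 'full' WHEN 'I' THEN 'differential'
                    WHEN 'L' THEN 'log'  ELSE bs.type END AS backup_type,
       bs.backup_start_date,
       bs.user_name              AS taken_by,
       bs.is_password_protected,
       bmf.physical_device_name  -- e.g. \\fileserver\backups\prod.bak (illustrative)
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
ORDER BY bs.backup_start_date DESC;

-- 2. Restores: which backup landed in which database, by whom, and where the
--    restored data files were placed on disk.
SELECT rh.restore_date,
       rh.destination_database_name,
       rh.user_name             AS restored_by,
       rh.restore_type,         -- D = database, F = file, L = log, ...
       rf.destination_phys_name
FROM msdb.dbo.restorehistory AS rh
LEFT JOIN msdb.dbo.restorefile AS rf ON rf.restore_history_id = rh.restore_history_id
ORDER BY rh.restore_date DESC;

-- 3. suspect_pages is written by the engine itself when it hits checksum or
--    I/O errors; rows here point at storage problems rather than at activity
--    by a low-privileged login.
SELECT DB_NAME(database_id) AS database_name, file_id, page_id,
       event_type, error_count, last_update_date
FROM msdb.dbo.suspect_pages
ORDER BY last_update_date DESC;

-- 4. Housekeeping: prune backup/restore history older than one year so the
--    tables only describe backups that still exist. Uncomment to run.
-- DECLARE @cutoff datetime = DATEADD(year, -1, GETDATE());
-- EXEC msdb.dbo.sp_delete_backuphistory @oldest_date = @cutoff;
```

Query 1 is the one to run first after a compromise is suspected: it lists, per database, where copies of the data have been written, which is the same information a read-only msdb session would have been able to collect.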
There is another attack vector