@Firestone65

#7 CRTP Series | CyberSecLabs: Mount Write-up

Updated: Nov 10, 2021



Welcome to the CRTP prep series, aimed at the Certified Red Team Professional certification from PentesterAcademy.


This is the last box from Cyberseclabs, and it's got a spin to it.


Stay tuned for HackTheBox machines up next!


You can access my Gitbook repository here for all the commands.


Let's get started!


Reconnaissance


Let's begin with a full port scan using threader3000.


Let's run an aggressive nmap scan to enumerate the services on all open ports.

  • -A : Enable OS detection, version detection, script scanning, and traceroute.

  • -Pn : Skip host discovery [Don't ping].

  • -oA : Save output to file.

Notes:

  • Looking at ports 389 (LDAP) and 88 (Kerberos), our target is likely a Domain Controller.

  • Domain Name: Mount.csl | Hostname: MOUNT-DC

  • Add the entry "172.31.3.5 mount.csl" to /etc/hosts (the file expects the IP first, then the name), so that we can reference the target via its domain name.

  • The MSSQL service seems interesting.
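As an added example (not part of the write-up, and not the scan output from the box), the following Python parses the `.xml` file that `nmap -oA` writes and derives the same notes drawn by eye above: Kerberos (88) together with LDAP (389) points at a Domain Controller, and an open 1433 / `ms-sql-s` is the MSSQL service worth a closer look. The XML below is a constructed sample in nmap's layout, and the port-to-role mapping assumes the default ports.

```python
"""Parse the .xml written by `nmap -oA` and derive host-role hints:
ports 88 + 389 open => likely Domain Controller, 1433 / ms-sql-s => MSSQL."""
import xml.etree.ElementTree as ET

# Assumption: services on their default ports. A hardened host may differ.
DC_PORTS = {88, 389}       # Kerberos + LDAP together are the DC tell
MSSQL_PORTS = {1433}

# Constructed sample in the layout nmap emits with -oX / -oA
# (this is NOT the scan result from the original write-up).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -Pn -oA mount 172.31.3.5">
  <host>
    <status state="up"/>
    <address addr="172.31.3.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="Simple DNS Plus"/></port>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec" product="Microsoft Windows Kerberos"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap" product="Microsoft Windows Active Directory LDAP"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server 2019"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ipv4_addr: [(port, service_name, product), ...]} for open TCP ports only."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # skip filtered/closed ports
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            open_ports.append((int(port.get("portid")), name, product))
        result[addr_el.get("addr")] = sorted(open_ports)
    return result


def classify_host(open_ports):
    """Derive role hints from one host's (port, service, product) list."""
    ports = {p for p, _, _ in open_ports}
    services = {s for _, s, _ in open_ports}
    return {
        "likely_domain_controller": DC_PORTS <= ports,
        "mssql_exposed": bool(ports & MSSQL_PORTS) or "ms-sql-s" in services,
        "smb_exposed": 445 in ports,
    }


def summarize(xml_text):
    """Map every scanned host to its role hints."""
    return {addr: classify_host(ports) for addr, ports in parse_open_ports(xml_text).items()}


if __name__ == "__main__":
    for addr, ports in parse_open_ports(SAMPLE_NMAP_XML).items():
        print(addr)
        for port, name, product in ports:
            print(f"  {port:>5}/tcp  {name:<14} {product}")
        print("  hints:", classify_host(ports))
```

Point it at the real file with `summarize(open("mount.xml").read())`; the `-oA` prefix you chose decides the file name.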


Enumeration


  • The SMB service (port 445) does not have anonymous read access.

  • Let's attempt to identify valid users using kerbrute. I explain how this technique works in the Spray writeup.
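Added example, written from the detection side and not part of the original write-up: kerbrute's user enumeration sends an AS-REQ for each candidate name, and a Domain Controller with "Audit Kerberos Authentication Service" enabled records every miss as Security Event 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The code below flags a client address that produces many distinct such failures inside a short window. The events are constructed, the tuple layout is an assumption about how a SIEM would forward the 4768 fields, and the threshold and window are tunable assumptions.

```python
"""Flag kerbrute-style user enumeration in Windows Security Event 4768 data.
A TGT request for an account that does not exist fails with Result Code 0x6
(KDC_ERR_C_PRINCIPAL_UNKNOWN); a burst of those from one client address, each
naming a different user, is the enumeration signature."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNKNOWN_PRINCIPAL = "0x6"   # 4768 Result Code for KDC_ERR_C_PRINCIPAL_UNKNOWN

# Constructed sample events (not logs from the box). Each tuple mirrors the
# 4768 fields a SIEM would forward: TimeCreated, TargetUserName, IpAddress, Status.
SAMPLE_EVENTS = [
    ("2021-11-10 08:00:00", "zed",   "172.31.3.99", "0x6"),   # old miss, outside the window
    ("2021-11-10 09:00:01", "alice", "172.31.3.50", "0x0"),   # normal successful TGT request
    ("2021-11-10 09:00:03", "bob",   "172.31.3.50", "0x0"),
    ("2021-11-10 09:00:09", "jsmth", "172.31.3.50", "0x6"),   # a single typo, not an attack
] + [
    # twelve different names missed within twelve seconds from one client
    (f"2021-11-10 09:05:{i:02d}", name, "172.31.3.99", "0x6")
    for i, name in enumerate(["aaron", "abby", "adam", "adrian", "alan", "albert",
                              "alex", "alfred", "allan", "allen", "alvin", "amanda"])
]


def parse_event(raw):
    """Normalise one raw tuple: parse the timestamp, lower-case user and status."""
    ts, user, ip, status = raw
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.lower(), ip, status.lower()


def detect_user_enumeration(events, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: sorted probed usernames} for every client that caused
    >= threshold distinct KDC_ERR_C_PRINCIPAL_UNKNOWN failures within one sliding
    window. Events may arrive unsorted; they are sorted by time first."""
    recent = defaultdict(deque)        # ip -> deque of (ts, user) inside the window
    alerts = {}
    for ts, user, ip, status in sorted(parse_event(e) for e in events):
        if status != UNKNOWN_PRINCIPAL:
            continue                    # successes and other failure codes are ignored
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()                 # drop failures that fell out of the window
        probed = {u for _, u in q}
        if len(probed) >= threshold:
            alerts[ip] = sorted(probed | set(alerts.get(ip, [])))
    return alerts


if __name__ == "__main__":
    for ip, names in detect_user_enumeration(SAMPLE_EVENTS).items():
        print(f"possible user enumeration from {ip}: {len(names)} unknown principals")
        print("  ", ", ".join(names))
```

Valid names do not produce a 0x6, so this rule keys on the misses, which dominate any wordlist run; a single typo from a workstation stays well under the threshold.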


Notes:

  • We've identified 5 users.

  • Using impacket's GetNPUsers.py, we've ruled out the possibility of AS-REP Roasting.

  • Testing the users for weak passwords using crackmapexec did not work either.

  • The MS-SQL service can be enumerated using Metasploit's auxiliary modules.

The mssql_login module tries specific username/password pairs against the MSSQL instance (the default is 'sa' with a blank password).


Looks like the 'sa' account (sysadmin) is configured with the default <blank> password.



Initial Foothold


Now that we have credentials for the 'sa' account, let's use sqsh to connect to the Microsoft SQL Server.


Follow the steps above to enable 'xp_cmdshell'. Once that's done, we have OS command execution!

Let's grab a reverse shell from MOUNT-DC. Keep in mind that we need to bypass AMSI.


As always, enumerate all you can with:


winPEAS and PowerUp identify a modifiable service, 'UsoSvc'. Enumerating 'UsoSvc' further using the Service Controller utility (sc) reveals it's running as LocalSystem and we have permissions to restart it.


Let's understand how modifiable services can be exploited for privilege escalation.

 

Modifiable Services

  • Services execute the file defined in their file path.

  • If configured with weak permissions, the executable can be replaced with a malicious binary.

  • This attack requires permission to restart the service. Without it, the attacker has to wait for the system to be restarted, which only helps if the service starts at boot.

  • Once restarted, the service is executed in the context of LocalSystem, i.e. with administrative privileges.

  • The 'BINARY_PATH_NAME' can be changed to execute any command as well. Once the service is restarted, the system will execute what's in the 'BINARY_PATH_NAME'.
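Added example, not part of the write-up: a defender-side audit of the misconfiguration described above. `sc sdshow <service>` prints a service's security descriptor as an SDDL string; the code below parses the DACL part and reports any ACE that grants a low-privileged trustee SERVICE_CHANGE_CONFIG (the right that lets BINARY_PATH_NAME be changed), WRITE_DAC, WRITE_OWNER or DELETE, rating it critical when the service runs as LocalSystem. The SDDL strings, the service list and the account names are constructed; only the name 'UsoSvc' comes from the page, and its real DACL on the box is not shown in the write-up. The trustee-alias set is an assumption about which well-known aliases count as non-administrative.

```python
"""Audit service DACLs (the `sc sdshow <service>` SDDL output) for non-admin
principals that can change a service's configuration or ownership."""
import re

# Two-letter SDDL access tokens as used for services (the subset that matters here).
RIGHT_NAMES = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Rights that let the holder change what the service executes or who controls it.
DANGEROUS = {"DC", "WD", "WO", "SD", "GA", "GW"}
# Assumption: these well-known trustee aliases mean "not an administrator".
LOW_PRIV_TRUSTEES = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone",
                     "IU": "Interactive", "AN": "Anonymous", "DU": "Domain Users"}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed samples: {service: (StartName from Win32_Service, `sc sdshow` output)}.
SAMPLE_SERVICES = {
    # Default-looking DACL: only SYSTEM and Administrators may change the config.
    "Spooler": ("LocalSystem",
                "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    # Misconfigured: Authenticated Users hold CHANGE_CONFIG plus START/STOP.
    "UsoSvc": ("LocalSystem",
               "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    # Weak DACL but the service runs as a low-privileged account: lower impact.
    "ThirdPartyUpdater": ("NT AUTHORITY\\LocalService",
                          "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                          "(A;;CCDCLCSWLOCRRC;;;BU)"),
}


def parse_dacl(sddl):
    """Yield (ace_type, rights_tokens, trustee) for each ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1]          # drop any O:/G: prefix
    dacl = dacl.split("S:", 1)[0]          # drop the SACL
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")            # type;flags;rights;objguid;inhguid;sid
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.startswith("0x"):
            tokens = set()                 # hex masks are not decoded here (assumption)
        else:
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        yield ace_type, tokens, trustee


def audit_service(name, sddl, run_as):
    """Return findings for one service: allow-ACEs giving a low-priv trustee a dangerous right."""
    findings = []
    for ace_type, tokens, trustee in parse_dacl(sddl):
        if ace_type != "A" or trustee not in LOW_PRIV_TRUSTEES:
            continue
        bad = tokens & DANGEROUS
        if bad:
            findings.append({
                "service": name,
                "trustee": LOW_PRIV_TRUSTEES[trustee],
                "rights": sorted(RIGHT_NAMES[t] for t in bad),
                "can_restart": {"RP", "WP"} <= tokens,   # start+stop: no reboot needed
                "severity": "critical" if run_as.lower() == "localsystem" else "high",
            })
    return findings


def audit_all(services):
    """Audit every service in {name: (run_as, sddl)} and return all findings."""
    results = []
    for name, (run_as, sddl) in services.items():
        results.extend(audit_service(name, sddl, run_as))
    return results


if __name__ == "__main__":
    for f in audit_all(SAMPLE_SERVICES):
        print(f"[{f['severity']}] {f['service']}: {f['trustee']} has "
              f"{', '.join(f['rights'])} (can restart: {f['can_restart']})")
```

On a live host, feed `audit_all` with the `sc sdshow` output and `StartName` of each service from `Get-CimInstance Win32_Service`; the fix for a finding is to remove the offending ACE, not to restrict the restart right alone, since a reboot still executes the changed path.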

 

Privilege Escalation


  1. Change the 'BINARY_PATH_NAME' to a command that changes the Administrator's password.

  2. Stop and start the UsoSvc service.

  3. Login as Administrator with the new password.


We have access to the SYSTEM & ACCESS flags!


To Summarize:

  • Valid users were enumerated.

  • MS-SQL enumeration revealed users, service version, OS version.

  • The 'sa' account was configured with the default <blank> password.

  • 'UsoSvc', a privileged service, was misconfigured with weak permissions.

Interesting article on attacking MSSQL with Metasploit

