A blind MSSQLi, an enabled xp_cmdshell and one high privileged user

RWP #2

Welcome back readers.

This is our second post in our Real World Pentests (RWP) series. Let's talk more about the methodology we follow. I think it is pretty standard within the industry (at least the first two steps):

1- We spend time gathering as much info as possible on the target or objective (call it the reconnaissance phase or OSINT).
2- We then run a large number of automated tools, scripts and scanners we deem useful, then review and compare the results looking for existing vulnerabilities. We try to exploit the issues found.
3- After this step, if nothing interesting has been found so far and we still have spare time, we usually go deeper into testing to find new vulnerabilities which cannot be found easily by automated testing ("custom or manual testing").

This assessment had the following scope: faketarget.abc and its subdomains
TL/DR available at the end of the article. 


The recon part, a.k.a the important-est 

I will give you a practical example of why reconnaissance is so important. This advice was given to me by a friend.

"You might focus on a target that you deem weak and you start researching zero days... which lasts for months. But it can be totally useless and wasted time. To achieve the same exact objective (remote code exec in scope), you could have enumerated more and found a simple / dumb password on an SSH port from a related target that you forgot to discover".


Abraham Lincoln, who is famous for killing zombies with an Axe, knew that preparation is key in all projects. 
"Give me six hours because I need to go to toilets".
Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

In other words, while pentesting and due to time constraints you need to take 💥THE PATH OF LEAST RESISTANCE💥 and not fall down rabbit holes. (Security research is in my opinion a different topic.)
That being said, there are tons of ways to recon your target, be it a person, a company, a domain or even an IP. It gets even more complex when you start to map sub-related targets, for instance the domains of a sub-company of your target... You can see that this rapidly becomes exponential or goes out of scope. But compromising a sub-company can give you access to the target company (it happens quite frequently).
As it would be too long to present all tools and processes, we have gathered our most used techniques inside an automated script that you can find on github. If you don't want to give it a try, we recommend using at least recon-ng, a reconnaissance framework that gathers most of these techniques and is kinda brilliant for mapping a target. 💪

One of the most basic steps when you recon a domain name is DNS enumeration. Again, a lot of tools can do it, using various techniques. A simple DNS brute force can give you more targets to test:
[...] 
support.faketarget.abc A 1.2.3.4
[...] 

For websites, vhost enumeration is also important. As you know, web servers may host multiple websites under several DNS names (with different web app code, so different vulnerabilities 👿). You can use passive reconnaissance websites like Robtex (checking domain names per IP) or active reconnaissance with curl and scripts like wfuzz.py or vhostbrute.py. Be sure to check that the vhosts are not aliases (pointing to the same code) so you don't lose time.


Pick your automated scanners

You need to decide which tools to run against your target. Too much information or too many false positives will kill your time; too little information and you won't detect anything. Every pentester has their own cocktail of tools 👷 but most of them probably use sqlmap.

Sqlmap is efficient, can run alone fully automated, and can detect some (not all) false positives or non-exploitable vulnerabilities. It is still a dumb script, so it can miss things a human mind can detect or predict, but it has a very solid detection capacity. We recommend running at least this command against your discovered targets:

sqlmap --batch --crawl=2 --forms -b -u discoveredtarget.faketarget.com

--batch avoids human interaction with the tool and lets it run autonomously by filling in default answers, --crawl crawls the target automatically with a depth of 2 links max, --forms tests the forms of the website (POST data) and -b tries to dump the banner of the database (it's a technique we use to detect false positives).
On one of our discovered targets, the sqlmap scan returned this:

This means the target backend is (a) Microsoft SQL Server 2008 and, more importantly, (b) vulnerable to blind SQL injection. Now it's time to see what we can do from there. 👻


From SQLi to RCE

You will encounter this situation very often. Sometimes, dumping all the database rows is not enough and you want to dig deeper. How do you go from SQL injection to code execution on the server? There are multiple techniques for that, and this step can be quite easy on Windows SQL Server under certain conditions. Let's try sqlmap --os-cmd=dir:

[16:32:19] [INFO] testing if xp_cmdshell extended procedure is usable
[16:33:19] [INFO] xp_cmdshell extended procedure is usable

We are lucky today. The stored procedure xp_cmdshell is enabled for the current database user, which is a bad security practice. We could have played a bit with the sqlmap --os-shell command, which provides a "virtually interactive" shell, but a truly interactive shell is better. Let's call Powershell.exe with a payload executed directly from memory, not touching the server drive, to avoid detection by Bitdefender or other anti-virus software. 💤 The latest Windows versions like Windows 10 or Windows Server 2016 now have a protection against such script payloads. Also, I'm unsure whether Powercat is now blocked by this security feature.




This opens a new Internet Explorer component in the background which downloads the Powercat function code from github (a PowerShell version of netcat), then uses this function with our parameters to connect back to us, the attackers. -ep means Powercat will serve us a Powershell.exe shell and -rep means it will repeat the connection if it fails or crashes. Let's fire up an ncat listener and wait for the connection.


You have to trust me on the System privilege because I didn't take a screenshot, as usual :]

Working. Good. It also means the firewall is not blocking outgoing connections (this is allowed by default on Windows).


Higher privileges?

A simple whoami command in the received shell showed that the Microsoft database service was running as NtAuthority/System, which is again a bad security practice. With just this blind SQLi and xp_cmdshell we now have code execution at the highest privilege on the server! From there we performed the standard persistence (Autorun), post-exploitation (I prefer the word pillaging 💣) and pivoted deeper into the internal network(s).
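Both findings that made this chain work (xp_cmdshell usable from the injection point, and the database engine service running as SYSTEM) are easy for a defender to audit and fix from the SQL side. The T-SQL below is an added example, not part of the original post; it assumes a sysadmin connection to the instance and uses only standard SQL Server catalog views and sp_configure.

```sql
-- Added example (not from the original post): audit the two misconfigurations
-- behind the SQLi -> xp_cmdshell -> SYSTEM chain, then remediate xp_cmdshell.
-- Assumes a sysadmin connection; nothing here is specific to the target.

-- 1. Is xp_cmdshell enabled at all?  value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Which Windows account does the engine service run as?
--    (sys.dm_server_services exists from SQL Server 2008 R2 SP1 onward;
--    on older builds check the service account in SQL Server Configuration Manager.)
--    Anything like 'NT AUTHORITY\SYSTEM' or 'LocalSystem' is the finding from the post;
--    a dedicated low-privilege or virtual service account is the expected value.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 3. Who can reach xp_cmdshell?  By default only sysadmin members can call it,
--    so list every login that holds that role (web-app logins should not appear).
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
ORDER BY sp.name;

-- 4. Run this one from the web application's own connection string:
--    is_sysadmin = 1 means a blind SQLi in the app already carries xp_cmdshell rights.
SELECT SUSER_SNAME() AS current_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 5. Remediation: turn xp_cmdshell off and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Disabling xp_cmdshell only removes this particular shortcut: a sysadmin login can re-enable it through the same sp_configure call, so the lasting fix is query 4 returning 0 for the application login, and query 2 returning a non-SYSTEM service account.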


That's it. Assessment RWP#2: ...... success!


And now for the lazy peeps out there ... 😤


TL/DR: DNS bruteforce, blind MSSQL injection, enabled xp_cmdshell, database service running as NTAuthority/System
