Merge pull request #277 from sepauli/sepauli/fix-mssql_priv

fix mssql_priv

nxc/modules/adcs.py

@@ -27,7 +27,6 @@ def options(self, context, module_options):
         SERVER             PKI Enrollment Server to enumerate templates for. Default is None, use CN name
         BASE_DN            The base domain name for the LDAP query
         """
-        self.context = context
         self.regex = re.compile("(https?://.+)")
 
         self.server = None
@@ -39,6 +38,7 @@ def options(self, context, module_options):
 
     def on_login(self, context, connection):
         """On a successful LDAP login we perform a search for all PKI Enrollment Server or Certificate Templates Names."""
+        self.context = context
         if self.server is None:
             search_filter = "(objectClass=pKIEnrollmentService)"
         else:

nxc/modules/daclread.py

@@ -221,7 +221,6 @@ def options(self, context, module_options):
 
         Based on the work of @_nwodtuhs and @BlWasp_.
         """
-        self.context = context
 
         context.log.debug(f"module_options: {module_options}")
 
@@ -273,6 +272,7 @@ def options(self, context, module_options):
         self.filename = None
 
     def on_login(self, context, connection):
+        self.context = context
         """On a successful LDAP login we perform a search for the targets' SID, their Security Descriptors and the principal's SID if there is one specified"""
         context.log.highlight("Be careful, this module cannot read the DACLS recursively.")
         self.baseDN = connection.ldapConnection._baseDN

nxc/modules/mssql_priv.py

@@ -42,12 +42,12 @@ def options(self, context, module_options):
             - rollback (remove sysadmin privilege)
         """
         self.action = None
-        self.context = context
 
         if "ACTION" in module_options:
             self.action = module_options["ACTION"]
 
     def on_login(self, context, connection):
+        self.context = context
         # get mssql connection
         self.mssql_conn = connection.conn
         # fetch the current user
@@ -441,13 +441,11 @@ def is_admin_user(self, username) -> bool:
         :rtype: bool
         """
         res = self.query_and_get_output(f"SELECT IS_SRVROLEMEMBER('sysadmin', '{username}')")
-        try:
-            if int(res):
-                self.admin_privs = True
-                return True
-            else:
-                return False
-        except Exception:
+        is_admin = res[0][""]
+        if is_admin:
+            self.admin_privs = True
+            return True
+        else:
             return False
 
     def revert_context(self, exec_as):

nxc/modules/nanodump.py

@@ -39,7 +39,6 @@ def options(self, context, module_options):
         NANO_EXE_NAME       Name of the nano executable (default: nano.exe)
         DIR_RESULT          Location where the dmp are stored (default: DIR_RESULT = NANO_PATH)
         """
-        self.context = context
         self.remote_tmp_dir = "C:\\Windows\\Temp\\"
         self.share = "C$"
         self.tmp_share = self.remote_tmp_dir.split(":")[1]

nxc/modules/user-desc.py

@@ -37,7 +37,6 @@ def options(self, context, module_options):
         """
         self.log_file = None
         self.desc_count = 0
-        self.context = context
         self.account_names = set()
         self.keywords = {"pass", "creds", "creden", "key", "secret", "default"}
 
@@ -71,6 +70,7 @@ def on_login(self, context, connection):
         On successful LDAP login we perform a search for all user objects that have a description.
         Users can specify additional LDAP filters that are applied to the query.
         """
+        self.context = context
         self.create_log_file(connection.conn.getRemoteHost(), datetime.now().strftime("%Y%m%d_%H%M%S"))
         context.log.info(f"Starting LDAP search with search filter '{self.search_filter}'")