fix mssql_priv #277

sepauli · 2024-04-26T21:43:32Z

Fixing the Issue #273

The privileged user for the impersonation cannot be found, because there is an issue in the "is_admin_user" function.
Due to the try except statement the admin privileges are always wrong, because the if statement cannot be executed

TypeError: int() argument must be a string, a bytes-like object or a real number, not 'list'

I could sucessfully test my changes on the HTB Academy module “Using CrackMapExec” in the task “MSSQL Enumeration and Attacks”

└─$ docker run --privileged --network host netexec-fixed mssql 10.129.204.177 -u robert -p Inlanefreight01! -M mssql_priv -o ACTION=privesc
...
MSSQL       10.129.204.177  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:inlanefreight.htb)
MSSQL       10.129.204.177  1433   DC01             [+] inlanefreight.htb\robert:Inlanefreight01!
MSSQL_PRIV                                          [+] INLANEFREIGHT\robert can impersonate: julio (sysadmin)
MSSQL_PRIV                                          [+] INLANEFREIGHT\robert is now a sysadmin! (Pwn3d!)

└─$ docker run --privileged --network host netexec-fixed mssql 10.129.204.177 -u robert -p Inlanefreight01! -x whoami
...
MSSQL       10.129.204.177  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:inlanefreight.htb)
MSSQL       10.129.204.177  1433   DC01             [+] inlanefreight.htb\robert:Inlanefreight01! (Pwn3d!)
MSSQL       10.129.204.177  1433   DC01             [+] Executed command via mssqlexec
MSSQL       10.129.204.177  1433   DC01             inlanefreight\svc_mssql

NeffIsBack · 2024-04-26T23:57:35Z

Very nice! Thanks for the fix

Marshall-Hallenbeck · 2024-04-27T00:24:41Z

Sorry I can't test right now (can in 2 days), but I think if the function that saves to res fails it's None, that's why they int'd it before, so if we just reference it it'll KeyError or whatever. I'll have to test it but if someone else can that'd be cool.

NeffIsBack · 2024-04-27T12:30:53Z

Lol also no one (including me) noticed that the logger in the module is completely broken

NeffIsBack · 2024-04-27T12:40:40Z

@Marshall-Hallenbeck Looks like thats just an object with "1" or "0" depending on the user being sysadmin or not

NeffIsBack · 2024-04-27T12:53:53Z

fyi, fixed the logger

NeffIsBack

LGTM

NeffIsBack · 2024-04-27T20:35:57Z

Also fixed the context bug for some other modules like adcs:

fix mssql_priv

fe0ec9c

sepauli requested review from zblurx, Marshall-Hallenbeck, NeffIsBack and mpgn as code owners April 26, 2024 21:43

fix is_admin_user function

a6271ce

NeffIsBack added the bug-fix This Pull Request fixes a bug label Apr 26, 2024

Fix context logger in mssql_priv

768d462

Fix context logger in different modules

d7918cd

NeffIsBack approved these changes Apr 27, 2024

View reviewed changes

Marshall-Hallenbeck merged commit 60db634 into Pennyw0rth:main Apr 27, 2024
5 checks passed

NeffIsBack mentioned this pull request Apr 29, 2024

mssql_priv module can't find any path to privesc #273

Closed

sepauli deleted the sepauli/fix-mssql_priv branch April 29, 2024 13:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix mssql_priv #277

fix mssql_priv #277

sepauli commented Apr 26, 2024

NeffIsBack commented Apr 26, 2024

Marshall-Hallenbeck commented Apr 27, 2024

NeffIsBack commented Apr 27, 2024

NeffIsBack commented Apr 27, 2024

NeffIsBack commented Apr 27, 2024

NeffIsBack left a comment

NeffIsBack commented Apr 27, 2024

fix mssql_priv #277

fix mssql_priv #277

Conversation

sepauli commented Apr 26, 2024

NeffIsBack commented Apr 26, 2024

Marshall-Hallenbeck commented Apr 27, 2024

NeffIsBack commented Apr 27, 2024

NeffIsBack commented Apr 27, 2024

NeffIsBack commented Apr 27, 2024

NeffIsBack left a comment

Choose a reason for hiding this comment

NeffIsBack commented Apr 27, 2024