Closed sepauli closed 2 months ago
Not really obvious at first what might be the problem here.
Is this a domain on some HTB box or something else where I can debug the bug myself?
Otherwise could you maybe pull down the repo manually, do pipx install . -e --force
and checkout the past commits, to see when it worked the last time?
https://github.com/Pennyw0rth/NetExec/commits/main/nxc/modules/mssql_priv.py
Which cme version is this? Latest from the apt repositories?
I encountered the error in the HTB Academy module “Using CrackMapExec” in the task “MSSQL Enumeration and Attacks”. In addition to crackmapexec, I also run the tasks with NetExec. According to the Discord, other people have also recently run into the error here.
I have tested the older versions/commits of NetExec. https://github.com/Pennyw0rth/NetExec/commits/main/nxc/modules/mssql_priv.py
I reinstalled the OS once and ran NetExec in a Docker container to avoid any hiccup from other programs; unfortunately, it does not work.
crackmapexec is the oldest version in the apt repository of kali linux. Version : 5.4.0 Codename: Indestructible G0thm0g
Unfortunately, I could not find an HTB box in the HTB Lab with this type of privilege escalation to test against.
Thanks for the info!
@mpgn do you have access to htb academy? Any chance you could take a look at it?
I found the issue.
The privileged user for the impersonation cannot be found because there is an issue in the "is_admin_user" function. Due to the try/except statement the admin privileges are always wrong, because the if statement can never be executed:
TypeError: int() argument must be a string, a bytes-like object or a real number, not 'list'
I could successfully test my changes.
└─$ docker run --privileged --network host netexec-fixed mssql 10.129.204.177 -u robert -p Inlanefreight01! -M mssql_priv -o ACTION=privesc
...
MSSQL 10.129.204.177 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:inlanefreight.htb)
MSSQL 10.129.204.177 1433 DC01 [+] inlanefreight.htb\robert:Inlanefreight01!
MSSQL_PRIV [+] INLANEFREIGHT\robert can impersonate: julio (sysadmin)
MSSQL_PRIV [+] INLANEFREIGHT\robert is now a sysadmin! (Pwn3d!)
└─$ docker run --privileged --network host netexec-fixed mssql 10.129.204.177 -u robert -p Inlanefreight01! -x whoami
...
MSSQL 10.129.204.177 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:inlanefreight.htb)
MSSQL 10.129.204.177 1433 DC01 [+] inlanefreight.htb\robert:Inlanefreight01! (Pwn3d!)
MSSQL 10.129.204.177 1433 DC01 [+] Executed command via mssqlexec
MSSQL 10.129.204.177 1433 DC01 inlanefreight\svc_mssql
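The bug class described in the comment above, as an added illustration that is not NetExec's own code: a broad try/except around an admin check swallows a TypeError raised when int() is handed a whole result row (a list) instead of a single column value, so the function silently reports "not admin" for everyone. The query stub, the result-row shape and both function bodies are constructed for this example; the fixed variant indexes the first column and only catches the errors that actually mean "no usable answer".

```python
# Added example of the failure mode reported in the thread: a blanket
# except hides "int() argument must be ... not 'list'" and turns every
# admin check into a false negative. Everything here is constructed;
# it is not the NetExec mssql_priv implementation.

def fake_query(sql):
    """Constructed stand-in for a DB driver call.

    Returns rows as lists of column values, the shape that makes
    int(row) fail. One row with a single column '1' means sysadmin."""
    if "IS_SRVROLEMEMBER" in sql:
        return [[1]]
    return []


def is_admin_user_buggy(query):
    """Passes the whole row (a list) to int(); the resulting TypeError is
    swallowed by 'except Exception' and the function always returns False,
    so the caller never sees a privileged user."""
    try:
        rows = query("SELECT IS_SRVROLEMEMBER('sysadmin')")
        if int(rows[0]) == 1:      # rows[0] is [1], not 1 -> TypeError
            return True
        return False
    except Exception:
        return False


def is_admin_user_fixed(query):
    """Indexes the first column of the first row, checks for an empty
    result explicitly, and narrows the except to the errors that mean
    'not a numeric answer' rather than hiding programming mistakes."""
    rows = query("SELECT IS_SRVROLEMEMBER('sysadmin')")
    if not rows or not rows[0]:
        return False
    try:
        return int(rows[0][0]) == 1
    except (TypeError, ValueError):
        return False


def diagnose(query):
    """Re-runs the buggy expression without the except so the hidden
    error surfaces; returns the TypeError message, or None if no error."""
    rows = query("SELECT IS_SRVROLEMEMBER('sysadmin')")
    try:
        int(rows[0])
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("buggy :", is_admin_user_buggy(fake_query))   # False, wrongly
    print("fixed :", is_admin_user_fixed(fake_query))   # True
    print("hidden:", diagnose(fake_query))
```

The practical lesson is the one the comment points at: when a check wraps its whole body in `except Exception`, a shape mismatch in the returned data degrades into a plausible-looking negative result instead of a crash, and the only way to see it is to remove the except (or log the exception) as `diagnose()` does.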
Closing as it was fixed in #277
Describe the bug: When trying to escalate the privileges via the mssql_priv module I get the error "can't find any path to privesc", but it works with exactly the same arguments in crackmapexec.
To Reproduce
When using crackmapexec with it works as expected
NetExec info