Pennyw0rth / NetExec

The Network Execution Tool
https://netexec.wiki/
BSD 2-Clause "Simplified" License

mssql_priv module can't find any path to privesc #273

Closed sepauli closed 2 months ago

sepauli commented 2 months ago

Describe the bug

When trying to escalate privileges via the mssql_priv module I get the error "can't find any path to privesc", but it works with exactly the same arguments in crackmapexec.

To Reproduce

└─$ docker run --network host --rm -it netexec --verbose --debug mssql 10.129.190.104 -u myusername -p 'mysecurepass' -M mssql_priv -o ACTION=privesc
...
[*] Copying default configuration file
[21:15:19] INFO     Socket info: host=10.129.190.104, hostname=10.129.190.104, kerberos=False, ipv6=False, link-local ipv6=False                       connection.py:105
           INFO     NTLM challenge:                                                                                                                         mssql.py:120
MSSQL       10.129.190.104  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:mydomain.tld)
           INFO     Encryption required, switching to TLS                                                                                                     tds.py:873
MSSQL       10.129.190.104  1433   DC01             [+] mydomain.tld\myusername:mysecurepass 
MSSQL_PRIV                                          [*] MYDOMAIN\myusername can impersonate: julio
MSSQL_PRIV                                          [*] julio can impersonate: MYDOMAIN\robert
MSSQL_PRIV                                          [-] can't find any path to privesc

When using crackmapexec it works as expected:

└─$ crackmapexec --verbose mssql 10.129.190.104 -u myusername -p mysecurepass -M mssql_priv -o ACTION=privesc
DEBUG:root:Passed args:
{'aesKey': None,
 'clear_obfscripts': False,
 'connectback_host': None,
 'continue_on_success': False,
 'cred_id': [],
 'darrell': False,
 'domain': None,
 'execute': None,
 'export': None,
 'fail_limit': None,
 'force_ps32': False,
 'get_file': None,
 'gfail_limit': None,
 'hash': [],
 'jitter': None,
 'kdcHost': None,
 'kerberos': False,
 'list_modules': False,
 'local_auth': False,
 'module': 'mssql_priv',
 'module_options': ['ACTION=privesc'],
 'mssql_query': None,
 'no_bruteforce': False,
 'no_output': False,
 'obfs': False,
 'password': ['mysecurepass'],
 'port': 1433,
 'protocol': 'mssql',
 'ps_execute': None,
 'put_file': None,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'show_module_options': False,
 'target': ['10.129.190.104'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'use_kcache': False,
 'username': ['myusername'],
 'verbose': True}
DEBUG Passed args:
{'aesKey': None,
 'clear_obfscripts': False,
 'connectback_host': None,
 'continue_on_success': False,
 'cred_id': [],
 'darrell': False,
 'domain': None,
 'execute': None,
 'export': None,
 'fail_limit': None,
 'force_ps32': False,
 'get_file': None,
 'gfail_limit': None,
 'hash': [],
 'jitter': None,
 'kdcHost': None,
 'kerberos': False,
 'list_modules': False,
 'local_auth': False,
 'module': 'mssql_priv',
 'module_options': ['ACTION=privesc'],
 'mssql_query': None,
 'no_bruteforce': False,
 'no_output': False,
 'obfs': False,
 'password': ['mysecurepass'],
 'port': 1433,
 'protocol': 'mssql',
 'ps_execute': None,
 'put_file': None,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'show_module_options': False,
 'target': ['10.129.190.104'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'use_kcache': False,
 'username': ['myusername'],
 'verbose': True}
DEBUG:asyncio:Using selector: EpollSelector
DEBUG Using selector: EpollSelector
DEBUG:root:Running
DEBUG Running
DEBUG:root:Started thread poller
DEBUG Started thread poller
MSSQL       10.129.190.104  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:mydomain.tld)
INFO:impacket:Encryption required, switching to TLS
DEBUG Encryption required, switching to TLS
DEBUG:root:add_credential(credtype=plaintext, domain=MYDOMAIN, username=myusername, password=mysecurepass, groupid=None, pillaged_from=None) => None
DEBUG add_credential(credtype=plaintext, domain=MYDOMAIN, username=myusername, password=mysecurepass, groupid=None, pillaged_from=None) => None
MSSQL       10.129.190.104  1433   DC01             [+] mydomain.tld\myusername:mysecurepass 
MSSQL_PR... 10.129.190.104  1433   DC01             [+] MYDOMAIN\myusername can impersonate julio (sysadmin)
MSSQL_PR... 10.129.190.104  1433   DC01             [+] MYDOMAIN\myusername is now a sysadmin! (Pwn3d!)
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller

NetExec info

NeffIsBack commented 2 months ago

Not really obvious at first what might be the problem here. Is this a domain on some HTB box or something else where I can debug the bug myself? Otherwise, could you maybe pull down the repo manually, do pipx install . -e --force and check out the past commits to see when it worked the last time? https://github.com/Pennyw0rth/NetExec/commits/main/nxc/modules/mssql_priv.py

NeffIsBack commented 2 months ago

Which cme version is this? Latest from the apt repositories?

sepauli commented 2 months ago

I encountered the error in the HTB Academy module “Using CrackMapExec” in the task “MSSQL Enumeration and Attacks”. In addition to crackmapexec, I also run the tasks with NetExec. According to the Discord, other people have also recently run into the error here.

I have tested the older versions/commits of NetExec. https://github.com/Pennyw0rth/NetExec/commits/main/nxc/modules/mssql_priv.py

I reinstalled the OS once and ran NetExec in a Docker container to avoid any hiccup from other programs; unfortunately, it does not work.

crackmapexec is the oldest version in the apt repository of Kali Linux. Version: 5.4.0, Codename: Indestructible G0thm0g

Unfortunately, I could not find an HTB box in the HTB Lab with this type of privilege escalation to test.

NeffIsBack commented 2 months ago

Thanks for the info!

@mpgn do you have access to htb academy? Any chance you could take a look at it?

sepauli commented 2 months ago

I found the issue.

The privileged user for the impersonation cannot be found because there is an issue in the "is_admin_user" function. Due to the try/except statement the admin privileges are always wrong, because the if statement cannot be executed:

TypeError: int() argument must be a string, a bytes-like object or a real number, not 'list'

I could successfully test my changes.

└─$ docker run --privileged --network host netexec-fixed mssql 10.129.204.177 -u robert -p Inlanefreight01! -M mssql_priv -o ACTION=privesc
...
MSSQL       10.129.204.177  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:inlanefreight.htb)
MSSQL       10.129.204.177  1433   DC01             [+] inlanefreight.htb\robert:Inlanefreight01!
MSSQL_PRIV                                          [+] INLANEFREIGHT\robert can impersonate: julio (sysadmin)
MSSQL_PRIV                                          [+] INLANEFREIGHT\robert is now a sysadmin! (Pwn3d!)
└─$ docker run --privileged --network host netexec-fixed mssql 10.129.204.177 -u robert -p Inlanefreight01! -x whoami
...
MSSQL       10.129.204.177  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:inlanefreight.htb)
MSSQL       10.129.204.177  1433   DC01             [+] inlanefreight.htb\robert:Inlanefreight01! (Pwn3d!)
MSSQL       10.129.204.177  1433   DC01             [+] Executed command via mssqlexec
MSSQL       10.129.204.177  1433   DC01             inlanefreight\svc_mssql
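Reconstruction of the failure mode described in the comment above (added example code, not NetExec's own implementation): a sysadmin check that calls int() on the whole list of result rows inside a broad try/except, so the TypeError is swallowed, every login looks unprivileged and the impersonation walk ends in "can't find any path to privesc". The row shape (list of dicts, unnamed column keyed by "") and the sample impersonation data are constructed to match the issue's output.

```python
"""Buggy vs. fixed sysadmin check and the impersonation walk that depends on it.
Hypothetical reconstruction for illustration; not the module's real code."""
import logging
from collections import deque
from typing import Any, Callable, Optional

log = logging.getLogger("mssql_priv_demo")

# Constructed sample data modelled on the issue's output. The row shape (list of
# dicts, unnamed column keyed by "") is an assumption about the driver.
CAN_IMPERSONATE = {"MYDOMAIN\\myusername": ["julio"], "julio": ["MYDOMAIN\\robert"]}
ROLE_ROWS = {  # result of SELECT IS_SRVROLEMEMBER('sysadmin') as each login
    "MYDOMAIN\\myusername": [{"": 0}], "julio": [{"": 1}], "MYDOMAIN\\robert": [{"": 0}],
}

def is_admin_user_buggy(rows: list[dict[str, Any]]) -> bool:
    """Buggy pattern: int() applied to the list, not to the cell it contains."""
    try:
        return bool(int(rows))  # TypeError: ... not 'list', on every call
    except Exception:
        return False  # swallowed: the bug is invisible and the answer is wrong

def is_admin_user_fixed(rows: list[dict[str, Any]]) -> bool:
    """Fixed pattern: unwrap the single cell, catch only the errors expected."""
    if not rows or not rows[0]:
        return False
    cell = next(iter(rows[0].values()))
    try:
        return int(cell) == 1
    except (TypeError, ValueError) as exc:
        log.warning("unexpected IS_SRVROLEMEMBER result %r: %s", cell, exc)
        return False

def find_privesc_path(start: str, check: Callable[[list], bool]) -> Optional[list[str]]:
    """Breadth-first walk over impersonation rights until a sysadmin is found."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if check(ROLE_ROWS.get(path[-1], [])):
            return path
        for nxt in CAN_IMPERSONATE.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # "can't find any path to privesc"
```

With the buggy check the walk visits every login and returns None; with the fixed one it returns the two-step path through julio that the crackmapexec output shows.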

NeffIsBack commented 2 months ago

Closing as it was fixed in #277