SQL XP_CMDSHELL Post-Exploitation

Hi Friends,

I have a small tutorial on a post exploitation and privilege escalation on XP_CMDSHELL. It is very often that when you are able to compromise a server then the next move is to create reverse shell using nc (nc -nlvp 4444). This steps are just like muscle remember for post exploitation, this is quite bored steps.

I would like to share in this post to leverage the use of Cobaltstrike to handle the post exploitation hence we can use the multiple of built-in function of cobaltstrike to navigate the post exploitation. I believe this will make so much fun

Post Exploitation

Since we are focusing on the post-exploitation so in this tutorial I have had the access to the SQL Server with the mssqlclient.py. I have access as DB admin on the server and running as the service account.

Because we are connected to the database as an admin then we can activate the access to the cmd by executing this command “enable_xp_cmdshell“. You can refer the detail of what is xp_cmdshell on previous post https://rioasmara.com/2020/01/31/mssql-rce-and-reverse-shell-xp_cmdshell/

As we are only connected to the machine using access from the database with capability of remote command execution then we need to leverage the access to CobaltStrike to have more functionality and flexibility

Generating Beacon

As we know that cobaltsrike use beacon to work on the compromised host hence we need to deliver and install cobaltstrike beacon.We can use the powershell beacon that is provided by the cobaltstrike with the below steps

Cobaltstrike provide an easy way to deliver the beacon including hosting the beacon and prvide a command to run and execute beacon on the host. Lets generate the Scripted Web Delivery. Follow the steps below

Below is the detail of the above steps

  1. Set your payload file name. That is the file which will be used to host the beacon payload. You can create a fake .txt or .jpeg file here. Basically it is just a powershell file
  2. Set the server IP that is going to host the file. Remember that the powershell will download the payload from the IP that you keyin there
  3. Set the Server Port
  4. Select the listener that is going to accept the connection back from the victim machine
  5. Select the type is powershell IIEX
  6. Last select Launch

CobaltStrike provide the above powershell onliner to be executed in the victim host. IEX downloadstring command is to download string and push it to memory, so this is kind of fileless attack. Unfortunately, We cannot just paste the above command to xp_cmdshell since the quote on the string will make problem. So the solutiion is to encode the command with base64 encoding.

The next things to do is to copy the oneliner to text file and do the following command for encoding. I saved the file name as powershell.txt

cat powershell.txt | iconv -t UTF-16LE | base64 -w 0

After the based64 encoded string has been generated then you can copy it to the SQLServer that you have compromised to start the beacon connection with the following command. Basically we are telling powershell with parameter -enc to be run and execute the command in the encoded string.

xp_cmdshell powershell -enc [ENCODED-STRING]

When we executed the command in the MSSQL then we can see that the file has been downloaded. You can check on the cobalstrike server logs

We can see that a new beacon connection has been established. We have successfully deliver and install new beacon to the host

Now you can initiate to start the interaction with the beacon by right click on the row and select interact

Privilege Escalation

Enumerating the beacon security context by checking the privilege assigned to the account by using the command run whoami /priv

The result showing that we have SeImpersonatePrivilege. As you may have known that this privilege can be abused using the potato attack

I downloaded the release binary from the https://github.com/antonioCoco/JuicyPotatoNG and upload them to the server on the C:/Temp

Based on the instruction on the website that we can run a program on the server with the JuicyPotato. So I made another beacon payload with Cobaltstrike and upload them to the same folder in C:\Temp or you can actually create a bat file which will contain the previous payload with powershell -enc [ENCODED_PAYLOAD] and upload the bat file to the server.

I executed the above command in order to exploit the SeImpersonatePrivilege rights and run the beacon on highest privilege.

New beacon is connected with the highest privilege on the server as we can see that user is SYSTEM with * means we have administrator access on the server.

Get the Golden Ticket

As we know that the server that we compromised is a domain controller server hence we can do further escalation in order to create the Golden Ticket

To create the Golden ticket you need a krbtgt hash from the domain controller. You can run this command from the cobalt interactive beacon. Now you have the krbtgt hash

The next is to get the domain SID. You can also run the below command

with the above command then you can get the domain SID as highlighted

Based on the above information then you have enough information to create the golden ticket. To create the golden ticket using cobatstrike is easy. Just right click on the admin privilege beacon and select Golden Ticket

Follow the steps below

  1. Input the username that you want to use (rio) or Administrator
  2. input the domain name (csrm.local)
  3. Input the Domain SID that we got from previous command
  4. Last select the KRBTGT hash that we got from hashdump. You can select using the … button
  5. Press Build

Golden ticket creation is success. The ticket has also been activated. You can check with the command below

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s