HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)
HackTheBox P.O.O Writeup Series:
- PART 1: HackTheBox Endgame P.O.O Writeup Part 1 – Recon (Flag 01/05)
- PART 2: HackTheBox Endgame P.O.O Writeup Part 2 – Huh?! (Flag 02/05)
- PART 3: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)
- PART 4: HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)
- PART 5: p00ned (Coming soon)
HackTheBox POO Backtrack is the stage where you will need to exploit the SQL Server to get your way in the gain system shell and escalate yourself to gain Administrator password and gain full access to the system.
This was the hard step where I wasn’t able to gain the shell. The script I used was giving me “MSSQL failed: (18452, ‘Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.DB-Lib error message 20018,” error. I researched a lot of gaining MSSQL shell but none helped me. Later in one of the forum I found that “XP_cmdshell” feature for Microsoft SQL Server needs to be enabled.
So I enabled the XP_cmdshell feature and proceed to run the exploit script again, but I welcomed with another error:
After fixing the previous error, now I was able to login successfully, but seems like “xp_cmdshell” failing to enable, I have a new error now. At this point, the server is very unstable, the SQL Management studio in my windows host machine disconnects and become unresponsive repeatedly.
After reading n number of articles on SQL XP_CMDShell, I finally found what I was doing wrong and fixed. The result of hard work paid-off, I successfully gained SQLSell. 🙂
I got the shell, but I’m a public user, I have limited access to the system. I can’t read anything or write. However, after looking for tips all over the HTB and Discord; a Discord user told me that I can run Python commands to read a web.config file, I never used Python as a scripting language in SQL, so it is something new for me.
I made a several scripts myself, but at one point it fails, I even tried to read the file using XP_CMDShell as mentioned in this article, but failed again and again. Finally, I made a very simple Python script to print the contents of the web.config file based on this article.
The Stored procedures in SQL Server starting from 2016, executes a script provided as an input from couple of languages like Python and R language. To run Python within the MS SQL just call the stored procedure using “
sp_execute_external_script” and your script. What I did was, I called the stored procedure “Execute External Script” and defined “Python” as my scripting language using “@language = N’Python’,” and start my script with handle @script = ” ——————– “. Ref
sp_execute_external_script @language = N'language', @script = N'script' [ , @input_data_1 = N'input_data_1' ] [ , @input_data_1_name = N'input_data_1_name' ] [ , @input_data_1_order_by_columns = N'input_data_1_order_by_columns' ] [ , @input_data_1_partition_by_columns = N'input_data_1_partition_by_columns' ] [ , @output_data_1_name = N'output_data_1_name' ] [ , @parallel = 0 | 1 ] [ , @params = N'@parameter_name data_type [ OUT | OUTPUT ] [ ,...n ]' ] [ , @parameter1 = 'value1' [ OUT | OUTPUT ] [ ,...n ] ]
The file web.config cobtains administrator credentials:
Now that I have the Administrator credentials, I know whereto use, if you recall correctly, from my enum I found a directory called “http://poo.htb/admin/”
As soon as I logged in, I obtained the 3rd flag of POO.
That’s all folks!!, See you soon with another write-up – If you like my articles, I’m open for +Respects 😉 : https://www.hackthebox.eu/home/users/profile/68523