HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)

HackTheBox P.O.O Writeup Series:

  1. PART 1: HackTheBox Endgame P.O.O Writeup Part 1 – Recon (Flag 01/05)
  2. PART 2: HackTheBox Endgame P.O.O Writeup Part 2 – Huh?! (Flag 02/05)
  3. PART 3: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)
  4. PART 4: HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)
  5. PART 5: p00ned (Coming soon)

HackTheBox POO Backtrack is the stage where you will need to exploit the SQL Server to get your way in the gain system shell and escalate yourself to gain Administrator password and gain full access to the system.

This was the hard step where I wasn’t able to gain the shell. The script I used was giving me “MSSQL failed: (18452, ‘Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.DB-Lib error message 20018,” error. I researched a lot of gaining MSSQL shell but none helped me. Later in one of the forum I found that “XP_cmdshell” feature for Microsoft SQL Server needs to be enabled.

HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack and Foothold (Flag 03 and 04 /05)

So I enabled the XP_cmdshell feature and proceed to run the exploit script again, but I welcomed with another error:

After fixing the previous error, now I was able to login successfully, but seems like “xp_cmdshell” failing to enable, I have a new error now. At this point, the server is very unstable, the SQL Management studio in my windows host machine disconnects and become unresponsive repeatedly.

After reading n number of articles on SQL XP_CMDShell, I finally found what I was doing wrong and fixed. The result of hard work paid-off, I successfully gained SQLSell. 🙂

HackTheBox POO – SQL XP_CMDShell

I got the shell, but I’m a public user, I have limited access to the system. I can’t read anything or write. However, after looking for tips all over the HTB and Discord; a Discord user told me that I can run Python commands to read a web.config file, I never used Python as a scripting language in SQL, so it is something new for me.

I made a several scripts myself, but at one point it fails, I even tried to read the file using XP_CMDShell as mentioned in this article, but failed again and again. Finally, I made a very simple Python script to print the contents of the web.config file based on this article.

The Stored procedures in SQL Server starting from 2016, executes a script provided as an input from couple of languages like Python and R language. To run Python within the MS SQL just call the stored procedure using “sp_execute_external_script” and your script. What I did was, I called the stored procedure “Execute External Script” and defined “Python” as my scripting language using “@language = N’Python’,” and start my script with handle @script = ” ——————– “. Ref

Example:

sp_execute_external_script   
    @language = N'language',   
    @script = N'script'  
    [ , @input_data_1 = N'input_data_1' ]   
    [ , @input_data_1_name = N'input_data_1_name' ]  
    [ , @input_data_1_order_by_columns = N'input_data_1_order_by_columns' ]    
    [ , @input_data_1_partition_by_columns = N'input_data_1_partition_by_columns' ]  
    [ , @output_data_1_name = N'output_data_1_name' ]  
    [ , @parallel = 0 | 1 ]  
    [ , @params = N'@parameter_name data_type [ OUT | OUTPUT ] [ ,...n ]' ] 
    [ , @parameter1 = 'value1' [ OUT | OUTPUT ] [ ,...n ] ]

The file web.config cobtains administrator credentials:

Administrator:Ev—————-O.O.

Now that I have the Administrator credentials, I know whereto use, if you recall correctly, from my enum I found a directory called “http://poo.htb/admin/”

As soon as I logged in, I obtained the 3rd flag of POO.

HackTheBox POO 3rd Flag

That’s all folks!!, See you soon with another write-up – If you like my articles, I’m open for +Respects 😉 : https://www.hackthebox.eu/home/users/profile/68523

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

You may also like...

Subscribe
Notify of
guest
3 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback
9 months ago

[…] Previous Post Previous post: HackTheBox Endgame P.O.O Writeup Part 1 – Recon (Flag 01/05)Next Post Next post: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05) […]

trackback
9 months ago

[…] HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05) […]

trackback
8 months ago

[…] Previous Post Previous post: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05) […]

Sorry, that action is blocked.