Add database logic for hash login and ensure admin relation is added via queried userid

Author: NeffIsBack

nxc/protocols/winrm.py

@@ -31,7 +31,6 @@ def __init__(self, args, db, host):
         self.server_os = None
         self.output_filename = None
         self.endpoint = None
-        self.hash = None
         self.lmhash = ""
         self.nthash = ""
         self.ssl = False
@@ -165,11 +164,13 @@ def plaintext_login(self, domain, username, password):
 
             self.logger.debug(f"Adding credential: {domain}/{self.username}:{self.password}")
             self.db.add_credential("plaintext", domain, self.username, self.password)
-            # TODO: when we can easily get the host_id via RETURNING statements, readd this in
+            user_id = self.db.get_credential("plaintext", domain, self.username, self.password)
+            host_id = self.db.get_hosts(self.host)[0].id
+            self.db.add_loggedin_relation(user_id, host_id)
 
             if self.admin_privs:
                 self.logger.debug("Inside admin privs")
-                self.db.add_admin_user("plaintext", domain, self.username, self.password, self.host)  # , user_id=user_id)
+                self.db.add_admin_user("plaintext", domain, self.username, self.password, self.host, user_id=user_id)  # , user_id=user_id)
                 add_user_bh(f"{self.hostname}$", domain, self.logger, self.config)
 
             if not self.args.local_auth and self.username != "":
@@ -211,8 +212,13 @@ def hash_login(self, domain, username, ntlm_hash):
             self.check_if_admin()
             self.logger.success(f"{self.domain}\\{self.username}:{process_secret(nthash)} {self.mark_pwned()}")
 
+            self.db.add_credential("hash", domain, self.username, ntlm_hash)
+            user_id = self.db.get_credential("hash", domain, self.username, ntlm_hash)
+            host_id = self.db.get_hosts(self.host)[0].id
+            self.db.add_loggedin_relation(user_id, host_id)
+
             if self.admin_privs:
-                self.db.add_admin_user("hash", domain, self.username, nthash, self.host)
+                self.db.add_admin_user("hash", domain, self.username, nthash, self.host, user_id=user_id)
                 add_user_bh(f"{self.hostname}$", domain, self.logger, self.config)
 
             if not self.args.local_auth and self.username != "":

nxc/protocols/winrm/database.py

@@ -128,7 +128,6 @@ def add_host(self, ip, port, hostname, domain, os=None):
 
     def add_credential(self, credtype, domain, username, password, pillaged_from=None):
         """Check if this credential has already been added to the database, if not add it in."""
-        domain = domain.split(".")[0].upper()
         credentials = []
 
         credential_data = {}
@@ -275,6 +274,16 @@ def get_credentials(self, filter_term=None, cred_type=None):
 
         return self.db_execute(q).all()
 
+    def get_credential(self, cred_type, domain, username, password):
+        q = select(self.UsersTable).filter(
+            self.UsersTable.c.domain == domain,
+            self.UsersTable.c.username == username,
+            self.UsersTable.c.password == password,
+            self.UsersTable.c.credtype == cred_type,
+        )
+        results = self.db_execute(q).first()
+        return results.id
+
     def is_credential_local(self, credential_id):
         q = select(self.UsersTable.c.domain).filter(self.UsersTable.c.id == credential_id)
         user_domain = self.db_execute(q).all()