Archetype (Tier 2)
Tier -> 2
Difficulty -> Very Easy
OS -> Windows
Tags -> Protocols / MSSQL / SMB / Powershell / Reconnaissance / Remote Code Execution / Clear Text Credentials / Information Disclosure / Anonymous-Guest Access
I started with an initial port scan of the target.
I found two interesting services: an SMB server on port 445 and a Microsoft SQL Server database on port 1433. I started interacting with the SMB service with an SMB client, trying to list the shared folders. When asked for a password I just pressed Enter, sending a blank password (an anonymous, or null, session), and the listing of shares succeeded.
To learn more about the SMB protocol, see the linked page.
With this, I answered the first question.
Answer: 1433
Then I ran a more exhaustive scan against the open ports to fingerprint the services running on them.
With this, I answered the next question.
Answer: backups
Then I tried to access each of these shares and check its content, starting with the conspicuously named backups share, which had no access restrictions and was readable over the anonymous session. Once inside, I listed the contents of the share and found a file that looked like a backup of important information, so I downloaded it to my machine and closed the connection.
I checked the file's content and found configuration details for a product, and within them credentials for a database. These could well be for the MS SQL instance running on the machine.
With this and some research, I answered the next questions.
Answer: M3g4c0rp123
Answer: mssqlclient.py
Answer: xp_cmdshell
Answer: WinPEAS
To connect to the database I used the Impacket toolkit, specifically its mssqlclient module, with the credentials found in the file. As I knew this was a Windows host, I specified Windows authentication, and after starting the connection I was successfully logged in.
Once inside, I explored the database but found nothing relevant, so next I checked whether the xp_cmdshell extended stored procedure could be abused, which would give me command execution on the host through MS SQL. I tried to execute a command, but the server replied that the component was not enabled, so I enabled it through sp_configure (first show advanced options, then xp_cmdshell, running RECONFIGURE after each change) and on retrying it worked.
This reconfiguration only works if the login holds high enough privileges: changing xp_cmdshell through sp_configure requires the ALTER SETTINGS server permission, which members of the sysadmin and serveradmin server roles hold.
To learn the complete process for abusing xp_cmdshell, see the linked page.
As I could now execute system commands, I tried to invoke PowerShell to interact with the system more comfortably. I did a small test using the pwd command and got the expected output back.
Abusing this, I could enumerate files on the system. I went to the user's Desktop folder and listed its contents, where I found a user.txt file, which I read to obtain the user flag.
I then had to find a way to escalate privileges, so I used WinPEAS to look for an escalation path. I got it onto the target, ran it, and once the scan had finished checked the results, which pointed me to the paths of some interesting files.
I noticed that one of those paths was in a PowerShell-related folder inside the user's profile and looked like the command history file. When I navigated to that path and read the file, I found a command from a previous connection made as the Administrator user, and the corresponding password for that user was leaked in clear text.
With this and the previously found user flag, I answered the next questions.
Answer: ConsoleHost_history.txt
Answer: 3e7b102e78218e935bf3f4951fec21a3
Knowing this, I could try to authenticate to the network service on the target with these credentials. Impacket helped me again, this time with the psexec module, and with it I successfully logged in as a privileged user.
Finally, I navigated to the Administrator user's Desktop folder, where I found a root.txt file; reading its content gave me the root flag.
With this I got the root flag and pwned the machine.
Answer: b91ccec3305e98240082d4474b848528
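As an added example (this is not code from the original write-up), here is a small Python helper covering the two places this box leaked credentials: a database connection string inside the configuration backup pulled from the backups share, and credential-bearing commands in the PowerShell history file (PSReadLine keeps it at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt). It assumes the backup is an XML file carrying an ADO/SSIS-style connection string, which the write-up does not state. The sample config and history lines are constructed: the password M3g4c0rp123 is the one the write-up reports, and every other host, user and password value is a placeholder.

```python
"""Hunt for clear-text credentials in two artifacts of the kind found in
this write-up: a configuration backup holding a database connection
string, and a PowerShell (PSReadLine) command history file.
All sample data below is constructed for this example."""
import re

# A connection string starts at a Data Source= or Server= key and runs until
# the enclosing XML tag or attribute quote ends it (assumed file format).
CONN_RE = re.compile(r'(?:Data Source|Server)=[^<"\r\n]+', re.I)

# Quoted or bare token that follows a credential-bearing switch or parameter.
QUOTED = r"""(?:'([^']*)'|"([^"]*)"|(\S+))"""

# Command shapes that leave a password in the history file. The net use rule
# refuses a following switch (/persistent:no) so a prompted password is not
# confused with the next argument.
HISTORY_RULES = [
    ("net use with inline password",
     re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:\S+\s+(?!/)" + QUOTED, re.I)),
    ("-Password parameter",
     re.compile(r"-Password\s+" + QUOTED, re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+" + QUOTED + r"\s+-AsPlainText", re.I)),
    # sqlcmd's -P switch; kept case-sensitive so an Invoke-Sqlcmd -Password
    # line is reported once, by the rule above, and not again here.
    ("sqlcmd -P",
     re.compile(r"\bsqlcmd(?:\.exe)?\b.*?\s-P\s*" + QUOTED)),
]

# Constructed sample of a configuration backup (SSIS .dtsConfig-style XML is
# an assumption); the password is the one the write-up reports.
SAMPLE_CONFIG = r"""<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=EXAMPLE\db_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Constructed sample history; hosts, users and passwords are placeholders.
SAMPLE_HISTORY = r"""Get-ChildItem C:\Users
net.exe use T: \\EXAMPLE\backups /user:administrator Example_P4ss!
net use S: \\EXAMPLE\share /user:svc /persistent:no
$pw = ConvertTo-SecureString 'Sup3rS3cret' -AsPlainText -Force
Invoke-Sqlcmd -ServerInstance . -Username sa -Password "sa_p4ss" -Query 'select 1'
exit
"""


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased names."""
    parsed = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            parsed[key.strip().lower()] = value.strip()
    return parsed


def find_connection_strings(text):
    """Return host/user/password for every connection string carrying a password."""
    hits = []
    for match in CONN_RE.finditer(text):
        parsed = parse_connection_string(match.group(0))
        password = parsed.get("password") or parsed.get("pwd")
        if password:
            hits.append({
                "host": parsed.get("data source") or parsed.get("server"),
                "user": parsed.get("user id") or parsed.get("uid"),
                "password": password,
            })
    return hits


def scan_history(text):
    """Return one finding per history line and rule that captured a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in HISTORY_RULES:
            match = pattern.search(line)
            if match:
                secret = next(g for g in match.groups() if g is not None)
                findings.append({"line": lineno, "rule": name,
                                 "secret": secret, "command": line.strip()})
    return findings


def redact(secret):
    """Keep only the first character so a finding stays recognisable in a report."""
    return secret[:1] + "*" * (len(secret) - 1)


if __name__ == "__main__":
    for hit in find_connection_strings(SAMPLE_CONFIG):
        print(f"config: host={hit['host']} user={hit['user']} password={redact(hit['password'])}")
    for f in scan_history(SAMPLE_HISTORY):
        print(f"history line {f['line']}: {f['rule']} -> {redact(f['secret'])}")
```

Run against the real artifacts, point find_connection_strings at the downloaded backup and scan_history at the history file under each user's profile; the same scan is worth running defensively on a fleet, since PSReadLine records every interactive command regardless of whether it contained a password.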