Footprinting Lab - Hack The Box - Medium

 

The second lab from the Footprinting module has the following description:

This second server is a server that everyone on the internal network has access to. In our discussion with our client, we pointed out that these servers are often one of the main targets for attackers and that this server should be added to the scope.

Our customer agreed to this and added this server to our scope. Here, too, the goal remains the same. We need to find out as much information as possible about this server and find ways to use it against the server itself. For the proof and protection of customer data, a user named HTB has been created. Accordingly, we need to obtain the credentials of this user as proof.


The initial enumeration revealed Windows Remote Management and NFS services.


Further investigation of the NFS revealed a volume named TechSupport that contained several tickets available for exploration.


This information can also be accessed using the showmount command:


To access the information, it is necessary to mount it as follows:
- create the folder (nfs)
- mount the NFS pointing to the folder (mount -t nfs 10.129.202.41:/ ./nfs -o nolock)
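
From the defender's side, the same export list shows which shares any host on the network may mount. The following is an added example, not part of the original write-up: it reads text in the format printed by showmount -e and flags exports open to every client. The function name audit_exports and the sample export list are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag NFS exports that any client may mount.
# Input on stdin: text in the format printed by `showmount -e <server>`.

# Constructed sample; 192.0.2.10 is a documentation address, not the lab host.
SAMPLE_EXPORTS='Export list for 192.0.2.10:
/TechSupport (everyone)
/backups     10.0.5.0/24,10.0.6.12
/scratch     *
/home        *.corp.example'

# Print one "OPEN <path> -> <clients>" line per export whose client list
# admits every host. Exit status: 0 if none found, 1 if any export is open.
audit_exports() {
    awk '
        /^Export list for/ { next }     # header line
        NF == 0            { next }     # blank line
        {
            path = $1
            clients = $0                # everything after the path
            sub(/^[^ \t]+[ \t]*/, "", clients)
            n = split(clients, entry, /[ \t,]+/)
            # Assumption: an export with no client list is unrestricted.
            is_open = (n == 0)
            for (i = 1; i <= n; i++)
                if (entry[i] == "*" || entry[i] == "(everyone)" ||
                    entry[i] == "0.0.0.0/0")
                    is_open = 1
            if (is_open) { print "OPEN " path " -> " clients; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Run against the constructed sample.
# Live use (needs the NFS client tools): showmount -e <server> | audit_exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports ||
    echo "Restrict the exports listed above to the hosts that need them."
```

Restricting a share such as TechSupport to the support team's hosts, and keeping credentials out of ticket files, closes the path this lab relies on.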


All the files were empty except for one, which contained valuable information.


The file had credentials from a user named Alex:





With Alex's credentials, it became possible to access the machine via RDP and search for additional information:


At first glance, SQL Server Management Studio was installed, but Alex didn't have rights to connect.

While searching for information in Alex's profile, a file named important.txt was discovered. This file contained the credentials for the sa user, the well-known Microsoft SQL Server system administrator account.


This part took some time. Although the credentials for the database user sa were available, it was not possible to connect through Alex's session.


In searching for available users, it became necessary to connect as Administrator.


After conducting additional tests, it became possible to connect as Administrator using the sa password via RDP.

Finally, a connection could be established through the SQL Server Management Studio tool.



The flag was then found in the database Accounts, specifically in the table devsacc.



Thanks for reading!
