This is a short write-up about the skills assessment lab Attacking Common Services module from Hack The box.
The third server is another internal server used to manage files and working material, such as forms. In addition, a database is used on the server, the purpose of which we do not know.
The following questions should be answered:
1. What file can you retrieve that belongs to the user "simon"? (Format: filename.txt)
2. Enumerate the target and find a password for the user Fiona. What is her password?
3. Once logged in, what other user can we compromise to gain admin privileges?
4. Submit the contents of the flag.txt file on the Administrator Desktop.
Starting with the port-scanning we have the following open ports:
 |
| nmap port scan |
More scans were performed to identify uncommon open ports, service versions, etc., but I won’t share them here to keep the content concise.
 |
| smb shares |
Navigating through the share, I found some directories to check.
 |
| /home share |
 |
| mounting share |
After exploring the directories, I identified some credential data belonging to Fiona, John, and Simon.
 |
| files from share. |
Moving to the second question:
2. Enumerate the target and find a password for the user Fiona. What is her password?
Upon checking the file in Fiona’s directory, I found five possible passwords available.
 |
| fiona's password file |
A simple check using crackmapexec and the file revealed the password 48Ns72!bns74@S84NNNSl being a valid one for SMB
 |
| fiona's valid pass |
Navigating through SMB, I couldn’t find any useful information beyond what I had already gathered.
With that in mind, I moved on to RDP. I spent a lot of time reviewing the available information, including an MSSQL management tool installed, potential user data, and the user’s command history
 |
| fiona's ps history |
 |
| fiona's groups |
The third question was still unanswered.
3. Once logged in, what other user can we compromise to gain admin privileges?
To find the answer, I shifted my focus to MSSQL.
From the attack machine, I managed to connect to MSSQL using impacket-mssqlclient with the -windows-auth option.
 |
| mssql connection with impacket |
There were two available databases TestingDB and TestAppDB.
 |
| test database |
The TestingDB database didn’t contain any tables, and the second database, TestAppDB, was not configured for access using Fiona’s credentials.
 |
| checking tables |
Fiona is able to impersonate John and Simon.
 |
| impersonate query |
After testing both IMPERSONATE options, I found that Simon had access to TestAppDB, but John did not, and neither of them had the sysadmin role.
 |
| impersonate options |
While reviewing the tb_users table, I found credentials for Patric and Julio. Although Julio was listed as an admin, he wasn’t the answer to question 3. I spent some time here before moving on to the next test.
 |
| tb_users |
After extensive testing with those credentials and no results, I moved on to other database tests. Checking for linked servers, as suggested in the module, proved to be the right path.
 |
| linked servers |
By checking the credentials for Fiona, John, and Simon, I discovered that John had the sysadmin role on the linked server.
 |
| john sysadmin |
The Question 3 was answered.
3. Once logged in, what other user can we compromise to gain admin privileges? John
Jumping to the last question:
Using John’s sysadmin access, I completed this in two steps:
1 - Enabled xp_cmdshell using the following command:
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LOCAL.TEST.LINKED.SRV];
2 - Retrieved the flag.txt contents using this command:
EXEC ('EXEC xp_cmdshell ''type C:\Users\Administrator\Desktop\flag.txt'';') AT [LOCAL.TEST.LINKED.SRV];
 |
| flag.txt |
Thanks for reading it!