Ports 445 and 1433 are open; these are associated with file sharing (SMB) and SQL Server, respectively.
It is worth checking to see if anonymous access has been permitted, as file shares often store configuration files containing passwords or other sensitive information. We can use smbclient to list available shares.
$ smbclient -N -L \\\\10.10.10.27\\
It seems there is a share called backups. Let’s attempt to access it and see what’s inside.
$ smbclient -N \\\\10.10.10.27\\backups
smb: \> dir
There is a dtsConfig file, which is a configuration file used with SQL Server Integration Services (SSIS).
It contains a SQL connection string that includes credentials for the local Windows user ARCHETYPE\sql_svc.
Print your current location | $ pwd
Create a new directory called tools | $ mkdir tools
Change into the tools directory | $ cd tools
Download the tool called mssqlclient.py | $ wget http://ingrata.eu/wp-content/uploads/2020/10/mssqlclient.py_.zip
Extract the required tool | $ unzip mssqlclient.py_.zip
Delete the zip file | $ rm mssqlclient.py_.zip
Let’s try connecting to the SQL Server using Impacket’s mssqlclient.py.
We can use the IS_SRVROLEMEMBER function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges.