CPTS #06: Attacking Common Services

Be careful — make sure to use -p- in your Nmap scan and take a break with a cup of coffee while waiting for the results. I made the mistake of only scanning the top 1000 ports and wasted a lot of time brute-forcing.

Easy Lab

I forgot to capture it, so I will update this section later :v

Medium Lab

After scanning all ports, I found that the FTP service was actually running on a non-standard port (30021 and 2121). HTB tricked us here — I spent almost 3 hours brute-forcing this service and even went down the rabbit hole of DNS exploitation. I overthought things and failed right at the recon step. Totally my fault.

After discovering that the FTP service allows anonymous login, I accessed it and looked for more information. Inside, I found a folder named simon and a file named note, which contains several lines that appear to be possible passwords.

I downloaded this file and used it to perform a brute-force attack against the FTP and POP3 services, using simon as the username and each line in the note as a potential password.

As expected, we successfully discovered valid credentials to log in to the FTP service running on port 2121.

This lab is labeled as medium, but in my opinion, it feels fairly easy—as long as you pay close attention to the recon phase. Most of the challenge lies in thorough scanning and enumeration.

Hard Lab

Proceed to perform an Nmap scan on the target machine to identify open ports and running services.

Brute-force using the username “simon”, as required by the question in the assignment.

Found a shared directory belonging to the user “simon”.

Logged in with the user “simon” and proceeded to search for information within the SMB share.

Using the information found in the SMB share, proceed to search for the password for the user “fiona”.

Next, we found a reference to a database in John’s folder, suggesting that this user may have login privileges to the database. We attempted to brute-force the MSSQL login with the user “john” and the password found in John’s folder. However, brute-forcing with users “john,” “fiona,” or “simon” using the credential files from the SMB share all failed. Therefore, we decided to brute-force RDP to check if we could gain access to the RDP service.

After successfully accessing the RDP, I tried logging into MSSQL Management Studio using Windows Authentication, but encountered an error. Therefore, I switched to using mssqlclient with the -windows-auth parameter to log in. Upon further reconnaissance, I discovered that I did not have permission to access any databases on this MSSQL server, and I was also unable to execute xp_cmdshell. As a result, I decided to conduct a deeper investigation.

After discovering that there are two users I can impersonate, and noting that the contents of the text file for user John in the SMB share were related to the database, it seems likely that John is a database administrator. Therefore, I decided to impersonate user John to attempt gaining elevated privileges on the MSSQL server.

Even though I impersonated John, I still didn’t have any privileges on the DB server. I decided to check if there were any linked servers, and I discovered a local test DB server. However, when I tried using user Fiona, it returned an error with NT Authority, indicating that Fiona didn’t have permission on this DB server. This gave me a clue that there might be a way to escalate privileges or find another user with the appropriate permissions.

After impersonating the user John, I discovered that I now had full sysadmin privileges on the test DB server. This gave me complete control over the database, allowing me to execute commands, query sensitive data, and potentially escalate further or extract the flag.

If we attempt the xp_cmdshell command and find that the component is disabled, we can re-enable it and reconfigure the database to allow execution of shell commands.

Execute the following query with the EXECUTE command (note that the inner quotes are doubled single quotes, because the whole batch is passed to the linked server as one string literal):

EXECUTE('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LOCAL.TEST.LINKED.SRV];

Then run whoami through xp_cmdshell; if it returns output, xp_cmdshell has been enabled successfully.
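As an added defender-side counterpart to the enabling sequence above (this is not part of the original write-up or of any HTB material), the following T-SQL audits the three settings that made this chain work: whether xp_cmdshell and the 'show advanced options' gate are enabled, which logins hold IMPERSONATE on other logins, and which linked servers accept RPC OUT calls and with what mapped credentials; it then disables xp_cmdshell again. It assumes SQL Server 2012 or later and a login holding VIEW SERVER STATE and VIEW ANY DEFINITION; the catalog views and sp_configure options used are standard, and no server or login names from the lab are required.

```sql
-- Added defensive audit, not code from the original write-up.
-- Assumes SQL Server 2012+ and a login with VIEW SERVER STATE / VIEW ANY DEFINITION.
-- Run it on every instance, including any "test" server reachable over a linked server.

-- 1. Is xp_cmdshell (or the 'show advanced options' gate) currently enabled?
--    value_in_use = 1 means the option is live; value = 1 with value_in_use = 0
--    means it was set but RECONFIGURE has not run yet.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- 2. Which logins may impersonate other logins? class 101 = SERVER_PRINCIPAL,
--    so major_id is the principal_id of the login that can be impersonated.
--    Any grant whose target is a sysadmin member is effectively a sysadmin grant.
SELECT grantee_login.name AS grantee,
       target_login.name  AS can_impersonate,
       p.state_desc,
       IS_SRVROLEMEMBER('sysadmin', target_login.name) AS target_is_sysadmin
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee_login ON p.grantee_principal_id = grantee_login.principal_id
JOIN sys.server_principals AS target_login  ON p.major_id = target_login.principal_id
WHERE p.class = 101
  AND p.permission_name = 'IMPERSONATE';

-- 3. Linked servers that accept remote procedure calls (EXECUTE ... AT needs
--    is_rpc_out_enabled = 1). The linked-login row shows who the caller becomes
--    on the remote side: uses_self_credential = 1 passes the caller's own identity,
--    a fixed remote_name maps every local login to that one remote login.
SELECT s.name, s.data_source, s.is_rpc_out_enabled, s.is_data_access_enabled,
       COALESCE(lp.name, '<all logins>') AS local_login,
       l.uses_self_credential, l.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins   AS l  ON s.server_id = l.server_id
LEFT JOIN sys.server_principals AS lp ON l.local_principal_id = lp.principal_id
WHERE s.is_linked = 1;

-- 4. Remediation: turn xp_cmdshell back off and close the advanced-options gate.
--    Revoke IMPERSONATE grants and disable RPC OUT on links that do not need it
--    based on the results of queries 2 and 3.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Query 2 is the one that explains the write-up's escalation: an IMPERSONATE grant on a login that is sysadmin on a linked server gives the grantee that role there even when it has nothing locally, so review those grants on every instance the linked server list points to, not just the one you first landed on.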

Now we just need to locate the path containing the flag.txt file and read the result.