Meathead

Writeup for Shenzi from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.214.70 all

Service Enumeration

HTTP (Port 80)

We can't determine the version number from the web application, and default credentials don't work either.

FTP (Port 1221)

The MSSQL_BAK.rar file on the FTP share looks interesting; however, it is password protected.

We can use john to crack it.

rar2john MSSQL_BAK.rar > hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Looks like we got the password: letmeinplease

We try to unrar the file again and it works this time.

Looks like we got the credentials for the MSSQL server. sa:EjectFrailtyThorn425

Exploit

Before we carry on, we need to add the target server's details to /etc/freetds/freetds.conf.

Next, create a .sqshrc file.

Now we're ready to connect to the server with sqsh.

We now have remote code execution (RCE) on the target.
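The client setup the three steps above describe (a freetds.conf stanza, a .sqshrc, then sqsh), as an added example that is not from the original writeup. The server name "meathead", the port 1433 and the TDS version are assumptions; the password is deliberately left out of .sqshrc so sqsh prompts for it instead of keeping it in a dotfile.

```shell
#!/bin/sh
# Added example: generate the FreeTDS and sqsh client configuration needed
# to reach the MSSQL server with the recovered sa account.
# TARGET comes from the writeup; SERVER_NAME, TDS_PORT and TDS_VER are assumed.

TARGET="192.168.214.70"
SERVER_NAME="meathead"
TDS_PORT="1433"
TDS_VER="7.4"

# Stanza to append to /etc/freetds/freetds.conf. FreeTDS looks up the
# [name] section when sqsh is invoked with -S name.
freetds_stanza() {
    printf '[%s]\n    host = %s\n    port = %s\n    tds version = %s\n' \
        "$SERVER_NAME" "$TARGET" "$TDS_PORT" "$TDS_VER"
}

# .sqshrc contents: preselect server and user, use vertical output so wide
# result rows stay readable. No password line, so sqsh prompts for it.
sqshrc_contents() {
    user="$1"
    printf '\\set hostname=%s\n\\set username=%s\n\\set style=vert\n' \
        "$SERVER_NAME" "$user"
}

# Write both files into a directory. The stanza is written to a separate
# file rather than edited into /etc directly; append it with root rights:
#   sudo sh -c 'cat freetds.conf.append >> /etc/freetds/freetds.conf'
# Then connect with:  sqsh -S meathead -U sa
write_client_config() {
    dir="$1"
    freetds_stanza > "$dir/freetds.conf.append"
    sqshrc_contents sa > "$dir/sqshrc"
    chmod 600 "$dir/sqshrc"   # keep the client config private to this user
}
```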

We search the registry hoping to find any plaintext passwords.

reg query HKLM /f pass /t REG_SZ /s

The query returns a plaintext password for the user jane, so we can try to RDP into the target machine with it.

xfreerdp /u:jane /p:TwilightAirmailMuck234 /v:192.168.214.70

Privesc

Immediately, Plantronics Hub on the desktop catches our attention. Let's check the version of it.

Following the steps above gives us SYSTEM.
