📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 80)
  • FTP (Port 1221)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Try harder
  3. Windows

Meathead

Writeup for Shenzi from offsec Proving Grounds

PreviousWindowsNextLinux

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.214.70 all

Service Enumeration

HTTP (Port 80)

Can't really determine the version number. Default credentials also don't work.

FTP (Port 1221)

The MSSQL_BAK.rar file looks interesting, however, it is password protected.

We can use john to crack it.

rar2john MSSQL_BAK.rar > hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Looks like we got the password: letmeinplease

We try to unrar the file again and it works this time.

Looks like we got the credentials for the MSSQL server. sa:EjectFrailtyThorn425

Exploit

Before we carry on, we need to append the target server information into /etc/freetds/freetds.conf

Next, create a .sqshrc file.

Now we're ready to connect to the server with sqsh.

We have successfully gotten RCE.

We search the registry hoping to find any plaintext passwords.

reg query HKLM /f pass /t REG_SZ /s

We see this and we can try to RDP into the target machine.

xfreerdp /u:jane /p:TwilightAirmailMuck234 /v:192.168.214.70

Privesc

Immediately, Plantronics Hub on the desktop catches our attention. Let's check the version of it.

Just follow the steps above and we get SYSTEM.

Logo1433 - Pentesting MSSQL - Microsoft SQL ServerHackTricks
LogoPlantronics Hub 3.13.2 - Local Privilege EscalationExploit Database