
Archetype (SMB, SQL, Windows)

10.129.185.149

Questions:

What is the name of the non-Administrative share available over SMB?: -> backups

What is the password identified in the file on the SMB share?: -> M3g4c0rp123

What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?: -> mssqlclient.py

What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?: -> xp_cmdshell

What script can be used in order to search possible paths to escalate privileges on Windows hosts?: -> winpeas

What file contains the administrator's password?: -> ConsoleHost_history.txt

Submit user flag: -> 3e7b102e78218e935bf3f4951fec21a3

Recon

The scan results show that the main targets this time are SMB and MS SQL Server 2017. Two details in the nmap output matter for the next step: the smb-security-mode script got in using the guest account, and SMB message signing is enabled but not required, so anonymous share listing is worth trying before any credentials are in hand.

nmap -sCV 10.129.185.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-06 14:17 CST
Nmap scan report for 10.129.185.149
Host is up (0.45s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-03-06T04:20:52
|_Not valid after:  2052-03-06T04:20:52
|_ssl-date: 2022-03-06T07:29:32+00:00; +1h11m40s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-03-06T07:29:20
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-03-05T23:29:17-08:00
| ms-sql-info: 
|   10.129.185.149:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: 2h47m39s, deviation: 3h34m40s, median: 1h11m38s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.57 seconds

smbclient -L 10.129.185.149
Enter WORKGROUP\root's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC

SMB1 disabled -- no workgroup available
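As an added example (not code from the original writeup), the bash helpers below triage the two pieces of recon output above: they pull the open ports out of nmap -sCV output, flag the two SMB posture findings that matter here (signing not required, guest account accepted), and pick the non-administrative Disk shares out of the smbclient listing, which is exactly how `backups` stands out from the default ADMIN$, C$ and IPC$ shares. The nmap and smbclient text embedded in the script is a constructed sample mirroring the output on this page; `anon_smbclient_cmd` only prints the command for an anonymous connection (`smbclient -N`) rather than running it, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example for this writeup (not part of the original page): helpers for
# triaging the nmap and smbclient output from the Recon section.
# The sample text below is constructed to mirror that output.

# Constructed sample: trimmed `nmap -sCV` output for the target.
NMAP_OUT='PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)'

# Constructed sample: `smbclient -L <host>` share listing.
SMB_LISTING='	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC

SMB1 disabled -- no workgroup available'

# Print "port/proto service" for each open TCP port in nmap -sCV output (stdin).
open_ports() {
  awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { print $1, $3 }'
}

# Exit 0 when nmap reports SMB signing as not required: the host is then a
# candidate for NTLM relay and for tampering with unsigned sessions.
smb_signing_not_required() {
  grep -q 'Message signing enabled but not required'
}

# Exit 0 when nmap's smb-security-mode script got in with the guest account,
# meaning anonymous share listing is worth trying first.
guest_access_allowed() {
  grep -q 'account_used: guest'
}

# Print Disk shares that are not built-in administrative shares (name ends in $).
# Those are the custom shares, e.g. "backups", to enumerate anonymously.
nonadmin_disk_shares() {
  awk '$2 == "Disk" && $1 !~ /\$$/ { print $1 }'
}

# Build (but do not run) the smbclient command for an anonymous connection to a
# share; -N skips the password prompt. Arguments: host, share name.
anon_smbclient_cmd() {
  printf 'smbclient -N //%s/%s\n' "$1" "$2"
}

main() {
  host=10.129.185.149
  echo "Open ports:"
  printf '%s\n' "$NMAP_OUT" | open_ports
  printf '%s\n' "$NMAP_OUT" | smb_signing_not_required && echo "SMB signing not required"
  printf '%s\n' "$NMAP_OUT" | guest_access_allowed && echo "guest access accepted"
  echo "Non-administrative shares and the anonymous connection to try next:"
  printf '%s\n' "$SMB_LISTING" | nonadmin_disk_shares | while read -r share; do
    echo "  $share: $(anon_smbclient_cmd "$host" "$share")"
  done
}

# Run the triage on the constructed samples.
main
```

The share filter keys on the `$` suffix because Windows creates ADMIN$, C$ and IPC$ by default; any Disk share without it was created by an administrator and is the one to look at for loose files such as the config that holds the password here.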