Footprinting medium machine

Hi!

Same here. Any luck/hint for us? And what about the info from the stop? Is it useful somewhere, or is it just a reminder?

P.S. nvm I solved it with help from Discord. For anyone still struggling, new to SQL (as myself), this is the query to execute: select * from accounts.dbo.devsacc where name = 'htb';

Any hints? Once you were inside MSSMS, where/how do we have to know where to look at for the user HTB?

P.S. nvm I solved it with help from Discord. For anyone still struggling, new to SQL (as myself), this is the query to execute: select * from accounts.dbo.devsacc where name = 'htb';

Very nice box - thx. Just use what you learned in the previous chapters. It will lead you to the goal.

Okay, I’m really struggling to the point imposter syndrome is creeping in.

So it seems like one of the first few steps I have to do is mount. I used the standard mount command but it didn’t work. I was able to mount after sudo mount. Now, I tried to cd into the mounted directory, but I’m having an access issue. Some people are saying something about ‘root’ but I’m honestly lost. Any advice is super appreciated :))

Hi, I know this was a while ago, but did you end up solving this? I’m also stuck at the nobody privilege and even if I have the NFS mounted, I cannot access the directory because of PERMISSION DENIED

Sometimes you’re not allowed to change to certain directories as an unprivileged user.

FINALLY solved.

In the end I used the HTB Discord for further advice and a deep dive. For those who are struggling, if I can do this (and trust me, it took me days to solve this), you CAN.

Some hints

  1. Yes, mount is probably the good start.
  2. Having a permission issue? Try to search root command for Linux. Don’t think too much about trying to ‘cd’ the mounted directory.
  3. I actually used ‘grep’ and ‘find’ a lot.
  4. Once accessing RDP, try looking into the Windows UI for some clue. You are not that far from the goal.

showmount -e <FQDN/IP>
mount -t nfs <FQDN/IP>:/ ./target-NFS/ -o nolock
--> Note: do ls -la, but it takes some time, just be patient. (You will identify that one txt file has a different size.)
--> Got 1 user and pass
--> Go through RDP (I love Remmina)
--> Check all folders because someone writes imp passwords in txt files
--> The imp pass may also be administrator
--> If so, administrator will also be compromised
--> If a hacker has admin rights he can dig sqlservice from Remmina by running queries from the admin account. Actually, admin can also view processes and services running and change the access control of the service.
--> If this happens every user can query MSSQL (you do not need to do this)
--> Just query from the administrator acc
--> Special thanks to @flydragon for the direct query

I have not been able to access RDP and tried with alex’s credentials and nothing

Did you use Remmina for RDP?

Yes, and alex’s credentials, and it gives me an error

Once again, reconfigure your VPN file and try it again

For those who are still stuck.

After you mount NFS with nobody, you have sudo on your pwnbox, your sudo password is on your desktop.
After you sudo you should be able to access the TechSupport folder, use grep to find the pass/user.
Use the credential found to RDP. I was stuck here while using xfreerdp.
Use Remmina in your pwnbox to RDP to the target.
Look for the ‘important’ file.
The important file is the local administrator password.
Use that password and try to "run as administrator".
Navigate around, and use some basic SQL WHERE statement.

If you are still struggling check out this video.

https://www.youtube.com/watch?v=hJhienEcm_U

Thanks for the SQL query. It saved me

If you are stuck, then the following reading can help you understand what needs to be done.

First, do an nmap scan and understand what type of server it is and what the server is running, and take note of the fact that everyone can access it.

Understand the meaning and concept of exports in NFS

Exporting a directory declares that a directory in the server's namespace is available to client machines. If you see a directory as NFS export (a directory that has been exported by an NFS server), then it means that a user can mount it. Mounting a directory makes the files that reside on the NFS server available to the user.

And then read this NFS command.

https://www.thegeekdiary.com/showmount-command-examples-in-linux/

Also, read this basic info about SQL Server commands

https://www.datameer.com/blog/sql_how-to-display-all-the-tables-from-a-database/
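
Added example (not part of any post in this thread): a small Python check for the export concept described above, which parses `showmount -e` output and lists the exports that any client is allowed to mount. The sample output, addresses and host names are constructed; `/TechSupport` is the folder name mentioned in the thread.

```python
import ipaddress

# Constructed sample of `showmount -e <server>` output (not captured from a real host).
SAMPLE = """\
Export list for 192.0.2.10:
/TechSupport (everyone)
/srv/backups 192.0.2.0/24
/mnt/scratch *
/home/dev    files01.example.internal,192.0.2.7
"""

# Client specifications that place no restriction on who may mount the export.
OPEN_TOKENS = {"*", "(everyone)", "everyone"}


def parse_showmount(output):
    """Return [(export_path, [client, ...]), ...] from `showmount -e` output."""
    exports = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        # The client list is the last whitespace-separated field, so a path
        # that contains spaces stays intact.
        parts = line.rsplit(None, 1)
        clients = parts[1].split(",") if len(parts) == 2 else []
        exports.append((parts[0], clients))
    return exports


def is_open(client):
    """True when a client entry matches every host."""
    if client.lower() in OPEN_TOKENS:
        return True
    try:
        # 0.0.0.0/0 and ::/0 cover the whole address space.
        return ipaddress.ip_network(client, strict=False).prefixlen == 0
    except ValueError:
        return False  # host name or pattern: a named restriction


def world_mountable(output):
    """Exports with no client list at all, or with at least one open entry."""
    return [path for path, clients in parse_showmount(output)
            if not clients or any(is_open(c) for c in clients)]


if __name__ == "__main__":
    for path in world_mountable(SAMPLE):
        print("mountable by any client:", path)
```

Exports reported here should either be restricted to named hosts or subnets on the server, or be reviewed for files that should not be readable by anyone who can reach the NFS port.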

I know this is a bit late. For anyone else with this issue, start the application in admin mode using the SA credentials. From there, it’s just a matter of searching for the username and password.

Mount the folder

Use the credentials found in the mount to RDP

Find the administrator credentials, which are in the Windows system, search for it [file name important]

devsacc → table name. accounts → database

Thanks to everyone here for your help, I’ve finally completed this box.

For those still needing a push in the right direction:

  • Use Remmina to connect to RDP with the first creds.
  • Once connected, explore the filesystem and you will find the next required creds.
  • It always helps to run as admin.
  • I found that this query did the trick - select * from accounts.dbo.devsacc where name like '%htb%';

Hope this helps.

Peace out.

important.txt is an empty text file though?