Same here. Any luck/hint for us? And what about the info from the stop? Is it useful somewhere, or is it just a reminder?
P.S. nvm, I solved it with help from Discord. For anyone still struggling, new to SQL (as myself), this is the query to execute: select * from accounts.dbo.devsacc where name = 'htb';
Any hints? Once you were inside MSSMS, where/how do we have to know where to look at for the user HTB?
Okay, I’m really struggling to the point imposter syndrome is creeping in.
So it seems like one of the first few steps I have to do is mount. I used the standard mount command but it didn’t work. I was able to mount after sudo mount. Now, I tried to cd into the mounted directory, but I’m having an access issue. Some people are saying something about ‘root’ but I’m honestly lost. Any advice is super appreciated :))
Hi, I know this was a while ago, but did you end up solving this? I’m also stuck at the nobody privilege, and even if I have the NFS mounted, I cannot access the directory because of PERMISSION DENIED
In the end I used the HTB Discord for further advice and a deep dive. For those who are struggling, if I can do this (and trust me, it took me days to solve this), you CAN.
Some hints
Yes, mount is probably a good start.
Having a permission issue? Try to search for the root command for Linux. Don’t think too much about trying to ‘cd’ into the mounted directory.
I actually used ‘grep’ and ‘find’ a lot.
Once accessing RDP, try looking into the Windows UI for some clue. You are not that far from the goal.
showmount -e <FQDN/IP>
mount -t nfs <FQDN/IP>:/ ./target-NFS/ -o nolock
--> Note: do ls -la, but it takes some time, just be patient (you will identify i txt file has different size)
--> Got 1 user and pass
--> Go through RDP (I love Remmina)
--> Check all folders, because someone writes imp passwords in txt files
--> The imp pass may also be administrator
--> If so, administrator will also be compromised
--> If the hacker has admin rights, he can dig sqlservice from Remmina by running queries from the admin account. Actually, admin can also view processes and services running and change the access control of the service.
--> If this happens, every user can query MSSQL (you do not need to do this)
--> Just query from the administrator acc
--> Special thanks to @flydragon for the direct query
After you mount nfs with nobody, you have sudo on your pwnbox, your sudo password is on your desktop.
After you sudo you should be able to access TechSupport folder, use Grep to find the pass/user.
Use the credential found to RDP. I was stuck here while using xfreerdp.
Use Remmina in your pwnbox to rdp to target.
Look for ‘important’ file.
The important file is the local administrator password.
Use that password and try to "run as administrator".
navigate around, and some basic SQL WHERE statement.
If you are stuck, then the following reading can help you understand what needs to be done.
First, do an nmap scan and understand what type of server it is and what the server is running, and take note of the fact that everyone can access it.
Understand the meaning and concept of exports in NFS
Exporting a directory declares that a directory in the server's namespace is available to client machines. If you see a directory as NFS export (a directory that has been exported by an NFS server), then it means that a user can mount it. Mounting a directory makes the files that reside on the NFS server available to the user.
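As an added example (not part of the original post or of the lab), here is the server-side view of the exports concept described above: a short Python audit of `/etc/exports` syntax that flags entries any host can mount and entries that disable root squashing, the option that maps a client's root to nobody. The sample file, its options and the host names are constructed.

```python
import re

# Constructed sample in /etc/exports syntax (not taken from the lab target).
SAMPLE_EXPORTS = """\
# path         client(options)
/TechSupport   *(rw,sync,no_subtree_check)
/srv/backups   10.0.5.0/24(ro,sync,root_squash)
/home/dev      build01.example.internal(rw,no_root_squash)
/srv/share     trusted.example.internal (rw,sync)
"""

WORLD = {"", "*", "0.0.0.0/0", "::/0"}
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for each client entry of each export."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients or [""]:   # no client listed means any host
            m = CLIENT_RE.match(token)
            if not m:
                continue
            host, opts = m.group(1), m.group(2) or ""
            yield path, host, {o for o in opts.split(",") if o}


def audit(text):
    """Return sorted (path, client, finding) tuples for risky entries."""
    findings = []
    for path, host, opts in parse_exports(text):
        shown = host or "<any host>"
        if host in WORLD:
            findings.append((path, shown, "mountable by any host"))
            if "rw" in opts:
                findings.append((path, shown, "writable by any host"))
        if "no_root_squash" in opts:
            findings.append((path, shown, "client root is not mapped to nobody"))
    return sorted(findings)


if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:14} {client:28} {finding}")
```

The last sample line shows a common slip: the space before `(rw,sync)` detaches the options from the named host, so they apply to every host instead.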
I know this is a bit late. For anyone else with this issue, start the application in admin mode using the SA credentials. From there, it’s just a matter of searching for the username and password.