Port enumeration

Using nmap, I can see a smp and a MSQL servers open. 600890e9bf6bd2534d49aaff2df8c938.png

SMP Enumeration

In the smp serv er I can see a public directory called backups. b28c4b99596976b089c5618919c23326.png Inside this directory, I found a config file. 0d7949ebfff65f904dc7fe2e85f766b6.png Inside this file, I can see what looks like a MSQL credentials. d3048bd63551f7497f96f43bad9ed447.png

MSSQL RCE

Using this credentials, I'm able to log in the database. 9af949af6eb1de4f6a06d50f716a03a9.png The user have the sysadmin role, wich means, I can execute system commands. 35b47096e3565e7178698fd4dcee4357.png With this, I just need to execute a reverse shell. f7197ecf63fb7fefe853e8d60ea259d7.png 9db5a2a69ff9f27b6f581b3d88de0550.png And I can read the user flag. ea439edb64f7544d713452ecd91b0137.png

Privilege escalation

I execute winpeas to scan the system. ae4cbc032fc95aab279047039c15b6b5.png 8016a5035241f7b3e8378df94b93c527.png Winpeas found a history file with a password inside. c376d8ef9bf3857a7631173bf23d44e5.png 6e049a919f285db2fc8c48ff029845de.png This password allows me to los as administrator and take the admin flag. 6064431aeaced50321fe27779b70c5eb.png fbc5e7658bd30e61662e739ac883116d.png