Using nmap, I can see a smp and a MSQL servers open.

In the smp serv er I can see a public directory called backups.
Inside this directory, I found a config file.
Inside this file, I can see what looks like a MSQL credentials.

Using this credentials, I'm able to log in the database.
The user have the sysadmin role, wich means, I can execute system commands.
With this, I just need to execute a reverse shell.
And I can read the user flag.

I execute winpeas to scan the system.
Winpeas found a history file with a password inside.
This password allows me to los as administrator and take the admin flag.
