Meathead is a Windows-based box on Offensive Security’s Proving Grounds. It is rated as Very Hard by the community. The box is also part of the OSCP-Like boxes list created by TJ-Null and is great practice for the OSCP exam.
Getting the initial shell proved difficult (hint: we didn't); the privilege escalation part, however, was very easy.
We start with nmap:
sudo nmap -sC -sV -p- 192.168.171.70
So we have some interesting stuff here. A website on port 80, SMB on 445, FTP on 1221 and MSSQL on 1435. That is a couple of services on ports we would not usually see them on.
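The two services on odd ports are the kind of thing an exposure review should pull out of a scan automatically rather than by eye. The following is an added example, not code from the original write-up: it parses nmap's -oX XML output and flags any open service whose port is not the default for that service. The XML below is constructed to mirror the scan described above; the default-port table is an assumption you would extend for your own environment.

```python
"""Flag services that nmap identified on non-default ports.

Added example, not from the original write-up. Parses nmap -oX output;
the sample XML is constructed to mirror the scan in the post.
"""
import xml.etree.ElementTree as ET

# Default ports per nmap service name (assumed list; extend as needed).
DEFAULT_PORTS = {
    "http": {80, 8080},
    "https": {443},
    "microsoft-ds": {445},
    "ftp": {21},
    "ms-sql-s": {1433},
    "ms-wbt-server": {3389},
}

# Constructed sample in nmap -oX format (not real scan output).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.171.70" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1221"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="1435"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_services(xml_text):
    """Return (host, port, service_name) for every open TCP port in the scan."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.append((addr, int(port.get("portid")), name))
    return found


def non_default_ports(xml_text):
    """Return the open services whose port is not a known default for that service."""
    return [
        (addr, port, name)
        for addr, port, name in open_services(xml_text)
        if name in DEFAULT_PORTS and port not in DEFAULT_PORTS[name]
    ]


if __name__ == "__main__":
    for addr, port, name in non_default_ports(SAMPLE_NMAP_XML):
        print(f"{addr}:{port} runs {name} on a non-default port")
```

Run it against a real scan with `nmap -sV -oX scan.xml ...` and feed the file contents to `non_default_ports`; services on unexpected ports are where port-based firewall rules and monitoring most often have gaps.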
Let’s first check port 80, which shows us a Plantronics splash page.
We check searchsploit for Plantronics. There is nothing for us right now, but we note the Local Privilege Escalation exploit, which might come in handy later.
SMB on port 445 is not accepting our anonymous logins. But FTP on port 1221 is.
Of interest to us is the MSSQL backup. We know this box is running MSSQL so a backup is certainly something we want to take a look at. Let’s get a copy.
We try to open it but it needs a password.
Let's use John to get this into a crackable form. The following dumps the hash to a file called "crackthis":
rar2john MSSQL_BAK.rar > crackthis
We then start John using the rockyou wordlist:
john crackthis --wordlist=/usr/share/wordlists/rockyou.txt
And we get our password back.
We unrar the file:
We take a look at the text file inside:
Awesome! Let’s see if we can now log into the MSSQL database using these creds. For this, we can use SQSH, which is short for SQShell.
Let's check if we have code execution via the following (in sqsh the batch is sent with go on its own line):
xp_cmdshell 'whoami'
go
This box has curl, which is worth remembering on later Windows 10 boxes.
Let’s create a reverse shell and try to download it and execute it.
No matter what I tried, I couldn’t get a reverse shell to download onto the machine. I also tried certutil and although I could see the initial request hitting my HTTP server, the actual reverse shell never downloaded. Maybe A/V?
We take a look around the directories we can access and don't find anything useful. We move on to more manual methods, including searching for passwords, which is always a good go-to.
We locate something interesting.
So we have three passwords now: the one from the cracked rar file, another from the SA database, and this one from the Registry. Let's enumerate the users on this machine, as we might be able to leverage credential re-use.
We get two users, Jane and the Administrator. Let's use the usernames and the passwords we have collected to password spray across RDP on port 3389, and then SMB.
We can use Hydra for this.
hydra -V -f -L usernames.txt -P passwords.txt rdp://192.168.171.170
We get a valid login:
Let's log in using rdesktop:
rdesktop -u jane -p TwilightAirmailMuck234
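From the blue-team side, the spray above leaves a distinctive trace: a burst of failed logons (Security event 4625) from one source against several different accounts, followed by a success (4624) from the same source. The following is an added example, not part of the original write-up, that detects that pattern in exported log records. The records are constructed (the source addresses, timestamps and thresholds are all assumptions); the field layout is simplified to timestamp, event ID, target user and source address.

```python
"""Detect a password spray followed by a successful logon.

Added example, not from the original write-up. Input records are
constructed, not real Security log exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp, event id, target user, source address.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01,4625,jane,192.168.45.5
2024-01-01T10:00:01,4625,administrator,192.168.45.5
2024-01-01T10:00:02,4625,jane,192.168.45.5
2024-01-01T10:00:02,4625,administrator,192.168.45.5
2024-01-01T10:00:03,4625,jane,192.168.45.5
2024-01-01T10:00:03,4624,jane,192.168.45.5
2024-01-01T10:05:00,4625,bob,10.0.0.9
"""


def parse_events(text):
    """Parse the simplified CSV records into sorted (time, event_id, user, source) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), user.lower(), src))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=5), min_failures=4, min_users=2):
    """Return {source: summary} for sources that tried several accounts and
    accumulated enough failures inside one sliding window. The summary notes
    whether a successful logon (4624) from that source followed the alert."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[3]].append(ev)

    alerts = {}
    for src, evs in by_source.items():
        failures = [e for e in evs if e[1] == 4625]
        flagged_at = None
        for i, (ts, _, _, _) in enumerate(failures):
            # Failures from this source within the window ending at this event.
            recent = [e for e in failures[: i + 1] if e[0] >= ts - window]
            users = {e[2] for e in recent}
            if len(recent) >= min_failures and len(users) >= min_users:
                flagged_at = ts
                break
        if flagged_at is None:
            continue
        success_after = any(e[1] == 4624 and e[0] >= flagged_at for e in evs)
        alerts[src] = {
            "failures": len(failures),
            "users": sorted({e[2] for e in failures}),
            "success_after": success_after,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {info['failures']} failures across {info['users']}, "
              f"success afterwards: {info['success_after']}")
```

The "success_after" flag is the one worth paging on: a spray that ends in a valid logon means a reused or weak password has already been found, which is exactly how the RDP access above was obtained.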
We are greeted with the familiar desktop.
We note Plantronics Hub on the desktop. Recall our first steps, where we saw a Local Privilege Escalation exploit for this software. We open it to see if the version is vulnerable, which, according to searchsploit, it is.
Looking at the exploit, it appears extremely easy to escalate our privileges on this machine. We simply need to create a config file in the appropriate folder.
Turn on the checkboxes for Hidden Items and File Name Extensions.
Create the file MajorUpgrade.config.txt and add the data into it as per the exploit. I created it as .config.txt first so I could edit it without it trying to execute.
Our payload is cmd.exe.
Press Save and remove the .txt portion of the file extension, and a cmd window boots up as SYSTEM.
And there is our SYSTEM shell, so you are free to grab both flags.
We hope you enjoyed this machine as much as we did.