During our penetration test our team found a Windows host running on the network and the corresponding credentials for the Administrator. It is required that we connect to the host and find the hardcoded password for the MSSQL service.

Questions:

What is the hardcoded password for the database connection in the MultimasterAPI.dll file?

RDP to with user "Administrator" and password "xcyj8izxNVzhf4z"

Reconnaissance

Nmap

└─$ cat nmap.txt                                                                   
# Nmap 7.95 scan initiated Thu May  7 02:40:46 2026 as: /usr/lib/nmap/nmap -sV -sC -oN nmap.txt 10.129.95.200
Nmap scan report for 10.129.95.200
Host is up (0.29s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: MegaCorp
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-05-07 02:48:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds  Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGACORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2026-05-07T02:48:30+00:00; +7m04s from scanner time.
| ms-sql-info: 
|   10.129.95.200:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.129.95.200:1433: 
|     Target_Name: MEGACORP
|     NetBIOS_Domain_Name: MEGACORP
|     NetBIOS_Computer_Name: MULTIMASTER
|     DNS_Domain_Name: MEGACORP.LOCAL
|     DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
|     DNS_Tree_Name: MEGACORP.LOCAL
|_    Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-05-07T02:47:23
|_Not valid after:  2056-05-07T02:47:23
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Not valid before: 2026-05-06T02:46:41
|_Not valid after:  2026-11-05T02:46:41
|_ssl-date: 2026-05-07T02:48:30+00:00; +7m04s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: MEGACORP
|   NetBIOS_Domain_Name: MEGACORP
|   NetBIOS_Computer_Name: MULTIMASTER
|   DNS_Domain_Name: MEGACORP.LOCAL
|   DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
|   DNS_Tree_Name: MEGACORP.LOCAL
|   Product_Version: 10.0.14393
|_  System_Time: 2026-05-07T02:48:16+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: MULTIMASTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 1h07m04s, deviation: 2h38m46s, median: 7m03s
| smb2-time: 
|   date: 2026-05-07T02:48:16
|_  start_date: 2026-05-07T02:46:50
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: MULTIMASTER
|   NetBIOS computer name: MULTIMASTER\x00
|   Domain name: MEGACORP.LOCAL
|   Forest name: MEGACORP.LOCAL
|   FQDN: MULTIMASTER.MEGACORP.LOCAL
|_  System time: 2026-05-06T19:48:19-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May  7 02:41:33 2026 -- 1 IP address (1 host up) scanned in 47.48 seconds

RDP

xfreerdp3 /v:10.129.95.200 /u:Administrator /p:'xcyj8izxNVzhf4z' /cert:ignore /dynamic-resolution

Enumerate

Some simple enumeration is enough here: check which tools are available on the host and locate the target MultimasterAPI.dll file.

Get-ChildItem -Path C:\ -Filter MultimasterAPI.dll -Recurse -ErrorAction SilentlyContinue

We can see it is located in the C:\inetpub\wwwroot\bin directory; I opened it with dnSpy.

Manual browsing (the Controllers namespace is always a good place for me to start)

Summary Methodology:

  1. Initial Access: Gained GUI access to the target server (MULTIMASTER) via RDP using the discovered Administrator credentials.
  2. File Discovery: Navigated to the IIS web root directory (typically C:\inetpub\wwwroot\) and located the compiled backend binary for the API: MultimasterAPI.dll.
  3. Decompilation: Opened the .NET assembly in dnSpy, a standard reverse-engineering tool for .NET assemblies, to perform static code analysis.
  4. Source Code Review: Manually browsed the assembly tree in dnSpy. Navigated to the MultimasterAPI.Controllers namespace and analyzed the ColleagueController class.
  5. Credential Discovery: Examined the GetColleagues method handling [HttpPost] requests to the api/getColleagues route. Found a hardcoded SQL connection string directly within the method, used to instantiate the SqlConnection.

Code Snippet Found:

C#

string connString = "server=localhost;database=Hub_DB;uid=finder;password=D3vel0pM3nT!;";
SqlConnection con = new SqlConnection(connString);
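dnSpy shows this literal once you already know which controller to open. The following scanner is an added example, not code from the writeup or from the MultimasterAPI project: it pulls printable strings out of a compiled .NET assembly in both ASCII and UTF-16LE (the encoding the #US heap uses for string literals), recognises connection-string shaped text, and reports any that carry a password with the secret redacted, so a build pipeline or responder can flag such binaries before deployment. The sample bytes are constructed around the page's connection string, not taken from the real DLL.

```python
import re
from typing import Dict, List

# .NET keeps string literals UTF-16LE in the #US heap, so an ASCII-only
# grep never sees them; we extract printable runs in both encodings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# Two or more "key=value;" pairs in a row, the shape of an ADO.NET string.
CONN_RE = re.compile(r"(?:[A-Za-z][\w ]*=[^;]*;){2,}")
SECRET_KEYS = ("password", "pwd")  # ADO.NET / ODBC keys that carry a secret


def printable_strings(blob: bytes) -> List[str]:
    """Like `strings` plus `strings -e l`, over one byte buffer."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return out


def parse_conn_string(s: str) -> Dict[str, str]:
    """Split 'k=v;k=v;' into a dict with lower-cased keys."""
    pairs: Dict[str, str] = {}
    for part in s.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def find_hardcoded_credentials(blob: bytes) -> List[Dict[str, str]]:
    """One finding per embedded connection string that carries a secret.
    The secret is replaced by its length so the report itself does not leak it."""
    findings = []
    for text in printable_strings(blob):
        for m in CONN_RE.finditer(text):
            kv = parse_conn_string(m.group())
            hit = next((k for k in SECRET_KEYS if k in kv), None)
            if hit is None:
                continue  # e.g. Integrated Security=True, nothing to report
            kv[hit] = f"<redacted, {len(kv[hit])} chars>"
            findings.append(kv)
    return findings


# Constructed sample, not bytes from the real MultimasterAPI.dll: a UTF-16LE
# literal with the page's connection string, plus a secret-free ASCII one.
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "server=localhost;database=Hub_DB;uid=finder;password=D3vel0pM3nT!;".encode("utf-16-le")
    + b"\x00" * 8 + b"Data Source=.;Initial Catalog=Audit;Integrated Security=True;"
)
```

Run it against a real assembly with `find_hardcoded_credentials(open(path, "rb").read())`; adjacent #US heap entries can merge into one run, which is why the match is anchored on the key=value; shape rather than on string boundaries.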

Extracted Credentials:

  • Database: Hub_DB
  • Username (UID): finder
  • Password: D3vel0pM3nT!

Answer: D3vel0pM3nT!